Analysis
max time kernel: 1484s
max time network: 1454s
platform: windows11-21h2_x64
resource: win11-20240214-en
resource tags: arch:x64, arch:x86, image:win11-20240214-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 20/02/2024, 00:01
Static task: static1
Behavioral task: behavioral1 (sample: decode_Fakeupdate.ps1, resource: win7-20231215-en)
Behavioral task: behavioral2 (sample: decode_Fakeupdate.ps1, resource: win10-20240214-en)
Behavioral task: behavioral3 (sample: decode_Fakeupdate.ps1, resource: win10v2004-20231215-en)
Behavioral task: behavioral4 (sample: decode_Fakeupdate.ps1, resource: win11-20240214-en)
General
Target: decode_Fakeupdate.ps1
Size: 4KB
MD5: de20d86ec1a1e85bfbc5745a03a38e51
SHA1: 3558b1d1c1049f8852a79162e98ad201f1ba5426
SHA256: ccc71819287c931ddf6625bfede42bc3cce4ffc61795cc955822fc981564fbc5
SHA512: 243ddbc84f0ca0f319f68028e39331f196c6085756a12820f78f996a47700ecf8066b681d265ecdbcead4439ec67e307e739acd2a07a759cb001b4170d501b9b
SSDEEP: 96:lrlrvxj+/ZFAAIxnkIh3qa9RDyj5tsMemPYTall:l5IjMku6e1yjXsMemPYOll
Malware Config
Signatures

Blocklisted process makes network request (10 IoCs)
flow  pid   Process
20    4220  WScript.exe
21    4220  WScript.exe
22    4220  WScript.exe
23    4220  WScript.exe
26    4408  WScript.exe
27    2908  WScript.exe
30    1880  WScript.exe
35    4112  WScript.exe
36    1896  WScript.exe
38    4512  CScript.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Modifies registry class (3 IoCs)
description  ioc                                                                                        Process
Key created  \REGISTRY\USER\S-1-5-21-3513082673-3003704585-445662156-1000_Classes\Local Settings  cmd.exe
Key created  \REGISTRY\USER\S-1-5-21-3513082673-3003704585-445662156-1000_Classes\Local Settings  OpenWith.exe
Key created  \REGISTRY\USER\S-1-5-21-3513082673-3003704585-445662156-1000_Classes\Local Settings  OpenWith.exe

Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid   Process
2300  powershell.exe
2300  powershell.exe

Suspicious behavior: GetForegroundWindowSpam (2 IoCs)
pid   Process
2456  OpenWith.exe
4296  OpenWith.exe

Suspicious use of AdjustPrivilegeToken (1 IoCs)
description              pid   Process
Token: SeDebugPrivilege  2300  powershell.exe

Suspicious use of SetWindowsHookEx (64 IoCs)
pid   Process
2456  OpenWith.exe  (the same pid/process pair is listed 64 times)

Suspicious use of WriteProcessMemory (2 IoCs)
description                      pid   Process  procid_target
PID 1820 wrote to memory of 1880  1820  cmd.exe  89
PID 1820 wrote to memory of 1880  1820  cmd.exe  89
Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\decode_Fakeupdate.ps1
  PID: 2300
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken

C:\Windows\System32\rundll32.exe
  Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
  PID: 760

C:\Windows\System32\WScript.exe
  Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\OutputFile\Version.89.3512.58.js"
  PID: 4220
  - Blocklisted process makes network request

C:\Windows\System32\WScript.exe
  Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\OutputFile\Version.89.3512.58.js"
  PID: 4408
  - Blocklisted process makes network request

C:\Windows\System32\WScript.exe
  Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\OutputFile\Version.89.3512.58.js"
  PID: 2908
  - Blocklisted process makes network request

C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe"
  PID: 1820
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  Child process:
    C:\Windows\System32\WScript.exe
      Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\OutputFile\Version.89.3512.58.js"
      PID: 1880
      - Blocklisted process makes network request

C:\Windows\System32\WScript.exe
  Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\OutputFile\Version.89.3512.58.js"
  PID: 4112
  - Blocklisted process makes network request

C:\Windows\system32\OpenWith.exe
  Command line: C:\Windows\system32\OpenWith.exe -Embedding
  PID: 2456
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx

C:\Windows\System32\WScript.exe
  Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\OutputFile\Version.89.3512.58.js"
  PID: 1896
  - Blocklisted process makes network request

C:\Windows\system32\OpenWith.exe
  Command line: C:\Windows\system32\OpenWith.exe -Embedding
  PID: 4296
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam

C:\Windows\System32\CScript.exe
  Command line: "C:\Windows\System32\CScript.exe" "C:\Users\Admin\Desktop\OutputFile\Version.89.3512.58.js"
  PID: 4512
  - Blocklisted process makes network request
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 317B
MD5: dd982383a2370b4ffbee127c259c9bf6
SHA1: 32a17db6fff1558e9c58e0a0b4f9ae716739f60f
SHA256: e09c36d4677c9986b0766345054bd522b0b7352b5b1bf60762ef925b925d0668
SHA512: 696a59808de4d380f4c89eb512472200315cc7c1d4d3e5abd7a71639f2eed273dfe8a1943556f367e1debbb3f504ce235ddf58056e3947596ba67c040c78c6b6

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_89854CA6A0F0936A4D2ECA78845CEA25
Filesize: 1KB
MD5: a99377a27910f2447a1d4c78a1d55540
SHA1: 2d82c4bd9ef86fae0cede0bde4d85a52304c5cb2
SHA256: cd3094c0df506297237c88653680d7a4e83e613696e78c30b99e428fde3c4b48
SHA512: 406df06cbe6c28a5908bd66ab0f0d71b7e06ef8347410850f97188cfc5575c471ea388a12c5d93dbace884f8328df7ad828940b6c442e691e72d73fa8bc853a7

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\D0E1C4B6144E7ECAB3F020E4A19EFC29_03D1B482EE3032A122274428715A4E19
Filesize: 977B
MD5: 50cb447f2a8f99cb126cb51392696c7f
SHA1: 80c4b991dd02b94f2d96eb07da7f197d5e3196a9
SHA256: 0d00728a79f840f071f85740efff9a27ec0c7d1f489511b5b7c4c861767aa059
SHA512: d99eb91f441ba2fddbb6bd0f7a19d51452a5d45fd24315ddfb1f744d2866b3d4d481e2aef38f1eff31f5434979439c4415780b7e6b0d9f15b4a56f9cb2d3d97c

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\518DFDD116D9AD0210609502E2F95908
Filesize: 508B
MD5: d2c73a0502ecbdaf161f585cb3655629
SHA1: 48f22d578468bc4da0b747db084f7ef6d57d89e0
SHA256: 377ca858e18f5d8b2c92e828d444d76e3dc04e4ba719eecaf422a845b6bbacd6
SHA512: a3b8662e5f4cec882e2dc559f3cc671ca870fd9331ff912ddcff9654c82daf9a9d8f1f52a455524da512ab84a24942f62f1150e3daa157573e5d1f9bd36efe9a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_89854CA6A0F0936A4D2ECA78845CEA25
Filesize: 482B
MD5: 38c062118b639a21cedf74faa4423e1a
SHA1: dd97088cd20b8d5b38b832c0c820491eb14449fa
SHA256: 5b28e83ea66f1c8f355292a61bc0b6e705b619535aeeafc7ecbf13c3799eef3e
SHA512: 30e9bd0030e0f89da956c01a02e1188e62c82fa03b44ff6a9c6f4523ff9e202dcd8df7ffb9d75fba403e278bbebd15a98011479ab03c745290feff45631d6f94

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\D0E1C4B6144E7ECAB3F020E4A19EFC29_03D1B482EE3032A122274428715A4E19
Filesize: 484B
MD5: 5034bd3945ed66eac71b25936efec1d4
SHA1: b9e9744d7574df0497d0957916f118f643270e21
SHA256: c399acdf8143c046af3d13faea35ef3f255d3e1af10123269a80c0e0d91165ef
SHA512: 2d33da6cd0e026fc426fe730d53eb8f27022a46bedd309f87da1ca171dfcf2a9bec1c0735427cf9f7ee9b08e22d9a6401c54211799e74fe953f5522651048f55

Filesize: 60B
MD5: d17fe0a3f47be24a6453e9ef58c94641
SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82