
Analysis

  • max time kernel: 1484s
  • max time network: 1454s
  • platform: windows11-21h2_x64
  • resource: win11-20240214-en
  • resource tags: arch:x64, arch:x86, image:win11-20240214-en, locale:en-us, os:windows11-21h2-x64, system
  • submitted: 20/02/2024, 00:01

General

  • Target: decode_Fakeupdate.ps1
  • Size: 4KB
  • MD5: de20d86ec1a1e85bfbc5745a03a38e51
  • SHA1: 3558b1d1c1049f8852a79162e98ad201f1ba5426
  • SHA256: ccc71819287c931ddf6625bfede42bc3cce4ffc61795cc955822fc981564fbc5
  • SHA512: 243ddbc84f0ca0f319f68028e39331f196c6085756a12820f78f996a47700ecf8066b681d265ecdbcead4439ec67e307e739acd2a07a759cb001b4170d501b9b
  • SSDEEP: 96:lrlrvxj+/ZFAAIxnkIh3qa9RDyj5tsMemPYTall:l5IjMku6e1yjXsMemPYOll

Score
8/10

Malware Config

Signatures

  • Blocklisted process makes network request (10 IoCs)
  • Enumerates physical storage devices (1 TTPs)
    Attempts to interact with connected storage/optical drive(s).
  • Modifies registry class (3 IoCs)
  • Suspicious behavior: EnumeratesProcesses (2 IoCs)
  • Suspicious behavior: GetForegroundWindowSpam (2 IoCs)
  • Suspicious use of AdjustPrivilegeToken (1 IoCs)
  • Suspicious use of SetWindowsHookEx (64 IoCs)
  • Suspicious use of WriteProcessMemory (2 IoCs)

Processes

  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\decode_Fakeupdate.ps1
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:2300
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
    PID:760
    • C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\OutputFile\Version.89.3512.58.js"
      1⤵
      • Blocklisted process makes network request
      PID:4220
    • C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\OutputFile\Version.89.3512.58.js"
      1⤵
      • Blocklisted process makes network request
      PID:4408
    • C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\OutputFile\Version.89.3512.58.js"
      1⤵
      • Blocklisted process makes network request
      PID:2908
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      1⤵
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:1820
      • C:\Windows\System32\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\OutputFile\Version.89.3512.58.js"
        2⤵
        • Blocklisted process makes network request
        PID:1880
    • C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\OutputFile\Version.89.3512.58.js"
      1⤵
      • Blocklisted process makes network request
      PID:4112
    • C:\Windows\system32\OpenWith.exe
      C:\Windows\system32\OpenWith.exe -Embedding
      1⤵
      • Modifies registry class
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      PID:2456
    • C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\OutputFile\Version.89.3512.58.js"
      1⤵
      • Blocklisted process makes network request
      PID:1896
    • C:\Windows\system32\OpenWith.exe
      C:\Windows\system32\OpenWith.exe -Embedding
      1⤵
      • Modifies registry class
      • Suspicious behavior: GetForegroundWindowSpam
      PID:4296
    • C:\Windows\System32\CScript.exe
      "C:\Windows\System32\CScript.exe" "C:\Users\Admin\Desktop\OutputFile\Version.89.3512.58.js"
      1⤵
      • Blocklisted process makes network request
      PID:4512

    Downloads

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\518DFDD116D9AD0210609502E2F95908
      Filesize: 317B
      MD5: dd982383a2370b4ffbee127c259c9bf6
      SHA1: 32a17db6fff1558e9c58e0a0b4f9ae716739f60f
      SHA256: e09c36d4677c9986b0766345054bd522b0b7352b5b1bf60762ef925b925d0668
      SHA512: 696a59808de4d380f4c89eb512472200315cc7c1d4d3e5abd7a71639f2eed273dfe8a1943556f367e1debbb3f504ce235ddf58056e3947596ba67c040c78c6b6

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_89854CA6A0F0936A4D2ECA78845CEA25
      Filesize: 1KB
      MD5: a99377a27910f2447a1d4c78a1d55540
      SHA1: 2d82c4bd9ef86fae0cede0bde4d85a52304c5cb2
      SHA256: cd3094c0df506297237c88653680d7a4e83e613696e78c30b99e428fde3c4b48
      SHA512: 406df06cbe6c28a5908bd66ab0f0d71b7e06ef8347410850f97188cfc5575c471ea388a12c5d93dbace884f8328df7ad828940b6c442e691e72d73fa8bc853a7

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\D0E1C4B6144E7ECAB3F020E4A19EFC29_03D1B482EE3032A122274428715A4E19
      Filesize: 977B
      MD5: 50cb447f2a8f99cb126cb51392696c7f
      SHA1: 80c4b991dd02b94f2d96eb07da7f197d5e3196a9
      SHA256: 0d00728a79f840f071f85740efff9a27ec0c7d1f489511b5b7c4c861767aa059
      SHA512: d99eb91f441ba2fddbb6bd0f7a19d51452a5d45fd24315ddfb1f744d2866b3d4d481e2aef38f1eff31f5434979439c4415780b7e6b0d9f15b4a56f9cb2d3d97c

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\518DFDD116D9AD0210609502E2F95908
      Filesize: 508B
      MD5: d2c73a0502ecbdaf161f585cb3655629
      SHA1: 48f22d578468bc4da0b747db084f7ef6d57d89e0
      SHA256: 377ca858e18f5d8b2c92e828d444d76e3dc04e4ba719eecaf422a845b6bbacd6
      SHA512: a3b8662e5f4cec882e2dc559f3cc671ca870fd9331ff912ddcff9654c82daf9a9d8f1f52a455524da512ab84a24942f62f1150e3daa157573e5d1f9bd36efe9a

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_89854CA6A0F0936A4D2ECA78845CEA25
      Filesize: 482B
      MD5: 38c062118b639a21cedf74faa4423e1a
      SHA1: dd97088cd20b8d5b38b832c0c820491eb14449fa
      SHA256: 5b28e83ea66f1c8f355292a61bc0b6e705b619535aeeafc7ecbf13c3799eef3e
      SHA512: 30e9bd0030e0f89da956c01a02e1188e62c82fa03b44ff6a9c6f4523ff9e202dcd8df7ffb9d75fba403e278bbebd15a98011479ab03c745290feff45631d6f94

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\D0E1C4B6144E7ECAB3F020E4A19EFC29_03D1B482EE3032A122274428715A4E19
      Filesize: 484B
      MD5: 5034bd3945ed66eac71b25936efec1d4
      SHA1: b9e9744d7574df0497d0957916f118f643270e21
      SHA256: c399acdf8143c046af3d13faea35ef3f255d3e1af10123269a80c0e0d91165ef
      SHA512: 2d33da6cd0e026fc426fe730d53eb8f27022a46bedd309f87da1ca171dfcf2a9bec1c0735427cf9f7ee9b08e22d9a6401c54211799e74fe953f5522651048f55

    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_fttjtoni.h1o.ps1
      Filesize: 60B
      MD5: d17fe0a3f47be24a6453e9ef58c94641
      SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
      SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
      SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    • memory/2300-0-0x000001DF54250000-0x000001DF54272000-memory.dmp
      Filesize: 136KB

    • memory/2300-10-0x000001DF542C0000-0x000001DF542D0000-memory.dmp
      Filesize: 64KB

    • memory/2300-11-0x000001DF542C0000-0x000001DF542D0000-memory.dmp
      Filesize: 64KB

    • memory/2300-9-0x00007FFE72C60000-0x00007FFE73722000-memory.dmp
      Filesize: 10.8MB

    • memory/2300-15-0x00007FFE72C60000-0x00007FFE73722000-memory.dmp
      Filesize: 10.8MB