Analysis
max time kernel: 117s
max time network: 118s
platform: windows7_x64
resource: win7-20240215-en
resource tags: arch:x64, arch:x86, image:win7-20240215-en, locale:en-us, os:windows7-x64, system
submitted: 06/03/2024, 16:48

Static task: static1
Behavioral task: behavioral1
Sample: deimos.ps1
Resource: win7-20240215-en
General
Target: deimos.ps1
Size: 12.4MB
MD5: 3d66aa2521f3e024a926350ac22c0622
SHA1: e92999c0809b144c20f0ceac95e9e39cd788124a
SHA256: 2de324d57bb96154e70958eea97713553f59025ca39220aec5d53c908cbf4645
SHA512: 1dd56755dd7dfa322d25cf4733417e099e63ba688e6173f01ff7abe825a5c6685362bae3026908f13f0a110e2a3d0377ea9cb3457e4ae46e450be300d3af9fd0
SSDEEP: 49152:t4h5SOsvIuP8mqGsqFnv5GQDuam+yZncMLhfbfUlSe+dPR9DV4mmabYp8Q76Xiji:C
Malware Config
Signatures

Suspicious behavior: EnumeratesProcesses (4 IoCs)
  pid   Process
  2816  powershell.exe
  2816  powershell.exe
  2816  powershell.exe
  2816  powershell.exe

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  pid   Process
  2608  AcroRd32.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
  description               pid   Process
  Token: SeDebugPrivilege   2816  powershell.exe

Suspicious use of SetWindowsHookEx (3 IoCs)
  pid   Process
  2608  AcroRd32.exe
  2608  AcroRd32.exe
  2608  AcroRd32.exe

Suspicious use of WriteProcessMemory (10 IoCs)
  description                        pid   Process         procid_target
  PID 2816 wrote to memory of 2312   2816  powershell.exe  29
  PID 2816 wrote to memory of 2312   2816  powershell.exe  29
  PID 2816 wrote to memory of 2312   2816  powershell.exe  29
  PID 2312 wrote to memory of 2500   2312  csc.exe         30
  PID 2312 wrote to memory of 2500   2312  csc.exe         30
  PID 2312 wrote to memory of 2500   2312  csc.exe         30
  PID 2816 wrote to memory of 2608   2816  powershell.exe  31
  PID 2816 wrote to memory of 2608   2816  powershell.exe  31
  PID 2816 wrote to memory of 2608   2816  powershell.exe  31
  PID 2816 wrote to memory of 2608   2816  powershell.exe  31
Processes

1. C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
   Command line: powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\deimos.ps1
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   PID: 2816

   2. C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
      Command line: "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\znx1rruk.cmdline"
      - Suspicious use of WriteProcessMemory
      PID: 2312

      3. C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
         Command line: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1527.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC1516.tmp"
         PID: 2500

   2. C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
      Command line: "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\~P9341841.pdf"
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of SetWindowsHookEx
      PID: 2608
Network
MITRE ATT&CK Matrix
Downloads