Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

1

3137663df9...0b.exe

windows7-x64

10

3137663df9...0b.exe

windows10-2004-x64

10

Borteskamo...of.ps1

windows7-x64

8

Borteskamo...of.ps1

windows10-2004-x64

8

Analysis

  • max time kernel
    133s
  • max time network
    125s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    05/04/2024, 01:29

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Borteskamoteringers/Fridtjof.ps1

  • Size

    58KB

  • MD5

    b747bba9cd5ec658f83a8f004b9ddc9b

  • SHA1

    eb25e589a4de7af6afd91ccaf9c12f30aaf3c67a

  • SHA256

    4fc178d7b0c912917422d5259e796c28f38a765bc3f56fa14df7480b49a0f2f2

  • SHA512

    7e115a0e8cc9b16cd7eeafc6aa6635815763384ab543bb92308c197af849a49e9109f775652151617dc094862313109830091f5d203f582a887595b81b875d9e

  • SSDEEP

    1536:ft7VcOuMK0tpHzCNB2PPEcs2WlyRRpAbeKbKCU:f7QgJzMB2kcs2qHbeKuCU

Score
8/10
persistence

Malware Config

Signatures

  • Modifies Installed Components in the registry 2 TTPs 1 IoCs
    persistence
  • Modifies registry class 5 IoCs
  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 13 IoCs
  • Suspicious use of FindShellTrayWindow 29 IoCs
  • Suspicious use of SendNotifyMessage 17 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\Borteskamoteringers\Fridtjof.ps1
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2172
    • C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe" /c "set /A 1^^0"
      2⤵
        PID:2896
      • C:\Windows\system32\wermgr.exe
        "C:\Windows\system32\wermgr.exe" "-outproc" "2172" "1140"
        2⤵
          PID:2380
      • C:\Windows\explorer.exe
        explorer.exe
        1⤵
        • Modifies Installed Components in the registry
        • Modifies registry class
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:2596

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\OutofProcReport259434203.txt
        Filesize

        1KB

        MD5

        66cff9c5f9606362bf3434ef9cb971dc

        SHA1

        3efc0831052f12945cfed0df06a566be08bc7f46

        SHA256

        121c166466b0eab950cdc89efda1442a0da349b4a1c6458600fc97d83570d34a

        SHA512

        282a1910348d6ea830e58f86eab0c277bd059e9f645d0ba104faa1e2a8b2a387dde34a4344b4e59a3fdd2afd0af32cd9f5012572435d1586fdb44720669c61b8

        Download Submit

      • memory/2172-13-0x00000000027B0000-0x0000000002830000-memory.dmp

        Filesize

        512KB

        Download

      • memory/2172-17-0x00000000027B0000-0x0000000002830000-memory.dmp

        Filesize

        512KB

        Download

      • memory/2172-7-0x00000000027B0000-0x0000000002830000-memory.dmp

        Filesize

        512KB

        Download

      • memory/2172-9-0x00000000027B0000-0x0000000002830000-memory.dmp

        Filesize

        512KB

        Download

      • memory/2172-8-0x00000000027B0000-0x0000000002830000-memory.dmp

        Filesize

        512KB

        Download

      • memory/2172-11-0x00000000027B0000-0x0000000002830000-memory.dmp

        Filesize

        512KB

        Download

      • memory/2172-6-0x000007FEF5F50000-0x000007FEF68ED000-memory.dmp

        Filesize

        9.6MB

        Download

      • memory/2172-14-0x000000001B9E0000-0x000000001B9E4000-memory.dmp

        Filesize

        16KB

        Download

      • memory/2172-10-0x000007FEF5F50000-0x000007FEF68ED000-memory.dmp

        Filesize

        9.6MB

        Download

      • memory/2172-5-0x0000000001EE0000-0x0000000001EE8000-memory.dmp

        Filesize

        32KB

        Download

      • memory/2172-4-0x000000001B270000-0x000000001B552000-memory.dmp

        Filesize

        2.9MB

        Download

      • memory/2172-18-0x000007FEF5F50000-0x000007FEF68ED000-memory.dmp

        Filesize

        9.6MB

        Download

      • memory/2596-19-0x00000000042C0000-0x00000000042C1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2596-20-0x00000000042C0000-0x00000000042C1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2596-24-0x00000000027A0000-0x00000000027B0000-memory.dmp

        Filesize

        64KB

        Download