Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

Специ...я.exe

windows7-x64

10

Специ...я.exe

windows10-2004-x64

Fellator/P...rt.ps1

windows7-x64

8

Fellator/P...rt.ps1

windows10-2004-x64

8

Analysis

  • max time kernel
    132s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    18/04/2024, 15:36

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Fellator/Paletter/Lowbyte/Avanceringen157/Rekrt.ps1

  • Size

    56KB

  • MD5

    2354362f1cb0a39baef7da6969832048

  • SHA1

    ed2a3597370eea69ea017af285c99d1b60556a0c

  • SHA256

    f5129323c012e960d4b1a619a95757cc81675275e4c795883004c54da5ed3bb2

  • SHA512

    a09dbc69627bd42180fe9cf8fc7234798e30296de3a2b35a0c071e7507d9a63a5dc3f0873183a8bd93e929e05ea5d647323cf2905f4550cfb8cc5ee07353999a

  • SSDEEP

    1536:cNNoZXAoFiKJ3QQkAZAheVVkK95OhXOEFcKNmRAbUmptcI:cNWZJU+Y6MOVvWUKNsA4mgI

Score
8/10
persistence

Malware Config

Signatures

  • Modifies Installed Components in the registry 2 TTPs 1 IoCs
    persistence
  • Modifies registry class 5 IoCs
  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 13 IoCs
  • Suspicious use of FindShellTrayWindow 29 IoCs
  • Suspicious use of SendNotifyMessage 17 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\Fellator\Paletter\Lowbyte\Avanceringen157\Rekrt.ps1
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2984
    • C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe" /c "set /A 1^^0"
      2⤵
        PID:2232
      • C:\Windows\system32\wermgr.exe
        "C:\Windows\system32\wermgr.exe" "-outproc" "2984" "1084"
        2⤵
          PID:2636
      • C:\Windows\explorer.exe
        explorer.exe
        1⤵
        • Modifies Installed Components in the registry
        • Modifies registry class
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:2628

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\OutofProcReport259406072.txt
        Filesize

        1KB

        MD5

        1a7052f913ba4fc86c0e0ab48fe35934

        SHA1

        3bce6b9e16620dd05dccc3ea0ff26d89659439c0

        SHA256

        ce227917ca38320e34b8b1900586521770efedf052883d4beedbed62f7ac76d9

        SHA512

        30f1b2fa9d0b73f795c693d0dca61d1324d220b366f756fe120f4d283c1892e63b422cd6578d2ad63338df3663d84bf62f9305a574f7dcbbc99ef583c5baa180

        Download Submit

      • memory/2628-24-0x0000000002B30000-0x0000000002B40000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2628-20-0x00000000047E0000-0x00000000047E1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2628-19-0x00000000047E0000-0x00000000047E1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2984-13-0x0000000002D90000-0x0000000002E10000-memory.dmp

        Filesize

        512KB

        Download

      • memory/2984-10-0x0000000002D90000-0x0000000002E10000-memory.dmp

        Filesize

        512KB

        Download

      • memory/2984-9-0x0000000002D90000-0x0000000002E10000-memory.dmp

        Filesize

        512KB

        Download

      • memory/2984-11-0x0000000002D90000-0x0000000002E10000-memory.dmp

        Filesize

        512KB

        Download

      • memory/2984-5-0x000007FEF5AC0000-0x000007FEF645D000-memory.dmp

        Filesize

        9.6MB

        Download

      • memory/2984-8-0x000007FEF5AC0000-0x000007FEF645D000-memory.dmp

        Filesize

        9.6MB

        Download

      • memory/2984-15-0x0000000002A30000-0x0000000002A34000-memory.dmp

        Filesize

        16KB

        Download

      • memory/2984-17-0x0000000002D90000-0x0000000002E10000-memory.dmp

        Filesize

        512KB

        Download

      • memory/2984-18-0x000007FEF5AC0000-0x000007FEF645D000-memory.dmp

        Filesize

        9.6MB

        Download

      • memory/2984-6-0x0000000001EF0000-0x0000000001EF8000-memory.dmp

        Filesize

        32KB

        Download

      • memory/2984-7-0x0000000002D90000-0x0000000002E10000-memory.dmp

        Filesize

        512KB

        Download

      • memory/2984-4-0x000000001B7B0000-0x000000001BA92000-memory.dmp

        Filesize

        2.9MB

        Download