Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

UMMAN İHR...33.exe

windows7-x64

10

UMMAN İHR...33.exe

windows10-2004-x64

Vitaminern...es.ps1

windows7-x64

8

Vitaminern...es.ps1

windows10-2004-x64

8

Analysis

  • max time kernel
    133s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    19/04/2024, 08:55

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Vitaminerne/Taksonomiske24/Trephining/Piloters/Recepternes.ps1

  • Size

    57KB

  • MD5

    24e44ec408c4fb8b429adb0ee5869985

  • SHA1

    1913f35995281fec0c9f586fd73d6a2f4e64a5ca

  • SHA256

    cf1db414b602f31a34655222809a3542f96a8ffcf0e43dfdbc341192f8298f71

  • SHA512

    76b152a80b4f9537c1cd3fb6209021040946c0e7c75fe907f9b95e9f4446b2f12ef54be9721de7b13929df0e1d555db38f470d43f9142b4c1b87e74768819425

  • SSDEEP

    1536:sHoiMTmNr5n2YDREJfm7g0ctkXRR7f8zYXJ4l:QoxOHifKciRdf8zYK

Score
8/10
persistence

Malware Config

Signatures

  • Modifies Installed Components in the registry 2 TTPs 1 IoCs
    persistence
  • Modifies registry class 5 IoCs
  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 13 IoCs
  • Suspicious use of FindShellTrayWindow 29 IoCs
  • Suspicious use of SendNotifyMessage 18 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\Vitaminerne\Taksonomiske24\Trephining\Piloters\Recepternes.ps1
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2020
    • C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe" /c "set /A 1^^0"
      2⤵
        PID:2720
      • C:\Windows\system32\wermgr.exe
        "C:\Windows\system32\wermgr.exe" "-outproc" "2020" "1096"
        2⤵
          PID:1924
      • C:\Windows\explorer.exe
        explorer.exe
        1⤵
        • Modifies Installed Components in the registry
        • Modifies registry class
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:2636

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\OutofProcReport259415804.txt
        Filesize

        1KB

        MD5

        285d8b2ad9f2ded6b763d9dcf4534ba0

        SHA1

        87e320881f5abc9152b36763aa5f73cad72c0e0c

        SHA256

        222f8c2297b59057cd07d28888c79bcc6f93e2c325db4c77798759d1ea467576

        SHA512

        2519045d2333d5b6d2d0ca89e16c36a5c5ed7596ada1eea9c1461326e3a6024aac6611dcbf94e8545137dd35f8eefe2d51913d1f94eed3cab65826ef48fa10f1

        Download Submit

      • memory/2020-13-0x0000000002760000-0x00000000027E0000-memory.dmp

        Filesize

        512KB

        Download

      • memory/2020-17-0x0000000002760000-0x00000000027E0000-memory.dmp

        Filesize

        512KB

        Download

      • memory/2020-6-0x000007FEF5CF0000-0x000007FEF668D000-memory.dmp

        Filesize

        9.6MB

        Download

      • memory/2020-8-0x000007FEF5CF0000-0x000007FEF668D000-memory.dmp

        Filesize

        9.6MB

        Download

      • memory/2020-9-0x0000000002760000-0x00000000027E0000-memory.dmp

        Filesize

        512KB

        Download

      • memory/2020-10-0x0000000002760000-0x00000000027E0000-memory.dmp

        Filesize

        512KB

        Download

      • memory/2020-7-0x0000000002760000-0x00000000027E0000-memory.dmp

        Filesize

        512KB

        Download

      • memory/2020-14-0x000000001B660000-0x000000001B664000-memory.dmp

        Filesize

        16KB

        Download

      • memory/2020-11-0x0000000002760000-0x00000000027E0000-memory.dmp

        Filesize

        512KB

        Download

      • memory/2020-5-0x0000000002390000-0x0000000002398000-memory.dmp

        Filesize

        32KB

        Download

      • memory/2020-4-0x000000001B1B0000-0x000000001B492000-memory.dmp

        Filesize

        2.9MB

        Download

      • memory/2020-18-0x000007FEF5CF0000-0x000007FEF668D000-memory.dmp

        Filesize

        9.6MB

        Download

      • memory/2636-19-0x0000000004320000-0x0000000004321000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2636-20-0x0000000004320000-0x0000000004321000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2636-24-0x00000000037F0000-0x0000000003800000-memory.dmp

        Filesize

        64KB

        Download