Analysis
- max time kernel: 472s
- max time network: 439s
- platform: windows10-1703_x64
- resource: win10-20240404-en
- resource tags: arch:x64, arch:x86, image:win10-20240404-en, locale:en-us, os:windows10-1703-x64, system
- submitted: 25/04/2024, 18:25
Static task: static1
Behavioral task: behavioral1
- Sample: file.ps1
- Resource: win10-20240404-en
General
- Target: file.ps1
- Size: 19B
- MD5: d297f8427954b956e7676e1df8ac5c5d
- SHA1: 92efbb85acdb95ce97848cd39eb642ee9ed30176
- SHA256: 1981f33487cf5b907de5ed1d44ccd5f0664248b54ed99d7f526cd67ff0b43d2a
- SHA512: efb5ae08929d5bf9e175212ff2aae3c91b9f11f8698a752c685a574e84925c2aad02536b6ba3de367f144905c30693f60babd8f3415e22990e30ab6747ea7141
Malware Config
Signatures
- Drops file in System32 directory (2 IoCs)
  description | ioc | process
  File opened for modification | C:\Windows\System32\%AppData%\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\Windows PowerShell.lnk | PowerShell.exe
  File created | C:\Windows\System32\LogonUI.exe | cmd.exe
  Note: the .lnk path still contains the literal, unexpanded %AppData% token, so it is a relative path that was resolved against a System32 working directory rather than a write into the user's Start Menu folder; treat that hit as a path-expansion artifact, not as a drop into System32.
- Suspicious behavior: EnumeratesProcesses (9 IoCs)
  pid | process
  2908 | powershell.exe (3 hits)
  912 | powershell.exe (3 hits)
  2396 | PowerShell.exe (3 hits)
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  description | pid | process
  Token: SeDebugPrivilege | 2908 | powershell.exe
  Token: SeDebugPrivilege | 912 | powershell.exe
  Token: SeDebugPrivilege | 2396 | PowerShell.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  description | pid | process | target id
  PID 4040 wrote to memory of 4088 | 4040 | cmd.exe | 90 (2 hits)
  PID 4040 wrote to memory of 5088 | 4040 | cmd.exe | 91 (2 hits)
  Note: both targets are children that 4040 itself spawned (see the process tree below); a parent writing into its freshly created child is part of ordinary process creation and fires this signature for any parent/child pair, so on its own it is not evidence of injection.
Processes
Only PID 2908 is the sandbox's launch of file.ps1 (the behavioral task); the other top-level entries have no parent link to it in the tree. Indented entries are children of the entry above them.
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2908)
  command line: powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\file.ps1
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 912)
  command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\System32\rundll32.exe (PID 4616)
  command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
- C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe (PID 2396)
  command line: "PowerShell.exe" -noexit -command Set-Location -literalPath 'C:\Windows'
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\cmd.exe (PID 4040)
  command line: "C:\Windows\system32\cmd.exe"
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  - C:\Windows\system32\cmd.exe (PID 4088, child of 4040)
    command line: C:\Windows\system32\cmd.exe /S /D /c" start cmd.exe /k @echo a 1>C:\Windows"
  - C:\Windows\system32\cmd.exe (PID 5088, child of 4040)
    command line: C:\Windows\system32\cmd.exe /S /D /c" echo a 1>C:\Windows"
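The process tree above contains everything needed to re-derive the command-line-based findings as hunt rules: the `-ExecutionPolicy bypass -File ...\AppData\Local\Temp\...` launch of the sample and the two cmd.exe children redirecting output into C:\Windows. The following is an added example (not tria.ge code): it replays constructed process-creation events copied from the tree, applies three rules, and rebuilds the parent/child relationships. PIDs, images and command lines are taken from the report; a parent PID of 0 for the top-level processes is an assumption, since the report shows no parent for them.

```python
"""Re-derive command-line signatures and the process tree from the report.

Added example, not tria.ge code. Events are constructed from the process
tree in the report above; ppid 0 for top-level processes is an assumption.
"""
import re
from dataclasses import dataclass
from typing import Callable, Dict, List


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


# Constructed from the report's process tree (PIDs and command lines copied).
EVENTS: List[ProcEvent] = [
    ProcEvent(2908, 0, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\file.ps1"),
    ProcEvent(912, 0, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"'),
    ProcEvent(4616, 0, r"C:\Windows\System32\rundll32.exe",
              r"C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll "
              r"{9aa46009-3ce0-458a-a354-715610a075e6} -Embedding"),
    ProcEvent(2396, 0, r"C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe",
              "\"PowerShell.exe\" -noexit -command Set-Location -literalPath 'C:\\Windows'"),
    ProcEvent(4040, 0, r"C:\Windows\system32\cmd.exe", r'"C:\Windows\system32\cmd.exe"'),
    ProcEvent(4088, 4040, r"C:\Windows\system32\cmd.exe",
              r'C:\Windows\system32\cmd.exe /S /D /c" start cmd.exe /k @echo a 1>C:\Windows"'),
    ProcEvent(5088, 4040, r"C:\Windows\system32\cmd.exe",
              r'C:\Windows\system32\cmd.exe /S /D /c" echo a 1>C:\Windows"'),
]

# -ExecutionPolicy bypass, including the abbreviations powershell.exe accepts (-ex, -exec, -ep).
EP_BYPASS = re.compile(r"(?:^|\s)-(?:executionpolicy|exec|ex|ep)\s+bypass\b", re.I)
# -File (or -F) pointing into the user's Temp directory.
TEMP_SCRIPT = re.compile(r"(?:^|\s)-f(?:ile)?\s+\S*\\AppData\\Local\\Temp\\", re.I)
# Output redirection (>, 1>, >>) whose target is C:\Windows or below it.
REDIRECT_WINDOWS = re.compile(r"\d?>>?\s*\"?C:\\Windows(?:\\|\"|\s|$)", re.I)


def _is(image: str, name: str) -> bool:
    return image.lower().endswith("\\" + name)


RULES: Dict[str, Callable[[ProcEvent], bool]] = {
    "powershell_executionpolicy_bypass":
        lambda e: _is(e.image, "powershell.exe") and bool(EP_BYPASS.search(e.cmdline)),
    "powershell_script_from_temp":
        lambda e: _is(e.image, "powershell.exe") and bool(TEMP_SCRIPT.search(e.cmdline)),
    "cmd_redirect_into_windows_dir":
        lambda e: _is(e.image, "cmd.exe") and bool(REDIRECT_WINDOWS.search(e.cmdline)),
}


def match_signatures(events: List[ProcEvent]) -> Dict[str, List[int]]:
    """Return {rule_name: [pids]} for every rule that fires, in event order."""
    hits: Dict[str, List[int]] = {}
    for ev in events:
        for name, pred in RULES.items():
            if pred(ev):
                hits.setdefault(name, []).append(ev.pid)
    return hits


def children(events: List[ProcEvent]) -> Dict[int, List[int]]:
    """Parent PID -> child PIDs, i.e. the tree the report draws with indentation."""
    tree: Dict[int, List[int]] = {}
    for ev in events:
        tree.setdefault(ev.ppid, []).append(ev.pid)
    return tree


def lineage(events: List[ProcEvent], pid: int) -> List[int]:
    """Ancestors of a PID, nearest parent first, stopping at a parent not in the event set."""
    by_pid = {e.pid: e for e in events}
    chain: List[int] = []
    while pid in by_pid and by_pid[pid].ppid in by_pid:
        pid = by_pid[pid].ppid
        chain.append(pid)
    return chain


if __name__ == "__main__":
    for rule, pids in match_signatures(EVENTS).items():
        print(f"{rule}: {pids}")
    print("process tree:", children(EVENTS))
```

The rules deliberately match the abbreviated forms of `-ExecutionPolicy` and `-File`, which powershell.exe accepts and which a rule keyed on the full spelling would miss; `lineage` is what turns the two redirecting cmd.exe children back into "spawned by 4040", the relationship the WriteProcessMemory signature is reporting.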
Network
MITRE ATT&CK Matrix
Downloads
- (unnamed) Filesize: 2KB
  MD5: c6b0a774fa56e0169ed7bb7b25c114dd
  SHA1: bcdba7d4ecfff2180510850e585b44691ea81ba5
  SHA256: b87210c4a0814394371ec7fba00fc02d9adbb22bcb1811a2abab46fdf4325da9
  SHA512: 42295d57f735c31749235c8463ac2c31778bff46a6a16c87918440d0b2fc70d2f1f6fb10d2499105866f7022108bbda4268d2580356245bd19bbed1ee3a2c446
- (unnamed) Filesize: 50KB
  MD5: 2143b379fed61ab5450bab1a751798ce
  SHA1: 32f5b4e8d1387688ee5dec6b3cc6fd27b454f19e
  SHA256: a2c739624812ada0913f2fbfe13228e7e42a20efdcb6d5c4e111964f9b620f81
  SHA512: 0bc39e3b666fdad76bcf4fe7e7729c9e8441aa2808173efc8030ce07c753cb5f7e25d81dd8ec75e7a5b6324b7504ff461e470023551976a2a6a415d6a4859bfa
- (unnamed) Filesize: 1B
  MD5: c4ca4238a0b923820dcc509a6f75849b
  SHA1: 356a192b7913b04c54574d18c28d46e6395428ab
  SHA256: 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
  SHA512: 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a
- (unnamed) Filesize: 21B
  MD5: 05e322bed267ef3aed20d4b11cf8e807
  SHA1: c1068c7a77edfdb200b285f439fc4d7d76af0da8
  SHA256: e604eb19ce1b369745727491a1ec8f15f19a4ab94165d46191ca73e6edd911c2
  SHA512: 733776998c18c17a9b09c9907811f8725f47b0829b46ea560d94f94d1b5501d32de6250009b0b42acdd3496f7846932638fda932c3b9d7f248a87039519ec91e
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
  Filesize: 5KB
  MD5: 3fe60d3e64fde51cc52dedda293bd0e3
  SHA1: 857cc97e1028a2b0e97030f04d9bb52e584ffc3a
  SHA256: c628a9f17b4809e70f55c1ae840039be6b0bc3b0a25a45d9104116a807d1d2c6
  SHA512: 860ac0726ff5440ba1379a753b38f1047430eef0a68fdb626452f7d2a49ddacbf3bba4d5ee686fd348d561ac05e1b67d7b7b657db97b76ad5063aac84733e1ec
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms (second capture)
  Filesize: 6KB
  MD5: e3aaf00d8d9b048dbe9bf7d38ca6edce
  SHA1: f181a5b0ec2fbf405741793c51d4d5b90f2b6b08
  SHA256: 86ae34e729e2dad18fb1669d98252c7ef39588e1c918de4ccfa4da3d9456bca3
  SHA512: 41009587ceb4f6fad7f891c97e6965270b867cd98d10234d391dd87dd3dd1e15f2f35e3e14d87044d728e1a99a684088076ac0ce419a1259b619b827ff574777
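The report gives only digests for the four unnamed dropped files, but for a file of one or two bytes that is enough to recover the content: enumerate every candidate and keep the one whose MD5, SHA1, SHA256 and SHA512 all agree with the listed values. The following is an added example (not tria.ge code) that does this for the 1B and 21B records copied from the Downloads section above; the 21B file is well beyond what can be enumerated and is returned as unrecoverable rather than guessed.

```python
"""Recover a tiny dropped file from the digests listed in a sandbox report.

Added example, not tria.ge code. Digest records are copied from the
report's Downloads section; nothing else about the files is assumed.
"""
import hashlib
from itertools import product
from typing import Dict, Optional

ALGOS = ("md5", "sha1", "sha256", "sha512")

# Copied from the report: the 1B unnamed dropped file.
ONE_BYTE_FILE: Dict[str, object] = {
    "size": 1,
    "md5": "c4ca4238a0b923820dcc509a6f75849b",
    "sha1": "356a192b7913b04c54574d18c28d46e6395428ab",
    "sha256": "6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b",
    "sha512": "4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b3"
              "7b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a",
}

# Copied from the report: the 21B unnamed dropped file (too large to enumerate).
TWENTY_ONE_BYTE_FILE: Dict[str, object] = {
    "size": 21,
    "md5": "05e322bed267ef3aed20d4b11cf8e807",
    "sha1": "c1068c7a77edfdb200b285f439fc4d7d76af0da8",
    "sha256": "e604eb19ce1b369745727491a1ec8f15f19a4ab94165d46191ca73e6edd911c2",
    "sha512": "733776998c18c17a9b09c9907811f8725f47b0829b46ea560d94f94d1b5501d3"
              "2de6250009b0b42acdd3496f7846932638fda932c3b9d7f248a87039519ec91e",
}


def digests_match(data: bytes, record: Dict[str, object]) -> bool:
    """True if every digest present in the record agrees with the data."""
    return all(
        hashlib.new(algo, data).hexdigest() == str(record[algo]).lower()
        for algo in ALGOS if algo in record
    )


def recover_tiny_file(record: Dict[str, object], max_len: int = 2) -> Optional[bytes]:
    """Brute-force the content of a dropped file of at most max_len bytes.

    Returns None when the file is too large to enumerate (256**size
    candidates) or when no candidate satisfies every listed digest, which
    would mean the record's hashes are inconsistent with its size.
    """
    size = int(record["size"])
    if size > max_len:
        return None
    for candidate in product(range(256), repeat=size):
        data = bytes(candidate)
        if digests_match(data, record):
            return data
    return None


if __name__ == "__main__":
    print(recover_tiny_file(ONE_BYTE_FILE))         # b'1'
    print(recover_tiny_file(TWENTY_ONE_BYTE_FILE))  # None
```

Checking all four digests, not just MD5, is what makes the recovered byte trustworthy: a single-byte collision against one 128-bit hash is already impossible in practice, but requiring agreement across all listed digests also catches a report whose size and hashes do not belong to the same file.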