Analysis
max time kernel: 359s
max time network: 362s
platform: windows7_x64
resource: win7-20240508-en
resource tags: arch:x64 arch:x86 image:win7-20240508-en locale:en-us os:windows7-x64 system
submitted: 30/06/2024, 13:32
Static task
static1
Behavioral task
behavioral1
Sample
code.ps1
Resource
win7-20240508-en
Behavioral task
behavioral2
Sample
code.ps1
Resource
android-x86-arm-20240624-en
Behavioral task
behavioral3
Sample
code.ps1
Resource
android-x64-20240624-en
Behavioral task
behavioral4
Sample
code.ps1
Resource
android-x64-arm64-20240624-en
Behavioral task
behavioral5
Sample
code.ps1
Resource
macos-20240611-en
General
Target: code.ps1
Size: 12B
MD5: 9076483f9473251c946cb3f675f2007a
SHA1: ec28ed46fd5e5d1b9cb4b332a85889757b7af4e2
SHA256: dd69129f2285514fff0937e3b895eae52011e620e767ab4f7488511afb0f7052
SHA512: f62ff063851bd7f2b113de9d3de8c1ae96aadc219c6515d4f75779fff9a450f3ee57958369e43ec2f04ddc4d33114835f8a8ab323a2334645d72f92259b4c796
Malware Config
Signatures
  pid: 1700, Process: powershell.exe
Runs ping.exe (1 TTPs, 1 IoCs)
  pid: 2672, Process: PING.EXE
Suspicious behavior: EnumeratesProcesses (1 IoCs)
  pid: 1700, Process: powershell.exe
Suspicious use of AdjustPrivilegeToken (1 IoCs)
  description: Token: SeDebugPrivilege, pid: 1700, Process: powershell.exe
Suspicious use of WriteProcessMemory (3 IoCs)
  description: PID 1700 wrote to memory of 2672, pid: 1700, Process: powershell.exe, procid_target: 29
  description: PID 1700 wrote to memory of 2672, pid: 1700, Process: powershell.exe, procid_target: 29
  description: PID 1700 wrote to memory of 2672, pid: 1700, Process: powershell.exe, procid_target: 29
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\code.ps1
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 1700
C:\Windows\system32\PING.EXE
"C:\Windows\system32\PING.EXE" fbi.gov
- Runs ping.exe
PID: 2672