Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
150s -
max time network
152s -
platform
windows10-1703_x64 -
resource
win10-20240404-en -
resource tags
-
submitted
10/07/2024, 14:45
General
-
Target
na7ena kol chay w clean.ps1
-
Size
6KB
-
MD5
0f161760a617dce88e17bca3a2a43b29
-
SHA1
69b1eacd0434d5f0e23187a370bd87ce1eb8470f
-
SHA256
7cf4969d5ef08e8c714feafa76679b1acfd55b013b9207bcbeefeb676221b587
-
SHA512
2c438ebedc5b39f7e46029b378b5832f427c247e17fac3bb632bb103bd041baf20279c0c6f16504dd10bb2145f2cb32c83115fb372e9da55810452aea1a55672
-
SSDEEP
96:2VBiIApKhdwRQUjzGN6KZ+DEtYnPuCx2OhY7ZtRfk4X7ZtvXHWfCTfTgIXkAtO8G:2TEEdwRQUjzGN6NEtYnGLRfkCIgfEAti
Malware Config
Signatures
-
Blocklisted process makes network request 64 IoCs
-
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Using powershell.exe command.
-
Checks processor information in registry 2 TTPs 5 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Modifies registry class 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 11 IoCs
-
Suspicious use of AdjustPrivilegeToken 8 IoCs
-
Suspicious use of FindShellTrayWindow 4 IoCs
-
Suspicious use of SendNotifyMessage 3 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\na7ena kol chay w clean.ps1"1⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe"2⤵
- Checks processor information in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3772.0.621780202\1842060232" -parentBuildID 20221007134813 -prefsHandle 1688 -prefMapHandle 1676 -prefsLen 20747 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {1ea5379a-e272-415b-944f-939cd56c76e3} 3772 "\\.\pipe\gecko-crash-server-pipe.3772" 1780 1611c2d8558 gpu3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3772.1.334598297\40729632" -parentBuildID 20221007134813 -prefsHandle 2168 -prefMapHandle 2164 -prefsLen 20828 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {631e2579-616f-4605-97b4-c4d5f337e82e} 3772 "\\.\pipe\gecko-crash-server-pipe.3772" 2180 161113e3758 socket3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3772.2.1242341025\2011226953" -childID 1 -isForBrowser -prefsHandle 2628 -prefMapHandle 2724 -prefsLen 20931 -prefMapSize 233444 -jsInitHandle 1228 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {49e12b57-34da-4c28-b8ab-52d5f0b97a32} 3772 "\\.\pipe\gecko-crash-server-pipe.3772" 2760 1612059d558 tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3772.3.1020366154\362247092" -childID 2 -isForBrowser -prefsHandle 3516 -prefMapHandle 3524 -prefsLen 26109 -prefMapSize 233444 -jsInitHandle 1228 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {e8f6b502-dec4-46aa-ab3e-618ac050b91b} 3772 "\\.\pipe\gecko-crash-server-pipe.3772" 3536 16121443158 tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3772.4.2105630951\155720033" -childID 3 -isForBrowser -prefsHandle 4056 -prefMapHandle 4048 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1228 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {e6984d2a-d64f-4c5d-9e1e-357e25eb96ae} 3772 "\\.\pipe\gecko-crash-server-pipe.3772" 4068 16121cbba58 tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3772.5.2042155805\21640128" -childID 4 -isForBrowser -prefsHandle 4792 -prefMapHandle 4804 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1228 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {d2d6814b-67b1-4714-a0e0-cbd0f0554f32} 3772 "\\.\pipe\gecko-crash-server-pipe.3772" 4752 16121444958 tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3772.6.49495170\1520701564" -childID 5 -isForBrowser -prefsHandle 4928 -prefMapHandle 4932 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1228 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {00fe925b-d013-4653-adb5-5acd4e4e7548} 3772 "\\.\pipe\gecko-crash-server-pipe.3772" 4648 161224fd858 tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3772.7.310548986\1597844475" -childID 6 -isForBrowser -prefsHandle 5100 -prefMapHandle 5104 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1228 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {1b656634-1e8c-4073-8840-5ce43ed2e9e5} 3772 "\\.\pipe\gecko-crash-server-pipe.3772" 5088 161224fba58 tab3⤵
-
-
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe"1⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -nop -ep Unrestriceted2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -nop -ep Unrestricted2⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
3KB
MD542d4b1d78e6e092af15c7aef34e5cf45
SHA16cf9d0e674430680f67260194d3185667a2bb77b
SHA256c4089b4313f7b8b74956faa2c4e15b9ffb1d9e5e29ac7e00a20c48b8f7aef5e0
SHA512d31f065208766eea61facc91b23babb4c94906fb564dc06d114cbbc4068516f94032c764c188bed492509010c5dbe61f096d3e986e0ae3e70a170a9986458930
-
Filesize
2KB
MD5ca1cc0acf67c5f2c64200eb2ac514399
SHA196ab421914692f538907aeddf7ed87f9632f0802
SHA2565f84a73825b2751c8dee000e6c775674d86ced3884a134f95e14de8d59af8a10
SHA5121f0687a83eeaf2261f97fddc4661c2a98c19f56ca705e58f54e303ba4b6fd7f7a65093da713043a262941a63bf47d484c810691939043ba2a3aa3ebfe1f82138
-
Filesize
1B
MD5c4ca4238a0b923820dcc509a6f75849b
SHA1356a192b7913b04c54574d18c28d46e6395428ab
SHA2566b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA5124dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a
-
Filesize
6B
MD5ce09c0c29a16e458d1dd1dd4b556419f
SHA1978406ce89e2c240b5847cd8f1058ad3fdfbee67
SHA256b06e3da67c54e6b7de7f67f80d4608e35da83eba008d30d864442d2b56e9fa1f
SHA512e047e8ffa75fa8a0f7a3ab28aaf8e8b2d408cdaca79aa91bd98a6c59ae818c09f10fb2a8253968e794efa1cc9ac4704b3ac0fa76ef8ddc97ee31e2f7f291088f
-
Filesize
2KB
MD5aa7f135753c57d8b22393b0dfa2690e6
SHA1672d34eebab848bcd1cdc127059a277d33e1f919
SHA256371b363ea028bdb4071cf2660ee700e4030758fb959e4fb5be280fef682cfdf6
SHA5129c1c74c57b1eebea92d5c015b2eefdcb4856a9fec923959eb377d754f562a762513c75dfe85504d10118b4a09c571d1e7619251f5aa365b88ccf777bd30abff9
-
Filesize
10KB
MD56440bf6d575fabc509bf6f1c4f7513c0
SHA13a608fb69f49e36785ecc94c282a47685e451d99
SHA2563e829acf8e5948a51164d0553e6463ae81dbee0518962f5d7c3b7d4c546b4e67
SHA5128d35d4d186e31e946120702b59bcd646f7409c1e1fd69173823b44b57de2f052cd14a65150e9430af57da5c5246de21333daad41a47df7c20b1e31b01bbcf860
-
Filesize
746B
MD5ad68793f82976eabcd5a06013d5bdd6e
SHA1fa43d7fabfa4d67ee6d51f11b908dbc7490e97f0
SHA2567b61f895207edd0b61c6606b00f340fc0f4efa1215c510a07acbc9819b3f6bf1
SHA512348ffa775e5c6594dca7d74375694b1907e31d265d8e705890205905ca1a1347d16725ec118d0e9b4b6168f1bede64a03455666d2809fab6bac1381a49123619
-
Filesize
6KB
MD5634d2f955b1cedc2d7615920642f1522
SHA136cd56827fe5cea7c4b0f4038b63e5ef12a6eb2a
SHA256970d41bec773aee196a4188a2ff6379b5a964022403bfceb4b059d9c6a268e8c
SHA51293ae51d5f9e41114f241f871debcab7a3e06f07ce540799e3b0aa775bdebfd2e390700f1a7fb1bed40d9d1c5a2ff8a70ff2fc790064a332044d67bfb8fa18480
-
Filesize
6KB
MD59a178715216614613df5b3b7f58c499e
SHA1e750b449492bf5fccbe8915bb4aca2a92f6960e7
SHA256d541911836b5b693d0f90e248260c2ba3bc1b51a531c98fe29ed5bb5e13b9d9f
SHA512fba9486e8c28c2cef8c83d18ba7058411ac65c77d2df4d60957db1b1dfe63232885157e6984dc50807292daca8dfb8f0bf1d953a9430402e334794632ff035a9
-
Filesize
6KB
MD59750d9053bc3ab12c9d9b7c7c87417fd
SHA10d7105d04836a5ba90199c4308bd78facaad7f27
SHA256a648aceec1b0743b1dd5433da72c087f102546b0d615a65f72ddb92bc8398b68
SHA512aecbb667079c098d63e9cb13eaaceb2e6006f65ad0a46263f81d02163fff4b652e64894caff29cd131999b311f684804c058e37a45939a69dcbc40f1c94fdff2
-
Filesize
1KB
MD5242dc280fd5c6d504387132653c9ec85
SHA13aaa1a51f2f3de2af0c95a0b21d435b261ac0273
SHA25656a393ef8d4ddc42a9cf1006fe1fc0ee34fbfdad13594ed34a3900fa822f2972
SHA51212b82485104b4d966174d259bd897c6e2a4e7c9fc51830ea6eeb23cfbc1dd1387b5d70def6e513e992c84cf87f9b2671b1a03f17142d4a55cf19ed3d757efed1
-
Filesize
120KB
-
Filesize
9.9MB
-
Filesize
472KB
-
Filesize
136KB
-
Filesize
9.9MB
-
Filesize
9.9MB
-
Filesize
9.9MB
-
Filesize
4KB
-
Filesize
9.9MB
-
Filesize
4KB
-
Filesize
9.9MB
-
Filesize
9.9MB
-
Filesize
9.9MB
-
Filesize
9.9MB
-
Filesize
9.9MB
-
Filesize
240KB