Analysis

  • max time kernel
    1750s
  • max time network
    1799s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240709-en
  • resource tags

    arch:x64
    arch:x86
    image:win11-20240709-en
    locale:en-us
    os:windows11-21h2-x64
    system
  • submitted
    21/07/2024, 09:35 UTC

General

  • Target

    windows.ps1

  • Size

    467B

  • MD5

    63f6c82077c4c39d6d9101409b16a668

  • SHA1

    09d1960993c90f39607f437a2106b65db7aeae29

  • SHA256

    18284686feab2a0753bd0059a64004d8b86bb47048065cba12d323efbb6cc891

  • SHA512

    3bbf47af04fae3e7fd921bf1319e652c879d6132d4ea495cb7d6f47a38b9a4fb09f7be4af14c2d0c7357febd893c16639268dc82ec3b9194d0d4dc54723e1a34

Score
8/10

Malware Config

Signatures

  • Blocklisted process makes network request 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Using powershell.exe command.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 22 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\windows.ps1
    1⤵
    • Blocklisted process makes network request
    • Command and Scripting Interpreter: PowerShell
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4188
    • C:\Users\Admin\AppData\Local\Temp\ccminer\ccminer\ccminer.exe
      "C:\Users\Admin\AppData\Local\Temp\ccminer\ccminer\ccminer.exe" -a verus -o stratum+tcp://de.vipor.net:5040 -u RHACKERwSVgjTvV4vNiTjmrkLTD7a92ALD.Windows -p x -t 2
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:1912
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c cls
        3⤵
          PID:2860

    Network

    • flag-us
      DNS
      raw.githubusercontent.com
      powershell.exe
      Remote address:
      8.8.8.8:53
      Request
      raw.githubusercontent.com
      IN A
      Response
      raw.githubusercontent.com
      IN A
      185.199.111.133
      raw.githubusercontent.com
      IN A
      185.199.110.133
      raw.githubusercontent.com
      IN A
      185.199.109.133
      raw.githubusercontent.com
      IN A
      185.199.108.133
    • flag-us
      DNS
      133.111.199.185.in-addr.arpa
      powershell.exe
      Remote address:
      8.8.8.8:53
      Request
      133.111.199.185.in-addr.arpa
      IN PTR
      Response
      133.111.199.185.in-addr.arpa
      IN PTR
      cdn-185-199-111-133.github.com
    • flag-us
      DNS
      205.34.195.51.in-addr.arpa
      powershell.exe
      Remote address:
      8.8.8.8:53
      Request
      205.34.195.51.in-addr.arpa
      IN PTR
      Response
      205.34.195.51.in-addr.arpa
      IN PTR
      ip205.ip-51-195-34.eu
    • flag-us
      DNS
      self.events.data.microsoft.com
      powershell.exe
      Remote address:
      8.8.8.8:53
      Request
      self.events.data.microsoft.com
      IN A
      Response
      self.events.data.microsoft.com
      IN CNAME
      self-events-data.trafficmanager.net
      self-events-data.trafficmanager.net
      IN CNAME
      onedscolprduks04.uksouth.cloudapp.azure.com
      onedscolprduks04.uksouth.cloudapp.azure.com
      IN A
      51.104.15.253
    • flag-us
      DNS
      login.live.com
      powershell.exe
      Remote address:
      8.8.8.8:53
      Request
      login.live.com
      IN A
      Response
      login.live.com
      IN CNAME
      login.msa.msidentity.com
      login.msa.msidentity.com
      IN CNAME
      www.tm.lg.prod.aadmsa.trafficmanager.net
      www.tm.lg.prod.aadmsa.trafficmanager.net
      IN CNAME
      prdv4a.aadg.msidentity.com
      prdv4a.aadg.msidentity.com
      IN CNAME
      www.tm.v4.a.prd.aadg.akadns.net
      www.tm.v4.a.prd.aadg.akadns.net
      IN A
      20.190.159.4
      www.tm.v4.a.prd.aadg.akadns.net
      IN A
      20.190.159.73
      www.tm.v4.a.prd.aadg.akadns.net
      IN A
      40.126.31.69
      www.tm.v4.a.prd.aadg.akadns.net
      IN A
      20.190.159.0
      www.tm.v4.a.prd.aadg.akadns.net
      IN A
      20.190.159.68
      www.tm.v4.a.prd.aadg.akadns.net
      IN A
      20.190.159.75
      www.tm.v4.a.prd.aadg.akadns.net
      IN A
      20.190.159.64
      www.tm.v4.a.prd.aadg.akadns.net
      IN A
      20.190.159.23
    • flag-us
      DNS
      ocsp.digicert.com
      powershell.exe
      Remote address:
      8.8.8.8:53
      Request
      ocsp.digicert.com
      IN A
      Response
      ocsp.digicert.com
      IN CNAME
      ocsp.edge.digicert.com
      ocsp.edge.digicert.com
      IN CNAME
      fp2e7a.wpc.2be4.phicdn.net
      fp2e7a.wpc.2be4.phicdn.net
      IN CNAME
      fp2e7a.wpc.phicdn.net
      fp2e7a.wpc.phicdn.net
      IN A
      192.229.221.95
    • flag-us
      DNS
      240.221.184.93.in-addr.arpa
      powershell.exe
      Remote address:
      8.8.8.8:53
      Request
      240.221.184.93.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      88.156.103.20.in-addr.arpa
      powershell.exe
      Remote address:
      8.8.8.8:53
      Request
      88.156.103.20.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      172.214.232.199.in-addr.arpa
      powershell.exe
      Remote address:
      8.8.8.8:53
      Request
      172.214.232.199.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      81.144.22.2.in-addr.arpa
      powershell.exe
      Remote address:
      8.8.8.8:53
      Request
      81.144.22.2.in-addr.arpa
      IN PTR
      Response
      81.144.22.2.in-addr.arpa
      IN PTR
      a2-22-144-81.deploy.static.akamaitechnologies.com
    • flag-us
      DNS
      10.28.171.150.in-addr.arpa
      powershell.exe
      Remote address:
      8.8.8.8:53
      Request
      10.28.171.150.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      10.27.171.150.in-addr.arpa
      powershell.exe
      Remote address:
      8.8.8.8:53
      Request
      10.27.171.150.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      8.8.8.8.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      8.8.8.8.in-addr.arpa
      IN PTR
      Response
      8.8.8.8.in-addr.arpa
      IN PTR
      dns.google
    • flag-us
      DNS
      de.vipor.net
      Remote address:
      8.8.8.8:53
      Request
      de.vipor.net
      IN A
      Response
      de.vipor.net
      IN CNAME
      de.vipordns.net
      de.vipordns.net
      IN A
      51.195.34.205
    • flag-us
      DNS
      nexusrules.officeapps.live.com
      Remote address:
      8.8.8.8:53
      Request
      nexusrules.officeapps.live.com
      IN A
      Response
      nexusrules.officeapps.live.com
      IN CNAME
      prod.nexusrules.live.com.akadns.net
      prod.nexusrules.live.com.akadns.net
      IN A
      52.111.227.14
    • flag-us
      DNS
      253.15.104.51.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      253.15.104.51.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      ctldl.windowsupdate.com
      Remote address:
      8.8.8.8:53
      Request
      ctldl.windowsupdate.com
      IN A
      Response
      ctldl.windowsupdate.com
      IN CNAME
      ctldl.windowsupdate.com.delivery.microsoft.com
      ctldl.windowsupdate.com.delivery.microsoft.com
      IN CNAME
      wu-b-net.trafficmanager.net
      wu-b-net.trafficmanager.net
      IN CNAME
      wu.azureedge.net
      wu.azureedge.net
      IN CNAME
      wu.ec.azureedge.net
      wu.ec.azureedge.net
      IN CNAME
      bg.apr-52dd2-0503.edgecastdns.net
      bg.apr-52dd2-0503.edgecastdns.net
      IN CNAME
      hlb.apr-52dd2-0.edgecastdns.net
      hlb.apr-52dd2-0.edgecastdns.net
      IN CNAME
      cs11.wpc.v0cdn.net
      cs11.wpc.v0cdn.net
      IN A
      93.184.221.240
    • flag-us
      DNS
      4.159.190.20.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      4.159.190.20.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      arc.msn.com
      Remote address:
      8.8.8.8:53
      Request
      arc.msn.com
      IN A
      Response
      arc.msn.com
      IN CNAME
      arc.trafficmanager.net
      arc.trafficmanager.net
      IN CNAME
      iris-de-prod-azsc-v2-weu.westeurope.cloudapp.azure.com
      iris-de-prod-azsc-v2-weu.westeurope.cloudapp.azure.com
      IN A
      20.103.156.88
    • flag-us
      DNS
      ctldl.windowsupdate.com
      Remote address:
      8.8.8.8:53
      Request
      ctldl.windowsupdate.com
      IN A
      Response
      ctldl.windowsupdate.com
      IN CNAME
      ctldl.windowsupdate.com.delivery.microsoft.com
      ctldl.windowsupdate.com.delivery.microsoft.com
      IN CNAME
      wu-b-net.trafficmanager.net
      wu-b-net.trafficmanager.net
      IN CNAME
      bg.microsoft.map.fastly.net
      bg.microsoft.map.fastly.net
      IN A
      199.232.214.172
      bg.microsoft.map.fastly.net
      IN A
      199.232.210.172
    • flag-us
      DNS
      ctldl.windowsupdate.com
      Remote address:
      8.8.8.8:53
      Request
      ctldl.windowsupdate.com
      IN A
      Response
      ctldl.windowsupdate.com
      IN CNAME
      ctldl.windowsupdate.com.delivery.microsoft.com
      ctldl.windowsupdate.com.delivery.microsoft.com
      IN CNAME
      wu-b-net.trafficmanager.net
      wu-b-net.trafficmanager.net
      IN CNAME
      download.windowsupdate.com.edgesuite.net
      download.windowsupdate.com.edgesuite.net
      IN CNAME
      a767.dspw65.akamai.net
      a767.dspw65.akamai.net
      IN A
      2.22.144.81
      a767.dspw65.akamai.net
      IN A
      2.22.144.73
    • flag-us
      DNS
      tse1.mm.bing.net
      Remote address:
      8.8.8.8:53
      Request
      tse1.mm.bing.net
      IN A
      Response
      tse1.mm.bing.net
      IN CNAME
      mm-mm.bing.net.trafficmanager.net
      mm-mm.bing.net.trafficmanager.net
      IN CNAME
      ax-0001.ax-msedge.net
      ax-0001.ax-msedge.net
      IN A
      150.171.28.10
      ax-0001.ax-msedge.net
      IN A
      150.171.27.10
    • flag-us
      DNS
      tse1.mm.bing.net
      Remote address:
      8.8.8.8:53
      Request
      tse1.mm.bing.net
      IN A
      Response
      tse1.mm.bing.net
      IN CNAME
      mm-mm.bing.net.trafficmanager.net
      mm-mm.bing.net.trafficmanager.net
      IN CNAME
      ax-0001.ax-msedge.net
      ax-0001.ax-msedge.net
      IN A
      150.171.27.10
      ax-0001.ax-msedge.net
      IN A
      150.171.28.10
    • 185.199.111.133:443
      raw.githubusercontent.com
      tls
      powershell.exe
      27.3kB
      1.5MB
      574
      1062
    • 51.195.34.205:5040
      de.vipor.net
      ccminer.exe
      397.8kB
      79.6kB
      610
      390
    • 150.171.28.10:443
      tse1.mm.bing.net
      tls
      1.6kB
      7.2kB
      17
      15
    • 150.171.28.10:443
      tse1.mm.bing.net
      tls
      1.6kB
      7.2kB
      17
      15
    • 150.171.28.10:443
      tse1.mm.bing.net
      tls
      97.9kB
      2.5MB
      1805
      1800
    • 150.171.28.10:443
      tse1.mm.bing.net
      tls
      1.6kB
      7.2kB
      17
      15
    • 150.171.28.10:443
      tse1.mm.bing.net
      tls
      1.6kB
      7.2kB
      17
      15
    • 150.171.27.10:443
      tse1.mm.bing.net
      tls
      1.6kB
      7.2kB
      17
      14
    • 150.171.27.10:443
      tse1.mm.bing.net
      tls
      1.6kB
      7.2kB
      17
      15
    • 150.171.27.10:443
      tse1.mm.bing.net
      tls
      1.6kB
      7.2kB
      17
      15
    • 150.171.27.10:443
      tse1.mm.bing.net
      tls
      135.2kB
      3.9MB
      2821
      2814
    • 150.171.27.10:443
      tse1.mm.bing.net
      tls
      1.6kB
      7.2kB
      17
      15
    • 8.8.8.8:53
      raw.githubusercontent.com
      dns
      powershell.exe
      849 B
      1.9kB
      12
      12

      DNS Request

      raw.githubusercontent.com

      DNS Response

      185.199.111.133
      185.199.110.133
      185.199.109.133
      185.199.108.133

      DNS Request

      133.111.199.185.in-addr.arpa

      DNS Request

      205.34.195.51.in-addr.arpa

      DNS Request

      self.events.data.microsoft.com

      DNS Response

      51.104.15.253

      DNS Request

      login.live.com

      DNS Response

      20.190.159.4
      20.190.159.73
      40.126.31.69
      20.190.159.0
      20.190.159.68
      20.190.159.75
      20.190.159.64
      20.190.159.23

      DNS Request

      ocsp.digicert.com

      DNS Response

      192.229.221.95

      DNS Request

      240.221.184.93.in-addr.arpa

      DNS Request

      88.156.103.20.in-addr.arpa

      DNS Request

      172.214.232.199.in-addr.arpa

      DNS Request

      81.144.22.2.in-addr.arpa

      DNS Request

      10.28.171.150.in-addr.arpa

      DNS Request

      10.27.171.150.in-addr.arpa

    • 8.8.8.8:53
      8.8.8.8.in-addr.arpa
      dns
      731 B
      2.0kB
      11
      11

      DNS Request

      8.8.8.8.in-addr.arpa

      DNS Request

      de.vipor.net

      DNS Response

      51.195.34.205

      DNS Request

      nexusrules.officeapps.live.com

      DNS Response

      52.111.227.14

      DNS Request

      253.15.104.51.in-addr.arpa

      DNS Request

      ctldl.windowsupdate.com

      DNS Response

      93.184.221.240

      DNS Request

      4.159.190.20.in-addr.arpa

      DNS Request

      arc.msn.com

      DNS Response

      20.103.156.88

      DNS Request

      ctldl.windowsupdate.com

      DNS Response

      199.232.214.172
      199.232.210.172

      DNS Request

      ctldl.windowsupdate.com

      DNS Response

      2.22.144.81
      2.22.144.73

      DNS Request

      tse1.mm.bing.net

      DNS Response

      150.171.28.10
      150.171.27.10

      DNS Request

      tse1.mm.bing.net

      DNS Response

      150.171.27.10
      150.171.28.10

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_tkibd14n.v4b.ps1

      Filesize

      60B

      MD5

      d17fe0a3f47be24a6453e9ef58c94641

      SHA1

      6ab83620379fc69f80c0242105ddffd7d98d5d9d

      SHA256

      96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

      SHA512

      5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    • C:\Users\Admin\AppData\Local\Temp\ccminer\ccminer\ccminer.exe

      Filesize

      652KB

      MD5

      153e4364a395b282b983dfc2c5884105

      SHA1

      9147a6afa63bd7d7e451c693e362730c692781e1

      SHA256

      6a1077166de9d1cc6fceaf6da6f8c5e1c8d9d5f99f3ab845b9790fc6d395d896

      SHA512

      378fe8b9ae243d5844243999a909ab45216920d63149b39be521e5212533f0dc30e8620c6285738e1100618f44d1576b3ccd9aa27b0e65b29a3ca1937047173d

    • memory/4188-11-0x00000289A87F0000-0x00000289A881A000-memory.dmp

      Filesize

      168KB

    • memory/4188-10-0x00007FFF37A50000-0x00007FFF38512000-memory.dmp

      Filesize

      10.8MB

    • memory/4188-12-0x00000289A87F0000-0x00000289A8814000-memory.dmp

      Filesize

      144KB

    • memory/4188-13-0x00007FFF37A50000-0x00007FFF38512000-memory.dmp

      Filesize

      10.8MB

    • memory/4188-0-0x00007FFF37A53000-0x00007FFF37A55000-memory.dmp

      Filesize

      8KB

    • memory/4188-14-0x00007FFF37A50000-0x00007FFF38512000-memory.dmp

      Filesize

      10.8MB

    • memory/4188-16-0x00007FFF37A50000-0x00007FFF38512000-memory.dmp

      Filesize

      10.8MB

    • memory/4188-18-0x00000289A87F0000-0x00000289A87FA000-memory.dmp

      Filesize

      40KB

    • memory/4188-17-0x00000289A8800000-0x00000289A8812000-memory.dmp

      Filesize

      72KB

    • memory/4188-1-0x00000289A8720000-0x00000289A8742000-memory.dmp

      Filesize

      136KB

    • memory/4188-34-0x00007FFF37A50000-0x00007FFF38512000-memory.dmp

      Filesize

      10.8MB

    • memory/4188-33-0x00007FFF37A53000-0x00007FFF37A55000-memory.dmp

      Filesize

      8KB

    • memory/4188-35-0x00007FFF37A50000-0x00007FFF38512000-memory.dmp

      Filesize

      10.8MB
