Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

3

Static

static

1

Kematian-m...ME.ps1

windows7-x64

3

Kematian-m...ME.ps1

windows10-2004-x64

3

Kematian-m...er.bat

windows7-x64

1

Kematian-m...er.bat

windows10-2004-x64

1

Kematian-m...est.py

windows7-x64

3

Kematian-m...est.py

windows10-2004-x64

3

Kematian-m...vm.ps1

windows7-x64

3

Kematian-m...vm.ps1

windows10-2004-x64

3

Kematian-main/main.py

windows7-x64

3

Kematian-main/main.py

windows10-2004-x64

3

Kematian-m...ver.py

windows7-x64

3

Kematian-m...ver.py

windows10-2004-x64

3

Kematian-m...ler.py

windows7-x64

3

Kematian-m...ler.py

windows10-2004-x64

3

Kematian-m...ler.py

windows7-x64

3

Kematian-m...ler.py

windows10-2004-x64

3

Kematian-m...tml.py

windows7-x64

3

Kematian-m...tml.py

windows10-2004-x64

3

Kematian-m...ges.py

windows7-x64

3

Kematian-m...ges.py

windows10-2004-x64

3

Kematian-m...ner.py

windows7-x64

3

Kematian-m...ner.py

windows10-2004-x64

3

Kematian-m...ain.py

windows7-x64

3

Kematian-m...ain.py

windows10-2004-x64

3

Kematian-m...ypt.py

windows7-x64

3

Kematian-m...ypt.py

windows10-2004-x64

3

Kematian-m...ors.py

windows7-x64

3

Kematian-m...ors.py

windows10-2004-x64

3

Kematian-m...ime.py

windows7-x64

3

Kematian-m...ime.py

windows10-2004-x64

3

Kematian-m...ger.py

windows7-x64

3

Kematian-m...ger.py

windows10-2004-x64

3

Analysis

  • max time kernel
    148s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    05/08/2024, 12:56 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Kematian-main/frontend-src/antivm.ps1

  • Size

    6KB

  • MD5

    296f3b3bd61aea4469ac394414ff7593

  • SHA1

    1398a63edd7f41e8d115cb0cd52173f6d2ccea7e

  • SHA256

    5fcbb655f62ef6f549ce387796db9b56973c048d276c2872565fff32ec84371c

  • SHA512

    c2880422dcf428f2a8308d421d2f9f6368d7e58f9838f831e08b4c565c2af17fd79ca57905d88bca8ecbcf8a141b936d77896c199ef35baa7ca184ed890dd542

  • SSDEEP

    192:Nx+lLbherrTi1ZXzjxrGCyma8qcfg7vrBL5y:DylxLb8zy

Score
3/10
execution

Malware Config

Signatures

  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Using powershell.exe command.

    execution
  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes

  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\Kematian-main\frontend-src\antivm.ps1
    1⤵
    • Command and Scripting Interpreter: PowerShell
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:5064

Network

  • flag-us
    DNS
    8.8.8.8.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    8.8.8.8.in-addr.arpa
    IN PTR
    Response
    8.8.8.8.in-addr.arpa
    IN PTR
    dnsgoogle
  • flag-us
    DNS
    g.bing.com
    Remote address:
    8.8.8.8:53
    Request
    g.bing.com
    IN A
    Response
    g.bing.com
    IN CNAME
    g-bing-com.dual-a-0034.a-msedge.net
    g-bing-com.dual-a-0034.a-msedge.net
    IN CNAME
    dual-a-0034.a-msedge.net
    dual-a-0034.a-msedge.net
    IN A
    13.107.21.237
    dual-a-0034.a-msedge.net
    IN A
    204.79.197.237
  • flag-us
    GET
    https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=d65ee94630a64f6dbcc4ded616f2361e&localId=w:C73FBD69-E259-A995-64BC-A5A688D3CF0D&deviceId=6755468654711223&anid=
    Remote address:
    13.107.21.237:443
    Request
    GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=d65ee94630a64f6dbcc4ded616f2361e&localId=w:C73FBD69-E259-A995-64BC-A5A688D3CF0D&deviceId=6755468654711223&anid= HTTP/2.0
    host: g.bing.com
    accept-encoding: gzip, deflate
    user-agent: WindowsShellClient/9.0.40929.0 (Windows)
    Response
    HTTP/2.0 204
    cache-control: no-cache, must-revalidate
    pragma: no-cache
    expires: Fri, 01 Jan 1990 00:00:00 GMT
    set-cookie: MUID=23A7A91EE388607D37C2BDCCE2AF611C; domain=.bing.com; expires=Sat, 30-Aug-2025 12:58:11 GMT; path=/; SameSite=None; Secure; Priority=High;
    strict-transport-security: max-age=31536000; includeSubDomains; preload
    access-control-allow-origin: *
    x-cache: CONFIG_NOCACHE
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: A317C6D0375F4C388D0ED0AB5741E664 Ref B: LON04EDGE0611 Ref C: 2024-08-05T12:58:11Z
    date: Mon, 05 Aug 2024 12:58:11 GMT
  • flag-us
    GET
    https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=d65ee94630a64f6dbcc4ded616f2361e&localId=w:C73FBD69-E259-A995-64BC-A5A688D3CF0D&deviceId=6755468654711223&anid=
    Remote address:
    13.107.21.237:443
    Request
    GET /neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=d65ee94630a64f6dbcc4ded616f2361e&localId=w:C73FBD69-E259-A995-64BC-A5A688D3CF0D&deviceId=6755468654711223&anid= HTTP/2.0
    host: g.bing.com
    accept-encoding: gzip, deflate
    user-agent: WindowsShellClient/9.0.40929.0 (Windows)
    cookie: MUID=23A7A91EE388607D37C2BDCCE2AF611C
    Response
    HTTP/2.0 204
    cache-control: no-cache, must-revalidate
    pragma: no-cache
    expires: Fri, 01 Jan 1990 00:00:00 GMT
    set-cookie: MSPTC=HBDtX2vMFiKayxRmZU5EaNhJshTB5NOPUsczc2FO_LI; domain=.bing.com; expires=Sat, 30-Aug-2025 12:58:11 GMT; path=/; Partitioned; secure; SameSite=None
    strict-transport-security: max-age=31536000; includeSubDomains; preload
    access-control-allow-origin: *
    x-cache: CONFIG_NOCACHE
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: 8CAD9BCDCB1A40FF90C45DA3FB18C04C Ref B: LON04EDGE0611 Ref C: 2024-08-05T12:58:11Z
    date: Mon, 05 Aug 2024 12:58:11 GMT
  • flag-us
    GET
    https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=d65ee94630a64f6dbcc4ded616f2361e&localId=w:C73FBD69-E259-A995-64BC-A5A688D3CF0D&deviceId=6755468654711223&anid=
    Remote address:
    13.107.21.237:443
    Request
    GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=d65ee94630a64f6dbcc4ded616f2361e&localId=w:C73FBD69-E259-A995-64BC-A5A688D3CF0D&deviceId=6755468654711223&anid= HTTP/2.0
    host: g.bing.com
    accept-encoding: gzip, deflate
    user-agent: WindowsShellClient/9.0.40929.0 (Windows)
    cookie: MUID=23A7A91EE388607D37C2BDCCE2AF611C; MSPTC=HBDtX2vMFiKayxRmZU5EaNhJshTB5NOPUsczc2FO_LI
    Response
    HTTP/2.0 204
    cache-control: no-cache, must-revalidate
    pragma: no-cache
    expires: Fri, 01 Jan 1990 00:00:00 GMT
    strict-transport-security: max-age=31536000; includeSubDomains; preload
    access-control-allow-origin: *
    x-cache: CONFIG_NOCACHE
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: B5F857B36C6043098685A6878622D554 Ref B: LON04EDGE0611 Ref C: 2024-08-05T12:58:11Z
    date: Mon, 05 Aug 2024 12:58:11 GMT
  • flag-us
    DNS
    73.159.190.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    73.159.190.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    172.214.232.199.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    172.214.232.199.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    237.21.107.13.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    237.21.107.13.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    26.35.223.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    26.35.223.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    103.169.127.40.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    103.169.127.40.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    198.187.3.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    198.187.3.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    217.135.221.88.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    217.135.221.88.in-addr.arpa
    IN PTR
    Response
    217.135.221.88.in-addr.arpa
    IN PTR
    a88-221-135-217deploystaticakamaitechnologiescom
  • flag-us
    DNS
    13.227.111.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    13.227.111.52.in-addr.arpa
    IN PTR
    Response
  • 13.107.21.237:443
    https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=d65ee94630a64f6dbcc4ded616f2361e&localId=w:C73FBD69-E259-A995-64BC-A5A688D3CF0D&deviceId=6755468654711223&anid=
    tls, http2
    2.0kB
     9.3kB
     22
    19

    HTTP Request

    GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=d65ee94630a64f6dbcc4ded616f2361e&localId=w:C73FBD69-E259-A995-64BC-A5A688D3CF0D&deviceId=6755468654711223&anid=

    HTTP Response

    204

    HTTP Request

    GET https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=d65ee94630a64f6dbcc4ded616f2361e&localId=w:C73FBD69-E259-A995-64BC-A5A688D3CF0D&deviceId=6755468654711223&anid=

    HTTP Response

    204

    HTTP Request

    GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=d65ee94630a64f6dbcc4ded616f2361e&localId=w:C73FBD69-E259-A995-64BC-A5A688D3CF0D&deviceId=6755468654711223&anid=

    HTTP Response

    204
  • 8.8.8.8:53
    8.8.8.8.in-addr.arpa
    dns
    66 B
     90 B
     1
    1

    DNS Request

    8.8.8.8.in-addr.arpa

  • 8.8.8.8:53
    g.bing.com
    dns
    56 B
     151 B
     1
    1

    DNS Request

    g.bing.com

    DNS Response

    13.107.21.237
    204.79.197.237

  • 8.8.8.8:53
    73.159.190.20.in-addr.arpa
    dns
    72 B
     158 B
     1
    1

    DNS Request

    73.159.190.20.in-addr.arpa

  • 8.8.8.8:53
    172.214.232.199.in-addr.arpa
    dns
    74 B
     128 B
     1
    1

    DNS Request

    172.214.232.199.in-addr.arpa

  • 8.8.8.8:53
    237.21.107.13.in-addr.arpa
    dns
    72 B
     158 B
     1
    1

    DNS Request

    237.21.107.13.in-addr.arpa

  • 8.8.8.8:53
    26.35.223.20.in-addr.arpa
    dns
    71 B
     157 B
     1
    1

    DNS Request

    26.35.223.20.in-addr.arpa

  • 8.8.8.8:53
    103.169.127.40.in-addr.arpa
    dns
    73 B
     147 B
     1
    1

    DNS Request

    103.169.127.40.in-addr.arpa

  • 8.8.8.8:53
    198.187.3.20.in-addr.arpa
    dns
    71 B
     157 B
     1
    1

    DNS Request

    198.187.3.20.in-addr.arpa

  • 8.8.8.8:53
    217.135.221.88.in-addr.arpa
    dns
    73 B
     139 B
     1
    1

    DNS Request

    217.135.221.88.in-addr.arpa

  • 8.8.8.8:53
    13.227.111.52.in-addr.arpa
    dns
    72 B
     158 B
     1
    1

    DNS Request

    13.227.111.52.in-addr.arpa

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_cinidolj.2uu.ps1
    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    Download Submit

  • memory/5064-0-0x00007FFBE1993000-0x00007FFBE1995000-memory.dmp

    Filesize

    8KB

    Download

  • memory/5064-10-0x0000014EC0D50000-0x0000014EC0D72000-memory.dmp

    Filesize

    136KB

    Download

  • memory/5064-11-0x00007FFBE1990000-0x00007FFBE2451000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/5064-12-0x00007FFBE1990000-0x00007FFBE2451000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/5064-13-0x00007FFBE1990000-0x00007FFBE2451000-memory.dmp

    Filesize

    10.8MB

    Download

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.