Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
120s -
max time network
16s -
platform
windows7_x64 -
resource
win7-20240705-en -
resource tags
arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system -
submitted
19/08/2024, 20:44
Static task
static1
Behavioral task
behavioral1
Sample
file.ps1
Resource
win7-20240705-en
5 signatures
150 seconds
Behavioral task
behavioral2
Sample
file.ps1
Resource
win11-20240802-en
4 signatures
150 seconds
General
-
Target
file.ps1
-
Size
27B
-
MD5
c729d940eb78e927afcba4046543d8f8
-
SHA1
3522981616693e8b12ca21a51f07b98a5008a075
-
SHA256
e92d9cf98abe2f1821e4c426d493fe3378661520e6f961e734258338fc5921d4
-
SHA512
8aa7d80e1216d0f82a4056f2cf152ec96a74c04e9e6b903dc9614a7a45e1bf2f150db0028b5bc285b0b4222b179c120b08a87d57e9accbed360d8a9cf4e2d642
Score
3/10
Malware Config
Signatures
-
pid Process 2652 powershell.exe -
Kills process with taskkill 1 IoCs
pid Process 2940 taskkill.exe -
Suspicious behavior: EnumeratesProcesses 1 IoCs
pid Process 2652 powershell.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 2652 powershell.exe Token: SeDebugPrivilege 2940 taskkill.exe -
Suspicious use of WriteProcessMemory 3 IoCs
description pid Process procid_target PID 2652 wrote to memory of 2940 2652 powershell.exe 31 PID 2652 wrote to memory of 2940 2652 powershell.exe 31 PID 2652 wrote to memory of 2940 2652 powershell.exe 31
Processes
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\file.ps11⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2652 -
C:\Windows\system32\taskkill.exe"C:\Windows\system32\taskkill.exe" /f /im svchost.exe2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2940
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs1⤵PID:2972
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs1⤵PID:2080
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs1⤵PID:1484
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs1⤵PID:2252
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs1⤵PID:708
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs1⤵PID:2608
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs1⤵PID:2804
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs1⤵PID:2104
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs1⤵PID:1636
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs1⤵PID:2040
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs1⤵PID:1852
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs1⤵PID:1880
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs1⤵PID:2168
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs1⤵PID:2208
-
C:\Windows\system32\calc.exe"C:\Windows\system32\calc.exe"1⤵PID:1460
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs1⤵PID:2232
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted1⤵PID:2264
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs1⤵PID:2988
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs1⤵PID:2936