Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

3

Static

static

1

file.ps1

windows7-x64

3

file.ps1

windows11-21h2-x64

Resubmissions

19/08/2024, 20:44

240819-zh79qavcqh 3

19/08/2024, 20:43

240819-zhvzdsyfkr 3

Analysis

  • max time kernel
    120s
  • max time network
    16s
  • platform
    windows7_x64
  • resource
    win7-20240705-en
  • resource tags

    arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
  • submitted
    19/08/2024, 20:44

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    file.ps1

  • Size

    27B

  • MD5

    c729d940eb78e927afcba4046543d8f8

  • SHA1

    3522981616693e8b12ca21a51f07b98a5008a075

  • SHA256

    e92d9cf98abe2f1821e4c426d493fe3378661520e6f961e734258338fc5921d4

  • SHA512

    8aa7d80e1216d0f82a4056f2cf152ec96a74c04e9e6b903dc9614a7a45e1bf2f150db0028b5bc285b0b4222b179c120b08a87d57e9accbed360d8a9cf4e2d642

Score
3/10
execution

Malware Config

Signatures

  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Using powershell.exe command.

    execution
  • Kills process with taskkill 1 IoCs
    evasion
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\file.ps1
    1⤵
    • Command and Scripting Interpreter: PowerShell
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2652
    • C:\Windows\system32\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im svchost.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:2940
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k netsvcs
    1⤵
      PID:2972
    • C:\Windows\system32\svchost.exe
      C:\Windows\system32\svchost.exe -k netsvcs
      1⤵
        PID:2080
      • C:\Windows\system32\svchost.exe
        C:\Windows\system32\svchost.exe -k netsvcs
        1⤵
          PID:1484
        • C:\Windows\system32\svchost.exe
          C:\Windows\system32\svchost.exe -k netsvcs
          1⤵
            PID:2252
          • C:\Windows\system32\svchost.exe
            C:\Windows\system32\svchost.exe -k netsvcs
            1⤵
              PID:708
            • C:\Windows\system32\svchost.exe
              C:\Windows\system32\svchost.exe -k netsvcs
              1⤵
                PID:2608
              • C:\Windows\system32\svchost.exe
                C:\Windows\system32\svchost.exe -k netsvcs
                1⤵
                  PID:2804
                • C:\Windows\system32\svchost.exe
                  C:\Windows\system32\svchost.exe -k netsvcs
                  1⤵
                    PID:2104
                  • C:\Windows\system32\svchost.exe
                    C:\Windows\system32\svchost.exe -k netsvcs
                    1⤵
                      PID:1636
                    • C:\Windows\system32\svchost.exe
                      C:\Windows\system32\svchost.exe -k netsvcs
                      1⤵
                        PID:2040
                      • C:\Windows\system32\svchost.exe
                        C:\Windows\system32\svchost.exe -k netsvcs
                        1⤵
                          PID:1852
                        • C:\Windows\system32\svchost.exe
                          C:\Windows\system32\svchost.exe -k netsvcs
                          1⤵
                            PID:1880
                          • C:\Windows\system32\svchost.exe
                            C:\Windows\system32\svchost.exe -k netsvcs
                            1⤵
                              PID:2168
                            • C:\Windows\system32\svchost.exe
                              C:\Windows\system32\svchost.exe -k netsvcs
                              1⤵
                                PID:2208
                              • C:\Windows\system32\calc.exe
                                "C:\Windows\system32\calc.exe"
                                1⤵
                                  PID:1460
                                • C:\Windows\system32\svchost.exe
                                  C:\Windows\system32\svchost.exe -k netsvcs
                                  1⤵
                                    PID:2232
                                  • C:\Windows\system32\svchost.exe
                                    C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted
                                    1⤵
                                      PID:2264
                                    • C:\Windows\system32\svchost.exe
                                      C:\Windows\system32\svchost.exe -k netsvcs
                                      1⤵
                                        PID:2988
                                      • C:\Windows\system32\svchost.exe
                                        C:\Windows\system32\svchost.exe -k netsvcs
                                        1⤵
                                          PID:2936

                                        Network

                                        MITRE ATT&CK Enterprise v15

                                        Replay Monitor

                                        Loading Replay Monitor...

                                        Downloads

                                        • memory/2652-4-0x000007FEF626E000-0x000007FEF626F000-memory.dmp

                                          Filesize

                                          4KB

                                          Download

                                        • memory/2652-5-0x000000001B7B0000-0x000000001BA92000-memory.dmp

                                          Filesize

                                          2.9MB

                                          Download

                                        • memory/2652-6-0x0000000001F00000-0x0000000001F08000-memory.dmp

                                          Filesize

                                          32KB

                                          Download

                                        • memory/2652-7-0x000007FEF5FB0000-0x000007FEF694D000-memory.dmp

                                          Filesize

                                          9.6MB

                                          Download

                                        • memory/2652-8-0x000007FEF5FB0000-0x000007FEF694D000-memory.dmp

                                          Filesize

                                          9.6MB

                                          Download

                                        • memory/2652-10-0x000007FEF5FB0000-0x000007FEF694D000-memory.dmp

                                          Filesize

                                          9.6MB

                                          Download

                                        • memory/2652-9-0x000007FEF5FB0000-0x000007FEF694D000-memory.dmp

                                          Filesize

                                          9.6MB

                                          Download

                                        • memory/2652-11-0x000007FEF5FB0000-0x000007FEF694D000-memory.dmp

                                          Filesize

                                          9.6MB

                                          Download