Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

8

Static

static

7

Devolucion...81.zip

windows7-x64

1

Devolucion...81.zip

windows10-2004-x64

1

-.exe

windows7-x64

8

-.exe

windows10-2004-x64

7

Devolucion...BS.cmd

windows7-x64

8

Devolucion...BS.cmd

windows10-2004-x64

8

Analysis

  • max time kernel
    141s
  • max time network
    135s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    22/08/2024, 14:34

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    DevolucionImpuestopiendenteTGR_b1Gz5R2UBS.cmd

  • Size

    3KB

  • MD5

    437232fabe2b83b0d67647378088bc64

  • SHA1

    7fd0ce07fe455f483d9714322f08e9f9c860aa4f

  • SHA256

    1e74435045984691a9d8bce58101b8e3509c1031142b8aedd8f81d1c67eedbd2

  • SHA512

    d975f69eca32d23781408118c66a3b8bd2a6c4006eca6ea78a7ef37f7d6cb7a88422e446ebf58e650f7e84ab7fbbcd299c7cc8ba3fb68d5a0daefeb141912f3d

Score
8/10

Malware Config

Signatures

  • Blocklisted process makes network request 3 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\DevolucionImpuestopiendenteTGR_b1Gz5R2UBS.cmd"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2040
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo %UGv0IQM7FHm6d8Ok36% "
      2⤵
        PID:5012
      • C:\Windows\system32\cmd.exe
        cmd.exe /c powershell.exe -exec bypass -nop -win 1 -
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:1144
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          powershell.exe -exec bypass -nop -win 1 -
          3⤵
          • Blocklisted process makes network request
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:212

    Network

    MITRE ATT&CK Matrix

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_bclxb4hv.rqc.ps1
      Filesize

      60B

      MD5

      d17fe0a3f47be24a6453e9ef58c94641

      SHA1

      6ab83620379fc69f80c0242105ddffd7d98d5d9d

      SHA256

      96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

      SHA512

      5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

      Download Submit

    • memory/212-0-0x00007FF830C63000-0x00007FF830C65000-memory.dmp

      Filesize

      8KB

      Download

    • memory/212-1-0x000001E6A8A00000-0x000001E6A8A22000-memory.dmp

      Filesize

      136KB

      Download

    • memory/212-11-0x00007FF830C60000-0x00007FF831721000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/212-12-0x00007FF830C60000-0x00007FF831721000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/212-13-0x000001E6C0BC0000-0x000001E6C0C04000-memory.dmp

      Filesize

      272KB

      Download

    • memory/212-14-0x000001E6C1A20000-0x000001E6C1A96000-memory.dmp

      Filesize

      472KB

      Download

    • memory/212-16-0x00007FF830C60000-0x00007FF831721000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/212-17-0x00007FF830C60000-0x00007FF831721000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/212-20-0x00007FF830C60000-0x00007FF831721000-memory.dmp

      Filesize

      10.8MB

      Download