Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    414s
  • max time network
    1142s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240802-en
  • resource tags
    arch:x64, arch:x86, image:win11-20240802-en, locale:en-us, os:windows11-21h2-x64, system
  • submitted
    05/09/2024, 18:38

General

  • Target

    resources/extras/clink/clink.bat

  • Size

    1KB

  • MD5

    92f56a4f5897f221b6eee82cd60c5eff

  • SHA1

    c9c89a5904b621befd4b16e9741af5010e52c322

  • SHA256

    acc35e35933c5388616a37750a77308dc9ea04118b9f3b9dbeeb88e795183d8f

  • SHA512

    7c3586332602ad3834b3727aab033c622546ce2a3392160d9b430182a8e467bc7185e13e695fea3a1c385ee5d06394426cdc2bad63b5319b18f1479009f55444

Score
8/10

Malware Config

Signatures

  • Blocklisted process makes network request 3 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

    Using powershell.exe command.

  • Loads dropped DLL 1 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 22 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\resources\extras\clink\clink.bat"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2120
    • C:\Windows\system32\cmd.exe
      cmd.exe /s /k ""C:\Users\Admin\AppData\Local\Temp\resources\extras\clink\clink.bat" inject "
      2⤵
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:3632
      • C:\Users\Admin\AppData\Local\Temp\resources\extras\clink\clink_x64.exe
        "C:\Users\Admin\AppData\Local\Temp\resources\extras\clink\\clink_x64.exe" inject
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:3044
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c 2>&1 "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "Get-Host | Select-Object Version"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2844
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "Get-Host | Select-Object Version"
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:3332
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c 2>&1 "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "$ProgressPreference='SilentlyContinue' ; [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12 ; Invoke-WebRequest -Headers @{\"cache-control\"=\"no-cache\"} -UseBasicParsing https://api.github.com/repos/chrisant996/clink/releases/latest | Select-Object -ExpandProperty Content"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1488
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "$ProgressPreference='SilentlyContinue' ; [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12 ; Invoke-WebRequest -Headers @{\"cache-control\"=\"no-cache\"} -UseBasicParsing https://api.github.com/repos/chrisant996/clink/releases/latest | Select-Object -ExpandProperty Content"
          4⤵
          • Blocklisted process makes network request
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1712
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c 2>&1 "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "$ProgressPreference='SilentlyContinue' ; [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12 ; Invoke-WebRequest 'https://github.com/chrisant996/clink/releases/download/v1.6.21/clink.1.6.21.f97375.zip' -OutFile 'C:\Users\Admin\AppData\Local\Temp\clink\updater\v1.6.21.zip'"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:6016
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "$ProgressPreference='SilentlyContinue' ; [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12 ; Invoke-WebRequest 'https://github.com/chrisant996/clink/releases/download/v1.6.21/clink.1.6.21.f97375.zip' -OutFile 'C:\Users\Admin\AppData\Local\Temp\clink\updater\v1.6.21.zip'"
          4⤵
          • Blocklisted process makes network request
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:832

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

    Filesize

    2KB

    MD5

    5f4c933102a824f41e258078e34165a7

    SHA1

    d2f9e997b2465d3ae7d91dad8d99b77a2332b6ee

    SHA256

    d69b7d84970cb04cd069299fd8aa9cef8394999588bead979104dc3cb743b4f2

    SHA512

    a7556b2be1a69dbc1f7ff4c1c25581a28cb885c7e1116632c535fee5facaa99067bcead8f02499980f1d999810157d0fc2f9e45c200dee7d379907ef98a6f034

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

    Filesize

    1KB

    MD5

    dd3474e6a72c08266c25f196f78b13fd

    SHA1

    b70c6bbd7794b49b6b9afa6343987a7f553d1268

    SHA256

    82acd1c6613bb2c907a26be1f61f6556ee03cabf1aa73dad27d012be88e05318

    SHA512

    cf5138ab09f19034fa5d058819956fd0556c56d674268e496dbaded228839d2be576bd74cda26127adf03cce9a8ab485ce6a07c7332a2c65a77ca9b56d92c79d

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

    Filesize

    1KB

    MD5

    d857ee2f6639a42a68ebfff90f404a00

    SHA1

    0325eb9c9ced9cd258d57e1d09eee72adff69129

    SHA256

    ebcae1dae5289bfa4678ef3d9c558f530354dc87091843a5bf8873cfc8e6c7ee

    SHA512

    2716c99710ba6963e16c8b862207f203ca3b5197d4bf51a3faf00a3dd48b2f8ac499fb99b4e018ff66c9ec8d7fa0805cb72d4b4fa6cef59f9368e9744601a38b

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_gpy4eb23.jdq.ps1

    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

  • C:\Users\Admin\AppData\Local\Temp\clink\dll_cache\1.4.6.8b1dec_5d891859\clink_dll_x64.dll

    Filesize

    1.8MB

    MD5

    4ffaa31f19440b338e62ac46e5810bc3

    SHA1

    c4491fff894f40c65ed04cd7c9c43635ef0f44a3

    SHA256

    fdef73d692e2e181075bf43a05cd7ebe551f6b1be31f4d471ff709f83a549612

    SHA512

    f917d8a90e86f9542e56e8c80cda7362bb3fefdbbb7a094f5a518b35a74bb1394f5e7dfbc8a928a8de7a0bc7b40d4d5e9ce7192d1207dc287c18305e8b2c7aae

  • C:\Users\Admin\AppData\Local\Temp\clink\dll_cache\1.4.6.8b1dec_5d891859\clink_dll_x64.dll.origin

    Filesize

    74B

    MD5

    6fbfaa5b87464c61c6bbc93caf1b880c

    SHA1

    681a6b7ecd31f4aaeb62a02d05b80fcafba617c5

    SHA256

    dcaf04b661dac6559953a2a62b3c17c46ab95136a259dab782c9237c52e74513

    SHA512

    a6e07d3758d76f92a49d2b4c9f04a94dacd57f052169f7f907ff937997937a0972d58d005a667bc0bdb9e0a163e8cafb67772d6b8e247349153de7e1ac448a4b

  • C:\Users\Admin\AppData\Local\clink\clink.log

    Filesize

    1KB

    MD5

    1ee6eadb98288ed8f4c0523d0cb91d8e

    SHA1

    2089826e009345b82fe6090d386babc080161f6a

    SHA256

    c6f161772224e23e32173e2775adf725e04b03370c9e48c1222c8901f12fdc00

    SHA512

    6592fbc66d44c07308f5671536276a4e3f1ffb02a44d4d0cccdffcc48086bcd7405721297d19466fcb0bc3d78477402ed32554edd7dfc9bbdaef9394382acd32

  • C:\Users\Admin\AppData\Local\clink\clink.log

    Filesize

    3KB

    MD5

    b492373087082bfc6b39bdd522c4315d

    SHA1

    b580bc7ed2c1863d2d6968947c6a3443260c000e

    SHA256

    b53abdd9b9328676a39626b2e18f8f679e87374bd7a3bc4345d2fd323a8e2087

    SHA512

    defde0919210478ca38dc2be92144155776f0a50ae0a5e0a3db6537dbb9eb4c06d0272feab87191eee26b41a6626419bb218ea93fe8987c48fa1aecd5e19d13a

  • C:\Users\Admin\AppData\Local\clink\clink.log

    Filesize

    583B

    MD5

    3aa6d3522cb4fbd2993b5ea4c55ec65d

    SHA1

    dd9c5da280756698ea2c0a8b2735ff0f4a5e31b9

    SHA256

    7f7f7e9e0a4c1b0c36d0d9fb83e4eecb3e60337bd2807e580dbf3b7ed261d3f0

    SHA512

    5a203a17b34a79e6e438ffd529a1fe6158cd23d306e1c1cda11d27fb19470b1ab82b084ec31b5b170a682db0318225a08dfcb19cc4c4e860b6782918ab8d27c7

  • memory/3332-62-0x00007FFA01BA3000-0x00007FFA01BA5000-memory.dmp

    Filesize

    8KB

  • memory/3332-71-0x000001C23D6F0000-0x000001C23D712000-memory.dmp

    Filesize

    136KB

  • memory/3332-72-0x00007FFA01BA0000-0x00007FFA02662000-memory.dmp

    Filesize

    10.8MB

  • memory/3332-73-0x00007FFA01BA0000-0x00007FFA02662000-memory.dmp

    Filesize

    10.8MB

  • memory/3332-76-0x00007FFA01BA0000-0x00007FFA02662000-memory.dmp

    Filesize

    10.8MB

  • memory/3632-14-0x0000020D99120000-0x0000020D99121000-memory.dmp

    Filesize

    4KB

  • memory/3632-36-0x0000020D9A910000-0x0000020D9A911000-memory.dmp

    Filesize

    4KB

  • memory/3632-10-0x0000020D99120000-0x0000020D99121000-memory.dmp

    Filesize

    4KB

  • memory/3632-16-0x0000020D9A910000-0x0000020D9A911000-memory.dmp

    Filesize

    4KB