Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
- max time kernel: 118s
- max time network: 120s
- platform: windows7_x64
- resource: win7-20240708-en
- resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
- submitted: 05/10/2024, 01:25
Static task: static1
Behavioral task: behavioral1
  Sample: 6966e43ce060fb6ebbcc8d3b40bce306fb516900776d51cf1e3dea5fe9080064.ps1
  Resource: win7-20240708-en
Behavioral task: behavioral2
  Sample: 6966e43ce060fb6ebbcc8d3b40bce306fb516900776d51cf1e3dea5fe9080064.ps1
  Resource: win10v2004-20240802-en
General
- Target: 6966e43ce060fb6ebbcc8d3b40bce306fb516900776d51cf1e3dea5fe9080064.ps1
- Size: 1KB
- MD5: 5a206fa97e0bb7f18d83016cfd58aa82
- SHA1: ca74c816f8867a44a04cbfee6d929b901ca07dd6
- SHA256: 6966e43ce060fb6ebbcc8d3b40bce306fb516900776d51cf1e3dea5fe9080064
- SHA512: 01d027a8d1dad2da3fa833b0fe7ba223c3ab8d5cfb1e0d882b644f1879e62af8c27d9ff4ab6e5328eb9198cedd7e3bfef606b97aeee4334f35420e5a675a649d
Malware Config
Signatures
- Command and Scripting Interpreter: PowerShell
  pid | Process
  996 | powershell.exe
  2840 | powershell.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid | Process
  996 | powershell.exe
  2840 | powershell.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 996 | powershell.exe
  Token: SeDebugPrivilege | 2840 | powershell.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  description | pid | Process | procid_target
  PID 996 wrote to memory of 2840 | 996 | powershell.exe | 32
  PID 996 wrote to memory of 2840 | 996 | powershell.exe | 32
  PID 996 wrote to memory of 2840 | 996 | powershell.exe | 32
  PID 996 wrote to memory of 2560 | 996 | powershell.exe | 35
  PID 996 wrote to memory of 2560 | 996 | powershell.exe | 35
  PID 996 wrote to memory of 2560 | 996 | powershell.exe | 35
Processes
1. C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
   Command line: powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\6966e43ce060fb6ebbcc8d3b40bce306fb516900776d51cf1e3dea5fe9080064.ps1
   PID: 996
   - Command and Scripting Interpreter: PowerShell
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -s -NoLogo -NoProfile
      PID: 2840
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
   2. C:\Windows\system32\wermgr.exe
      Command line: "C:\Windows\system32\wermgr.exe" "-outproc" "996" "1324"
      PID: 2560
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 1KB
  MD5: 2b71608faa5fe62a331fb9fb4fa4b965
  SHA1: 038b13a7941475d21d273b18d41ad8f57673da33
  SHA256: 4c3e380f198afbc1ca16946d4dfe73906e6ff25f89d72608a06d49dd73aab4e3
  SHA512: db65055b3c75bd8a136b7b6599fcdf06de32c1c1cac793b1a8f8285fd3bb205c8602b19bdeb3e652ca4f20db2b4a413424ba005c3e8c421eeef1f44b9132bc18
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
  Filesize: 7KB
  MD5: 62276295bfe35363b16af4064ff55175
  SHA1: 4fd94e23387c13809a02894cfbcc6d9919017e2b
  SHA256: 38b58e66d1f99a22c9c6a57e1ac682662d1a13880a5f36d770ca5de9c529ff79
  SHA512: 1817d951f316c63e44fd258551ec91d3deec2098a414eb04e9f09a74e8aaa4a7e1625e7e56072fae6cc79cccdcc0b5f39ed4c368fbdc3ff9c70665a70a8b2c64