Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

rJustifica...go.exe

windows7-x64

8

rJustifica...go.exe

windows10-2004-x64

10

Variabelfo...en.ps1

windows7-x64

3

Variabelfo...en.ps1

windows10-2004-x64

8

Analysis

  • max time kernel
    117s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
  • submitted
    17/10/2024, 15:05

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    rJustificantedepago.exe

  • Size

    738KB

  • MD5

    884358a9e9da158f576b7b7e42521d70

  • SHA1

    a9d488b27fc2d65df89c1049c9cdf380e37e435f

  • SHA256

    7821d35c1866a3ecd43b15d6a171fd9f11d70907105cc27f6b7f0760ca86bccd

  • SHA512

    630c905e255424dc8e54a8b945aaa5673e6ff25fe4e2f9713b73a3f5a622ff8f5d33bfc06ccecd85e5017bac27e31007c878acba32af509000a6c51fdaea0216

  • SSDEEP

    12288:javPpBdFOdWbKSYQNGHkROyGOs61IYZVAecgs9FMa1Mdq8jJN:javzLDK+NjDGMIYO7MoON

Score
8/10
discoveryexecution

Malware Config

Signatures

  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Run Powershell and hide display window.

    execution
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\rJustificantedepago.exe
    "C:\Users\Admin\AppData\Local\Temp\rJustificantedepago.exe"
    1⤵
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2852
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" -windowstyle hidden "$supportable=Get-Content -raw 'C:\Users\Admin\AppData\Local\Temp\superincomprehensible\Variabelforklaringen.Adi';$Svinehundens=$supportable.SubString(52555,3);.$Svinehundens($supportable)"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2924
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" -windowstyle hidden "$supportable=Get-Content -raw 'C:\Users\Admin\AppData\Local\Temp\superincomprehensible\Variabelforklaringen.Adi';$Svinehundens=$supportable.SubString(52555,3);.$Svinehundens($supportable)"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2608

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
    Filesize

    7KB

    MD5

    0f7f9f7531f0a552cd17c7487f250d67

    SHA1

    1038a31b2d2febd5f5d00446d3801348c979d86a

    SHA256

    9b792e83ae1bc5bbba8f6830122ddd289de4725205231bc7639286f6622083f0

    SHA512

    6a5f90dad4daea1b322096d2d987c5e1db5b887bbd52691dda73989e4708993d11a84dc4df7171567db51bb8e9593ad9392101cb453c2268af8895de43c8e160

    Download Submit