Analysis
- max time kernel: 149s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 09/12/2024, 05:58
Static task: static1
Behavioral task: behavioral1
- Sample: x.ps1
- Resource: win7-20240729-en
General
- Target: x.ps1
- Size: 757KB
- MD5: e9bf208781b60d91292c6177677e27f8
- SHA1: 364f17ba1b85e4c903157cb8a897f35fa48e73b7
- SHA256: 66b3309146e34ae971ff0b5933d2392c9016ea8c8fef2b41b66bb11f6dd84acf
- SHA512: 3b17fc0a33cdb568ce10a78df234ecd05331d020fdd7eb52ec22e1461df0231569ce6a6d86dd1276495bfae8f4d8bf96b42cad2434c18bb170a5f96a43ca29d7
- SSDEEP: 12288:gcsub9WFDXHZwlfFd41W1QJzJRm2FDgM/ZR4skE8fITcH1B:gcDb9WJ+lfFd41WmzJwmDR/ZR4skE8fH
Malware Config
Signatures
- Quasar family
- Loads dropped DLL (1 IoCs)
    pid   Process
    3588  powershell.exe
- Looks up external IP address via web service (2 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
    flow  ioc
    15    api.ipify.org
    16    api.ipify.org
- Suspicious use of SetThreadContext (1 IoCs)
    description                          pid   Process         procid_target
    PID 3588 set thread context of 1824  3588  powershell.exe  87
- Command and Scripting Interpreter: PowerShell (signature name as listed for PID 3588 under Processes)
    pid   Process
    3588  powershell.exe
- System Location Discovery: System Language Discovery (1 TTPs, 1 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
    description  ioc                                                          Process
    Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  aspnet_compiler.exe
- Suspicious behavior: EnumeratesProcesses (4 IoCs)
    pid   Process
    3588  powershell.exe
    3588  powershell.exe
    3588  powershell.exe
    3588  powershell.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
    description              pid   Process
    Token: SeDebugPrivilege  3588  powershell.exe
    Token: SeDebugPrivilege  1824  aspnet_compiler.exe
- Suspicious use of WriteProcessMemory (15 IoCs)
    description                       pid   Process         procid_target
    PID 3588 wrote to memory of 3836  3588  powershell.exe  84
    PID 3588 wrote to memory of 3836  3588  powershell.exe  84
    PID 3836 wrote to memory of 1668  3836  csc.exe         85
    PID 3836 wrote to memory of 1668  3836  csc.exe         85
    PID 3588 wrote to memory of 1108  3588  powershell.exe  86
    PID 3588 wrote to memory of 1108  3588  powershell.exe  86
    PID 3588 wrote to memory of 1108  3588  powershell.exe  86
    PID 3588 wrote to memory of 1824  3588  powershell.exe  87
    PID 3588 wrote to memory of 1824  3588  powershell.exe  87
    PID 3588 wrote to memory of 1824  3588  powershell.exe  87
    PID 3588 wrote to memory of 1824  3588  powershell.exe  87
    PID 3588 wrote to memory of 1824  3588  powershell.exe  87
    PID 3588 wrote to memory of 1824  3588  powershell.exe  87
    PID 3588 wrote to memory of 1824  3588  powershell.exe  87
    PID 3588 wrote to memory of 1824  3588  powershell.exe  87
Processes
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 3588)
  Command line: powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\x.ps1
  Signatures:
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe (PID 3836)
    Command line: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\pljgfr20\pljgfr20.cmdline"
    Signatures:
    - Suspicious use of WriteProcessMemory
    - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe (PID 1668)
      Command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7DAC.tmp" "c:\Users\Admin\AppData\Local\Temp\pljgfr20\CSCDFC59BBB771B44D6BEC0FD6F4CAE7A46.TMP"
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe (PID 1108)
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe (PID 1824)
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
    Signatures:
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 1KB
  MD5: 1547d5246aacda37ac02499e02a6c0af
  SHA1: e1d5ebf1a909a65ac17c188b107446a96cb59e21
  SHA256: 7a9f15a36dfc7f70ce602f6c416e633fa6741d268045d67c376497c7a39d129d
  SHA512: 40018d4347559077fef92891fffe28673fbeded586324e5740dd9532a209b929b0bc068e845763c20b365520e24fc9611586cd519f7612ce0fd1f3dacd6b0eaa
- Filesize: 60B
  MD5: d17fe0a3f47be24a6453e9ef58c94641
  SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
  SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
  SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
- Filesize: 3KB
  MD5: 1de2fe9204912c8eccff861a217711cc
  SHA1: 923bb3ee77d767659226895062eb823fa193f1b6
  SHA256: cdcd16cd3158f345b57f8689faa78cd11324d2e28a84b0ea46737802ca2ade7a
  SHA512: 0fd8e888be01af83a912c670d40763e622329b56c2ee8f0ea33e684e764c8c4d7b7370c637cd3f01bd60c0506df0093748ed2a37faf44a7f2535b9f3e06e97c5
- Filesize: 12KB
  MD5: e6b7078b6b145749c223b63690cf7822
  SHA1: 562145c8fdef211277dcfe2170cad2ba862dfdca
  SHA256: 7c0e07e3947e1c61818f8de92cb4cc4f27481507d32c01c1287750f5ff3b6620
  SHA512: 0a02bee32c2ff2b7a1b3574a4ad39c77e697b09cb61773b98c08c243adf1679246cc966b8f291077f7361a0dcf31c023ca4f2eeb99a37121b7652eabf23f0d5b
- Filesize: 652B
  MD5: e9e572b8eacd318fbf022b2291d230a9
  SHA1: dc8eccfee6e6f0bb3142d2ed45010b35df018ba8
  SHA256: 1ff6cef92fcc1367fe48f2d001479de000ea8a24036c2eae91cd53c94ed16f68
  SHA512: 6d25ee8c6edfed84fb819029f803abfa0ecbc13cc889a4f28e6079ffc91d478a44194fcc89920c6c3355eba574a047d71bec8ed0b81ed8da7a5d297c6af28963
- Filesize: 241B
  MD5: f26363a9e7c5371cc5f35b0eff60c1ba
  SHA1: e896269d30c7044d4c98d7d04e22cb5f065a7834
  SHA256: fa548d7ec20ebce463ff43a223d0df6f9648124ee0b648f52e8bfb44d16bb140
  SHA512: de54c28d7c5bb60bb099ef1bc6089bfee9463e2ad70824089d88f48be98bb103c3680aff13ab736a891c4ef1b027fd6051ca9fdad9b19ebd31634b06f67fc0a4
- Filesize: 369B
  MD5: c5e829df1305737051e041840856f75d
  SHA1: 62d4f788aaadd3cd2509d5e5d63308a1d5895a7f
  SHA256: 8e0c4100bea65df7d9f2ce5883ece99bc7955f47390cc7c9016624aa3ee3eb64
  SHA512: b1fb6eeda9ea3e1c13874b4c0b86bfbe8a51c9d5f4ca74bab77acc46d565a3a815c8b40d03ecac2430619933c94aa6fa61fddf146574d7442f8d78574a0b1b1c