Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

1

69487c2f91...27.ps1

windows7-x64

10

69487c2f91...27.ps1

windows10-2004-x64

10

Analysis

  • max time kernel
    96s
  • max time network
    148s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    24/12/2024, 03:51 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    69487c2f91495cfda293735fc01ac8d516b48359171e3b53581ccf3145bfb527.ps1

  • Size

    590KB

  • MD5

    e0411fcbbff0e20922d224c3ac8c811e

  • SHA1

    1083bc3407717b9953ffe27ec8ef3f0a520fbc82

  • SHA256

    69487c2f91495cfda293735fc01ac8d516b48359171e3b53581ccf3145bfb527

  • SHA512

    0555dbe49cc4ac2e432b85e847ac48113d74651f8c238329645b1bb07968d3418e92122b7750a3902793824a932647fe5c27c1c3e841a010a354d789c358eba3

  • SSDEEP

    1536:Kk0H/lFq+N1mfoRlNyjZk11iBQcIY1Y+qFMJFOgvZ/wpKDcalOGODPNTbJYj6CJt:cA

Score
10/10
lockbitdiscoveryexecutionransomware

Malware Config

Signatures

  • Lockbit

    Ransomware family with multiple variants released since late 2019.

    ransomwarelockbit
  • Lockbit family
    lockbit
  • Rule to detect Lockbit 3.0 ransomware Windows payload 1 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Using powershell.exe command.

    execution
  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\69487c2f91495cfda293735fc01ac8d516b48359171e3b53581ccf3145bfb527.ps1
    1⤵
    • Command and Scripting Interpreter: PowerShell
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:540
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -ex bypass -nonI C:\Users\Admin\AppData\Local\Temp\69487c2f91495cfda293735fc01ac8d516b48359171e3b53581ccf3145bfb527.ps1
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:432
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 432 -s 2908
        3⤵
        • Program crash
        PID:4032
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 432 -ip 432
    1⤵
      PID:2936

    Network

    • flag-us
      DNS
      8.8.8.8.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      8.8.8.8.in-addr.arpa
      IN PTR
      Response
      8.8.8.8.in-addr.arpa
      IN PTR
      dnsgoogle
    • flag-us
      DNS
      232.168.11.51.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      232.168.11.51.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      41.134.221.88.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      41.134.221.88.in-addr.arpa
      IN PTR
      Response
      41.134.221.88.in-addr.arpa
      IN PTR
      a88-221-134-41deploystaticakamaitechnologiescom
    • flag-us
      DNS
      0.159.190.20.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      0.159.190.20.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      95.221.229.192.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      95.221.229.192.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      217.106.137.52.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      217.106.137.52.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      56.163.245.4.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      56.163.245.4.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      198.187.3.20.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      198.187.3.20.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      217.135.221.88.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      217.135.221.88.in-addr.arpa
      IN PTR
      Response
      217.135.221.88.in-addr.arpa
      IN PTR
      a88-221-135-217deploystaticakamaitechnologiescom
    • flag-us
      DNS
      172.210.232.199.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      172.210.232.199.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      13.227.111.52.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      13.227.111.52.in-addr.arpa
      IN PTR
      Response
    No results found
    • 8.8.8.8:53
      8.8.8.8.in-addr.arpa
      dns
      66 B
       90 B
       1
      1

      DNS Request

      8.8.8.8.in-addr.arpa

    • 8.8.8.8:53
      232.168.11.51.in-addr.arpa
      dns
      72 B
       158 B
       1
      1

      DNS Request

      232.168.11.51.in-addr.arpa

    • 8.8.8.8:53
      41.134.221.88.in-addr.arpa
      dns
      72 B
       137 B
       1
      1

      DNS Request

      41.134.221.88.in-addr.arpa

    • 8.8.8.8:53
      0.159.190.20.in-addr.arpa
      dns
      71 B
       157 B
       1
      1

      DNS Request

      0.159.190.20.in-addr.arpa

    • 8.8.8.8:53
      95.221.229.192.in-addr.arpa
      dns
      73 B
       144 B
       1
      1

      DNS Request

      95.221.229.192.in-addr.arpa

    • 8.8.8.8:53
      217.106.137.52.in-addr.arpa
      dns
      73 B
       147 B
       1
      1

      DNS Request

      217.106.137.52.in-addr.arpa

    • 8.8.8.8:53
      56.163.245.4.in-addr.arpa
      dns
      71 B
       157 B
       1
      1

      DNS Request

      56.163.245.4.in-addr.arpa

    • 8.8.8.8:53
      198.187.3.20.in-addr.arpa
      dns
      71 B
       157 B
       1
      1

      DNS Request

      198.187.3.20.in-addr.arpa

    • 8.8.8.8:53
      217.135.221.88.in-addr.arpa
      dns
      73 B
       139 B
       1
      1

      DNS Request

      217.135.221.88.in-addr.arpa

    • 8.8.8.8:53
      172.210.232.199.in-addr.arpa
      dns
      74 B
       128 B
       1
      1

      DNS Request

      172.210.232.199.in-addr.arpa

    • 8.8.8.8:53
      13.227.111.52.in-addr.arpa
      dns
      72 B
       158 B
       1
      1

      DNS Request

      13.227.111.52.in-addr.arpa

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
      Filesize

      1KB

      MD5

      d5198d7e3f350aca580d4160e3cb0493

      SHA1

      67d8eb10aeeb2c5075a9823a5b9f6dfab84a237d

      SHA256

      f26fac220a2f7479a976f51e6370bc525a7ae40b7e129cebfdeae42214669f70

      SHA512

      755d2eca2a90ea0c05beeea95f3c47f54ccce11b77c2a2af886e0b86480600d4100d24c2cbbc8ba3491f5c6e175794609c85e3a0f72f44adf9f35df7930363f5

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_5jrj5fua.tla.ps1
      Filesize

      60B

      MD5

      d17fe0a3f47be24a6453e9ef58c94641

      SHA1

      6ab83620379fc69f80c0242105ddffd7d98d5d9d

      SHA256

      96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

      SHA512

      5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

      Download Submit

    • memory/432-37-0x0000000005D60000-0x0000000005DAC000-memory.dmp

      Filesize

      304KB

      Download

    • memory/432-38-0x0000000007490000-0x0000000007B0A000-memory.dmp

      Filesize

      6.5MB

      Download

    • memory/432-68-0x0000000074C50000-0x0000000075400000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/432-63-0x0000000010000000-0x0000000010022000-memory.dmp

      Filesize

      136KB

      Download

    • memory/432-62-0x00000000072F0000-0x00000000072F8000-memory.dmp

      Filesize

      32KB

      Download

    • memory/432-17-0x0000000074C5E000-0x0000000074C5F000-memory.dmp

      Filesize

      4KB

      Download

    • memory/432-18-0x0000000002700000-0x0000000002736000-memory.dmp

      Filesize

      216KB

      Download

    • memory/432-19-0x0000000004F80000-0x00000000055A8000-memory.dmp

      Filesize

      6.2MB

      Download

    • memory/432-20-0x0000000074C50000-0x0000000075400000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/432-21-0x0000000074C50000-0x0000000075400000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/432-22-0x0000000004E30000-0x0000000004E52000-memory.dmp

      Filesize

      136KB

      Download

    • memory/432-23-0x0000000004ED0000-0x0000000004F36000-memory.dmp

      Filesize

      408KB

      Download

    • memory/432-24-0x00000000055B0000-0x0000000005616000-memory.dmp

      Filesize

      408KB

      Download

    • memory/432-30-0x0000000005620000-0x0000000005974000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/432-61-0x00000000073A0000-0x00000000073BA000-memory.dmp

      Filesize

      104KB

      Download

    • memory/432-36-0x0000000005CD0000-0x0000000005CEE000-memory.dmp

      Filesize

      120KB

      Download

    • memory/432-60-0x00000000072B0000-0x00000000072C4000-memory.dmp

      Filesize

      80KB

      Download

    • memory/432-59-0x00000000072A0000-0x00000000072AE000-memory.dmp

      Filesize

      56KB

      Download

    • memory/432-39-0x0000000006260000-0x000000000627A000-memory.dmp

      Filesize

      104KB

      Download

    • memory/432-40-0x0000000006D90000-0x0000000006DC2000-memory.dmp

      Filesize

      200KB

      Download

    • memory/432-41-0x0000000070A70000-0x0000000070ABC000-memory.dmp

      Filesize

      304KB

      Download

    • memory/432-43-0x0000000071840000-0x0000000071B94000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/432-42-0x0000000074C50000-0x0000000075400000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/432-54-0x0000000074C50000-0x0000000075400000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/432-53-0x0000000006D70000-0x0000000006D8E000-memory.dmp

      Filesize

      120KB

      Download

    • memory/432-55-0x0000000007010000-0x00000000070B3000-memory.dmp

      Filesize

      652KB

      Download

    • memory/432-56-0x0000000007110000-0x000000000711A000-memory.dmp

      Filesize

      40KB

      Download

    • memory/432-57-0x0000000007300000-0x0000000007396000-memory.dmp

      Filesize

      600KB

      Download

    • memory/432-58-0x0000000007270000-0x0000000007281000-memory.dmp

      Filesize

      68KB

      Download

    • memory/540-0-0x00007FFAD9D83000-0x00007FFAD9D85000-memory.dmp

      Filesize

      8KB

      Download

    • memory/540-11-0x00007FFAD9D80000-0x00007FFADA841000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/540-1-0x0000024FC2050000-0x0000024FC2072000-memory.dmp

      Filesize

      136KB

      Download

    • memory/540-16-0x00007FFAD9D80000-0x00007FFADA841000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/540-13-0x00007FFAD9D80000-0x00007FFADA841000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/540-12-0x00007FFAD9D80000-0x00007FFADA841000-memory.dmp

      Filesize

      10.8MB

      Download

    We care about your privacy.

    This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.