Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
max time kernel: 120s
max time network: 121s
platform: windows7_x64
resource: win7-20240708-en
resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
submitted: 29/12/2024, 13:24
Static task
static1
Behavioral tasks
behavioral1: Sample 14.ps1, Resource win7-20241010-en
behavioral2: Sample 14.ps1, Resource win10v2004-20241007-en
behavioral3: Sample dollar1.ps1, Resource win7-20240708-en
behavioral4: Sample dollar1.ps1, Resource win10v2004-20241007-en
behavioral5: Sample ksdfgxc.ps1, Resource win7-20241010-en
behavioral6: Sample ksdfgxc.ps1, Resource win10v2004-20241007-en
General
Target: dollar1.ps1
Size: 510KB
MD5: c42d82bfd897477aad6221016be9d6fa
SHA1: af3505c7bda32a32cff69f3afc4c676856d377cc
SHA256: 1308763f21e50778f78dd3fd05b61367341cb52c7ca1b411a0d18610b20c9ede
SHA512: f1262f4c95aa5a853ce1f4d1d069c76d6f438c9ba2839cf093472531002c7886a619252be1769d5ebd725e35224e3c2f50bc8ade603ba98216b7ca508894083e
SSDEEP: 6144:BHJz/Da4narEcyu0c2slSDp6SGxQ9KH+d2QSQ9OSk/RZSht5C5q+Zbe6gy/3be+c:BHhan0cx2ho4
Malware Config
Signatures

Process spawned unexpected child process (1 IoC)
This typically indicates the parent process was compromised via an exploit or macro.
description: Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process; pid: 2360; pid_target: 1196; Process: Powershell.exe; procid_target: 34

Drops file in System32 directory (2 IoCs)
description: File opened for modification; ioc: C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk; Process: Powershell.exe
description: File opened for modification; ioc: C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk; Process: powershell.exe

Signature (name not preserved on the page; 4 IoCs)
pid: 824; Process: powershell.exe
pid: 2808; Process: powershell.exe
pid: 2360; Process: Powershell.exe
pid: 1728; Process: powershell.exe

Suspicious behavior: EnumeratesProcesses (4 IoCs)
pid: 824; Process: powershell.exe
pid: 2808; Process: powershell.exe
pid: 2360; Process: Powershell.exe
pid: 1728; Process: powershell.exe

Suspicious use of AdjustPrivilegeToken (4 IoCs)
description: Token: SeDebugPrivilege; pid: 824; Process: powershell.exe
description: Token: SeDebugPrivilege; pid: 2808; Process: powershell.exe
description: Token: SeDebugPrivilege; pid: 2360; Process: Powershell.exe
description: Token: SeDebugPrivilege; pid: 1728; Process: powershell.exe

Suspicious use of WriteProcessMemory (12 IoCs)
description: PID 824 wrote to memory of 2808; pid: 824; Process: powershell.exe; procid_target: 32
description: PID 824 wrote to memory of 2808; pid: 824; Process: powershell.exe; procid_target: 32
description: PID 824 wrote to memory of 2808; pid: 824; Process: powershell.exe; procid_target: 32
description: PID 2808 wrote to memory of 2628; pid: 2808; Process: powershell.exe; procid_target: 33
description: PID 2808 wrote to memory of 2628; pid: 2808; Process: powershell.exe; procid_target: 33
description: PID 2808 wrote to memory of 2628; pid: 2808; Process: powershell.exe; procid_target: 33
description: PID 2360 wrote to memory of 1348; pid: 2360; Process: Powershell.exe; procid_target: 37
description: PID 2360 wrote to memory of 1348; pid: 2360; Process: Powershell.exe; procid_target: 37
description: PID 2360 wrote to memory of 1348; pid: 2360; Process: Powershell.exe; procid_target: 37
description: PID 1348 wrote to memory of 1728; pid: 1348; Process: cmd.exe; procid_target: 38
description: PID 1348 wrote to memory of 1728; pid: 1348; Process: cmd.exe; procid_target: 38
description: PID 1348 wrote to memory of 1728; pid: 1348; Process: cmd.exe; procid_target: 38
Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 824, depth 1)
command line: powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\dollar1.ps1
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory

    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2808, depth 2)
    command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command "& 'C:\ProgramData\BHRJXGUUAIGNDKYKAISOEU\BHRJXGUUAIGNDKYKAISOEU.ps1'"
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

        C:\Windows\System32\WScript.exe (PID 2628, depth 3)
        command line: "C:\Windows\System32\WScript.exe" "C:\ProgramData\BHRJXGUUAIGNDKYKAISOEU\BHRJXGUUAIGNDKYKAISOEU.vbs"

C:\Windows\System32\WindowsPowerShell\v1.0\Powershell.exe (PID 2360, depth 1)
command line: Powershell -NoProfile -ExecutionPolicy Bypass -Command C:\ProgramData\BHRJXGUUAIGNDKYKAISOEU\BHRJXGUUAIGNDKYKAISOEU.bat
- Process spawned unexpected child process
- Drops file in System32 directory
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory

    C:\Windows\system32\cmd.exe (PID 1348, depth 2)
    command line: cmd /c ""C:\ProgramData\BHRJXGUUAIGNDKYKAISOEU\BHRJXGUUAIGNDKYKAISOEU.bat""
    - Suspicious use of WriteProcessMemory

        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 1728, depth 3)
        command line: PowerShell -NoProfile -ExecutionPolicy Bypass -Command "& 'C:\ProgramData\BHRJXGUUAIGNDKYKAISOEU\IHPWKPEVZAFOKFTDEAQASA.ps1'"
        - Drops file in System32 directory
        - Command and Scripting Interpreter: PowerShell
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 127B
MD5: 267f90e0cee8f697121c7d2fb4adac39
SHA1: 1a981c00e56ac26056f82265b121b8b79b518e94
SHA256: bfb6e3e481da85711794dffffeb8e8d73b34654c79d5eb979d0efa5759f72b7a
SHA512: 106b386734ed981bf97fcd2fa1d69b455a3aca8e8916624db38b46ebc000b87d4c45db53d35d7c6797232e92cf9c115a441286bc8f408aafe293beba18800661

Filesize: 457B
MD5: 519c80883e516f37113d65dd84a57b10
SHA1: 50ba890d7389a025cbfce10f4a48f9f43fbf0f91
SHA256: afc98de9a030e5b9514854f86192cefef755f763f67018e98763e06c920dac20
SHA512: 8caebf146421fbe1180384df8a5ff9162aee9c53672b219d5a87804aab8c9713eea7fca2b9b6b139346d0e21b459b89b274aab256d69550d9b858270616f49fc

Filesize: 3KB
MD5: 3cfc71a284fb40178c610cbd49c5129d
SHA1: 009788dfe6bc036b6b5bae079bdcbbdd1f12392f
SHA256: 5138b8936ea8ce93eb71ad432c42d8699e50b45e3c8003229dff3e35e1dd350e
SHA512: f3cf1cf63ba7d885f936bd357be98a076dbd3f5b13f830e3b227c37619847333c541287ca9194ff64bdbe5f64106d4fb55fc68a7e1ce4bf48bc33ff0c22cea4e

Filesize: 501KB
MD5: 62e4f84a9a51323b88c640342769d9af
SHA1: 45c0d492749726d2795d61f4ba695acf9e2d5a52
SHA256: 4a95dfbc8f5c0d0bfd89196601aac0022cf40660133482644b3a3cecb58c8c8c
SHA512: 0d8009daa875de4be4fddbf2cd79813572db6b72d5333bdc0173e1597871fce1f5a695ec3d094d7db4c682072f526677131fdf8205e6a969bb2662fafd03de9a

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\1K2P21QSZBQG4I151OUJ.temp
Filesize: 7KB
MD5: 17244126ac8dde57d3026e05d70c6c30
SHA1: 2dbc8193f5da192836b4ec7c56f4daeb2a8d3507
SHA256: 21dca91ca1a57422c32ed383173fc846973c2cf857c0198d3c00c0ccea53023a
SHA512: 7bfd4b5c56a4c3b34e4a77217120810114e040bf7c08d28e36ac30e78d34795623bf73c60a5ce513fac7c3e621093ea78042d9f7c1c7905b3ce4a26ad884e6f9

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize: 7KB
MD5: 16314dee5b16608056c49326e5d68fc9
SHA1: 3418c9b33b2c54d7b69a843ce4f39a86ab04c497
SHA256: 8636819c3fcbc24db55c49d7f30ed48ec79ea3f3069a93818f009c45cf4a0273
SHA512: b77100d9aecc74d7e21d6e0e090f13934118242e312da823d4b23204af497b56d59e0541f336f2516ad7d7f1673ef80fc879f28bde99d1461441e6f130f2c094