Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    95s
  • max time network
    146s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    29/01/2025, 19:13

General

  • Target

    KeyLoogerinst.ps1

  • Size

    1KB

  • MD5

    41f22eb766372b2df43ee0404c380a8b

  • SHA1

    9198c7b6762cda3c4a2ec69ba9aa9d8633ee5d42

  • SHA256

    c21c305b162d9468ab329b9323cbeb711d6a5da1af613e4a1ebc5eae23fb18f0

  • SHA512

    6b6d155a4739b213295d3ca5cda3cd61c4f4bb4e4221dddf382fccf6ef960648d2450b9f013daf7e1daf6e4676a0cc6647489a206051a7809e829fbdfe3d2caf

Score
8/10

Malware Config

Signatures

  • Blocklisted process makes network request 2 IoCs
  • Downloads MZ/PE file 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 1 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Using powershell.exe command.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Checks SCSI registry key(s) 3 TTPs 5 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 12 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\KeyLoogerinst.ps1
    1⤵
    • Blocklisted process makes network request
    • Downloads MZ/PE file
    • Command and Scripting Interpreter: PowerShell
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4416
    • C:\Users\Admin\AppData\Local\Temp\python-installer.exe
      "C:\Users\Admin\AppData\Local\Temp\python-installer.exe" /quiet InstallAllUsers=1 PrependPath=1
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4572
      • C:\Windows\Temp\{89DB60B6-9E1D-4579-B835-855F9FADFC4B}\.cr\python-installer.exe
        "C:\Windows\Temp\{89DB60B6-9E1D-4579-B835-855F9FADFC4B}\.cr\python-installer.exe" -burn.clean.room="C:\Users\Admin\AppData\Local\Temp\python-installer.exe" -burn.filehandle.attached=540 -burn.filehandle.self=700 /quiet InstallAllUsers=1 PrependPath=1
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:1788
        • C:\Windows\Temp\{EB64B658-E38C-4D8F-8F07-70AA34107E25}\.be\python-3.13.1-amd64.exe
          "C:\Windows\Temp\{EB64B658-E38C-4D8F-8F07-70AA34107E25}\.be\python-3.13.1-amd64.exe" -q -burn.elevated BurnPipe.{32263317-17FF-4FB5-ACDF-1D8FDEC66F66} {BF142620-457F-414D-8F4C-2C75F87EB5E6} 1788
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:3820
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Checks SCSI registry key(s)
    • Suspicious use of AdjustPrivilegeToken
    PID:4616
  • C:\Windows\system32\srtasks.exe
    C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:220

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_afjk3wa0.yk4.ps1

    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

  • C:\Users\Admin\AppData\Local\Temp\python-installer.exe

    Filesize

    27.4MB

    MD5

    90176c0cfa29327ab08c6083dcdcc210

    SHA1

    cc0bcf37414be313526d63ef708fc85da3b693b1

    SHA256

    6b33fa9a439a86f553f9f60e538ccabc857d2f308bc77c477c04a46552ade81f

    SHA512

    5940aae44386f3622dee3f32e6a98073851a9f646da6bf3e04f050b9a9239e0ddf50b26e5e125154edc5bbebce7353d273950f1111e4ca5f2b4e2e4a7ac7cf92

  • C:\Windows\Temp\{89DB60B6-9E1D-4579-B835-855F9FADFC4B}\.cr\python-installer.exe

    Filesize

    878KB

    MD5

    9bc2cfce73fe043e69c909fb1546dbbf

    SHA1

    8ee81917775b4bd60ea0592b2203d2219dc98cfa

    SHA256

    ba89d23a7c937c05feba316a927773faaf7becfb2279d9edac6cc11e31205e29

    SHA512

    4243b3923b998b21ed386750b179bf29bda164d6154e2f5cd744b361963c4e1025ed3d6d557f1cad672818a909cc8a5036cf14ccf4f5bdd1284db24156ad58e7

  • C:\Windows\Temp\{EB64B658-E38C-4D8F-8F07-70AA34107E25}\.ba\PythonBA.dll

    Filesize

    692KB

    MD5

    e8cd5641cae8ae7e9f98b8a3b7096808

    SHA1

    dd587894cad3122c1719def17f8377bb2bbbc05e

    SHA256

    898474ad4074571813416e58667a3b8a233e12e656579726c178ec71f794b268

    SHA512

    53034732df45527389362c2cc53d3ba0390bc4c1a7700b7d61d774d1eecdfed43381311c63b38861215813a674eb3fe865821cb352606522987fb2cfed2856e1

  • C:\Windows\Temp\{EB64B658-E38C-4D8F-8F07-70AA34107E25}\.ba\SideBar.png

    Filesize

    50KB

    MD5

    888eb713a0095756252058c9727e088a

    SHA1

    c14f69f2bef6bc3e2162b4dd78e9df702d94cdb4

    SHA256

    79434bd1368f47f08acf6db66638531d386bf15166d78d9bfea4da164c079067

    SHA512

    7c59f4ada242b19c2299b6789a65a1f34565fed78730c22c904db16a9872fe6a07035c6d46a64ee94501fbcd96de586a8a5303ca22f33da357d455c014820ca0

  • memory/4416-11-0x00007FF92BD90000-0x00007FF92C851000-memory.dmp

    Filesize

    10.8MB

  • memory/4416-14-0x00007FF92BD90000-0x00007FF92C851000-memory.dmp

    Filesize

    10.8MB

  • memory/4416-15-0x00007FF92BD90000-0x00007FF92C851000-memory.dmp

    Filesize

    10.8MB

  • memory/4416-13-0x00007FF92BD93000-0x00007FF92BD95000-memory.dmp

    Filesize

    8KB

  • memory/4416-12-0x00007FF92BD90000-0x00007FF92C851000-memory.dmp

    Filesize

    10.8MB

  • memory/4416-0-0x00007FF92BD93000-0x00007FF92BD95000-memory.dmp

    Filesize

    8KB

  • memory/4416-6-0x000002CC87500000-0x000002CC87522000-memory.dmp

    Filesize

    136KB

  • memory/4416-106-0x00007FF92BD90000-0x00007FF92C851000-memory.dmp

    Filesize

    10.8MB