Analysis
- max time kernel: 95s
- max time network: 146s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 29/01/2025, 19:13
Static task: static1
Behavioral task: behavioral1
- Sample: KeyLoogerinst.ps1
- Resource: win7-20240903-en
General
- Target: KeyLoogerinst.ps1
- Size: 1KB
- MD5: 41f22eb766372b2df43ee0404c380a8b
- SHA1: 9198c7b6762cda3c4a2ec69ba9aa9d8633ee5d42
- SHA256: c21c305b162d9468ab329b9323cbeb711d6a5da1af613e4a1ebc5eae23fb18f0
- SHA512: 6b6d155a4739b213295d3ca5cda3cd61c4f4bb4e4221dddf382fccf6ef960648d2450b9f013daf7e1daf6e4676a0cc6647489a206051a7809e829fbdfe3d2caf
Malware Config
Signatures
- Blocklisted process makes network request (2 IoCs)
    flow | pid | Process
    6 | 4416 | powershell.exe
    45 | 4416 | powershell.exe
- Downloads MZ/PE file (1 IoCs)
    flow | pid | Process
    6 | 4416 | powershell.exe
- Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up country code configured in the registry, likely geofence.
    description | ioc | Process
    Key value queried | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation | python-installer.exe
- Executes dropped EXE (3 IoCs)
    pid | Process
    4572 | python-installer.exe
    1788 | python-installer.exe
    3820 | python-3.13.1-amd64.exe
- Loads dropped DLL (1 IoCs)
    pid | Process
    1788 | python-installer.exe
- Checks installed software on the system (1 TTPs)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Legitimate hosting services abused for malware hosting/C2 (1 TTPs, 2 IoCs)
    flow | ioc
    44 | drive.google.com
    45 | drive.google.com
    pid | Process
    4416 | powershell.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
    description | ioc | Process
    Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | python-installer.exe
    Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | python-installer.exe
    Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | python-3.13.1-amd64.exe
- Checks SCSI registry key(s) (3 TTPs, 5 IoCs)
  SCSI information is often read in order to detect sandboxing environments.
    description | ioc | Process
    Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters | vssvc.exe
    Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters | vssvc.exe
    Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr | vssvc.exe
    Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache | vssvc.exe
    Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache | vssvc.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
    pid | Process
    4416 | powershell.exe
    4416 | powershell.exe
- Suspicious use of AdjustPrivilegeToken (12 IoCs)
    description | pid | Process
    Token: SeDebugPrivilege | 4416 | powershell.exe
    Token: SeBackupPrivilege | 4616 | vssvc.exe
    Token: SeRestorePrivilege | 4616 | vssvc.exe
    Token: SeAuditPrivilege | 4616 | vssvc.exe
    Token: SeBackupPrivilege | 220 | srtasks.exe
    Token: SeRestorePrivilege | 220 | srtasks.exe
    Token: SeSecurityPrivilege | 220 | srtasks.exe
    Token: SeTakeOwnershipPrivilege | 220 | srtasks.exe
    Token: SeBackupPrivilege | 220 | srtasks.exe
    Token: SeRestorePrivilege | 220 | srtasks.exe
    Token: SeSecurityPrivilege | 220 | srtasks.exe
    Token: SeTakeOwnershipPrivilege | 220 | srtasks.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
    description | pid | Process | procid_target
    PID 4416 wrote to memory of 4572 | 4416 | powershell.exe | 92
    PID 4416 wrote to memory of 4572 | 4416 | powershell.exe | 92
    PID 4416 wrote to memory of 4572 | 4416 | powershell.exe | 92
    PID 4572 wrote to memory of 1788 | 4572 | python-installer.exe | 93
    PID 4572 wrote to memory of 1788 | 4572 | python-installer.exe | 93
    PID 4572 wrote to memory of 1788 | 4572 | python-installer.exe | 93
    PID 1788 wrote to memory of 3820 | 1788 | python-installer.exe | 94
    PID 1788 wrote to memory of 3820 | 1788 | python-installer.exe | 94
    PID 1788 wrote to memory of 3820 | 1788 | python-installer.exe | 94
- Uses Volume Shadow Copy service COM API
  The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\KeyLoogerinst.ps1
  PID: 4416
  - Blocklisted process makes network request
  - Downloads MZ/PE file
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\python-installer.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\python-installer.exe" /quiet InstallAllUsers=1 PrependPath=1
    PID: 4572
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    - C:\Windows\Temp\{89DB60B6-9E1D-4579-B835-855F9FADFC4B}\.cr\python-installer.exe
      Command line: "C:\Windows\Temp\{89DB60B6-9E1D-4579-B835-855F9FADFC4B}\.cr\python-installer.exe" -burn.clean.room="C:\Users\Admin\AppData\Local\Temp\python-installer.exe" -burn.filehandle.attached=540 -burn.filehandle.self=700 /quiet InstallAllUsers=1 PrependPath=1
      PID: 1788
      - Checks computer location settings
      - Executes dropped EXE
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      - C:\Windows\Temp\{EB64B658-E38C-4D8F-8F07-70AA34107E25}\.be\python-3.13.1-amd64.exe
        Command line: "C:\Windows\Temp\{EB64B658-E38C-4D8F-8F07-70AA34107E25}\.be\python-3.13.1-amd64.exe" -q -burn.elevated BurnPipe.{32263317-17FF-4FB5-ACDF-1D8FDEC66F66} {BF142620-457F-414D-8F4C-2C75F87EB5E6} 1788
        PID: 3820
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
- C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  PID: 4616
  - Checks SCSI registry key(s)
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\srtasks.exe
  Command line: C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  PID: 220
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads