Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
178s -
max time network
183s -
platform
windows10-2004_x64 -
resource
win10v2004-20220414-en -
submitted
20/05/2022, 05:16
Static task
static1
Behavioral task
behavioral1
Sample
SALIKHACK/SALIKHACK.bat
Resource
win7-20220414-en
Behavioral task
behavioral2
Sample
SALIKHACK/SALIKHACK.bat
Resource
win10v2004-20220414-en
Behavioral task
behavioral3
Sample
SALIKHACK/SALIKHACK.exe
Resource
win7-20220414-en
Behavioral task
behavioral4
Sample
SALIKHACK/SALIKHACK.exe
Resource
win10v2004-20220414-en
General
-
Target
SALIKHACK/SALIKHACK.bat
-
Size
238B
-
MD5
21a67af3a0e70534daf91c971545bc80
-
SHA1
23141575d04651a2cd778a33732805c468033ef0
-
SHA256
940dd6c2693be78a671cad250f75a5b5324b3350e2b2fc1cfc098293b934fdb3
-
SHA512
b79f1dd26beee4a6995b0d67f112e4dff152d05822e8482579b6bdbd414b06cfbdeb6f55f4cb41d1821e6e7b98bfa3852e1d163355b3de5cd985373f8a333e66
Malware Config
Signatures
-
Runs net.exe
-
Suspicious use of WriteProcessMemory 12 IoCs
description pid Process procid_target PID 1648 wrote to memory of 2588 1648 cmd.exe 78 PID 1648 wrote to memory of 2588 1648 cmd.exe 78 PID 1648 wrote to memory of 3028 1648 cmd.exe 79 PID 1648 wrote to memory of 3028 1648 cmd.exe 79 PID 1648 wrote to memory of 3296 1648 cmd.exe 80 PID 1648 wrote to memory of 3296 1648 cmd.exe 80 PID 3296 wrote to memory of 2544 3296 net.exe 81 PID 3296 wrote to memory of 2544 3296 net.exe 81 PID 1648 wrote to memory of 4392 1648 cmd.exe 82 PID 1648 wrote to memory of 4392 1648 cmd.exe 82 PID 4392 wrote to memory of 4024 4392 net.exe 83 PID 4392 wrote to memory of 4024 4392 net.exe 83
Processes
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\SALIKHACK\SALIKHACK.bat"1⤵
- Suspicious use of WriteProcessMemory
PID:1648 -
C:\Windows\system32\reg.exereg add "HKCU\Software\Microsoft\Windows\DWM" /v Composition /t reg_dword /d 00000001 /f2⤵PID:2588
-
-
C:\Windows\system32\reg.exereg add "HKCU\Software\Microsoft\Windows\DWM" /v CompositionPolicy /t reg_dword /d 00000002 /f2⤵PID:3028
-
-
C:\Windows\system32\net.exenet stop uxsms2⤵
- Suspicious use of WriteProcessMemory
PID:3296 -
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop uxsms3⤵PID:2544
-
-
-
C:\Windows\system32\net.exenet start uxsms2⤵
- Suspicious use of WriteProcessMemory
PID:4392 -
C:\Windows\system32\net1.exeC:\Windows\system32\net1 start uxsms3⤵PID:4024
-
-