Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
55s -
max time network
71s -
platform
windows10-1703_x64 -
resource
win10-20230220-es -
resource tags
arch:x64arch:x86image:win10-20230220-eslocale:es-esos:windows10-1703-x64systemwindows -
submitted
21/03/2023, 17:58
Static task
static1
Behavioral task
behavioral1
Sample
sfk.cmd
Resource
win10-20230220-es
Behavioral task
behavioral2
Sample
sfk.cmd
Resource
win10v2004-20230220-es
General
-
Target
sfk.cmd
-
Size
3KB
-
MD5
c8a9a54268e70aeb7fe228ae95b2ecdc
-
SHA1
ca51405c2298d2d1a3e448002d368887ebc67b2a
-
SHA256
03756119185c012ae7a36f165a5f0236dbadca1a0314ba3fbeab826565dbd848
-
SHA512
18d5253f5ee486eddbcc1dffcf169aa25be35c04cb60993aaac7ae18a9fb14032d3bf4121d971703bb620ab138db63e21c8102cc37b6872756deb2901308b5a7
Malware Config
Signatures
-
Suspicious behavior: EnumeratesProcesses 6 IoCs
pid Process 4900 powershell.exe 4900 powershell.exe 4900 powershell.exe 4100 powershell.exe 4100 powershell.exe 4100 powershell.exe -
Suspicious use of AdjustPrivilegeToken 44 IoCs
description pid Process Token: SeDebugPrivilege 4900 powershell.exe Token: SeIncreaseQuotaPrivilege 4900 powershell.exe Token: SeSecurityPrivilege 4900 powershell.exe Token: SeTakeOwnershipPrivilege 4900 powershell.exe Token: SeLoadDriverPrivilege 4900 powershell.exe Token: SeSystemProfilePrivilege 4900 powershell.exe Token: SeSystemtimePrivilege 4900 powershell.exe Token: SeProfSingleProcessPrivilege 4900 powershell.exe Token: SeIncBasePriorityPrivilege 4900 powershell.exe Token: SeCreatePagefilePrivilege 4900 powershell.exe Token: SeBackupPrivilege 4900 powershell.exe Token: SeRestorePrivilege 4900 powershell.exe Token: SeShutdownPrivilege 4900 powershell.exe Token: SeDebugPrivilege 4900 powershell.exe Token: SeSystemEnvironmentPrivilege 4900 powershell.exe Token: SeRemoteShutdownPrivilege 4900 powershell.exe Token: SeUndockPrivilege 4900 powershell.exe Token: SeManageVolumePrivilege 4900 powershell.exe Token: 33 4900 powershell.exe Token: 34 4900 powershell.exe Token: 35 4900 powershell.exe Token: 36 4900 powershell.exe Token: SeDebugPrivilege 4100 powershell.exe Token: SeIncreaseQuotaPrivilege 4100 powershell.exe Token: SeSecurityPrivilege 4100 powershell.exe Token: SeTakeOwnershipPrivilege 4100 powershell.exe Token: SeLoadDriverPrivilege 4100 powershell.exe Token: SeSystemProfilePrivilege 4100 powershell.exe Token: SeSystemtimePrivilege 4100 powershell.exe Token: SeProfSingleProcessPrivilege 4100 powershell.exe Token: SeIncBasePriorityPrivilege 4100 powershell.exe Token: SeCreatePagefilePrivilege 4100 powershell.exe Token: SeBackupPrivilege 4100 powershell.exe Token: SeRestorePrivilege 4100 powershell.exe Token: SeShutdownPrivilege 4100 powershell.exe Token: SeDebugPrivilege 4100 powershell.exe Token: SeSystemEnvironmentPrivilege 4100 powershell.exe Token: SeRemoteShutdownPrivilege 4100 powershell.exe Token: SeUndockPrivilege 4100 powershell.exe Token: SeManageVolumePrivilege 4100 powershell.exe Token: 33 4100 powershell.exe Token: 34 4100 powershell.exe Token: 35 4100 powershell.exe Token: 36 4100 powershell.exe -
Suspicious use of WriteProcessMemory 6 IoCs
description pid Process procid_target PID 1436 wrote to memory of 1792 1436 cmd.exe 67 PID 1436 wrote to memory of 1792 1436 cmd.exe 67 PID 1436 wrote to memory of 4900 1436 cmd.exe 68 PID 1436 wrote to memory of 4900 1436 cmd.exe 68 PID 1436 wrote to memory of 4100 1436 cmd.exe 70 PID 1436 wrote to memory of 4100 1436 cmd.exe 70
Processes
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\sfk.cmd"1⤵
- Suspicious use of WriteProcessMemory
PID:1436 -
C:\Windows\system32\reg.exereg query "HKU\S-1-5-19\Environment"2⤵PID:1792
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe add-mpPreference -exclusionPath "'C:\Users\Admin\AppData\Local\Temp\23591658422471'"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4900
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe Remove-MpPreference -exclusionPath "C:\Users\Admin\AppData\Local\Temp\23591658422471"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4100
-
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵PID:4464
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
3KB
MD58592ba100a78835a6b94d5949e13dfc1
SHA163e901200ab9a57c7dd4c078d7f75dcd3b357020
SHA256fdd7d9def6f9f0c0f2e60dbc8a2d1999071cd7d3095e9e087bb1cda7a614ac3c
SHA51287f98e6cb61b2a2a7d65710c4d33881d89715eb7a06e00d492259f35c3902498baabffc5886be0ec5a14312ad4c262e3fc40cd3a5cb91701af0fb229726b88c3
-
Filesize
1KB
MD516e530656c58fa203f56288f78af3421
SHA1c03d9290f672930e0b17dca3ab746a9b89a00630
SHA2562b2b8dfaa8e252e7ee7cbcc6155a97fbc2d19619d137a49f67465d0312d95360
SHA5129967d15a1623a91bd539233670c1854137077f0574c8dc6bb86393aa6f4528b6d75bd1c9d3ce133ba6a49fca4f6d0d0df7b9a622031e6e832d0edf482c669e1b
-
Filesize
1B
MD5c4ca4238a0b923820dcc509a6f75849b
SHA1356a192b7913b04c54574d18c28d46e6395428ab
SHA2566b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA5124dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a