Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
1s -
max time network
129s -
platform
windows10-2004_x64 -
resource
win10v2004-20231215-en -
resource tags
arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system -
submitted
29/12/2023, 20:10
Static task
static1
Behavioral task
behavioral1
Sample
02a70d502c907e478563fa6151993a57.exe
Resource
win7-20231215-en
Behavioral task
behavioral2
Sample
02a70d502c907e478563fa6151993a57.exe
Resource
win10v2004-20231215-en
General
-
Target
02a70d502c907e478563fa6151993a57.exe
-
Size
3.9MB
-
MD5
02a70d502c907e478563fa6151993a57
-
SHA1
804f5680f9768efd315b795769b20133b6670b37
-
SHA256
11f54d505aa0acf95198296fd3017bbee5656ff374f96d4a34cec36c84312aab
-
SHA512
2ceb29ea9c6b0167606eea56d01510003197d97d340b0e6746e44ec5cced3572ecd2ae8b5074de4ae15c1a2fdca4d11eded7caeaf019c33f6354555b5902ca87
-
SSDEEP
98304:kVXOCAF7o0ydfx9FV8vQquj/UG0cFQlhG:MXOCA60HC/UG08N
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
pid Process 4416 02a70d502c907e478563fa6151993a57.tmp -
Enumerates processes with tasklist 1 TTPs 21 IoCs
pid Process 5080 tasklist.exe 5060 tasklist.exe 3380 tasklist.exe 1252 tasklist.exe 4068 tasklist.exe 2704 tasklist.exe 4872 tasklist.exe 2716 tasklist.exe 4784 tasklist.exe 3036 tasklist.exe 4520 tasklist.exe 4328 tasklist.exe 2612 tasklist.exe 1504 tasklist.exe 4792 tasklist.exe 2680 tasklist.exe 212 tasklist.exe 3856 tasklist.exe 3836 tasklist.exe 776 tasklist.exe 2784 tasklist.exe -
Gathers network information 2 TTPs 5 IoCs
Uses commandline utility to view network configuration.
pid Process 1872 NETSTAT.EXE 380 NETSTAT.EXE 3536 NETSTAT.EXE 1944 NETSTAT.EXE 4388 NETSTAT.EXE -
Script User-Agent 6 IoCs
Uses user-agent string associated with script host/environment.
description flow ioc HTTP User-Agent header 77 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) HTTP User-Agent header 27 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) HTTP User-Agent header 30 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) HTTP User-Agent header 31 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) HTTP User-Agent header 36 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) HTTP User-Agent header 55 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) -
Suspicious behavior: EnumeratesProcesses 1 IoCs
pid Process 3536 NETSTAT.EXE -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 3536 NETSTAT.EXE -
Suspicious use of WriteProcessMemory 9 IoCs
description pid Process procid_target PID 1044 wrote to memory of 4416 1044 02a70d502c907e478563fa6151993a57.exe 24 PID 1044 wrote to memory of 4416 1044 02a70d502c907e478563fa6151993a57.exe 24 PID 1044 wrote to memory of 4416 1044 02a70d502c907e478563fa6151993a57.exe 24 PID 4416 wrote to memory of 2728 4416 02a70d502c907e478563fa6151993a57.tmp 203 PID 4416 wrote to memory of 2728 4416 02a70d502c907e478563fa6151993a57.tmp 203 PID 4416 wrote to memory of 2728 4416 02a70d502c907e478563fa6151993a57.tmp 203 PID 2728 wrote to memory of 3536 2728 cmd.exe 188 PID 2728 wrote to memory of 3536 2728 cmd.exe 188 PID 2728 wrote to memory of 3536 2728 cmd.exe 188
Processes
-
C:\Users\Admin\AppData\Local\Temp\02a70d502c907e478563fa6151993a57.exe"C:\Users\Admin\AppData\Local\Temp\02a70d502c907e478563fa6151993a57.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1044 -
C:\Users\Admin\AppData\Local\Temp\is-T2F1S.tmp\02a70d502c907e478563fa6151993a57.tmp"C:\Users\Admin\AppData\Local\Temp\is-T2F1S.tmp\02a70d502c907e478563fa6151993a57.tmp" /SL5="$1C01D2,3143344,56832,C:\Users\Admin\AppData\Local\Temp\02a70d502c907e478563fa6151993a57.exe"2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4416 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C ""CheckProc.cmd""3⤵PID:1632
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C ""CheckProc.cmd""3⤵PID:3380
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c tasklist /FI "IMAGENAME eq Setup (2).exe" /FO CSV4⤵PID:4068
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C ""CheckProc.cmd""3⤵PID:4196
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C ""CheckProc.cmd""3⤵PID:4396
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C ""CheckProc.cmd""3⤵PID:3092
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C ""CheckProc.cmd""3⤵PID:4020
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C ""CheckProc.cmd""3⤵PID:3548
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c tasklist /FI "IMAGENAME eq Regshot-x64-Unicode.exe" /FO CSV4⤵PID:4340
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C netstat -na | findstr /C:":5901 " | findstr /C:"ESTABLISHED"3⤵PID:4020
-
C:\Windows\SysWOW64\findstr.exefindstr /C:"ESTABLISHED"4⤵PID:608
-
-
C:\Windows\SysWOW64\findstr.exefindstr /C:":5901 "4⤵PID:5104
-
-
C:\Windows\SysWOW64\NETSTAT.EXEnetstat -na4⤵
- Gathers network information
PID:1944
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c tasklist /FI "IMAGENAME eq Procmon.exe" /FO CSV4⤵PID:4764
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C ""CheckProc.cmd""3⤵PID:3540
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c tasklist /FI "IMAGENAME eq TeamViewer_Desktop.exe" /FO CSV4⤵PID:4256
-
-
-
C:\Users\Admin\AppData\Local\Temp\is-QJ399.tmp\gentlemjmp_ieu.exe"C:\Users\Admin\AppData\Local\Temp\is-QJ399.tmp\gentlemjmp_ieu.exe" go=ofcourse product_id=UPD xmlsource=C:\Users\Admin\AppData\Local\Temp\02a70d502c907e478563fa6151993a57.exe3⤵PID:4440
-
C:\Users\Admin\AppData\Local\Temp\is-LRE2B.tmp\gentlemjmp_ieu.tmp"C:\Users\Admin\AppData\Local\Temp\is-LRE2B.tmp\gentlemjmp_ieu.tmp" /SL5="$27002E,2753625,56832,C:\Users\Admin\AppData\Local\Temp\is-QJ399.tmp\gentlemjmp_ieu.exe" go=ofcourse product_id=UPD xmlsource=C:\Users\Admin\AppData\Local\Temp\02a70d502c907e478563fa6151993a57.exe4⤵PID:396
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C ""CheckProc.cmd""3⤵PID:2716
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C ""CheckProc.cmd""3⤵PID:4036
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C ""CheckProc.cmd""3⤵PID:3004
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C netstat -na | findstr /C:":5904 " | findstr /C:"ESTABLISHED"3⤵PID:224
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C netstat -na | findstr /C:":5903 " | findstr /C:"ESTABLISHED"3⤵PID:4460
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C netstat -na | findstr /C:":5902 " | findstr /C:"ESTABLISHED"3⤵PID:3632
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C netstat -na | findstr /C:":5900 " | findstr /C:"ESTABLISHED"3⤵PID:1200
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c tasklist /FI "IMAGENAME eq ipscan.exe" /FO CSV4⤵PID:4768
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C ""C:\Users\Admin\AppData\Local\Temp\is-QJ399.tmp\cmd.bat""3⤵PID:4400
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C ""CheckProc.cmd""3⤵PID:4992
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C ""CheckProc.cmd""3⤵PID:4336
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C ""CheckProc.cmd""3⤵PID:3792
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C ""CheckProc.cmd""3⤵PID:3256
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c tasklist /FI "WINDOWTITLE eq Process Monitor*" |find "PID"3⤵PID:2568
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C ""CheckProc.cmd""3⤵PID:1200
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C ""CheckProc.cmd""3⤵PID:4036
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C ""CheckProc.cmd""3⤵PID:3280
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C ""CheckProc.cmd""3⤵PID:1056
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C ""CheckProc.cmd""3⤵PID:1612
-
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell.exe -inputformat none -NoProfile -NoLogo -Command "& {$avlist = @(); $os = Get-WmiObject Win32_OperatingSystem; if ($os.ProductType -eq 3) {Write-Host \"ServerOS|0\";} elseif ($os.Version -like \"5.*\") {Get-WmiObject -Namespace root\SecurityCenter -Class AntiVirusProduct | ForEach-Object {Write-Host \"$($_.displayName)|$(if ($_.onAccessScanningEnabled) {\"4096\"} else {\"0\"})\"};} else {Get-WmiObject -Namespace root\SecurityCenter2 -Class AntiVirusProduct | ForEach-Object {$avlist += \"$($_.displayName)|$($_.productState)\"};Get-WmiObject -Namespace root\SecurityCenter2 -Class AntiSpywareProduct | ForEach-Object {$avlist += \"$($_.displayName)|$($_.productState)\"};} Write-Host ($avlist -join \"*\")}"1⤵PID:3536
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C ""C:\Users\Admin\AppData\Local\Temp\is-QJ399.tmp\ex.bat""1⤵PID:2728
-
C:\Windows\SysWOW64\tasklist.exetasklist /FI "IMAGENAME eq Taskmgr.exe" /FO CSV2⤵
- Enumerates processes with tasklist
PID:2704
-
-
C:\Windows\SysWOW64\tasklist.exetasklist /FI "IMAGENAME eq newversion.exe" /FO CSV1⤵
- Enumerates processes with tasklist
PID:4872
-
C:\Windows\SysWOW64\tasklist.exetasklist /FI "IMAGENAME eq newversion.tmp" /FO CSV1⤵
- Enumerates processes with tasklist
PID:2680
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c tasklist /FI "IMAGENAME eq newversion.tmp" /FO CSV1⤵PID:4052
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c tasklist /FI "IMAGENAME eq newversion.exe" /FO CSV1⤵PID:1956
-
C:\Windows\SysWOW64\tasklist.exetasklist /FI "IMAGENAME eq Setup.exe" /FO CSV1⤵
- Enumerates processes with tasklist
PID:2612
-
C:\Windows\SysWOW64\tasklist.exetasklist /FI "IMAGENAME eq Setup (1).exe" /FO CSV1⤵
- Enumerates processes with tasklist
PID:2716 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c tasklist /FI "IMAGENAME eq unchecky_gb.exe" /FO CSV2⤵PID:2940
-
-
C:\Windows\SysWOW64\tasklist.exetasklist /FI "IMAGENAME eq Setup (2).exe" /FO CSV1⤵
- Enumerates processes with tasklist
PID:4784
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c tasklist /FI "IMAGENAME eq Setup (1).exe" /FO CSV1⤵PID:4328
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c tasklist /FI "IMAGENAME eq Setup.exe" /FO CSV1⤵PID:212
-
C:\Windows\SysWOW64\tasklist.exetasklist /FI "IMAGENAME eq HMA! Pro VPN.exe" /FO CSV1⤵
- Enumerates processes with tasklist
PID:3036
-
C:\Windows\SysWOW64\tasklist.exetasklist /FI "IMAGENAME eq Fiddler.exe" /FO CSV1⤵
- Enumerates processes with tasklist
PID:1504
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c tasklist /FI "IMAGENAME eq Fiddler.exe" /FO CSV1⤵PID:4708
-
C:\Windows\SysWOW64\tasklist.exetasklist /FI "IMAGENAME eq Wireshark.exe" /FO CSV1⤵
- Enumerates processes with tasklist
PID:4520
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c tasklist /FI "IMAGENAME eq Capsa.exe" /FO CSV1⤵PID:4940
-
C:\Windows\SysWOW64\tasklist.exetasklist /FI "IMAGENAME eq Capsa.exe" /FO CSV2⤵
- Enumerates processes with tasklist
PID:212
-
-
C:\Windows\SysWOW64\tasklist.exetasklist /FI "IMAGENAME eq ipscan.exe" /FO CSV1⤵
- Enumerates processes with tasklist
PID:4328
-
C:\Windows\SysWOW64\tasklist.exetasklist /FI "IMAGENAME eq Procmon.exe" /FO CSV1⤵
- Enumerates processes with tasklist
PID:4068
-
C:\Windows\SysWOW64\find.exefind "PID"1⤵PID:960
-
C:\Windows\SysWOW64\tasklist.exetasklist /FI "IMAGENAME eq regedit.exe" /FO CSV1⤵
- Enumerates processes with tasklist
PID:3856
-
C:\Windows\SysWOW64\tasklist.exetasklist /FI "IMAGENAME eq OLLYDBG.exe" /FO CSV1⤵
- Enumerates processes with tasklist
PID:4792
-
C:\Windows\SysWOW64\tasklist.exetasklist /FI "IMAGENAME eq Regshot-x64-Unicode.exe" /FO CSV1⤵
- Enumerates processes with tasklist
PID:5080
-
C:\Windows\SysWOW64\tasklist.exetasklist /FI "IMAGENAME eq Regshot-Unicode.exe" /FO CSV1⤵
- Enumerates processes with tasklist
PID:3836
-
C:\Windows\SysWOW64\tasklist.exetasklist /FI "IMAGENAME eq TeamViewer_Desktop.exe" /FO CSV1⤵
- Enumerates processes with tasklist
PID:5060
-
C:\Windows\SysWOW64\tasklist.exetasklist /FI "IMAGENAME eq DFServ.exe" /FO CSV1⤵
- Enumerates processes with tasklist
PID:776
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c tasklist /FI "IMAGENAME eq unchecky_svc.exe" /FO CSV1⤵PID:2132
-
C:\Windows\SysWOW64\tasklist.exetasklist /FI "IMAGENAME eq unchecky_svc.exe" /FO CSV2⤵
- Enumerates processes with tasklist
PID:2784
-
-
C:\Windows\SysWOW64\tasklist.exetasklist /FI "IMAGENAME eq unchecky_gb.exe" /FO CSV1⤵
- Enumerates processes with tasklist
PID:3380
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell.exe -inputformat none -NoProfile -NoLogo -Command "& {$avlist = @(); $os = Get-WmiObject Win32_OperatingSystem; if ($os.ProductType -eq 3) {Write-Host \"ServerOS|0\";} elseif ($os.Version -like \"5.*\") {Get-WmiObject -Namespace root\SecurityCenter -Class AntiVirusProduct | ForEach-Object {Write-Host \"$($_.displayName)|$(if ($_.onAccessScanningEnabled) {\"4096\"} else {\"0\"})\"};} else {Get-WmiObject -Namespace root\SecurityCenter2 -Class AntiVirusProduct | ForEach-Object {$avlist += \"$($_.displayName)|$($_.productState)\"};Get-WmiObject -Namespace root\SecurityCenter2 -Class AntiSpywareProduct | ForEach-Object {$avlist += \"$($_.displayName)|$($_.productState)\"};} Write-Host ($avlist -join \"*\")}"1⤵PID:4888
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C ""C:\Users\Admin\AppData\Local\Temp\is-45Q5U.tmp\ex.bat""1⤵PID:1972
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c tasklist /FI "IMAGENAME eq DFServ.exe" /FO CSV1⤵PID:1252
-
C:\Windows\SysWOW64\findstr.exefindstr /C:"ESTABLISHED"1⤵PID:3784
-
C:\Windows\SysWOW64\findstr.exefindstr /C:":5904 "1⤵PID:2896
-
C:\Windows\SysWOW64\NETSTAT.EXEnetstat -na1⤵
- Gathers network information
PID:1872
-
C:\Windows\SysWOW64\findstr.exefindstr /C:"ESTABLISHED"1⤵PID:116
-
C:\Windows\SysWOW64\findstr.exefindstr /C:":5903 "1⤵PID:4164
-
C:\Windows\SysWOW64\NETSTAT.EXEnetstat -na1⤵
- Gathers network information
PID:380
-
C:\Windows\SysWOW64\findstr.exefindstr /C:"ESTABLISHED"1⤵PID:4800
-
C:\Windows\SysWOW64\findstr.exefindstr /C:":5902 "1⤵PID:4552
-
C:\Windows\SysWOW64\NETSTAT.EXEnetstat -na1⤵
- Gathers network information
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3536
-
C:\Windows\SysWOW64\findstr.exefindstr /C:"ESTABLISHED"1⤵PID:4068
-
C:\Windows\SysWOW64\findstr.exefindstr /C:":5900 "1⤵PID:2940
-
C:\Windows\SysWOW64\NETSTAT.EXEnetstat -na1⤵
- Gathers network information
PID:4388
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c tasklist /FI "IMAGENAME eq Regshot-Unicode.exe" /FO CSV1⤵PID:2500
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c tasklist /FI "IMAGENAME eq OLLYDBG.exe" /FO CSV1⤵PID:3028
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c tasklist /FI "IMAGENAME eq Taskmgr.exe" /FO CSV1⤵
- Suspicious use of WriteProcessMemory
PID:2728
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c tasklist /FI "IMAGENAME eq regedit.exe" /FO CSV1⤵PID:5088
-
C:\Windows\SysWOW64\tasklist.exetasklist /FI "WINDOWTITLE eq Process Monitor*"1⤵
- Enumerates processes with tasklist
PID:1252
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c tasklist /FI "IMAGENAME eq Wireshark.exe" /FO CSV1⤵PID:3964
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c tasklist /FI "IMAGENAME eq HMA! Pro VPN.exe" /FO CSV1⤵PID:3848