Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

7

Static

static

1

Implant au...up.bat

windows7-x64

Implant au...up.bat

windows10-2004-x64

Resubmissions

09/05/2024, 17:38

240509-v77l9seb6v 7

09/05/2024, 17:37

240509-v7crwshb89 7

Analysis

  • max time kernel
    3s
  • max time network
    7s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
  • submitted
    09/05/2024, 17:38

Sharing

Copy URL
Twitter E-mail

Errors

Reason
Machine shutdown
Report Analysis Logs

General

  • Target

    Implant auto-shutdown into startup.bat

  • Size

    691B

  • MD5

    dec20e0634f78a5cb5e483960411b258

  • SHA1

    fab719f331b9d7f210da1098c91443d4f763e9bc

  • SHA256

    96b69ee3a4311d4fa35d608c4da17ace27243381bb26a3eb94994349d4416455

  • SHA512

    de1cd08c6427e6152612ebfa3be6208cdfbd212fe1ae1bfe80221c3a8adad9297930aa0681986bf2cf768ac012426a4d2cd44f56b8ac3eae9437fb1282ae4b85

Score
7/10

Malware Config

Signatures

  • Drops startup file 2 IoCs
  • Modifies data under HKEY_USERS 15 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 2 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Implant auto-shutdown into startup.bat"
    1⤵
    • Drops startup file
    • Suspicious use of WriteProcessMemory
    PID:952
    • C:\Windows\system32\shutdown.exe
      shutdown -r -f -t 0
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:1476
  • C:\Windows\system32\LogonUI.exe
    "LogonUI.exe" /flags:0x4 /state0:0xa3944055 /state1:0x41c64e6d
    1⤵
    • Modifies data under HKEY_USERS
    • Suspicious use of SetWindowsHookEx
    PID:1540

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads