Analysis
- max time kernel: 120s
- max time network: 124s
- platform: windows7_x64
- resource: win7-20240508-en
- resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
- submitted: 30/05/2024, 19:14
Static task
- static1

Behavioral task
- behavioral1
- Sample: a.bat
- Resource: win7-20240508-en
- 5 signatures
- 150 seconds

Behavioral task
- behavioral2
- Sample: a.bat
- Resource: win10v2004-20240508-en
- 5 signatures
- 150 seconds
General
- Target: a.bat
- Size: 25KB
- MD5: 1a124ac47a96d52728cc1177adb0f844
- SHA1: b11438028476f3724fb964054dc1812b16d4b85f
- SHA256: 4f024d3a2b89341e025d7b9ca2bcc111c741765972066c9d12da2501f09c6524
- SHA512: 925c8924f2bb950fc94c849760e5483a66845b9f21de842fb64ebc8d3773ee934387ac86eac29a3fbfa9c4d32c246c955d60cf03ba7029c797264f72510a2eba
- SSDEEP: 768:DuVHO397H8tymn+pdTXj0DfQhsxifjqXXWybXtyR:DuZC
Score
1/10
Malware Config
Signatures
- Delays execution with timeout.exe (1 IoC)
  pid / Process: 2472 timeout.exe
- Enumerates processes with tasklist (1 TTP, 3 IoCs)
  pid / Process: 2916 tasklist.exe, 2968 tasklist.exe, 564 tasklist.exe
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
- Suspicious use of WriteProcessMemory (64 IoCs)
- Views/modifies file attributes (1 TTP, 22 IoCs)
  pid / Process: 2708, 2080, 2692, 2140, 2640, 2712, 2732, 2644, 2604, 2332, 3068, 3032, 2600, 2696, 2768, 2364, 2312, 2588, 2720, 2848, 3044, 2728 (all attrib.exe)
Processes (indentation shows parent/child depth; signatures triggered by a process are listed in brackets)
- [PID 1772] C:\Windows\system32\cmd.exe: cmd /c "C:\Users\Admin\AppData\Local\Temp\a.bat" [Suspicious use of WriteProcessMemory]
  - [PID 2124] C:\Windows\system32\reg.exe: reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v Hidden /t REG_DWORD /d 0 /f
  - [PID 2364] C:\Windows\system32\attrib.exe: attrib +h "C:\Users\Admin\AppData\Local\Temp\1390520447" [Views/modifies file attributes]
  - [PID 2312] C:\Windows\system32\attrib.exe: attrib +h "C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin" [Views/modifies file attributes]
  - [PID 2332] C:\Windows\system32\attrib.exe: attrib +h "C:\Users\Admin\AppData\Local\Temp\Low" [Views/modifies file attributes]
  - [PID 3044] C:\Windows\system32\attrib.exe: attrib +h "C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219" [Views/modifies file attributes]
  - [PID 2728] C:\Windows\system32\attrib.exe: attrib +h "C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219" [Views/modifies file attributes]
  - [PID 3032] C:\Windows\system32\attrib.exe: attrib +h "C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files" [Views/modifies file attributes]
  - [PID 2588] C:\Windows\system32\attrib.exe: attrib +h "C:\Users\Admin\AppData\Local\Temp\scoped_dir816_1791373456" [Views/modifies file attributes]
  - [PID 2080] C:\Windows\system32\attrib.exe: attrib +h "C:\Users\Admin\AppData\Local\Temp\scoped_dir816_2026301031" [Views/modifies file attributes]
  - [PID 3068] C:\Windows\system32\attrib.exe: attrib +h "C:\Users\Admin\AppData\Local\Temp\WPDNSE" [Views/modifies file attributes]
  - [PID 2140] C:\Windows\system32\attrib.exe: attrib +h "C:\Users\Admin\AppData\Local\Temp\*.tmp\*" /S /D [Views/modifies file attributes]
  - [PID 2640] C:\Windows\system32\attrib.exe: attrib +h "" [Views/modifies file attributes]
  - [PID 2600] C:\Windows\system32\attrib.exe: attrib +h "" [Views/modifies file attributes]
  - [PID 2692] C:\Windows\system32\attrib.exe: attrib +h "" [Views/modifies file attributes]
  - [PID 2708] C:\Windows\system32\attrib.exe: attrib +h "" [Views/modifies file attributes]
  - [PID 2712] C:\Windows\system32\attrib.exe: attrib +h "" [Views/modifies file attributes]
  - [PID 2732] C:\Windows\system32\attrib.exe: attrib +h "" [Views/modifies file attributes]
  - [PID 2720] C:\Windows\system32\attrib.exe: attrib +h "" [Views/modifies file attributes]
  - [PID 2696] C:\Windows\system32\attrib.exe: attrib +h "" [Views/modifies file attributes]
  - [PID 2644] C:\Windows\system32\attrib.exe: attrib +h "" [Views/modifies file attributes]
  - [PID 2604] C:\Windows\system32\attrib.exe: attrib +h "" [Views/modifies file attributes]
  - [PID 2848] C:\Windows\system32\attrib.exe: attrib +h "" [Views/modifies file attributes]
  - [PID 2768] C:\Windows\system32\attrib.exe: attrib +h "" [Views/modifies file attributes]
  - [PID 2744] C:\Windows\system32\cmd.exe: C:\Windows\system32\cmd.exe /c wmic baseboard get product /value | find "Product"
    - [PID 3036] C:\Windows\System32\Wbem\WMIC.exe: wmic baseboard get product /value [Suspicious use of AdjustPrivilegeToken]
    - [PID 2752] C:\Windows\system32\find.exe: find "Product"
  - [PID 2760] C:\Windows\system32\cmd.exe: C:\Windows\system32\cmd.exe /c wmic csproduct get name /value | find "Name"
    - [PID 2740] C:\Windows\System32\Wbem\WMIC.exe: wmic csproduct get name /value [Suspicious use of AdjustPrivilegeToken]
    - [PID 2500] C:\Windows\system32\find.exe: find "Name"
  - [PID 2572] C:\Windows\system32\cmd.exe: C:\Windows\system32\cmd.exe /c wmic cpu get caption /value | find "Caption"
    - [PID 2204] C:\Windows\System32\Wbem\WMIC.exe: wmic cpu get caption /value
    - [PID 2940] C:\Windows\system32\find.exe: find "Caption"
  - [PID 2916] C:\Windows\system32\tasklist.exe: tasklist [Enumerates processes with tasklist]
  - [PID 2932] C:\Windows\system32\find.exe: find /i "VMwareService.exe"
  - [PID 2968] C:\Windows\system32\tasklist.exe: tasklist [Enumerates processes with tasklist]
  - [PID 2964] C:\Windows\system32\find.exe: find /i "VMwareTray.exe"
  - [PID 564] C:\Windows\system32\tasklist.exe: tasklist [Enumerates processes with tasklist]
  - [PID 2392] C:\Windows\system32\find.exe: find /i "provisioner.exe"
  - [PID 2472] C:\Windows\system32\timeout.exe: timeout 5 /nobreak [Delays execution with timeout.exe]