Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
11s -
max time network
16s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system -
submitted
30/05/2024, 19:14
Static task
static1
Behavioral task
behavioral1
Sample
a.bat
Resource
win7-20240508-en
windows7-x64
5 signatures
150 seconds
Behavioral task
behavioral2
Sample
a.bat
Resource
win10v2004-20240508-en
windows10-2004-x64
5 signatures
150 seconds
General
-
Target
a.bat
-
Size
25KB
-
MD5
1a124ac47a96d52728cc1177adb0f844
-
SHA1
b11438028476f3724fb964054dc1812b16d4b85f
-
SHA256
4f024d3a2b89341e025d7b9ca2bcc111c741765972066c9d12da2501f09c6524
-
SHA512
925c8924f2bb950fc94c849760e5483a66845b9f21de842fb64ebc8d3773ee934387ac86eac29a3fbfa9c4d32c246c955d60cf03ba7029c797264f72510a2eba
-
SSDEEP
768:DuVHO397H8tymn+pdTXj0DfQhsxifjqXXWybXtyR:DuZC
Score
1/10
Malware Config
Signatures
-
Delays execution with timeout.exe 1 IoCs
pid Process 1456 timeout.exe -
Enumerates processes with tasklist 1 TTPs 3 IoCs
pid Process 5048 tasklist.exe 2212 tasklist.exe 920 tasklist.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeIncreaseQuotaPrivilege 1680 WMIC.exe Token: SeSecurityPrivilege 1680 WMIC.exe Token: SeTakeOwnershipPrivilege 1680 WMIC.exe Token: SeLoadDriverPrivilege 1680 WMIC.exe Token: SeSystemProfilePrivilege 1680 WMIC.exe Token: SeSystemtimePrivilege 1680 WMIC.exe Token: SeProfSingleProcessPrivilege 1680 WMIC.exe Token: SeIncBasePriorityPrivilege 1680 WMIC.exe Token: SeCreatePagefilePrivilege 1680 WMIC.exe Token: SeBackupPrivilege 1680 WMIC.exe Token: SeRestorePrivilege 1680 WMIC.exe Token: SeShutdownPrivilege 1680 WMIC.exe Token: SeDebugPrivilege 1680 WMIC.exe Token: SeSystemEnvironmentPrivilege 1680 WMIC.exe Token: SeRemoteShutdownPrivilege 1680 WMIC.exe Token: SeUndockPrivilege 1680 WMIC.exe Token: SeManageVolumePrivilege 1680 WMIC.exe Token: 33 1680 WMIC.exe Token: 34 1680 WMIC.exe Token: 35 1680 WMIC.exe Token: 36 1680 WMIC.exe Token: SeIncreaseQuotaPrivilege 1680 WMIC.exe Token: SeSecurityPrivilege 1680 WMIC.exe Token: SeTakeOwnershipPrivilege 1680 WMIC.exe Token: SeLoadDriverPrivilege 1680 WMIC.exe Token: SeSystemProfilePrivilege 1680 WMIC.exe Token: SeSystemtimePrivilege 1680 WMIC.exe Token: SeProfSingleProcessPrivilege 1680 WMIC.exe Token: SeIncBasePriorityPrivilege 1680 WMIC.exe Token: SeCreatePagefilePrivilege 1680 WMIC.exe Token: SeBackupPrivilege 1680 WMIC.exe Token: SeRestorePrivilege 1680 WMIC.exe Token: SeShutdownPrivilege 1680 WMIC.exe Token: SeDebugPrivilege 1680 WMIC.exe Token: SeSystemEnvironmentPrivilege 1680 WMIC.exe Token: SeRemoteShutdownPrivilege 1680 WMIC.exe Token: SeUndockPrivilege 1680 WMIC.exe Token: SeManageVolumePrivilege 1680 WMIC.exe Token: 33 1680 WMIC.exe Token: 34 1680 WMIC.exe Token: 35 1680 WMIC.exe Token: 36 1680 WMIC.exe Token: SeIncreaseQuotaPrivilege 3752 WMIC.exe Token: SeSecurityPrivilege 3752 WMIC.exe Token: SeTakeOwnershipPrivilege 3752 WMIC.exe Token: SeLoadDriverPrivilege 3752 WMIC.exe Token: SeSystemProfilePrivilege 3752 WMIC.exe Token: SeSystemtimePrivilege 3752 WMIC.exe Token: SeProfSingleProcessPrivilege 3752 WMIC.exe Token: SeIncBasePriorityPrivilege 3752 WMIC.exe Token: SeCreatePagefilePrivilege 3752 WMIC.exe Token: SeBackupPrivilege 3752 WMIC.exe Token: SeRestorePrivilege 3752 WMIC.exe Token: SeShutdownPrivilege 3752 WMIC.exe Token: SeDebugPrivilege 3752 WMIC.exe Token: SeSystemEnvironmentPrivilege 3752 WMIC.exe Token: SeRemoteShutdownPrivilege 3752 WMIC.exe Token: SeUndockPrivilege 3752 WMIC.exe Token: SeManageVolumePrivilege 3752 WMIC.exe Token: 33 3752 WMIC.exe Token: 34 3752 WMIC.exe Token: 35 3752 WMIC.exe Token: 36 3752 WMIC.exe Token: SeIncreaseQuotaPrivilege 3752 WMIC.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3016 wrote to memory of 3976 3016 cmd.exe 83 PID 3016 wrote to memory of 3976 3016 cmd.exe 83 PID 3016 wrote to memory of 4684 3016 cmd.exe 84 PID 3016 wrote to memory of 4684 3016 cmd.exe 84 PID 3016 wrote to memory of 2988 3016 cmd.exe 85 PID 3016 wrote to memory of 2988 3016 cmd.exe 85 PID 3016 wrote to memory of 4516 3016 cmd.exe 86 PID 3016 wrote to memory of 4516 3016 cmd.exe 86 PID 3016 wrote to memory of 2188 3016 cmd.exe 87 PID 3016 wrote to memory of 2188 3016 cmd.exe 87 PID 3016 wrote to memory of 4964 3016 cmd.exe 88 PID 3016 wrote to memory of 4964 3016 cmd.exe 88 PID 3016 wrote to memory of 4672 3016 cmd.exe 89 PID 3016 wrote to memory of 4672 3016 cmd.exe 89 PID 3016 wrote to memory of 2736 3016 cmd.exe 90 PID 3016 wrote to memory of 2736 3016 cmd.exe 90 PID 3016 wrote to memory of 2764 3016 cmd.exe 91 PID 3016 wrote to memory of 2764 3016 cmd.exe 91 PID 3016 wrote to memory of 2936 3016 cmd.exe 92 PID 3016 wrote to memory of 2936 3016 cmd.exe 92 PID 3016 wrote to memory of 1148 3016 cmd.exe 93 PID 3016 wrote to memory of 1148 3016 cmd.exe 93 PID 3016 wrote to memory of 1700 3016 cmd.exe 94 PID 3016 wrote to memory of 1700 3016 cmd.exe 94 PID 3016 wrote to memory of 3856 3016 cmd.exe 95 PID 3016 wrote to memory of 3856 3016 cmd.exe 95 PID 3016 wrote to memory of 2392 3016 cmd.exe 96 PID 3016 wrote to memory of 2392 3016 cmd.exe 96 PID 3016 wrote to memory of 2916 3016 cmd.exe 97 PID 3016 wrote to memory of 2916 3016 cmd.exe 97 PID 3016 wrote to memory of 2644 3016 cmd.exe 98 PID 3016 wrote to memory of 2644 3016 cmd.exe 98 PID 3016 wrote to memory of 5008 3016 cmd.exe 99 PID 3016 wrote to memory of 5008 3016 cmd.exe 99 PID 3016 wrote to memory of 4508 3016 cmd.exe 100 PID 3016 wrote to memory of 4508 3016 cmd.exe 100 PID 3016 wrote to memory of 2640 3016 cmd.exe 101 PID 3016 wrote to memory of 2640 3016 cmd.exe 101 PID 3016 wrote to memory of 2412 3016 cmd.exe 102 PID 3016 wrote to memory of 2412 3016 cmd.exe 102 PID 3016 wrote to memory of 3316 3016 cmd.exe 103 PID 3016 wrote to memory of 3316 3016 cmd.exe 103 PID 3016 wrote to memory of 4880 3016 cmd.exe 104 PID 3016 wrote to memory of 4880 3016 cmd.exe 104 PID 3016 wrote to memory of 2096 3016 cmd.exe 105 PID 3016 wrote to memory of 2096 3016 cmd.exe 105 PID 3016 wrote to memory of 3572 3016 cmd.exe 106 PID 3016 wrote to memory of 3572 3016 cmd.exe 106 PID 3572 wrote to memory of 1680 3572 cmd.exe 107 PID 3572 wrote to memory of 1680 3572 cmd.exe 107 PID 3572 wrote to memory of 632 3572 cmd.exe 108 PID 3572 wrote to memory of 632 3572 cmd.exe 108 PID 3016 wrote to memory of 4492 3016 cmd.exe 110 PID 3016 wrote to memory of 4492 3016 cmd.exe 110 PID 4492 wrote to memory of 3752 4492 cmd.exe 111 PID 4492 wrote to memory of 3752 4492 cmd.exe 111 PID 4492 wrote to memory of 3400 4492 cmd.exe 112 PID 4492 wrote to memory of 3400 4492 cmd.exe 112 PID 3016 wrote to memory of 3608 3016 cmd.exe 113 PID 3016 wrote to memory of 3608 3016 cmd.exe 113 PID 3608 wrote to memory of 808 3608 cmd.exe 114 PID 3608 wrote to memory of 808 3608 cmd.exe 114 PID 3608 wrote to memory of 3392 3608 cmd.exe 115 PID 3608 wrote to memory of 3392 3608 cmd.exe 115 -
Views/modifies file attributes 1 TTPs 22 IoCs
pid Process 2644 attrib.exe 5008 attrib.exe 2412 attrib.exe 3316 attrib.exe 4880 attrib.exe 2392 attrib.exe 2916 attrib.exe 2936 attrib.exe 1148 attrib.exe 2640 attrib.exe 4684 attrib.exe 4516 attrib.exe 3856 attrib.exe 2096 attrib.exe 4672 attrib.exe 2764 attrib.exe 4964 attrib.exe 2736 attrib.exe 1700 attrib.exe 4508 attrib.exe 2988 attrib.exe 2188 attrib.exe
Processes
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a.bat"1⤵
- Suspicious use of WriteProcessMemory
PID:3016 -
C:\Windows\system32\reg.exereg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v Hidden /t REG_DWORD /d 0 /f2⤵PID:3976
-
-
C:\Windows\system32\attrib.exeattrib +h "C:\Users\Admin\AppData\Local\Temp\828675283"2⤵
- Views/modifies file attributes
PID:4684
-
-
C:\Windows\system32\attrib.exeattrib +h "C:\Users\Admin\AppData\Local\Temp\acrocef_low"2⤵
- Views/modifies file attributes
PID:2988
-
-
C:\Windows\system32\attrib.exeattrib +h "C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin"2⤵
- Views/modifies file attributes
PID:4516
-
-
C:\Windows\system32\attrib.exeattrib +h "C:\Users\Admin\AppData\Local\Temp\Low"2⤵
- Views/modifies file attributes
PID:2188
-
-
C:\Windows\system32\attrib.exeattrib +h "C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219"2⤵
- Views/modifies file attributes
PID:4964
-
-
C:\Windows\system32\attrib.exeattrib +h "C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219"2⤵
- Views/modifies file attributes
PID:4672
-
-
C:\Windows\system32\attrib.exeattrib +h "C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files"2⤵
- Views/modifies file attributes
PID:2736
-
-
C:\Windows\system32\attrib.exeattrib +h "C:\Users\Admin\AppData\Local\Temp\OneNote"2⤵
- Views/modifies file attributes
PID:2764
-
-
C:\Windows\system32\attrib.exeattrib +h "C:\Users\Admin\AppData\Local\Temp\{067D9787-1BC0-4E04-8C09-CA87A060680A}"2⤵
- Views/modifies file attributes
PID:2936
-
-
C:\Windows\system32\attrib.exeattrib +h "C:\Users\Admin\AppData\Local\Temp\*.tmp\*" /S /D2⤵
- Views/modifies file attributes
PID:1148
-
-
C:\Windows\system32\attrib.exeattrib +h ""2⤵
- Views/modifies file attributes
PID:1700
-
-
C:\Windows\system32\attrib.exeattrib +h ""2⤵
- Views/modifies file attributes
PID:3856
-
-
C:\Windows\system32\attrib.exeattrib +h ""2⤵
- Views/modifies file attributes
PID:2392
-
-
C:\Windows\system32\attrib.exeattrib +h ""2⤵
- Views/modifies file attributes
PID:2916
-
-
C:\Windows\system32\attrib.exeattrib +h ""2⤵
- Views/modifies file attributes
PID:2644
-
-
C:\Windows\system32\attrib.exeattrib +h ""2⤵
- Views/modifies file attributes
PID:5008
-
-
C:\Windows\system32\attrib.exeattrib +h ""2⤵
- Views/modifies file attributes
PID:4508
-
-
C:\Windows\system32\attrib.exeattrib +h ""2⤵
- Views/modifies file attributes
PID:2640
-
-
C:\Windows\system32\attrib.exeattrib +h ""2⤵
- Views/modifies file attributes
PID:2412
-
-
C:\Windows\system32\attrib.exeattrib +h ""2⤵
- Views/modifies file attributes
PID:3316
-
-
C:\Windows\system32\attrib.exeattrib +h ""2⤵
- Views/modifies file attributes
PID:4880
-
-
C:\Windows\system32\attrib.exeattrib +h ""2⤵
- Views/modifies file attributes
PID:2096
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wmic baseboard get product /value | find "Product"2⤵
- Suspicious use of WriteProcessMemory
PID:3572 -
C:\Windows\System32\Wbem\WMIC.exewmic baseboard get product /value3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1680
-
-
C:\Windows\system32\find.exefind "Product"3⤵PID:632
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wmic csproduct get name /value | find "Name"2⤵
- Suspicious use of WriteProcessMemory
PID:4492 -
C:\Windows\System32\Wbem\WMIC.exewmic csproduct get name /value3⤵
- Suspicious use of AdjustPrivilegeToken
PID:3752
-
-
C:\Windows\system32\find.exefind "Name"3⤵PID:3400
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wmic cpu get caption /value | find "Caption"2⤵
- Suspicious use of WriteProcessMemory
PID:3608 -
C:\Windows\System32\Wbem\WMIC.exewmic cpu get caption /value3⤵PID:808
-
-
C:\Windows\system32\find.exefind "Caption"3⤵PID:3392
-
-
-
C:\Windows\system32\tasklist.exetasklist2⤵
- Enumerates processes with tasklist
PID:5048
-
-
C:\Windows\system32\find.exefind /i "VMwareService.exe"2⤵PID:1736
-
-
C:\Windows\system32\tasklist.exetasklist2⤵
- Enumerates processes with tasklist
PID:2212
-
-
C:\Windows\system32\find.exefind /i "VMwareTray.exe"2⤵PID:3952
-
-
C:\Windows\system32\tasklist.exetasklist2⤵
- Enumerates processes with tasklist
PID:920
-
-
C:\Windows\system32\find.exefind /i "provisioner.exe"2⤵PID:2552
-
-
C:\Windows\system32\timeout.exetimeout 5 /nobreak2⤵
- Delays execution with timeout.exe
PID:1456
-