Analysis
Max time kernel: 90s
Max time network: 95s
Platform: windows11-21h2_x64
Resource: win11-20240426-en
Resource tags: arch:x64, arch:x86, image:win11-20240426-en, locale:en-us, os:windows11-21h2-x64, system
Submitted: 08/06/2024, 13:35
Static task: static1
Behavioral task: behavioral1
Sample: Batlez Tweaks.bat
Resource: win11-20240426-en
General
Target: Batlez Tweaks.bat
Size: 173KB
MD5: 253e84d7b66dc7dc4922ea02958757a1
SHA1: 384d054d833dcb36116f6c9257fbfb5fe47b843d
SHA256: 5271bd7e9e74c25bbdc1e973b7fdad634a643942ad6171ab67587e4b850fee91
SHA512: 91f13e643fa97a19d1c75b36802997057a7825379c2b2d05c83be27fd354d1a38e83d7699eaa442ed6464de5dad94628bd8008e5834b1f894087ca9a83e8b45b
SSDEEP: 1536:xRlWO12I9CzhCCytht1MF+VWFUTUjU08o63b7H/UoiuU:r0zACytht1MF+VWSAwHjHBiP
Malware Config
Signatures

Modifies registry class (1 IoC)
  description | ioc | process
  Key created | \REGISTRY\USER\S-1-5-21-2551177587-3778486488-1329702901-1000_Classes\Local Settings | powershell.exe

Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid | process
  3436 | powershell.exe
  3436 | powershell.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
  description | pid | process
  Token: SeDebugPrivilege | 3436 | powershell.exe

Suspicious use of WriteProcessMemory (6 IoCs)
  description | pid | process | procid_target
  PID 4856 wrote to memory of 3436 | 4856 | cmd.exe | 78
  PID 4856 wrote to memory of 3436 | 4856 | cmd.exe | 78
  PID 3436 wrote to memory of 3868 | 3436 | powershell.exe | 79
  PID 3436 wrote to memory of 3868 | 3436 | powershell.exe | 79
  PID 3868 wrote to memory of 1948 | 3868 | cmd.exe | 81
  PID 3868 wrote to memory of 1948 | 3868 | cmd.exe | 81
Processes (tree, depth shown by indentation)

1. C:\Windows\system32\cmd.exe
   Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Batlez Tweaks.bat"
   PID: 4856
   Signatures: Suspicious use of WriteProcessMemory

   2. C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: powershell start -verb runas '"C:\Users\Admin\AppData\Local\Temp\Batlez Tweaks.bat"' am_admin
      PID: 3436
      Signatures: Modifies registry class; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory

      3. C:\Windows\System32\cmd.exe
         Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Batlez Tweaks.bat" am_admin
         PID: 3868
         Signatures: Suspicious use of WriteProcessMemory

         4. C:\Windows\system32\chcp.com
            Command line: chcp 65001
            PID: 1948
Network
MITRE ATT&CK Matrix
Downloads
Filesize: 60B
MD5: d17fe0a3f47be24a6453e9ef58c94641
SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82