Analysis
max time kernel: 31s
max time network: 36s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 27/06/2024, 18:52
Static task
static1

Behavioral task
behavioral1
Sample: pcKill.bat
Resource: win7-20240221-en
3 signatures
150 seconds

Behavioral task
behavioral2
Sample: pcKill.bat
Resource: win10v2004-20240611-en
5 signatures
150 seconds

Errors
Reason: Machine shutdown
General
Target: pcKill.bat
Size: 352B
MD5: 41a963b08e8d643bf59a11491ff54b89
SHA1: a196bfa5e60eb75e484c6699cca2f38e5aeb17b2
SHA256: bc32c45844e9b6b9ce238f7887fa93f2600a9201542d369b7265766b37482be9
SHA512: 6f91ad42f2f84b33676a3840e6a555022baa708afc40bb7a94947e4736df116f511008d265e12e99e1d24fffacac94e8058a46eccd2310ced60c22ab99da7a1b

Score
9/10
Malware Config
Signatures

Modifies boot configuration data using bcdedit 1 TTPs 1 IoCs
pid   Process
2536  bcdedit.exe

Suspicious use of AdjustPrivilegeToken 42 IoCs
description                          pid   Process
Token: SeIncreaseQuotaPrivilege      2924  WMIC.exe
Token: SeSecurityPrivilege           2924  WMIC.exe
Token: SeTakeOwnershipPrivilege      2924  WMIC.exe
Token: SeLoadDriverPrivilege         2924  WMIC.exe
Token: SeSystemProfilePrivilege      2924  WMIC.exe
Token: SeSystemtimePrivilege         2924  WMIC.exe
Token: SeProfSingleProcessPrivilege  2924  WMIC.exe
Token: SeIncBasePriorityPrivilege    2924  WMIC.exe
Token: SeCreatePagefilePrivilege     2924  WMIC.exe
Token: SeBackupPrivilege             2924  WMIC.exe
Token: SeRestorePrivilege            2924  WMIC.exe
Token: SeShutdownPrivilege           2924  WMIC.exe
Token: SeDebugPrivilege              2924  WMIC.exe
Token: SeSystemEnvironmentPrivilege  2924  WMIC.exe
Token: SeRemoteShutdownPrivilege     2924  WMIC.exe
Token: SeUndockPrivilege             2924  WMIC.exe
Token: SeManageVolumePrivilege       2924  WMIC.exe
Token: 33                            2924  WMIC.exe
Token: 34                            2924  WMIC.exe
Token: 35                            2924  WMIC.exe
Token: SeIncreaseQuotaPrivilege      2924  WMIC.exe
Token: SeSecurityPrivilege           2924  WMIC.exe
Token: SeTakeOwnershipPrivilege      2924  WMIC.exe
Token: SeLoadDriverPrivilege         2924  WMIC.exe
Token: SeSystemProfilePrivilege      2924  WMIC.exe
Token: SeSystemtimePrivilege         2924  WMIC.exe
Token: SeProfSingleProcessPrivilege  2924  WMIC.exe
Token: SeIncBasePriorityPrivilege    2924  WMIC.exe
Token: SeCreatePagefilePrivilege     2924  WMIC.exe
Token: SeBackupPrivilege             2924  WMIC.exe
Token: SeRestorePrivilege            2924  WMIC.exe
Token: SeShutdownPrivilege           2924  WMIC.exe
Token: SeDebugPrivilege              2924  WMIC.exe
Token: SeSystemEnvironmentPrivilege  2924  WMIC.exe
Token: SeRemoteShutdownPrivilege     2924  WMIC.exe
Token: SeUndockPrivilege             2924  WMIC.exe
Token: SeManageVolumePrivilege       2924  WMIC.exe
Token: 33                            2924  WMIC.exe
Token: 34                            2924  WMIC.exe
Token: 35                            2924  WMIC.exe
Token: SeShutdownPrivilege           2492  shutdown.exe
Token: SeRemoteShutdownPrivilege     2492  shutdown.exe

Suspicious use of WriteProcessMemory 12 IoCs
description                        pid   Process  procid_target
PID 2008 wrote to memory of 2424   2008  cmd.exe  29
PID 2008 wrote to memory of 2424   2008  cmd.exe  29
PID 2008 wrote to memory of 2424   2008  cmd.exe  29
PID 2424 wrote to memory of 2924   2424  cmd.exe  30
PID 2424 wrote to memory of 2924   2424  cmd.exe  30
PID 2424 wrote to memory of 2924   2424  cmd.exe  30
PID 2008 wrote to memory of 2536   2008  cmd.exe  32
PID 2008 wrote to memory of 2536   2008  cmd.exe  32
PID 2008 wrote to memory of 2536   2008  cmd.exe  32
PID 2008 wrote to memory of 2492   2008  cmd.exe  33
PID 2008 wrote to memory of 2492   2008  cmd.exe  33
PID 2008 wrote to memory of 2492   2008  cmd.exe  33
Processes

C:\Windows\system32\cmd.exe
    cmd /c "C:\Users\Admin\AppData\Local\Temp\pcKill.bat"
    PID: 2008
    Suspicious use of WriteProcessMemory

    C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c wmic os get TotalVisibleMemorySize
        PID: 2424
        Suspicious use of WriteProcessMemory

        C:\Windows\System32\Wbem\WMIC.exe
            wmic os get TotalVisibleMemorySize
            PID: 2924
            Suspicious use of AdjustPrivilegeToken

    C:\Windows\system32\bcdedit.exe
        bcdedit.exe /set removememory 2096596
        PID: 2536
        Modifies boot configuration data using bcdedit

    C:\Windows\system32\shutdown.exe
        shutdown /r
        PID: 2492
        Suspicious use of AdjustPrivilegeToken

C:\Windows\system32\LogonUI.exe
    "LogonUI.exe" /flags:0x0
    PID: 2788

C:\Windows\system32\LogonUI.exe
    "LogonUI.exe" /flags:0x1
    PID: 2404