Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    118s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20240508-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
  • submitted
    03/07/2024, 17:49

General

  • Target

    sunnyeitatet.bat

  • Size

    999B

  • MD5

    cb9764285d399fce12332ed84fde94ef

  • SHA1

    6a6232ab2215c03b824740e6862b94877e71f5fc

  • SHA256

    4b5209ab46fa0523d376f0a0ba3dd24a91c76eff3fc2d72f2371186a3b24abe2

  • SHA512

    dbca31dfd1364954b8af7575a3190e17309bd5c5767e9c7f0e4fae10dc0e1eae9a8de104642c990a59ac4b294ff5e53731fcebaa0324813ac91622e62691d9b9

Score
1/10

Malware Config

Signatures

  • Gathers network information 2 TTPs 3 IoCs

    Uses commandline utility to view network configuration.

  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 28 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of FindShellTrayWindow 9 IoCs
  • Suspicious use of SendNotifyMessage 8 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 63 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c "C:\Users\Admin\AppData\Local\Temp\sunnyeitatet.bat"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2436
    • C:\Windows\system32\tskill.exe
      tskill explorer
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:1508
    • C:\Windows\system32\tskill.exe
      tskill explorer
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:2900
    • C:\Windows\system32\tskill.exe
      tskill explorer
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:2492
    • C:\Windows\system32\tskill.exe
      tskill explorer
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:2068
    • C:\Windows\system32\tskill.exe
      tskill explorer
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:2612
    • C:\Windows\system32\tskill.exe
      tskill explorer
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:2628
    • C:\Windows\system32\tskill.exe
      tskill explorer
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:2716
    • C:\Windows\system32\tskill.exe
      tskill explorer
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:2764
    • C:\Windows\system32\tskill.exe
      tskill explorer
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:2780
    • C:\Windows\system32\tskill.exe
      tskill explorer
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:2672
    • C:\Windows\system32\tskill.exe
      tskill explorer
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:2912
    • C:\Windows\system32\tskill.exe
      tskill explorer
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:2760
    • C:\Windows\system32\tskill.exe
      tskill explorer
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:2784
    • C:\Windows\system32\tskill.exe
      tskill explorer
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:2264
    • C:\Windows\system32\tree.com
      Tree
      2⤵
      PID:2136
    • C:\Windows\system32\tree.com
      Tree
      2⤵
      PID:3028
    • C:\Windows\system32\tree.com
      Tree
      2⤵
      PID:2536
    • C:\Windows\system32\NETSTAT.EXE
      Netstat -n
      2⤵
      • Gathers network information
      • Suspicious use of AdjustPrivilegeToken
      PID:2992
    • C:\Windows\system32\NETSTAT.EXE
      Netstat -n
      2⤵
      • Gathers network information
      • Suspicious use of AdjustPrivilegeToken
      PID:2968
    • C:\Windows\system32\NETSTAT.EXE
      Netstat -n
      2⤵
      • Gathers network information
      • Suspicious use of AdjustPrivilegeToken
      PID:2000
    • C:\Windows\system32\driverquery.exe
      Driverquery
      2⤵
      PID:2040
  • C:\Program Files\VideoLAN\VLC\vlc.exe
    "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Desktop\SendRename.mp4v"
    1⤵
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of SetWindowsHookEx
    PID:2176
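The tree above is the whole observable behaviour of the batch file: cmd.exe (PID 2436) runs tskill explorer fourteen times and then the built-in discovery utilities Tree, Netstat -n and Driverquery. vlc.exe (PID 2176) is a separate top-level process (1⤵), not a child of the script, so its window and clipboard signatures should not be attributed to the sample. The following is an added example, not part of the Triage report, showing how to reconstruct that tree from process-creation records and flag the two behaviours per root process rather than per event. PIDs, images and command lines are copied from the report; parent PIDs are assumed from the tree depth (level-2 nodes under 2436, vlc.exe as its own root), and DISCOVERY_TOOLS is extended beyond the three utilities seen here with a few other commonly abused built-ins, which is an assumption.

```python
"""Per-root analysis of a process tree (added example, not Triage code).

Records have the shape of a Sysmon Event ID 1 / Security 4688 event:
pid, parent pid, image path, command line.
"""
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


# Constructed from the report's process list. Parent PIDs are assumed from the
# tree depth: level-2 nodes hang off cmd.exe (2436); vlc.exe is its own root.
# ppid 0 marks "parent not in the record set".
EVENTS = [
    ProcEvent(2436, 0, r"C:\Windows\system32\cmd.exe",
              r'cmd /c "C:\Users\Admin\AppData\Local\Temp\sunnyeitatet.bat"'),
    *[ProcEvent(p, 2436, r"C:\Windows\system32\tskill.exe", "tskill explorer")
      for p in (1508, 2900, 2492, 2068, 2612, 2628, 2716,
                2764, 2780, 2672, 2912, 2760, 2784, 2264)],
    *[ProcEvent(p, 2436, r"C:\Windows\system32\tree.com", "Tree")
      for p in (2136, 3028, 2536)],
    *[ProcEvent(p, 2436, r"C:\Windows\system32\NETSTAT.EXE", "Netstat -n")
      for p in (2992, 2968, 2000)],
    ProcEvent(2040, 2436, r"C:\Windows\system32\driverquery.exe", "Driverquery"),
    ProcEvent(2176, 0, r"C:\Program Files\VideoLAN\VLC\vlc.exe",
              r'"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file '
              r'"C:\Users\Admin\Desktop\SendRename.mp4v"'),
]

# The first three are the utilities in the report; the rest are assumed
# additions commonly used for the same host/network discovery role.
DISCOVERY_TOOLS = {
    "netstat.exe", "driverquery.exe", "tree.com",
    "ipconfig.exe", "systeminfo.exe", "tasklist.exe", "whoami.exe",
}
SCRIPT_RE = re.compile(r"\.(bat|cmd)\b", re.IGNORECASE)
# tskill explorer (seen here) or the taskkill equivalent.
EXPLORER_KILL_RE = re.compile(
    r"^\s*(tskill\s+explorer\b|taskkill\b.*/im\s+explorer\.exe)", re.IGNORECASE)


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def build_tree(events):
    """Index events by pid, group children by ppid, and find the roots."""
    by_pid = {e.pid: e for e in events}
    kids = defaultdict(list)
    for e in events:
        kids[e.ppid].append(e)
    roots = [e for e in events if e.ppid not in by_pid]
    return by_pid, kids, roots


def descendants(pid, kids):
    """All events below pid, any depth (iterative to avoid recursion limits)."""
    stack, out = list(kids[pid]), []
    while stack:
        e = stack.pop()
        out.append(e)
        stack.extend(kids[e.pid])
    return out


def analyze(events, kill_threshold=3):
    """Findings keyed by root pid: discovery tools run in the subtree, number
    of explorer kills, and verdict tags. Events under one root never influence
    another root, which keeps vlc.exe's behaviour separate from the script's."""
    _, kids, roots = build_tree(events)
    report = {}
    for root in roots:
        sub = descendants(root.pid, kids)
        disc = sorted({basename(e.image) for e in sub
                       if basename(e.image) in DISCOVERY_TOOLS})
        kills = sum(1 for e in sub if EXPLORER_KILL_RE.match(e.cmdline))
        tags = []
        if basename(root.image) == "cmd.exe" and SCRIPT_RE.search(root.cmdline):
            tags.append("script-launched-shell")
        if disc:
            tags.append("host-discovery")
        if kills >= kill_threshold:
            tags.append("explorer-kill-loop")
        report[root.pid] = {"image": basename(root.image), "discovery": disc,
                            "explorer_kills": kills, "tags": tags}
    return report


if __name__ == "__main__":
    for pid, finding in analyze(EVENTS).items():
        print(pid, finding)
```

Grouping by root is what makes the verdict usable: a single Netstat -n is normal on most hosts, but a script-launched cmd.exe whose subtree runs three discovery tools and kills the shell a dozen times is not, while the unrelated vlc.exe root comes out clean.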

Network

MITRE ATT&CK Enterprise v15


Downloads

  • memory/2176-343-0x000007FEF65C0000-0x000007FEF65F4000-memory.dmp

    Filesize

    208KB

  • memory/2176-342-0x000000013FC50000-0x000000013FD48000-memory.dmp

    Filesize

    992KB

  • memory/2176-344-0x000007FEF5300000-0x000007FEF55B6000-memory.dmp

    Filesize

    2.7MB

  • memory/2176-345-0x000007FEF40C0000-0x000007FEF5170000-memory.dmp

    Filesize

    16.7MB

  • memory/2436-10-0x0000000002230000-0x0000000002231000-memory.dmp

    Filesize

    4KB

  • memory/2436-219-0x0000000002230000-0x0000000002231000-memory.dmp

    Filesize

    4KB