Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

8

Static

static

1

ADZP 20 Complex.cmd

windows7-x64

8

ADZP 20 Complex.cmd

windows10-2004-x64

8

Sharing

Copy URL
Twitter E-mail

General

  • Target

    ADZP 20 Complex.cmd

  • Size

    22KB

  • Sample

    240708-yg58aswanm

  • MD5

    875e1190ed85a65570ee53a82a5cacb3

  • SHA1

    8a6c6400eb74847dd4038eb086f1aceb695e2e25

  • SHA256

    bc46f8abc7da6b52a9ff6fff841c0ff989174f06cd1787d9fb55e0afbac1b77e

  • SHA512

    764f8faaeb71f297762be3a38ea340a9da5300eb7213ca03c803219f0496317b3d916648f8a6cac00f299be3bb69db268cf5e22b6ea2d01a6b233b341084466e

  • SSDEEP

    384:2XJdAbrM21q0j0L1qEzdQ8PigfwTxX823JWo3yzKpMg:6bAUAW17JQrgodX/BMg

Score
8/10
defense_evasiondiscoveryevasionexecutionexploitpersistenceprivilege_escalationupx

Malware Config

Targets

    • Target

      ADZP 20 Complex.cmd

    • Size

      22KB

    • MD5

      875e1190ed85a65570ee53a82a5cacb3

    • SHA1

      8a6c6400eb74847dd4038eb086f1aceb695e2e25

    • SHA256

      bc46f8abc7da6b52a9ff6fff841c0ff989174f06cd1787d9fb55e0afbac1b77e

    • SHA512

      764f8faaeb71f297762be3a38ea340a9da5300eb7213ca03c803219f0496317b3d916648f8a6cac00f299be3bb69db268cf5e22b6ea2d01a6b233b341084466e

    • SSDEEP

      384:2XJdAbrM21q0j0L1qEzdQ8PigfwTxX823JWo3yzKpMg:6bAUAW17JQrgodX/BMg

    Score
    8/10
    defense_evasiondiscoveryevasionexecutionexploitpersistenceprivilege_escalationupx

    • Command and Scripting Interpreter: PowerShell

      Run Powershell and hide display window.

      execution

    • Disables Task Manager via registry modification

      evasion

    • Modifies Windows Firewall

      evasion

    • Possible privilege escalation attempt

      exploit

    • Executes dropped EXE

    • Modifies file permissions

      discovery

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx

    • Adds Run key to start application

      persistence

    • File and Directory Permissions Modification: Windows File and Directory Permissions Modification

      defense_evasion

    • Modifies boot configuration data using bcdedit

    • Drops autorun.inf file

      Malware can abuse Windows Autorun to spread further via attached volumes.

    • Drops file in System32 directory

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

1
T1091

Execution

Command and Scripting Interpreter

2
T1059

PowerShell

1
T1059.001

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Event Triggered Execution

1
T1546

Netsh Helper DLL

1
T1546.007

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Event Triggered Execution

1
T1546

Netsh Helper DLL

1
T1546.007

Defense Evasion

File and Directory Permissions Modification

2
T1222

Windows File and Directory Permissions Modification

1
T1222.001

Hide Artifacts

1
T1564

Hidden Files and Directories

1
T1564.001

Impair Defenses

1
T1562

Disable or Modify System Firewall

1
T1562.004

Modify Registry

2
T1112

Credential Access

Discovery

System Information Discovery

1
T1082

Lateral Movement

Replication Through Removable Media

1
T1091

Collection

Command and Control

Exfiltration

Impact

Tasks