
Analysis

  • max time kernel
    6s
  • max time network
    8s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240709-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    15/07/2024, 20:14

Errors

Reason
Machine shutdown

General

  • Target

    اخترقV2.bat

  • Size

    305B

  • MD5

    e00b5b8cee3793e1f8ebc839d1c78ded

  • SHA1

    e8d66c0a6f37dd91267f8c62194e3808a89c69b7

  • SHA256

    600989d3a37ca947b061723663e034cc8180bc17379093875e9af76c804ea205

  • SHA512

    1edc1984e4562347a704b1230c384c50cbe5668ade164868004d6030dce84f49cffa09dc04a33806da4ed7778e34e3e89a191aaa7f83002fbec7debb3c7914cf

Score
1/10

Malware Config

Signatures

  • Modifies data under HKEY_USERS 15 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 60 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 62 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\اخترقV2.bat"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2624
    • C:\Program Files\7-Zip\7z.exe
      "C:\Program Files\7-Zip\7z.exe" to -tzip "AddApprove.ps1" "AddApprove.ps1"
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:2716
    • C:\Program Files\7-Zip\7z.exe
      "C:\Program Files\7-Zip\7z.exe" to -tzip "ApproveGet.ps1" "ApproveGet.docx"
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:1572
    • C:\Program Files\7-Zip\7z.exe
      "C:\Program Files\7-Zip\7z.exe" to -tzip "BlockPublish.ps1" "BlockPublish.zip"
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:556
    • C:\Program Files\7-Zip\7z.exe
      "C:\Program Files\7-Zip\7z.exe" to -tzip "CheckpointAssert.ps1" "CheckpointAssert.midi"
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:1428
    • C:\Program Files\7-Zip\7z.exe
      "C:\Program Files\7-Zip\7z.exe" to -tzip "CompareEdit.ps1" "CompareEdit.au"
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:1012
    • C:\Program Files\7-Zip\7z.exe
      "C:\Program Files\7-Zip\7z.exe" to -tzip "CompressMerge.ps1" "CompressMerge.shtml"
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:2968
    • C:\Program Files\7-Zip\7z.exe
      "C:\Program Files\7-Zip\7z.exe" to -tzip "ConfirmUpdate.ps1" "ConfirmUpdate.M2V"
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:1168
    • C:\Program Files\7-Zip\7z.exe
      "C:\Program Files\7-Zip\7z.exe" to -tzip "DisableFind.ps1" "DisableFind.jfif"
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:1712
    • C:\Program Files\7-Zip\7z.exe
      "C:\Program Files\7-Zip\7z.exe" to -tzip "EditOut.ps1" "EditOut.raw"
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:1700
    • C:\Program Files\7-Zip\7z.exe
      "C:\Program Files\7-Zip\7z.exe" to -tzip "GetLimit.ps1" "GetLimit.ps1"
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:4724
    • C:\Program Files\7-Zip\7z.exe
      "C:\Program Files\7-Zip\7z.exe" to -tzip "ImportWait.ps1" "ImportWait.tif"
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:2296
    • C:\Program Files\7-Zip\7z.exe
      "C:\Program Files\7-Zip\7z.exe" to -tzip "InstallFind.ps1" "InstallFind.ram"
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:456
    • C:\Program Files\7-Zip\7z.exe
      "C:\Program Files\7-Zip\7z.exe" to -tzip "LockFind.ps1" "LockFind.ppt"
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:4680
    • C:\Program Files\7-Zip\7z.exe
      "C:\Program Files\7-Zip\7z.exe" to -tzip "MeasureRequest.ps1" "MeasureRequest.M2V"
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:3864
    • C:\Program Files\7-Zip\7z.exe
      "C:\Program Files\7-Zip\7z.exe" to -tzip "Microsoft Edge.ps1" "Microsoft Edge.lnk"
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:2472
    • C:\Program Files\7-Zip\7z.exe
      "C:\Program Files\7-Zip\7z.exe" to -tzip "PingFind.ps1" "PingFind.lock"
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:3244
    • C:\Program Files\7-Zip\7z.exe
      "C:\Program Files\7-Zip\7z.exe" to -tzip "ProtectResume.ps1" "ProtectResume.bmp"
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:2964
    • C:\Program Files\7-Zip\7z.exe
      "C:\Program Files\7-Zip\7z.exe" to -tzip "ResizeInvoke.ps1" "ResizeInvoke.dxf"
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:2036
    • C:\Program Files\7-Zip\7z.exe
      "C:\Program Files\7-Zip\7z.exe" to -tzip "RevokeInstall.ps1" "RevokeInstall.aifc"
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:3292
    • C:\Program Files\7-Zip\7z.exe
      "C:\Program Files\7-Zip\7z.exe" to -tzip "SyncUnregister.ps1" "SyncUnregister.wmf"
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:1068
    • C:\Program Files\7-Zip\7z.exe
      "C:\Program Files\7-Zip\7z.exe" to -tzip "TraceClose.ps1" "TraceClose.AAC"
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:4352
    • C:\Program Files\7-Zip\7z.exe
      "C:\Program Files\7-Zip\7z.exe" to -tzip "UnblockSave.ps1" "UnblockSave.tiff"
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:4076
    • C:\Program Files\7-Zip\7z.exe
      "C:\Program Files\7-Zip\7z.exe" to -tzip "UndoAdd.ps1" "UndoAdd.mpe"
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:228
    • C:\Program Files\7-Zip\7z.exe
      "C:\Program Files\7-Zip\7z.exe" to -tzip "UndoSearch.ps1" "UndoSearch.xltm"
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:2168
    • C:\Program Files\7-Zip\7z.exe
      "C:\Program Files\7-Zip\7z.exe" to -tzip "UnlockBackup.ps1" "UnlockBackup.m4v"
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:3288
    • C:\Program Files\7-Zip\7z.exe
      "C:\Program Files\7-Zip\7z.exe" to -tzip "UnlockSelect.ps1" "UnlockSelect.docx"
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:5004
    • C:\Program Files\7-Zip\7z.exe
      "C:\Program Files\7-Zip\7z.exe" to -tzip "UnprotectEnter.ps1" "UnprotectEnter.wmf"
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:1980
    • C:\Program Files\7-Zip\7z.exe
      "C:\Program Files\7-Zip\7z.exe" to -tzip "UseSkip.ps1" "UseSkip.pdf"
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:4516
    • C:\Program Files\7-Zip\7z.exe
      "C:\Program Files\7-Zip\7z.exe" to -tzip "WriteResize.ps1" "WriteResize.ogg"
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:468
    • C:\Windows\system32\PING.EXE
      ping 127.0.0.1 -n 3
      2⤵
      • Runs ping.exe
      PID:1832
    • C:\Windows\system32\shutdown.exe
      shutdown /r /t 0
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:4192
  • C:\Windows\system32\LogonUI.exe
    "LogonUI.exe" /flags:0x4 /state0:0xa39b9055 /state1:0x41c64e6d
    1⤵
    • Modifies data under HKEY_USERS
    • Suspicious use of SetWindowsHookEx
    PID:4068

Network

MITRE ATT&CK Enterprise v15
