Analysis
max time kernel: 16s
max time network: 17s
platform: windows7_x64
resource: win7-20240708-en
resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
submitted: 07/08/2024, 04:12
Static task: static1
Behavioral task: behavioral1
  Sample: Killbat.bat
  Resource: win7-20240708-en
Behavioral task: behavioral2
  Sample: Killbat.bat
  Resource: win10v2004-20240802-en
General
Target: Killbat.bat
Size: 1KB
MD5: fcda81e8fd70aecbaf9e3aab9858a136
SHA1: 277f7be429baea2cde041965c6e5b4287340ad89
SHA256: 2cb0e019a442b66ef726131e30c7d061edc6f8dd173fd4ef78755ffb0bd64b18
SHA512: 1958be2541dfa5e4796a27b9a2c6bd8b132c251577463962836f2d343b3757d24e4d8407c3c61c07f3ddcbc058612adb1146763cdc942974090b3b9fb3a47a83
Malware Config
Signatures
Command and Scripting Interpreter: PowerShell (2 IoCs)
  pid   Process
  2816  powershell.exe
  2684  powershell.exe
Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid   Process
  2816  powershell.exe
  2684  powershell.exe
Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description              pid   Process
  Token: SeDebugPrivilege  2816  powershell.exe
  Token: SeDebugPrivilege  2684  powershell.exe
Suspicious use of WriteProcessMemory (6 IoCs)
  description                        pid   Process  procid_target
  PID 2480 wrote to memory of 2816   2480  cmd.exe  31
  PID 2480 wrote to memory of 2816   2480  cmd.exe  31
  PID 2480 wrote to memory of 2816   2480  cmd.exe  31
  PID 2480 wrote to memory of 2684   2480  cmd.exe  32
  PID 2480 wrote to memory of 2684   2480  cmd.exe  32
  PID 2480 wrote to memory of 2684   2480  cmd.exe  32
Processes
C:\Windows\system32\cmd.exe
  cmd /c "C:\Users\Admin\AppData\Local\Temp\Killbat.bat"
  PID: 2480
  - Suspicious use of WriteProcessMemory
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -command "Add-Type -AssemblyName System.Windows.Forms; $result = [System.Windows.Forms.MessageBox]::Show('This script will display a fake blue screen of death. Do you want to continue?', 'Confirmation', [System.Windows.Forms.MessageBoxButtons]::YesNo, [System.Windows.Forms.MessageBoxIcon]::Warning); if ($result -eq [System.Windows.Forms.DialogResult]::No) { exit }"
    PID: 2816
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -command "$form = New-Object System.Windows.Forms.Form; $form.Text = 'STOP: C000021A {Fatal System Error}'; $form.BackColor = 'Blue'; $form.FormBorderStyle = 'None'; $form.WindowState = 'Maximized'; $form.TopMost = $true; $label = New-Object System.Windows.Forms.Label; $label.Text = 'The Windows Logon Process system process terminated unexpectedly with a status of 0xC000021A (0x00000000 0x00000000). The system has been shut down.'; $label.ForeColor = 'White'; $label.AutoSize = $true; $label.Top = 50; $label.Left = 50; $form.Controls.Add($label); $form.ShowDialog()"
    PID: 2684
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
  Filesize: 7KB
  MD5: dbf73c22701c306c5941231179e182ef
  SHA1: 4fed9d8538d1dd25c1fdf049d5e580474f816e50
  SHA256: 321d7c86ef4099372920266efb9aa6b5f035a24ed38eac1793a25b63135072e2
  SHA512: fa2ae77496a98216e6e557b4a4378e78500fd1b4e446d4cce73170ffb8e6d7ec855851e04763efd7319b7a787382b4cc777ec820a807245c4e280c81b40c1786