Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Overview
overview
10Static
static
3Files/Apps/7z.bat
windows7-x64
10Files/Apps...F4.bat
windows7-x64
8Files/Apps/bts.bat
windows7-x64
3Files/Apps/chrome.bat
windows7-x64
8Files/Apps/ctt.bat
windows7-x64
3Files/Apps...ch.bat
windows7-x64
6Files/Apps...ox.bat
windows7-x64
1Files/Apps/flux.bat
windows7-x64
3Files/Apps/geek.bat
windows7-x64
10Files/Apps/git.bat
windows7-x64
8Files/Apps/logo.bat
windows7-x64
3Files/Apps/pcm.bat
windows7-x64
8Files/Apps/ps7.bat
windows7-x64
10Files/Apps/pswin7.bat
windows7-x64
10Files/Apps/winget.bat
windows7-x64
3Files/Apps...ys.bat
windows7-x64
3Files/Back...ry.bat
windows7-x64
1Files/Comm...me.bat
windows7-x64
1Files/Comp...ps.bat
windows7-x64
1Files/Comp...up.bat
windows7-x64
1Files/GPEE.bat
windows7-x64
1Files/IPGe...or.exe
windows7-x64
3Files/IPStealer.bat
windows7-x64
1Files/Impo...ps.bat
windows7-x64
1Files/InfoFinder.bat
windows7-x64
1Files/Malw...et.bat
windows7-x64
1Files/Newt...on.dll
windows7-x64
1Files/Pass...or.bat
windows7-x64
1Files/RAUP.bat
windows7-x64
1Files/SMBB...er.bat
windows7-x64
1Files/SSAMBYO.bat
windows7-x64
8Files/Schn...s).bat
windows7-x64
1Analysis
-
max time kernel
117s -
max time network
118s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
08/09/2024, 12:02
Static task
static1
Behavioral task
behavioral1
Sample
Files/Apps/7z.bat
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral2
Sample
Files/Apps/SuperF4.bat
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral3
Sample
Files/Apps/bts.bat
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral4
Sample
Files/Apps/chrome.bat
Resource
win7-20240704-en
windows7-x64
Behavioral task
behavioral5
Sample
Files/Apps/ctt.bat
Resource
win7-20240729-en
windows7-x64
Behavioral task
behavioral6
Sample
Files/Apps/fastfetch.bat
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral7
Sample
Files/Apps/firefox.bat
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral8
Sample
Files/Apps/flux.bat
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral9
Sample
Files/Apps/geek.bat
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral10
Sample
Files/Apps/git.bat
Resource
win7-20240708-en
windows7-x64
Behavioral task
behavioral11
Sample
Files/Apps/logo.bat
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral12
Sample
Files/Apps/pcm.bat
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral13
Sample
Files/Apps/ps7.bat
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral14
Sample
Files/Apps/pswin7.bat
Resource
win7-20240708-en
windows7-x64
Behavioral task
behavioral15
Sample
Files/Apps/winget.bat
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral16
Sample
Files/Apps/wintoys.bat
Resource
win7-20240704-en
windows7-x64
Behavioral task
behavioral17
Sample
Files/BackupRegistry.bat
Resource
win7-20240708-en
windows7-x64
Behavioral task
behavioral18
Sample
Files/CommandLineGame.bat
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral19
Sample
Files/Components/Import Backups.bat
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral20
Sample
Files/Components/Registry Backup.bat
Resource
win7-20240729-en
windows7-x64
Behavioral task
behavioral21
Sample
Files/GPEE.bat
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral22
Sample
Files/IPGeolocator.exe
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral23
Sample
Files/IPStealer.bat
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral24
Sample
Files/ImportBackups.bat
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral25
Sample
Files/InfoFinder.bat
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral26
Sample
Files/Malwarebytes-Premium-Reset.bat
Resource
win7-20240708-en
windows7-x64
Behavioral task
behavioral27
Sample
Files/Newtonsoft.Json.dll
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral28
Sample
Files/PasswordGenerator.bat
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral29
Sample
Files/RAUP.bat
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral30
Sample
Files/SMBBruteforcer.bat
Resource
win7-20240708-en
windows7-x64
Behavioral task
behavioral31
Sample
Files/SSAMBYO.bat
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral32
Sample
Files/Schnuker/Files/Run Me (Instructions).bat
Resource
win7-20240903-en
windows7-x64
General
-
Target
Files/SSAMBYO.bat
-
Size
1KB
-
MD5
cdfd34dae8056336ee01477edb3e3870
-
SHA1
d241fa7c0769e65bfd50b370e444b895b499595d
-
SHA256
6cd8db62b821ac9ba208194a5a10da0b28661bdea600c6a7adbb0c1acb744f5e
-
SHA512
9dc12bcd9cfc5de24c4000f2e3fa9ae77a56b8d8b38fe0ce3e1a499be0e62b3b47f2d972a38e4f915dd7c71281c79799295c747b2f5e47e33a50f4df2b3b364f
Malware Config
Signatures
-
Manipulates Digital Signatures 1 TTPs 12 IoCs
Attackers can apply techniques such as changing the registry keys of authenticode & Cryptography to obtain their binary as valid.
description ioc Process Key deleted \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates reg.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs reg.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs reg.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople reg.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPublisher\CTLs reg.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPublisher reg.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\trust reg.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs reg.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs reg.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPublisher\Certificates reg.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPublisher\CRLs reg.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates reg.exe -
Suspicious use of WriteProcessMemory 21 IoCs
description pid Process procid_target PID 372 wrote to memory of 320 372 cmd.exe 31 PID 372 wrote to memory of 320 372 cmd.exe 31 PID 372 wrote to memory of 320 372 cmd.exe 31 PID 372 wrote to memory of 3052 372 cmd.exe 32 PID 372 wrote to memory of 3052 372 cmd.exe 32 PID 372 wrote to memory of 3052 372 cmd.exe 32 PID 372 wrote to memory of 2696 372 cmd.exe 33 PID 372 wrote to memory of 2696 372 cmd.exe 33 PID 372 wrote to memory of 2696 372 cmd.exe 33 PID 372 wrote to memory of 2428 372 cmd.exe 34 PID 372 wrote to memory of 2428 372 cmd.exe 34 PID 372 wrote to memory of 2428 372 cmd.exe 34 PID 372 wrote to memory of 768 372 cmd.exe 35 PID 372 wrote to memory of 768 372 cmd.exe 35 PID 372 wrote to memory of 768 372 cmd.exe 35 PID 372 wrote to memory of 2268 372 cmd.exe 36 PID 372 wrote to memory of 2268 372 cmd.exe 36 PID 372 wrote to memory of 2268 372 cmd.exe 36 PID 372 wrote to memory of 2296 372 cmd.exe 37 PID 372 wrote to memory of 2296 372 cmd.exe 37 PID 372 wrote to memory of 2296 372 cmd.exe 37
Processes
-
C:\Windows\system32\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\Files\SSAMBYO.bat"1⤵
- Suspicious use of WriteProcessMemory
PID:372 -
C:\Windows\system32\fltMC.exefltmc2⤵PID:320
-
-
C:\Windows\system32\reg.exereg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies" /f2⤵PID:3052
-
-
C:\Windows\system32\reg.exereg delete "HKLM\Software\Microsoft\WindowsSelfHost" /f2⤵PID:2696
-
-
C:\Windows\system32\reg.exereg delete "HKLM\Software\Policies" /f2⤵
- Manipulates Digital Signatures
PID:2428
-
-
C:\Windows\system32\reg.exereg delete "HKLM\Software\WOW6432Node\Microsoft\Policies" /f2⤵PID:768
-
-
C:\Windows\system32\reg.exereg delete "HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Policies" /f2⤵PID:2268
-
-
C:\Windows\system32\reg.exereg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware2⤵PID:2296
-