Analysis

  • max time kernel
    94s
  • max time network
    95s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags
    arch:x64 arch:x86 image:win10v2004-20240802-en locale:en-us os:windows10-2004-x64 system
  • submitted
    18/09/2024, 22:18

General

  • Target

    bat.bat

  • Size

    1KB

  • MD5

    56398e58a17f184ec469763c0325a541

  • SHA1

    e8b9746a0269e6ef8ad6b38008e4f79617189be9

  • SHA256

    475b0166b7cd0a73edbf22a1789e545588a8fa36e72339aa5c7560ab2bab3c57

  • SHA512

    098ff9d21785637118a5847e12ca526c2e051e2babab61b31193199cd8575a4fda7cc54a2eeaf9441272b6fbf8b5b32e52d2b05c55e11ec21fca825e19b82a7f

Score
3/10

Malware Config

Signatures

  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Using powershell.exe command.

  • Gathers network information 2 TTPs 1 IoCs

    Uses commandline utility to view network configuration.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 32 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\bat.bat"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1656
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c hostname
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:856
      • C:\Windows\system32\HOSTNAME.EXE
        hostname
        3⤵
        PID:872
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c wmic os get Caption | findstr /r /v "^$"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1236
      • C:\Windows\System32\Wbem\WMIC.exe
        wmic os get Caption
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:1660
      • C:\Windows\system32\findstr.exe
        findstr /r /v "^$"
        3⤵
        PID:4996
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c wmic computersystem get model | findstr /r /v "^$"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4692
      • C:\Windows\System32\Wbem\WMIC.exe
        wmic computersystem get model
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:2860
      • C:\Windows\system32\findstr.exe
        findstr /r /v "^$"
        3⤵
        PID:460
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c wmic cpu get name | findstr /r /v "^$"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1044
      • C:\Windows\System32\Wbem\WMIC.exe
        wmic cpu get name
        3⤵
        PID:1072
      • C:\Windows\system32\findstr.exe
        findstr /r /v "^$"
        3⤵
        PID:652
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ipconfig | findstr /i "IPv4" | findstr /r /v "^$"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1844
      • C:\Windows\system32\ipconfig.exe
        ipconfig
        3⤵
        • Gathers network information
        PID:1480
      • C:\Windows\system32\findstr.exe
        findstr /i "IPv4"
        3⤵
        PID:2744
      • C:\Windows\system32\findstr.exe
        findstr /r /v "^$"
        3⤵
        PID:1896
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command $systemInfo = @{
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      PID:376

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_veed5whu.nz5.ps1

    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

  • memory/376-5-0x000001D208150000-0x000001D208172000-memory.dmp

    Filesize

    136KB