Analysis
- max time kernel: 94s
- max time network: 95s
- platform: windows10-2004_x64
- resource: win10v2004-20240802-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 18/09/2024, 22:18
Static task: static1
Behavioral task: behavioral1
- Sample: bat.bat
- Resource: win7-20240903-en
Behavioral task: behavioral2
- Sample: bat.bat
- Resource: win10v2004-20240802-en
General
- Target: bat.bat
- Size: 1KB
- MD5: 56398e58a17f184ec469763c0325a541
- SHA1: e8b9746a0269e6ef8ad6b38008e4f79617189be9
- SHA256: 475b0166b7cd0a73edbf22a1789e545588a8fa36e72339aa5c7560ab2bab3c57
- SHA512: 098ff9d21785637118a5847e12ca526c2e051e2babab61b31193199cd8575a4fda7cc54a2eeaf9441272b6fbf8b5b32e52d2b05c55e11ec21fca825e19b82a7f
Malware Config
Signatures
- Command and Scripting Interpreter: PowerShell
  pid Process: 376 powershell.exe
- Gathers network information 2 TTPs 1 IoCs
  Uses commandline utility to view network configuration.
  pid Process: 1480 ipconfig.exe
- Suspicious behavior: EnumeratesProcesses 2 IoCs
  pid Process: 376 powershell.exe; 376 powershell.exe
- Suspicious use of AdjustPrivilegeToken 64 IoCs
  description (Token) / pid / Process
  PID 1660 WMIC.exe, each token recorded twice (42 entries):
    SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36
  PID 2860 WMIC.exe, each token recorded once, SeIncreaseQuotaPrivilege twice (22 entries):
    SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36, SeIncreaseQuotaPrivilege
- Suspicious use of WriteProcessMemory 32 IoCs
  description / pid / Process / procid_target (each entry is recorded twice in the report)
  PID 1656 wrote to memory of 856 / 1656 / cmd.exe / 83
  PID 856 wrote to memory of 872 / 856 / cmd.exe / 84
  PID 1656 wrote to memory of 1236 / 1656 / cmd.exe / 85
  PID 1236 wrote to memory of 1660 / 1236 / cmd.exe / 86
  PID 1236 wrote to memory of 4996 / 1236 / cmd.exe / 87
  PID 1656 wrote to memory of 4692 / 1656 / cmd.exe / 89
  PID 4692 wrote to memory of 2860 / 4692 / cmd.exe / 90
  PID 4692 wrote to memory of 460 / 4692 / cmd.exe / 91
  PID 1656 wrote to memory of 1044 / 1656 / cmd.exe / 92
  PID 1044 wrote to memory of 1072 / 1044 / cmd.exe / 93
  PID 1044 wrote to memory of 652 / 1044 / cmd.exe / 94
  PID 1656 wrote to memory of 1844 / 1656 / cmd.exe / 95
  PID 1844 wrote to memory of 1480 / 1844 / cmd.exe / 96
  PID 1844 wrote to memory of 2744 / 1844 / cmd.exe / 97
  PID 1844 wrote to memory of 1896 / 1844 / cmd.exe / 98
  PID 1656 wrote to memory of 376 / 1656 / cmd.exe / 99
Processes
- C:\Windows\system32\cmd.exe (PID 1656)
  Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\bat.bat"
  Suspicious use of WriteProcessMemory
  - C:\Windows\system32\cmd.exe (PID 856)
    Command line: C:\Windows\system32\cmd.exe /c hostname
    Suspicious use of WriteProcessMemory
    - C:\Windows\system32\HOSTNAME.EXE (PID 872)
      Command line: hostname
  - C:\Windows\system32\cmd.exe (PID 1236)
    Command line: C:\Windows\system32\cmd.exe /c wmic os get Caption | findstr /r /v "^$"
    Suspicious use of WriteProcessMemory
    - C:\Windows\System32\Wbem\WMIC.exe (PID 1660)
      Command line: wmic os get Caption
      Suspicious use of AdjustPrivilegeToken
    - C:\Windows\system32\findstr.exe (PID 4996)
      Command line: findstr /r /v "^$"
  - C:\Windows\system32\cmd.exe (PID 4692)
    Command line: C:\Windows\system32\cmd.exe /c wmic computersystem get model | findstr /r /v "^$"
    Suspicious use of WriteProcessMemory
    - C:\Windows\System32\Wbem\WMIC.exe (PID 2860)
      Command line: wmic computersystem get model
      Suspicious use of AdjustPrivilegeToken
    - C:\Windows\system32\findstr.exe (PID 460)
      Command line: findstr /r /v "^$"
  - C:\Windows\system32\cmd.exe (PID 1044)
    Command line: C:\Windows\system32\cmd.exe /c wmic cpu get name | findstr /r /v "^$"
    Suspicious use of WriteProcessMemory
    - C:\Windows\System32\Wbem\WMIC.exe (PID 1072)
      Command line: wmic cpu get name
    - C:\Windows\system32\findstr.exe (PID 652)
      Command line: findstr /r /v "^$"
  - C:\Windows\system32\cmd.exe (PID 1844)
    Command line: C:\Windows\system32\cmd.exe /c ipconfig | findstr /i "IPv4" | findstr /r /v "^$"
    Suspicious use of WriteProcessMemory
    - C:\Windows\system32\ipconfig.exe (PID 1480)
      Command line: ipconfig
      Gathers network information
    - C:\Windows\system32\findstr.exe (PID 2744)
      Command line: findstr /i "IPv4"
    - C:\Windows\system32\findstr.exe (PID 1896)
      Command line: findstr /r /v "^$"
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 376)
    Command line: powershell -Command $systemInfo = @{
    Command and Scripting Interpreter: PowerShell
    Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 60B
  MD5: d17fe0a3f47be24a6453e9ef58c94641
  SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
  SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
  SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82