5a597c9eea792f7ce5a15c04de07e8e23871cca7d46b0f5dab5027a203820ab2 | Triage

Submit
Reports

Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

Static

static

1

gpedit-enabler.bat

windows10-1703-x64

7

gpedit-enabler.bat

windows11-21h2-x64

Sharing

General

Target

gpedit-enabler.bat
Size

379B
Sample

240919-aas3dszfja
MD5

ed31a523aac1905a95c1a2fdf9ba6d00
SHA1

3dc0c844bf799cd97d286a8f0961d58648934754
SHA256

5a597c9eea792f7ce5a15c04de07e8e23871cca7d46b0f5dab5027a203820ab2
SHA512

92fd810a6bdf3f98e170f5aed865acf323ce2a14b93981a8b0251727a28eeefd74e846c98d6e6ce3cb9bf3363b350c5310ab7148bb1f8f80c452c700dd23d1f8

Score

10^/10

defense_evasion discovery execution persistence privilege_escalation

Static task

static1

Behavioral task

behavioral1

Sample

gpedit-enabler.bat

Resource

win10-20240404-en

windows10-1703-x64

5 signatures

1800 seconds

Behavioral task

behavioral2

Sample

gpedit-enabler.bat

Resource

win11-20240802-en

defense_evasion discovery execution persistence privilege_escalation

windows11-21h2-x64

32 signatures

1800 seconds

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://sdffrssertr12.ucoz.net/av.ps1

Targets

- Target
  
  gpedit-enabler.bat
- Size
  
  379B
- MD5
  
  ed31a523aac1905a95c1a2fdf9ba6d00
- SHA1
  
  3dc0c844bf799cd97d286a8f0961d58648934754
- SHA256
  
  5a597c9eea792f7ce5a15c04de07e8e23871cca7d46b0f5dab5027a203820ab2
- SHA512
  
  92fd810a6bdf3f98e170f5aed865acf323ce2a14b93981a8b0251727a28eeefd74e846c98d6e6ce3cb9bf3363b350c5310ab7148bb1f8f80c452c700dd23d1f8
Score

10^/10

defense_evasion discovery execution persistence privilege_escalation
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
  Run Powershell and hide display window.
  execution
- Downloads MZ/PE file
- Event Triggered Execution: Component Object Model Hijacking
  Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
  persistence privilege_escalation
- Executes dropped EXE
- Loads dropped DLL
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Legitimate hosting services abused for malware hosting/C2
- Drops file in System32 directory
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Event Triggered Execution

Accessibility Features

Component Object Model Hijacking

Privilege Escalation

Event Triggered Execution

Accessibility Features

Component Object Model Hijacking

Defense Evasion

Subvert Trust Controls

SIP and Trust Provider Hijacking

Credential Access

Discovery

Browser Information Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

behavioral1

behavioral2

defense_evasiondiscoveryexecutionpersistenceprivilege_escalation

© 2018-2025

Terms | Privacy