Analysis
  max time kernel:   1369s
  max time network:  1163s
  platform:          windows10-2004_x64
  resource:          win10v2004-20241007-en
  resource tags:     arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  submitted:         13/10/2024, 03:55
Static task
  static1
    1 signatures

Behavioral task
  behavioral1
    Sample:    sss/Driver.sys
    Resource:  win10v2004-20241007-en
    0 signatures, 1800 seconds

Behavioral task
  behavioral2
    Sample:    sss/kitty.cc checkers.bat
    Resource:  win10v2004-20241007-en
    2 signatures, 1800 seconds

Behavioral task
  behavioral3
    Sample:    sss/kitty.cc temp free.exe
    Resource:  win10v2004-20241007-en
    4 signatures, 1800 seconds
General
  Target:  sss/kitty.cc checkers.bat
  Size:    833B
  MD5:     76f2916842fa2b9cf80a206374b62d88
  SHA1:    c04a8f8db6388dad5e3c7e3edbbe9467e46cdd48
  SHA256:  59a907b93585ff90f7c69e4eddde938b8005807fe16a5a45b56820e28e07edcd
  SHA512:  5e0ffbc4e939568237d27c53e60eed88de8474b0d6ae9e767e66e8858cd3de7467f2b48b29a02a2a1b2e8922ed4bb4eb300632796ea39e531037f194ffac7eba
  Score:   1/10
Malware Config
Signatures

Suspicious use of AdjustPrivilegeToken (64 IoCs)
  description                          pid   Process
  Token: SeIncreaseQuotaPrivilege      1728  WMIC.exe
  Token: SeSecurityPrivilege           1728  WMIC.exe
  Token: SeTakeOwnershipPrivilege      1728  WMIC.exe
  Token: SeLoadDriverPrivilege         1728  WMIC.exe
  Token: SeSystemProfilePrivilege      1728  WMIC.exe
  Token: SeSystemtimePrivilege         1728  WMIC.exe
  Token: SeProfSingleProcessPrivilege  1728  WMIC.exe
  Token: SeIncBasePriorityPrivilege    1728  WMIC.exe
  Token: SeCreatePagefilePrivilege     1728  WMIC.exe
  Token: SeBackupPrivilege             1728  WMIC.exe
  Token: SeRestorePrivilege            1728  WMIC.exe
  Token: SeShutdownPrivilege           1728  WMIC.exe
  Token: SeDebugPrivilege              1728  WMIC.exe
  Token: SeSystemEnvironmentPrivilege  1728  WMIC.exe
  Token: SeRemoteShutdownPrivilege     1728  WMIC.exe
  Token: SeUndockPrivilege             1728  WMIC.exe
  Token: SeManageVolumePrivilege       1728  WMIC.exe
  Token: 33                            1728  WMIC.exe
  Token: 34                            1728  WMIC.exe
  Token: 35                            1728  WMIC.exe
  Token: 36                            1728  WMIC.exe
  Token: SeIncreaseQuotaPrivilege      1728  WMIC.exe
  Token: SeSecurityPrivilege           1728  WMIC.exe
  Token: SeTakeOwnershipPrivilege      1728  WMIC.exe
  Token: SeLoadDriverPrivilege         1728  WMIC.exe
  Token: SeSystemProfilePrivilege      1728  WMIC.exe
  Token: SeSystemtimePrivilege         1728  WMIC.exe
  Token: SeProfSingleProcessPrivilege  1728  WMIC.exe
  Token: SeIncBasePriorityPrivilege    1728  WMIC.exe
  Token: SeCreatePagefilePrivilege     1728  WMIC.exe
  Token: SeBackupPrivilege             1728  WMIC.exe
  Token: SeRestorePrivilege            1728  WMIC.exe
  Token: SeShutdownPrivilege           1728  WMIC.exe
  Token: SeDebugPrivilege              1728  WMIC.exe
  Token: SeSystemEnvironmentPrivilege  1728  WMIC.exe
  Token: SeRemoteShutdownPrivilege     1728  WMIC.exe
  Token: SeUndockPrivilege             1728  WMIC.exe
  Token: SeManageVolumePrivilege       1728  WMIC.exe
  Token: 33                            1728  WMIC.exe
  Token: 34                            1728  WMIC.exe
  Token: 35                            1728  WMIC.exe
  Token: 36                            1728  WMIC.exe
  Token: SeIncreaseQuotaPrivilege      1940  WMIC.exe
  Token: SeSecurityPrivilege           1940  WMIC.exe
  Token: SeTakeOwnershipPrivilege      1940  WMIC.exe
  Token: SeLoadDriverPrivilege         1940  WMIC.exe
  Token: SeSystemProfilePrivilege      1940  WMIC.exe
  Token: SeSystemtimePrivilege         1940  WMIC.exe
  Token: SeProfSingleProcessPrivilege  1940  WMIC.exe
  Token: SeIncBasePriorityPrivilege    1940  WMIC.exe
  Token: SeCreatePagefilePrivilege     1940  WMIC.exe
  Token: SeBackupPrivilege             1940  WMIC.exe
  Token: SeRestorePrivilege            1940  WMIC.exe
  Token: SeShutdownPrivilege           1940  WMIC.exe
  Token: SeDebugPrivilege              1940  WMIC.exe
  Token: SeSystemEnvironmentPrivilege  1940  WMIC.exe
  Token: SeRemoteShutdownPrivilege     1940  WMIC.exe
  Token: SeUndockPrivilege             1940  WMIC.exe
  Token: SeManageVolumePrivilege       1940  WMIC.exe
  Token: 33                            1940  WMIC.exe
  Token: 34                            1940  WMIC.exe
  Token: 35                            1940  WMIC.exe
  Token: 36                            1940  WMIC.exe
  Token: SeIncreaseQuotaPrivilege      1940  WMIC.exe

Suspicious use of WriteProcessMemory (18 IoCs)
  description                        pid   Process  procid_target
  PID 5036 wrote to memory of 2176   5036  cmd.exe  84
  PID 5036 wrote to memory of 2176   5036  cmd.exe  84
  PID 5036 wrote to memory of 1728   5036  cmd.exe  86
  PID 5036 wrote to memory of 1728   5036  cmd.exe  86
  PID 5036 wrote to memory of 1940   5036  cmd.exe  88
  PID 5036 wrote to memory of 1940   5036  cmd.exe  88
  PID 5036 wrote to memory of 3924   5036  cmd.exe  89
  PID 5036 wrote to memory of 3924   5036  cmd.exe  89
  PID 5036 wrote to memory of 3932   5036  cmd.exe  91
  PID 5036 wrote to memory of 3932   5036  cmd.exe  91
  PID 5036 wrote to memory of 3544   5036  cmd.exe  93
  PID 5036 wrote to memory of 3544   5036  cmd.exe  93
  PID 5036 wrote to memory of 1132   5036  cmd.exe  94
  PID 5036 wrote to memory of 1132   5036  cmd.exe  94
  PID 5036 wrote to memory of 1652   5036  cmd.exe  95
  PID 5036 wrote to memory of 1652   5036  cmd.exe  95
  PID 5036 wrote to memory of 2724   5036  cmd.exe  96
  PID 5036 wrote to memory of 2724   5036  cmd.exe  96
Processes

C:\Windows\system32\cmd.exe  (PID 5036, depth 1)
  command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\sss\kitty.cc checkers.bat"
  signatures:   Suspicious use of WriteProcessMemory

  C:\Windows\system32\mode.com  (PID 2176, depth 2)
    command line: mode con: cols=180 lines=62

  C:\Windows\System32\Wbem\WMIC.exe  (PID 1728, depth 2)
    command line: wmic diskdrive get serialnumber
    signatures:   Suspicious use of AdjustPrivilegeToken

  C:\Windows\System32\Wbem\WMIC.exe  (PID 1940, depth 2)
    command line: wmic baseboard get serialnumber
    signatures:   Suspicious use of AdjustPrivilegeToken

  C:\Windows\System32\Wbem\WMIC.exe  (PID 3924, depth 2)
    command line: wmic path win32_computersystemproduct get uuid

  C:\Windows\System32\Wbem\WMIC.exe  (PID 3932, depth 2)
    command line: wmic PATH Win32_VideoController GET Description,PNPDeviceID

  C:\Windows\System32\Wbem\WMIC.exe  (PID 3544, depth 2)
    command line: wmic memorychip get serialnumber

  C:\Windows\System32\Wbem\WMIC.exe  (PID 1132, depth 2)
    command line: wmic csproduct get uuid

  C:\Windows\System32\Wbem\WMIC.exe  (PID 1652, depth 2)
    command line: wmic cpu get processorid

  C:\Windows\System32\Wbem\WMIC.exe  (PID 2724, depth 2)
    command line: wmic path Win32_NetworkAdapter where "PNPDeviceID like '%PCI%' AND NetConnectionStatus=2 AND AdapterTypeID='0'" get MacAddress