Analysis

max time kernel: 150s
max time network: 157s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 26/12/2023, 03:51
Behavioral tasks (32 tasks were queued for the AutoSettings submission, one Windows 7 and one Windows 10 run per file; this report covers behavioral4)

Task           Sample                                           Resource
behavioral1    AutoSettings/Check.bat                           win7-20231215-en
behavioral2    AutoSettings/Check.bat                           win10v2004-20231215-en
behavioral3    AutoSettings/Disable_NumLock.bat                 win7-20231129-en
behavioral4    AutoSettings/Disable_NumLock.bat                 win10v2004-20231215-en
behavioral5    AutoSettings/Enable_Biometrics.bat               win7-20231215-en
behavioral6    AutoSettings/Enable_Biometrics.bat               win10v2004-20231222-en
behavioral7    AutoSettings/Enable_Sensors.bat                  win7-20231129-en
behavioral8    AutoSettings/Enable_Sensors.bat                  win10v2004-20231215-en
behavioral9    AutoSettings/Files/MySettings.bat                win7-20231215-en
behavioral10   AutoSettings/Files/MySettings.bat                win10v2004-20231215-en
behavioral11   AutoSettings/Files/Tools/7z.dll                  win7-20231215-en
behavioral12   AutoSettings/Files/Tools/7z.dll                  win10v2004-20231215-en
behavioral13   AutoSettings/Files/Tools/7z.exe                  win7-20231215-en
behavioral14   AutoSettings/Files/Tools/7z.exe                  win10v2004-20231215-en
behavioral15   AutoSettings/Files/Tools/ExitExplorer.exe        win7-20231215-en
behavioral16   AutoSettings/Files/Tools/ExitExplorer.exe        win10v2004-20231215-en
behavioral17   AutoSettings/Files/Tools/Handle.exe              win7-20231129-en
behavioral18   AutoSettings/Files/Tools/Handle.exe              win10v2004-20231215-en
behavioral19   AutoSettings/Files/Tools/LGPO.exe                win7-20231215-en
behavioral20   AutoSettings/Files/Tools/LGPO.exe                win10v2004-20231215-en
behavioral21   AutoSettings/Files/Tools/RunFromToken_x64.exe    win7-20231215-en
behavioral22   AutoSettings/Files/Tools/RunFromToken_x64.exe    win10v2004-20231215-en
behavioral23   AutoSettings/Files/Tools/RunFromToken_x86.exe    win7-20231215-en
behavioral24   AutoSettings/Files/Tools/RunFromToken_x86.exe    win10v2004-20231215-en
behavioral25   AutoSettings/Files/Tools/SetACLx64.exe           win7-20231215-en
behavioral26   AutoSettings/Files/Tools/SetACLx64.exe           win10v2004-20231222-en
behavioral27   AutoSettings/Files/Tools/SetACLx86.exe           win7-20231215-en
behavioral28   AutoSettings/Files/Tools/SetACLx86.exe           win10v2004-20231215-en
behavioral29   AutoSettings/Files/Tools/ViewMyDisks.ps1         win7-20231215-en
behavioral30   AutoSettings/Files/Tools/ViewMyDisks.ps1         win10v2004-20231222-en
behavioral31   AutoSettings/Files/Tools/cecho.exe               win7-20231215-en
behavioral32   AutoSettings/Files/Tools/cecho.exe               win10v2004-20231222-en
General

Target: AutoSettings/Disable_NumLock.bat
Size: 1KB
MD5: a89fe1724241c3e26f242c4f60a1cef6
SHA1: a350cc504eec2b7351d436c59ae7405a3b8e9785
SHA256: 903408ca653d38c982459e46d80bc2ac0f9774c2ec6e6066218960854d1a7e37
SHA512: 1757db7507600e04ee93f24155470c3cffedc5c0b08af196c3b38a8292865cd6435774ed71684f07fa0aa16e2b803a5ded9a271e5f028a50fb3a2e24f2602a96
Malware Config

(none)

Signatures

YARA rule "upx" (4 memory-dump matches)
  behavioral4/memory/3088-0-0x0000000000400000-0x0000000000416000-memory.dmp   upx
  behavioral4/memory/3088-1-0x0000000000400000-0x0000000000416000-memory.dmp   upx
  behavioral4/memory/1588-2-0x0000000000400000-0x0000000000416000-memory.dmp   upx
  behavioral4/memory/1460-3-0x0000000000400000-0x0000000000416000-memory.dmp   upx
  PIDs 3088, 1588 and 1460 are the three cecho.exe instances in the Processes list, so the UPX matches belong to the bundled cecho.exe console-colour helper, not to the batch file under analysis.

Modifies data under HKEY_USERS (8 IoCs, all by reg.exe)
  Set value (str)   \REGISTRY\USER\S-1-5-20\Control Panel\Keyboard\InitialKeyboardIndicators = "2147483648"
  Key created       \REGISTRY\USER\.DEFAULT\Control Panel\Keyboard
  Set value (str)   \REGISTRY\USER\.DEFAULT\Control Panel\Keyboard\InitialKeyboardIndicators = "2147483648"
  Key created       \REGISTRY\USER\.DEFAULT\Control Panel\Keyboard
  Set value (str)   \REGISTRY\USER\.DEFAULT\Control Panel\Keyboard\InitialKeyboardIndicators = "2147483648"
  Key created       \REGISTRY\USER\S-1-5-19\Control Panel\Keyboard
  Set value (str)   \REGISTRY\USER\S-1-5-19\Control Panel\Keyboard\InitialKeyboardIndicators = "2147483648"
  Key created       \REGISTRY\USER\S-1-5-20\Control Panel\Keyboard
  .DEFAULT is hit twice because HKU\S-1-5-18 (LocalSystem) is a symbolic link to HKU\.DEFAULT: the separate reg add against S-1-5-18 in the Processes list lands in the same hive. S-1-5-19 is LOCAL SERVICE and S-1-5-20 is NETWORK SERVICE. The write to HKCU (PID 4640) is not counted under this signature.

Suspicious use of WriteProcessMemory (23 IoCs)
  Writer: PID 1772, cmd.exe (the interpreter running the batch). Targets, with procid_target in brackets and the number of recorded writes:
    4740 [14] x2, 4952 [15] x2, 3088 [17] x3, 1672 [65] x2, 748 [72] x2, 4248 [71] x2, 2304 [70] x2, 4640 [69] x2, 1588 [68] x3, 1460 [67] x3
  Every target is a process that PID 1772 launched itself (each one appears as its direct child in the Processes list); these are the writes a parent makes into a newly created child during process start-up. None of them is an injection into an unrelated process, so this signature adds nothing on its own here.
Processes

C:\Windows\system32\cmd.exe (PID 1772)  [Suspicious use of WriteProcessMemory]
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\AutoSettings\Disable_NumLock.bat"

  Children of PID 1772, in the order the report lists them:

  C:\Windows\system32\chcp.com (PID 4740)
    chcp 65001
    (sets the console code page to UTF-8; the cecho banners below are Russian text)

  C:\Windows\system32\reg.exe (PID 4952)
    reg query "HKU\S-1-5-19\Environment"
    (a common batch-file elevation check: this key is readable only from an elevated process, so a non-zero exit status means "not running as administrator")

  C:\Users\Admin\AppData\Local\Temp\AUTOSE~1\Files\Tools\cecho.exe (PID 3088)
    "C:\Users\Admin\AppData\Local\Temp\AUTOSE~1\Files\Tools\cecho.exe" {0b} --- Выключаем "NumLock" у всех, в том числе на Логин-Скрине (по умолчанию) --- {\n #}
    English: --- Turning off "NumLock" for everyone, including on the login screen (by default) ---
    ({0b}, {0a} and {\n #} are cecho colour and newline codes)

  C:\Windows\system32\reg.exe (PID 1672)  [Modifies data under HKEY_USERS]
    reg add "HKEY_USERS\.DEFAULT\Control Panel\Keyboard" /v "InitialKeyboardIndicators" /t REG_SZ /d 2147483648 /f

  C:\Users\Admin\AppData\Local\Temp\AUTOSE~1\Files\Tools\cecho.exe (PID 1460)
    "C:\Users\Admin\AppData\Local\Temp\AUTOSE~1\Files\Tools\cecho.exe" {0a}Перезагрузите компьютер!!! {\n #}
    English: Restart the computer!!!

  C:\Users\Admin\AppData\Local\Temp\AUTOSE~1\Files\Tools\cecho.exe (PID 1588)
    "C:\Users\Admin\AppData\Local\Temp\AUTOSE~1\Files\Tools\cecho.exe" {0a}Исправление выполнено {\n #}
    English: Fix applied

  C:\Windows\system32\reg.exe (PID 4640)
    reg add "HKCU\Control Panel\Keyboard" /v "InitialKeyboardIndicators" /t REG_SZ /d 2147483648 /f

  C:\Windows\system32\reg.exe (PID 2304)  [Modifies data under HKEY_USERS]
    reg add "HKEY_USERS\S-1-5-20\Control Panel\Keyboard" /v "InitialKeyboardIndicators" /t REG_SZ /d 2147483648 /f

  C:\Windows\system32\reg.exe (PID 4248)  [Modifies data under HKEY_USERS]
    reg add "HKEY_USERS\S-1-5-19\Control Panel\Keyboard" /v "InitialKeyboardIndicators" /t REG_SZ /d 2147483648 /f

  C:\Windows\system32\reg.exe (PID 748)  [Modifies data under HKEY_USERS]
    reg add "HKEY_USERS\S-1-5-18\Control Panel\Keyboard" /v "InitialKeyboardIndicators" /t REG_SZ /d 2147483648 /f

Net effect of the run: InitialKeyboardIndicators is set to the string "2147483648" (0x80000000) for the default profile used by the logon screen (.DEFAULT), LocalSystem (S-1-5-18, the same hive), LOCAL SERVICE (S-1-5-19), NETWORK SERVICE (S-1-5-20) and the current user (HKCU). No files are dropped, no network activity is recorded, and the change takes effect at the next logon, which is why the final banner asks for a reboot.
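The following PowerShell audit is an added example, not part of the tria.ge report or of the AutoSettings toolkit. It reads InitialKeyboardIndicators from each hive the batch above writes, flags any hive still carrying the exact value from this run, and decodes the NumLock bit. The hive-to-role mapping comes from the report; the bit layout used for decoding (1 = CapsLock, 2 = NumLock, 4 = ScrollLock in the low bits, with the high bit 0x80000000 left as the batch wrote it) is the conventional one and is labelled as an assumption in the code. Run it from an elevated session; HKU\S-1-5-19 and HKU\S-1-5-20 are not readable otherwise, which is the same property the batch relies on for its own elevation check.

```powershell
# Added example (not from the report or the AutoSettings project): audit the
# InitialKeyboardIndicators value Disable_NumLock.bat writes under every hive it touches.
# Requires an elevated PowerShell; the service hives deny read access to standard users.

# Hives written in the sandbox run, with the account each one belongs to.
# HKU\S-1-5-18 is a symbolic link to HKU\.DEFAULT, so both rows will show the same value.
$targets = [ordered]@{
    'HKEY_USERS\.DEFAULT' = 'default profile / logon screen'
    'HKEY_USERS\S-1-5-18' = 'LocalSystem (link to .DEFAULT)'
    'HKEY_USERS\S-1-5-19' = 'LOCAL SERVICE'
    'HKEY_USERS\S-1-5-20' = 'NETWORK SERVICE'
    'HKEY_CURRENT_USER'   = 'current user'
}

# Exact REG_SZ value observed in the sandbox run: 2147483648 = 0x80000000.
$SandboxValue = '2147483648'
# ASSUMPTION: conventional bit layout of the low bits (1 CapsLock, 2 NumLock, 4 ScrollLock).
# Only the NumLock bit is interpreted; the high bit is reported raw.
$NumLockBit = 2

function Get-NumLockIndicator {
    param(
        [Parameter(Mandatory)][string]$Root,   # e.g. HKEY_USERS\S-1-5-19
        [string]$Role = ''
    )
    $path = "Registry::$Root\Control Panel\Keyboard"
    $row = [ordered]@{
        Hive = $Root; Role = $Role; Raw = $null
        NumLockOnAtStart = $null; MatchesSandboxWrite = $false; Error = $null
    }
    try {
        $raw = (Get-ItemProperty -Path $path -Name InitialKeyboardIndicators -ErrorAction Stop).InitialKeyboardIndicators
        $row.Raw = [string]$raw
        $row.MatchesSandboxWrite = ([string]$raw -eq $SandboxValue)
        # The batch writes a decimal number as REG_SZ; parse it as an unsigned 32-bit value.
        $bits = [uint32]::Parse([string]$raw)
        $row.NumLockOnAtStart = (($bits -band $NumLockBit) -ne 0)
    } catch {
        # Missing key/value, or access denied when not elevated.
        $row.Error = $_.Exception.Message
    }
    [pscustomobject]$row
}

$report = foreach ($root in $targets.Keys) {
    Get-NumLockIndicator -Root $root -Role $targets[$root]
}
$report | Format-Table -AutoSize

if ($report | Where-Object MatchesSandboxWrite) {
    Write-Warning "InitialKeyboardIndicators = $SandboxValue present: matches the value Disable_NumLock.bat writes."
}
```

A hive showing Error rather than Raw almost always means the session is not elevated; re-run as administrator before concluding the key is absent. The report records no pre-existing value for these keys, so reverting means restoring whatever your own baseline held, not a number taken from this page.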