Analysis
- max time kernel: 139s
- max time network: 160s
- platform: windows10-2004_x64
- resource: win10v2004-20231215-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 26/12/2023, 15:47
Static task
- static1

Behavioral tasks (sample on resource)
- behavioral1: BakerBoostApp.msi on win7-20231129-en
- behavioral2: BakerBoostApp.msi on win10v2004-20231215-en
- behavioral3: setup.exe on win7-20231215-en
- behavioral4: setup.exe on win10v2004-20231215-en
- behavioral5: Пак/Специальн. твики/1_Activator.bat on win7-20231215-en
- behavioral6: Пак/Специальн. твики/1_Activator.bat on win10v2004-20231215-en
- behavioral7: Пак/Специальн. твики/Network_Tweaks.bat on win7-20231215-en
- behavioral8: Пак/Специальн. твики/Network_Tweaks.bat on win10v2004-20231215-en
General
- Target: Пак/Специальн. твики/Network_Tweaks.bat (the Russian folder names mean "Pack/Special tweaks")
- Size: 3KB
- MD5: 257c9ccd5fa59498dbfcf75b07f30a73
- SHA1: cd333e7847a91200d7281bc6d14f864908b1acfd
- SHA256: d0a0f15415723601124794ccf93271fb5fac14b7c00c160dbddb7794968e802f
- SHA512: 26ebdc68c18a3006972030e32b05b69a9d949e10a312833818749aa109065f359a5eb5346d8ffe6c99dc3fc98f55aa7d384247d3e9fd3166605bbe901e4033f7
Malware Config
Signatures
- Suspicious behavior: EnumeratesProcesses (6 IoCs)
  pid   Process
  708   powershell.exe
  708   powershell.exe
  2720  powershell.exe
  2720  powershell.exe
  4352  powershell.exe
  4352  powershell.exe
- Suspicious use of AdjustPrivilegeToken (64 IoCs; the report lists one row per token event, grouped here by process)
  pid 708 powershell.exe (22 events): SeDebugPrivilege, SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36
  pid 2720 powershell.exe (22 events): SeDebugPrivilege, SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36
  pid 4352 powershell.exe (20 events, list cut off at the 64-IoC cap): SeDebugPrivilege, SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34
- Suspicious use of WriteProcessMemory (64 IoCs; every row below is recorded twice in the report)
  pid   Process   wrote to memory of   procid_target
  4944  cmd.exe   4960                 92
  4944  cmd.exe   2824                 97
  4944  cmd.exe   4820                 98
  4944  cmd.exe   5112                 99
  4944  cmd.exe   4460                 100
  4944  cmd.exe   1164                 101
  4944  cmd.exe   4184                 102
  4944  cmd.exe   3972                 103
  4944  cmd.exe   3380                 104
  4944  cmd.exe   832                  105
  4944  cmd.exe   4692                 106
  4944  cmd.exe   3264                 107
  4944  cmd.exe   3812                 108
  4944  cmd.exe   3996                 109
  4944  cmd.exe   708                  110
  4944  cmd.exe   2720                 112
  4944  cmd.exe   4352                 114
  4944  cmd.exe   3280                 115
  4944  cmd.exe   4372                 116
  4944  cmd.exe   3136                 117
  4944  cmd.exe   5012                 119
  4944  cmd.exe   4200                 118
  4944  cmd.exe   1764                 122
  4944  cmd.exe   4876                 120
  4944  cmd.exe   1204                 121
  4944  cmd.exe   2344                 124
  4944  cmd.exe   4112                 123
  4944  cmd.exe   2000                 125
  4944  cmd.exe   1516                 126
  4944  cmd.exe   3348                 127
  4944  cmd.exe   1164                 128
  4944  cmd.exe   3788                 130
Processes
- C:\Windows\system32\cmd.exe (PID 4944)
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Пак\Специальн. твики\Network_Tweaks.bat"
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\system32\netsh.exe (PID 4960)
    netsh int tcp set global autotuninglevel=disabled
  - C:\Windows\system32\netsh.exe (PID 2824)
    netsh int tcp set global ecncapability=disabled
  - C:\Windows\system32\netsh.exe (PID 4820)
    netsh int tcp set global dca=enabled
  - C:\Windows\system32\netsh.exe (PID 5112)
    netsh int tcp set global netdma=enabled
  - C:\Windows\system32\netsh.exe (PID 4460)
    netsh int tcp set global rsc=disabled
  - C:\Windows\system32\netsh.exe (PID 1164)
    netsh int tcp set global rss=enabled
  - C:\Windows\system32\netsh.exe (PID 4184)
    netsh int tcp set global timestamps=disabled
  - C:\Windows\system32\netsh.exe (PID 3972)
    netsh int tcp set global initialRto=2000
  - C:\Windows\system32\netsh.exe (PID 3380)
    netsh int tcp set global nonsackrttresiliency=disabled
  - C:\Windows\system32\netsh.exe (PID 832)
    netsh int tcp set global maxsynretransmissions=2
  - C:\Windows\system32\netsh.exe (PID 4692)
    netsh int tcp set security mpp=disabled
  - C:\Windows\system32\netsh.exe (PID 3264)
    netsh int tcp set security profiles=disabled
  - C:\Windows\system32\netsh.exe (PID 3812)
    netsh int tcp set heuristics disabled
  - C:\Windows\system32\netsh.exe (PID 3996)
    netsh int ip set global neighborcachelimit=4096
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 708)
    powershell -command "Set-NetTCPSetting -SettingName InternetCustom -MinRto 300"
    Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2720)
    powershell -command "Set-NetTCPSetting -SettingName InternetCustom -InitialCongestionWindow 10"
    Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 4352)
    powershell -command "Set-NetOffloadGlobalSetting -Chimney Disabled"
    Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\system32\reg.exe (PID 3280)
    reg add "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" /v "DefaultTTL" /t REG_DWORD /d "64" /f
  - C:\Windows\system32\reg.exe (PID 4372)
    reg add "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" /v "Tcp1323Opts" /t REG_DWORD /d "1" /f
  - C:\Windows\system32\reg.exe (PID 3136)
    reg add "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" /v "TcpMaxDupAcks" /t REG_DWORD /d "2" /f
  - C:\Windows\system32\reg.exe (PID 4200)
    reg add "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" /v "MaxUserPort" /t REG_DWORD /d "65534" /f
  - C:\Windows\system32\reg.exe (PID 5012)
    reg add "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" /v "SackOpts" /t REG_DWORD /d "0" /f
  - C:\Windows\system32\reg.exe (PID 4876)
    reg add "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Winsock" /v "UseDelayedAcceptance" /t REG_DWORD /d "0" /f
  - C:\Windows\system32\reg.exe (PID 1204)
    reg add "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Winsock" /v "MaxSockAddrLength" /t REG_DWORD /d "16" /f
  - C:\Windows\system32\reg.exe (PID 1764)
    reg add "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" /v "TcpTimedWaitDelay" /t REG_DWORD /d "30" /f
  - C:\Windows\system32\reg.exe (PID 4112)
    reg add "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\ServiceProvider" /v "LocalPriority" /t REG_DWORD /d "4" /f
  - C:\Windows\system32\reg.exe (PID 2344)
    reg add "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Winsock" /v "MinSockAddrLength" /t REG_DWORD /d "16" /f
  - C:\Windows\system32\reg.exe (PID 2000)
    reg add "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\ServiceProvider" /v "HostsPriority" /t REG_DWORD /d "5" /f
  - C:\Windows\system32\reg.exe (PID 1516)
    reg add "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\ServiceProvider" /v "DnsPriority" /t REG_DWORD /d "6" /f
  - C:\Windows\system32\reg.exe (PID 3348)
    reg add "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\ServiceProvider" /v "NetbtPriority" /t REG_DWORD /d "7" /f
  - C:\Windows\system32\reg.exe (PID 1164)
    reg add "HKLM\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters" /v "EnableAutoDoh" /t REG_DWORD /d "2" /f
  - C:\Windows\system32\cmd.exe (PID 3116)
    C:\Windows\system32\cmd.exe /c wmic path win32_networkadapter get GUID | findstr "{"
    - C:\Windows\system32\findstr.exe (PID 3648)
      findstr "{"
    - C:\Windows\System32\Wbem\WMIC.exe (PID 1344)
      wmic path win32_networkadapter get GUID
  - C:\Windows\system32\reg.exe (PID 3788)
    reg add "HKLM\SYSTEM\CurrentControlSet\Services\AFD\Parameters" /v "DoNotHoldNicBuffers" /t REG_DWORD /d "1" /f
  - C:\Windows\system32\cmd.exe (PID 3580)
    C:\Windows\system32\cmd.exe /c wmic path win32_networkadapter get GUID | findstr "{"
    - C:\Windows\system32\findstr.exe (PID 3016)
      findstr "{"
    - C:\Windows\System32\Wbem\WMIC.exe (PID 2620)
      wmic path win32_networkadapter get GUID
  - C:\Windows\system32\reg.exe (PID 2724)
    reg add "HKLM\System\CurrentControlSet\services\Tcpip\Parameters\Interfaces\{EDAA39D1-9B2E-4E7B-9FFC-82494222D560}" /v "TcpAckFrequency" /t REG_DWORD /d "1" /f
  - C:\Windows\system32\cmd.exe (PID 5052)
    C:\Windows\system32\cmd.exe /c wmic path win32_networkadapter get GUID | findstr "{"
    - C:\Windows\system32\findstr.exe (PID 1684)
      findstr "{"
    - C:\Windows\System32\Wbem\WMIC.exe (PID 4496)
      wmic path win32_networkadapter get GUID
  - C:\Windows\system32\reg.exe (PID 4692)
    reg add "HKLM\System\CurrentControlSet\services\Tcpip\Parameters\Interfaces\{EDAA39D1-9B2E-4E7B-9FFC-82494222D560}" /v "TcpDelAckTicks" /t REG_DWORD /d "0" /f
  - C:\Windows\system32\reg.exe (PID 1512)
    reg add "HKLM\System\CurrentControlSet\services\Tcpip\Parameters\Interfaces\{EDAA39D1-9B2E-4E7B-9FFC-82494222D560}" /v "TCPNoDelay" /t REG_DWORD /d "1" /f
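Reading the tree as a responder: every child of cmd.exe 4944 is netsh, reg.exe or PowerShell applying TCP/IP tuning, which is exactly what the file name promises, and the three signatures the sandbox raised (EnumeratesProcesses and AdjustPrivilegeToken on the PowerShell children, WriteProcessMemory on the parent) are the ordinary side effects of PowerShell start-up and of cmd.exe spawning children, not evidence of anything beyond the tuning itself. Two PIDs are reused within the run (1164 is first netsh then reg.exe, 4692 is first netsh then reg.exe), so correlate on command line rather than PID. The per-interface values are written under the GUID the script pulls from wmic, which on the sandbox VM was {EDAA39D1-9B2E-4E7B-9FFC-82494222D560}; on any other host it will be a different GUID. The script below is an added example, not part of the Triage report and not code from the tweak pack: it audits a Windows host for the registry values listed above and can remove them. The paths and values are taken from the report; the "absent on a stock Windows 10 image" flags are an assumption (the Winsock and ServiceProvider values are believed to exist by default, so they are reported but never deleted) and should be checked against a clean reference image before -Revert is trusted.

```powershell
<#
  Added audit script (not from the Triage report or the analysed .bat).
  Checks a host for the registry values Network_Tweaks.bat writes and,
  with -Revert, removes the ones assumed absent on a stock Windows 10.
  Run elevated; -WhatIf previews removals without touching the registry.
#>
[CmdletBinding(SupportsShouldProcess)]
param([switch]$Revert)

$tcpip = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
$svcp  = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\ServiceProvider'

# Value the script writes, plus an ASSUMPTION whether the value is absent on a
# clean install. Winsock and ServiceProvider values exist on a stock system
# (the Winsock writes even match the stock values), so deleting them is not a
# revert; they are reported only.
$expected = @(
    @{Path=$tcpip;           Name='DefaultTTL';           Value=64;    Absent=$true}
    @{Path=$tcpip;           Name='Tcp1323Opts';          Value=1;     Absent=$true}
    @{Path=$tcpip;           Name='TcpMaxDupAcks';        Value=2;     Absent=$true}
    @{Path=$tcpip;           Name='MaxUserPort';          Value=65534; Absent=$true}
    @{Path=$tcpip;           Name='SackOpts';             Value=0;     Absent=$true}
    @{Path=$tcpip;           Name='TcpTimedWaitDelay';    Value=30;    Absent=$true}
    @{Path="$tcpip\Winsock"; Name='UseDelayedAcceptance'; Value=0;     Absent=$false}
    @{Path="$tcpip\Winsock"; Name='MaxSockAddrLength';    Value=16;    Absent=$false}
    @{Path="$tcpip\Winsock"; Name='MinSockAddrLength';    Value=16;    Absent=$false}
    @{Path=$svcp;            Name='LocalPriority';        Value=4;     Absent=$false}
    @{Path=$svcp;            Name='HostsPriority';        Value=5;     Absent=$false}
    @{Path=$svcp;            Name='DnsPriority';          Value=6;     Absent=$false}
    @{Path=$svcp;            Name='NetbtPriority';        Value=7;     Absent=$false}
    @{Path='HKLM:\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters'; Name='EnableAutoDoh';       Value=2; Absent=$true}
    @{Path='HKLM:\SYSTEM\CurrentControlSet\Services\AFD\Parameters';      Name='DoNotHoldNicBuffers'; Value=1; Absent=$true}
)

# The script targets the adapter GUID returned by
# "wmic path win32_networkadapter get GUID", so check every interface key
# instead of hard-coding the sandbox's GUID.
foreach ($iface in Get-ChildItem "$tcpip\Interfaces") {
    foreach ($pair in @(@('TcpAckFrequency', 1), @('TcpDelAckTicks', 0), @('TCPNoDelay', 1))) {
        $expected += @{Path="$tcpip\Interfaces\$($iface.PSChildName)"; Name=$pair[0]; Value=$pair[1]; Absent=$true}
    }
}

# Read each value; IsSet is true only when it exists with the script's value.
$findings = foreach ($e in $expected) {
    $item    = Get-ItemProperty -Path $e.Path -Name $e.Name -ErrorAction SilentlyContinue
    $current = if ($item) { $item.($e.Name) } else { $null }
    [pscustomobject]@{
        Name       = $e.Name
        Expected   = $e.Value
        Current    = $current
        IsSet      = ($null -ne $current) -and ($current -eq $e.Value)
        Revertible = $e.Absent
        Path       = $e.Path
    }
}
$findings | Format-Table Name, Expected, Current, IsSet, Revertible, Path -AutoSize

$hits = @($findings | Where-Object IsSet)
Write-Host ("{0} of {1} script-written values are present with the script's value." -f $hits.Count, $findings.Count)

# The PowerShell children change the InternetCustom template (MinRto 300 ms,
# initial congestion window 10 MSS) and disable Chimney offload; the netsh
# children change the global settings shown alongside. These are not plain
# registry values, so they are only displayed here.
Get-NetTCPSetting -SettingName InternetCustom |
    Select-Object SettingName, MinRtoMs, InitialCongestionWindowMss, AutoTuningLevelLocal,
                  EcnCapability, Timestamps, InitialRtoMs, MaxSynRetransmissions, NonSackRttResiliency
Get-NetOffloadGlobalSetting | Select-Object ReceiveSideScaling, ReceiveSegmentCoalescing, Chimney

if ($Revert) {
    foreach ($f in $hits | Where-Object Revertible) {
        if ($PSCmdlet.ShouldProcess("$($f.Path)\$($f.Name)", 'Remove-ItemProperty')) {
            Remove-ItemProperty -Path $f.Path -Name $f.Name
        }
    }
    Write-Host 'netsh/Set-NetTCPSetting changes are not reverted here; "netsh int tcp reset" restores stack defaults.'
}
```

Run it without arguments to get the audit table, and with `-Revert -WhatIf` to see which values would be removed before committing. A host where most rows show IsSet = True almost certainly ran this pack (or an equivalent tuning guide), since the combination of values, in particular EnableAutoDoh=2 next to DoNotHoldNicBuffers=1 and the 4/5/6/7 provider priorities, is not something Windows sets on its own.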
Network
MITRE ATT&CK Matrix
Downloads
- Filesize: 3KB
  MD5: 6103fe5d5027cab041f301df51eac4c4
  SHA1: c657565a144127c840a918019386d0215fd8c344
  SHA256: 417c4cb2b29babf944e6c41ea1b362908782127c5894ef0fe3372abc855fbfd3
  SHA512: 6a2ec9fb27a748a8de37064cca4464dbe2758b0711e6622c8ff6f2dccd8b332d933abc8014dfe22e0a86659211fc7c394d9ccbf965d1f253e4cf59ebb290d9cd
- Filesize: 1KB
  MD5: 8ff6ca6c8af16c7c43be05954f5fe433
  SHA1: 86fee6a5ce41340f80d9ee7106f79b40c4a8fba4
  SHA256: b09faf9f77172902efb437763be280eeb1e461f3e484de4cafa43acb5aced7cb
  SHA512: 6737e7e23b65ab1b4a6760882c12fccb18b4596402a8bfb428790e42cba4062e57a661b7111aae493ed2509deca57c06d16ee4643c4cd4195786786bda898e73
- Filesize: 1KB
  MD5: 1a8c7052d0ceb101afa3a8164ecfb3c6
  SHA1: 1e5a09e16e6d45401910dd4afb09edfed0233469
  SHA256: eea7d90996add012a77d3f99b6fc59faed70e59f9bd3bb70c3342000bd802085
  SHA512: c749a048e3dfbc52bb57c65a3eeb25831d3e6c5f7c2027afb71008cf8acdaaf3af2720d34469f0ea7d977408eee0139b0734ac5ea399a35bca3896c2a0e87dcc
- Filesize: 60B
  MD5: d17fe0a3f47be24a6453e9ef58c94641
  SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
  SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
  SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82