Analysis

  • max time kernel
    156s
  • max time network
    190s
  • platform
    windows11-21h2_x64
  • resource
    win11-20231215-en
  • resource tags
    arch:x64, arch:x86, image:win11-20231215-en, locale:en-us, os:windows11-21h2-x64, system
  • submitted
    30/12/2023, 08:53

General

  • Target

    m.bat

  • Size

    3KB

  • MD5

    b206a5fc587c4b693d663a0a29dcde32

  • SHA1

    5037fd2e3e2ea80d82250a20a21ec49ad036d0cb

  • SHA256

    e879fb4a661e86f55c26d528961ffc8d19757094d1eab2d470156ceadd346b20

  • SHA512

    7b8d32aedcc137cadd71aae5ad49f6e9d1b4011ddf06bee9f14bc5cd8f4cffac38d196ff668d45bd52f94f5f89b1254f48b41aec81df4ee03765d567b5146db8

Score
3/10

Malware Config

Signatures

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Gathers network information 2 TTPs 1 IoCs

    Uses commandline utility to view network configuration.

  • Opens file in notepad (likely ransom note) 4 IoCs
  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs
  • Suspicious use of FindShellTrayWindow 26 IoCs
  • Suspicious use of SendNotifyMessage 12 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Views/modifies file attributes 1 TTPs 7 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\m.bat"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4168
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://media.discordapp.net/attachments/1171199057348263996/1171261368717037700/Jq9XNeo.jpg?ex=659ca2a7&is=658a2da7&hm=e584359e6d8774a5d4d4f23f6b5f2b20a2715bdcc056d11f5fe0c641e0d9fc15&
      2⤵
      • Enumerates system info in registry
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:4216
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x108,0x10c,0x110,0xe4,0x114,0x7ff8ac643cb8,0x7ff8ac643cc8,0x7ff8ac643cd8
        3⤵
        PID:2100
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1968,10850718625094624875,17937247441675633478,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2088 /prefetch:3
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        PID:4276
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1968,10850718625094624875,17937247441675633478,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1980 /prefetch:2
        3⤵
        PID:2788
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1968,10850718625094624875,17937247441675633478,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2600 /prefetch:8
        3⤵
        PID:2732
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1968,10850718625094624875,17937247441675633478,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3284 /prefetch:1
        3⤵
        PID:1460
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1968,10850718625094624875,17937247441675633478,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3268 /prefetch:1
        3⤵
        PID:1616
      • C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1968,10850718625094624875,17937247441675633478,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5580 /prefetch:8
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        PID:1164
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1968,10850718625094624875,17937247441675633478,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4064 /prefetch:8
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        PID:3508
    • C:\Windows\system32\ipconfig.exe
      ipconfig /release
      2⤵
      • Gathers network information
      PID:4228
    • C:\Windows\system32\attrib.exe
      attrib +h C:\Users\Admin\AppData\Local\Temp\m.bat
      2⤵
      • Views/modifies file attributes
      PID:2424
    • C:\Windows\system32\attrib.exe
      attrib +h /s /d
      2⤵
      • Views/modifies file attributes
      PID:1396
    • C:\Windows\system32\cipher.exe
      cipher /e /s /a
      2⤵
      PID:4192
    • C:\Windows\system32\attrib.exe
      attrib +h /s /d
      2⤵
      • Views/modifies file attributes
      PID:1508
    • C:\Windows\system32\cipher.exe
      cipher /e /s /a
      2⤵
      PID:576
    • C:\Windows\system32\attrib.exe
      attrib +h /s /d
      2⤵
      • Views/modifies file attributes
      PID:5088
    • C:\Windows\system32\cipher.exe
      cipher /e /s /a
      2⤵
      PID:3152
    • C:\Windows\system32\attrib.exe
      attrib +h /s /d
      2⤵
      • Views/modifies file attributes
      PID:1028
    • C:\Windows\system32\cipher.exe
      cipher /e /s /a
      2⤵
      PID:2228
    • C:\Windows\system32\attrib.exe
      attrib +h /s /d
      2⤵
      • Views/modifies file attributes
      PID:4044
    • C:\Windows\system32\cipher.exe
      cipher /e /s /a
      2⤵
      PID:3228
    • C:\Windows\system32\attrib.exe
      attrib +h /s /d
      2⤵
      • Views/modifies file attributes
      PID:1660
    • C:\Windows\system32\cipher.exe
      cipher /e /s /a
      2⤵
      PID:3744
  • C:\Windows\System32\CompPkgSrv.exe
    C:\Windows\System32\CompPkgSrv.exe -Embedding
    1⤵
    PID:2776
  • C:\Windows\System32\CompPkgSrv.exe
    C:\Windows\System32\CompPkgSrv.exe -Embedding
    1⤵
    PID:1452
  • C:\Windows\system32\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\LLC.txt
    1⤵
    • Opens file in notepad (likely ransom note)
    PID:2164
  • C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
    "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
    1⤵
    • Suspicious use of SetWindowsHookEx
    PID:3424
  • C:\Windows\system32\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\LLC.txt
    1⤵
    • Opens file in notepad (likely ransom note)
    PID:4068
  • C:\Windows\system32\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\how_to_decrypt.txt
    1⤵
    • Opens file in notepad (likely ransom note)
    PID:2716
  • C:\Windows\system32\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\how_to_avoid_these_attacks_in_the_future.txt
    1⤵
    • Opens file in notepad (likely ransom note)
    PID:4428

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\6b5c7ccc-ded5-4567-bd5d-b11686035630.tmp
    Filesize
    10KB
  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
    Filesize
    152B
  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
    Filesize
    477B
  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
    Filesize
    4KB
  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
    Filesize
    5KB
  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
    Filesize
    5KB
  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
    Filesize
    6KB
  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences
    Filesize
    25KB
  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
    Filesize
    16B
  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
    Filesize
    10KB
  • C:\Users\Admin\Desktop\LLC.txt
    Filesize
    142B
  • C:\Users\Admin\Desktop\how_to_avoid_these_attacks_in_the_future.txt
    Filesize
    55B
  • C:\Users\Admin\Desktop\how_to_decrypt.txt
    Filesize
    76B
  • C:\Users\Admin\Desktop\why_you_were_targeted.txt
    Filesize
    192B
  • C:\Users\Admin\Downloads\do not close.txt
    Filesize
    132B