Analysis

max time kernel:   10s
max time network:  10s
platform:          windows10-2004_x64
resource:          win10v2004-20240226-en
resource tags:     arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted:         27/03/2024, 22:41
Tasks

The submission was a Malware-master archive; Triage ran one static task over it and detonated each of its five scripts on a Windows 7 and a Windows 10 image.

task          sample                               resource
static1       (static analysis of the submission)
behavioral1   Malware-master/Disablenet.bat        win7-20240221-en
behavioral2   Malware-master/Disablenet.bat        win10v2004-20240226-en
behavioral3   Malware-master/README.ps1            win7-20240319-en
behavioral4   Malware-master/README.ps1            win10v2004-20240226-en
behavioral5   Malware-master/Shutdowns.bat         win7-20240221-en
behavioral6   Malware-master/Shutdowns.bat         win10v2004-20231215-en
behavioral7   Malware-master/crashespc.bat         win7-20240220-en
behavioral8   Malware-master/crashespc.bat         win10v2004-20240226-en
behavioral9   Malware-master/system_meltdown.bat   win7-20240221-en
behavioral10  Malware-master/system_meltdown.bat   win10v2004-20240226-en

The rest of this page is the report for crashespc.bat on win10v2004-20240226-en (behavioral8).
Errors: none listed

General

Target:  Malware-master/crashespc.bat
Size:    278B
MD5:     8e2220e4552a3ed322c0b542e8641ad7
SHA1:    2d0c40f092d0264b864876c82fce71df4a9cdf1e
SHA256:  d0675ccdf06d1360fd6193bd583e2b6e06888e882e1f9b21430b5328f7c7a4f6
SHA512:  2a9e9f35b55a41bb65e914d43fdfb1576d46098abc9b1c35e29f03b1a4d3df89212c1181322e8422f0ad1055483ec4204e25728641012f8a52d30ea9c77cdc05

Malware Config: none listed

Signatures
Modifies data under HKEY_USERS (15 IoCs)

All 15 entries are registry writes by LogonUI.exe (PID 2084), the Windows logon/lock-screen host. It runs as its own root process in the tree below, not as a child of the batch file, and every value is a DWM or accent-colour setting for the default user profile, so this signature records the logon screen being drawn rather than anything the sample did. Treat it as environment noise when writing detections from this report.

description       ioc                                                                                                    process
Set value (int)   \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"                LogonUI.exe
Key created       \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History                      LogonUI.exe
Set value (int)   \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"   LogonUI.exe
Set value (int)   \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"              LogonUI.exe
Set value (int)   \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "156"              LogonUI.exe
Set value (int)   \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"              LogonUI.exe
Key created       \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM                                               LogonUI.exe
Set value (int)   \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"                    LogonUI.exe
Set value (int)   \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"           LogonUI.exe
Set value (data)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00   LogonUI.exe
Set value (int)   \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"          LogonUI.exe
Set value (int)   \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"                 LogonUI.exe
Key created       \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent                    LogonUI.exe
Set value (int)   \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"     LogonUI.exe
Set value (int)   \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"   LogonUI.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)

shutdown.exe enables the shutdown privileges on its own token before issuing the request; this is how the shutdown command always works, so the signature here is a side effect of the batch calling shutdown rather than a separate technique.

description                        pid   process
Token: SeShutdownPrivilege         4684  shutdown.exe
Token: SeRemoteShutdownPrivilege   4684  shutdown.exe

Suspicious use of SetWindowsHookEx (1 IoC)

Again LogonUI.exe, not the sample.

pid   process
2084  LogonUI.exe

Suspicious use of WriteProcessMemory (12 IoCs)

These are the parent cmd.exe (PID 2128) writing into each of the six children it launched, which is part of ordinary process creation; each child appears twice. There is no injection into a foreign process.

description                         pid   process   procid_target
PID 2128 wrote to memory of 3788    2128  cmd.exe   86
PID 2128 wrote to memory of 3788    2128  cmd.exe   86
PID 2128 wrote to memory of 2716    2128  cmd.exe   87
PID 2128 wrote to memory of 2716    2128  cmd.exe   87
PID 2128 wrote to memory of 3232    2128  cmd.exe   88
PID 2128 wrote to memory of 3232    2128  cmd.exe   88
PID 2128 wrote to memory of 1936    2128  cmd.exe   89
PID 2128 wrote to memory of 1936    2128  cmd.exe   89
PID 2128 wrote to memory of 1628    2128  cmd.exe   90
PID 2128 wrote to memory of 1628    2128  cmd.exe   90
PID 2128 wrote to memory of 4684    2128  cmd.exe   91
PID 2128 wrote to memory of 4684    2128  cmd.exe   91

Views/modifies file attributes (1 TTP, 4 IoCs)

pid   process
3788  attrib.exe
2716  attrib.exe
3232  attrib.exe
1936  attrib.exe
Processes

Command lines are reproduced exactly as the report renders them. The batch file's whole behaviour is visible in the first tree: it clears the read-only, system and hidden attributes on four legacy startup files, broadcasts a message to every session with msg *, then schedules a shutdown 7 seconds out. The second tree (LogonUI.exe) is the logon screen that Windows draws for the shutdown, not something the sample started.

C:\Windows\system32\cmd.exe  (PID 2128)  [Suspicious use of WriteProcessMemory]
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Malware-master\crashespc.bat"

  C:\Windows\system32\attrib.exe  (PID 3788)  [Views/modifies file attributes]
    attrib -r -s -h c:autoexec.bat

  C:\Windows\system32\attrib.exe  (PID 2716)  [Views/modifies file attributes]
    attrib -r -s -h c:boot.ini

  C:\Windows\system32\attrib.exe  (PID 3232)  [Views/modifies file attributes]
    attrib -r -s -h c:ntldr

  C:\Windows\system32\attrib.exe  (PID 1936)  [Views/modifies file attributes]
    attrib -r -s -h c:windowswin.ini

  C:\Windows\system32\msg.exe  (PID 1628)
    msg * YOU GOT OWNED!!!

  C:\Windows\system32\shutdown.exe  (PID 4684)  [Suspicious use of AdjustPrivilegeToken]
    shutdown -s -t 7 -c "A VIRUS IS TAKING OVER c:Drive

C:\Windows\system32\LogonUI.exe  (PID 2084)  [Modifies data under HKEY_USERS; Suspicious use of SetWindowsHookEx]
  "LogonUI.exe" /flags:0x4 /state0:0xa398f855 /state1:0x41c64e6d

Two practical notes. boot.ini and ntldr belong to the pre-Vista NTLDR boot loader and do not exist on a Windows 10 image, so those two attrib calls cannot succeed there; the attribute stripping is a leftover from a Windows XP-era prank script. The only lasting effect on this platform is the forced shutdown, and shutdown -s -t 7 leaves a 7-second window in which shutdown /a from any shell cancels it. Because the analysis time limit was 10s, the shutdown also explains why the run ends almost immediately after the sample starts.
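The signatures above are worth reproducing as detection logic over process-creation telemetry, since the same three behaviours (bulk attribute stripping of startup files, a msg * broadcast, and a scheduled shutdown spawned from one cmd.exe) are what distinguish this script from a normal batch job. The following is an added example written for this page, not Triage's signature engine and not code from the Malware-master repository. The rule names, the BOOT_CRITICAL watch-list (taken from the four targets in the report) and the Sysmon-style event shape are this example's own assumptions; the sample events are constructed from the process tree above, with the parent PID of the two root processes set to a placeholder 1 because the report does not show it.

```python
"""Toy signature matching over process-creation events, modelled on the
behaviours this report flags. Editor's example; rule names are its own."""
import re
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class ProcEvent:
    """One process-creation record (Sysmon Event ID 1 / sandbox tree style)."""
    pid: int
    ppid: int
    image: str
    cmdline: str


# Startup files whose R/S/H attributes a benign script rarely strips in bulk.
# Assumed watch-list for this example, taken from the report's four targets.
BOOT_CRITICAL = ("autoexec.bat", "boot.ini", "ntldr", "win.ini")


def image_name(path: str) -> str:
    return re.split(r"[\\/]", path)[-1].lower()


def _is_flag(tok: str) -> bool:
    return tok[:1] in ("-", "/", "+")


def _is_critical(target: str) -> bool:
    # Drop a drive prefix and any directory part, then match on suffix so the
    # report's separator-less rendering ("c:windowswin.ini") still matches.
    name = re.sub(r"^[a-z]:", "", target.lower())
    name = re.split(r"[\\/]", name)[-1]
    return any(name.endswith(c) for c in BOOT_CRITICAL)


def attrib_unprotected_targets(ev: ProcEvent) -> List[str]:
    """Watch-listed targets of an attrib call that clears R, S and H together."""
    if image_name(ev.image) != "attrib.exe":
        return []
    toks = ev.cmdline.split()[1:]
    flags = {t.lower() for t in toks if _is_flag(t)}
    if not {"-r", "-s", "-h"} <= flags:
        return []
    return [t for t in toks if not _is_flag(t) and _is_critical(t)]


def shutdown_request(ev: ProcEvent) -> Optional[dict]:
    """Parse shutdown.exe -s/-r (or /s, /r) and its -t delay in seconds."""
    if image_name(ev.image) != "shutdown.exe":
        return None
    toks = ev.cmdline.split()[1:]
    action, delay = None, None
    for i, t in enumerate(toks):
        if not _is_flag(t):
            continue
        key = t[1:].lower()
        if key in ("s", "r"):
            action = "shutdown" if key == "s" else "restart"
        elif key == "t" and i + 1 < len(toks) and toks[i + 1].isdigit():
            delay = int(toks[i + 1])
    return None if action is None else {"pid": ev.pid, "action": action, "delay_s": delay}


def triage(events: List[ProcEvent]) -> dict:
    """Apply the rules to a process tree and return findings plus a verdict."""
    by_pid = {e.pid: e for e in events}
    out: dict = {"attrib_targets": [], "shutdown": None,
                 "broadcast_msg": False, "cmd_children": {}}
    for e in events:
        parent = by_pid.get(e.ppid)
        if parent is not None and image_name(parent.image) == "cmd.exe":
            out["cmd_children"].setdefault(parent.pid, []).append(image_name(e.image))
        out["attrib_targets"] += [(e.pid, t) for t in attrib_unprotected_targets(e)]
        sd = shutdown_request(e)
        if sd is not None:
            out["shutdown"] = sd
        if image_name(e.image) == "msg.exe" and "*" in e.cmdline.split():
            out["broadcast_msg"] = True
    if out["attrib_targets"] and out["shutdown"]:
        out["verdict"] = "destructive-batch"   # both halves of this report's pattern
    elif out["attrib_targets"] or out["shutdown"]:
        out["verdict"] = "suspicious"
    else:
        out["verdict"] = "no-match"
    return out


SYS = r"C:\Windows\system32"
# Constructed from this report's process tree (PIDs and command lines as rendered).
# The parent of the two root processes is not shown in the report; 1 is a placeholder.
REPORT_EVENTS = [
    ProcEvent(2128, 1, SYS + r"\cmd.exe",
              r'C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Malware-master\crashespc.bat"'),
    ProcEvent(3788, 2128, SYS + r"\attrib.exe", "attrib -r -s -h c:autoexec.bat"),
    ProcEvent(2716, 2128, SYS + r"\attrib.exe", "attrib -r -s -h c:boot.ini"),
    ProcEvent(3232, 2128, SYS + r"\attrib.exe", "attrib -r -s -h c:ntldr"),
    ProcEvent(1936, 2128, SYS + r"\attrib.exe", "attrib -r -s -h c:windowswin.ini"),
    ProcEvent(1628, 2128, SYS + r"\msg.exe", "msg * YOU GOT OWNED!!!"),
    ProcEvent(4684, 2128, SYS + r"\shutdown.exe",
              'shutdown -s -t 7 -c "A VIRUS IS TAKING OVER c:Drive'),
    ProcEvent(2084, 1, SYS + r"\LogonUI.exe",
              '"LogonUI.exe" /flags:0x4 /state0:0xa398f855 /state1:0x41c64e6d'),
]
# Constructed benign comparison: hides one file and schedules nothing.
BENIGN_EVENTS = [
    ProcEvent(100, 1, SYS + r"\cmd.exe", "cmd.exe /c tidy.bat"),
    ProcEvent(101, 100, SYS + r"\attrib.exe", "attrib +h notes.txt"),
]

if __name__ == "__main__":
    for label, evs in (("report", REPORT_EVENTS), ("benign", BENIGN_EVENTS)):
        print(label, triage(evs))
```

Run against the report's tree it returns the destructive-batch verdict with the 7-second shutdown delay and all four attrib targets, while LogonUI.exe never appears in the cmd.exe child list because it is a separate root; the benign tree returns no-match. The delay_s field is what an on-host responder would key on, since anything under a minute leaves little time for shutdown /a.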