Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    49s
  • max time network
    24s
  • platform
    windows7_x64
  • resource
    win7-20240419-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240419-en, locale:en-us, os:windows7-x64, system
  • submitted
    27/04/2024, 19:08

General

  • Target

    SCRIPT FREEZE IDM TIME.cmd

  • Size

    31KB

  • MD5

    cd219449e7472b4e6f35c612824635bd

  • SHA1

    f6db923ee2dbb3ae2ade5e0511533506962a689b

  • SHA256

    87e810d116c7a4d2f3baae3c98715047c901fd581fef72f3c3b218c03231f944

  • SHA512

    fa92d80645c1bc6ff55238322ce69144b4550aa6256efe3c334c0c343a937185a9ce18a1ad4c8e55e5ac42e6d937582738441d443f01f4a0590d64ac1453ec55

  • SSDEEP

    384:mNnhCo3piIUTUq5rrfmJbnl7+qK14TEJYab:mNn/ZiBAq5rrfmFl7G4gJYab

Score
4/10

Malware Config

Signatures

  • Launches sc.exe 1 IoCs

    Sc.exe is a Windows utility to control services on the system.

  • Enumerates processes with tasklist 1 TTPs 1 IoCs
  • Modifies registry class 5 IoCs
  • Modifies registry key 1 TTPs 4 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 19 IoCs
  • Suspicious use of AdjustPrivilegeToken 16 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c "C:\Users\Admin\AppData\Local\Temp\SCRIPT FREEZE IDM TIME.cmd"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2288
    • C:\Windows\System32\sc.exe
      sc query Null
      2⤵
      • Launches sc.exe
      PID:1708
    • C:\Windows\System32\find.exe
      find /i "RUNNING"
      2⤵
      PID:2252
    • C:\Windows\System32\findstr.exe
      findstr /v "$" "SCRIPT FREEZE IDM TIME.cmd"
      2⤵
      PID:3064
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ver
      2⤵
      PID:2240
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo "C:\Users\Admin\AppData\Local\Temp\SCRIPT FREEZE IDM TIME.cmd" "
      2⤵
      PID:2260
    • C:\Windows\System32\find.exe
      find /i "C:\Users\Admin\AppData\Local\Temp"
      2⤵
      PID:2148
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe "$f=[io.file]::ReadAllText('C:\Users\Admin\AppData\Local\Temp\SCRIPT FREEZE IDM TIME.cmd') -split ':PowerShellTest:\s*';iex ($f[1])"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2996
    • C:\Windows\System32\find.exe
      find /i "FullLanguage"
      2⤵
      PID:2848
    • C:\Windows\System32\fltMC.exe
      fltmc
      2⤵
      PID:2688
    • C:\Windows\System32\reg.exe
      reg query HKCU\Console /v QuickEdit
      2⤵
      • Modifies registry key
      PID:2924
    • C:\Windows\System32\find.exe
      find /i "0x0"
      2⤵
      PID:2660
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ping -4 -n 1 iasupdatecheck.massgrave.dev
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2544
      • C:\Windows\System32\PING.EXE
        ping -4 -n 1 iasupdatecheck.massgrave.dev
        3⤵
        • Runs ping.exe
        PID:2104
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe "Get-WmiObject -Class Win32_ComputerSystem | Select-Object -Property CreationClassName"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2672
    • C:\Windows\System32\find.exe
      find /i "computersystem"
      2⤵
      PID:2708
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c powershell.exe "([System.Security.Principal.NTAccount](Get-WmiObject -Class Win32_ComputerSystem).UserName).Translate([System.Security.Principal.SecurityIdentifier]).Value" 2>nul
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2028
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell.exe "([System.Security.Principal.NTAccount](Get-WmiObject -Class Win32_ComputerSystem).UserName).Translate([System.Security.Principal.SecurityIdentifier]).Value"
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2524
    • C:\Windows\System32\reg.exe
      reg query HKU\\Software
      2⤵
      PID:2900
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c powershell.exe "$explorerProc = Get-Process -Name explorer | Where-Object {$_.SessionId -eq (Get-Process -Id $pid).SessionId} | Select-Object -First 1; $sid = (gwmi -Query ('Select * From Win32_Process Where ProcessID=' + $explorerProc.Id)).GetOwnerSid().Sid; $sid" 2>nul
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3000
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell.exe "$explorerProc = Get-Process -Name explorer | Where-Object {$_.SessionId -eq (Get-Process -Id $pid).SessionId} | Select-Object -First 1; $sid = (gwmi -Query ('Select * From Win32_Process Where ProcessID=' + $explorerProc.Id)).GetOwnerSid().Sid; $sid"
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1292
    • C:\Windows\System32\reg.exe
      reg query HKU\S-1-5-21-481678230-3773327859-3495911762-1000\Software
      2⤵
      PID:2500
    • C:\Windows\System32\reg.exe
      reg delete HKCU\IAS_TEST /f
      2⤵
      • Modifies registry key
      PID:2000
    • C:\Windows\System32\reg.exe
      reg delete HKU\S-1-5-21-481678230-3773327859-3495911762-1000\IAS_TEST /f
      2⤵
      PID:1812
    • C:\Windows\System32\reg.exe
      reg add HKCU\IAS_TEST
      2⤵
      • Modifies registry key
      PID:1076
    • C:\Windows\System32\reg.exe
      reg query HKU\S-1-5-21-481678230-3773327859-3495911762-1000\IAS_TEST
      2⤵
      PID:1704
    • C:\Windows\System32\reg.exe
      reg delete HKCU\IAS_TEST /f
      2⤵
      • Modifies registry key
      PID:1816
    • C:\Windows\System32\reg.exe
      reg delete HKU\S-1-5-21-481678230-3773327859-3495911762-1000\IAS_TEST /f
      2⤵
      PID:2020
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment" /v PROCESSOR_ARCHITECTURE
      2⤵
      PID:2344
      • C:\Windows\System32\reg.exe
        reg query "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment" /v PROCESSOR_ARCHITECTURE
        3⤵
        PID:1064
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c reg query "HKU\S-1-5-21-481678230-3773327859-3495911762-1000\Software\DownloadManager" /v ExePath 2>nul
      2⤵
      PID:308
      • C:\Windows\System32\reg.exe
        reg query "HKU\S-1-5-21-481678230-3773327859-3495911762-1000\Software\DownloadManager" /v ExePath
        3⤵
        PID:2172
    • C:\Windows\System32\reg.exe
      reg add HKU\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Classes\Wow6432Node\CLSID\IAS_TEST
      2⤵
      • Modifies registry class
      PID:2412
    • C:\Windows\System32\reg.exe
      reg query HKU\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Classes\Wow6432Node\CLSID\IAS_TEST
      2⤵
      PID:1444
    • C:\Windows\System32\reg.exe
      reg delete HKU\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Classes\Wow6432Node\CLSID\IAS_TEST /f
      2⤵
      • Modifies registry class
      PID:1716
    • C:\Windows\System32\mode.com
      mode 75, 28
      2⤵
      PID:2604
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe write-host -back '"Black"' -fore '"Gray"' '" "' -NoNewline; write-host -back '"Black"' -fore '"Green"' '"Enter a menu option in the Keyboard [1,2,3,4,5,0]"'
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:900
    • C:\Windows\System32\choice.exe
      choice /C:123450 /N
      2⤵
      PID:1640
    • C:\Windows\System32\mode.com
      mode 113, 35
      2⤵
      PID:1768
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe "&{$W=$Host.UI.RawUI.WindowSize;$B=$Host.UI.RawUI.BufferSize;$W.Height=34;$B.Height=300;$Host.UI.RawUI.WindowSize=$W;$Host.UI.RawUI.BufferSize=$B;}"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2136
    • C:\Windows\System32\tasklist.exe
      tasklist /fi "imagename eq idman.exe"
      2⤵
      • Enumerates processes with tasklist
      • Suspicious use of AdjustPrivilegeToken
      PID:2520
    • C:\Windows\System32\findstr.exe
      findstr /i "idman.exe"
      2⤵
      PID:2092
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c powershell.exe "(Get-Date).ToString('yyyyMMdd-HHmmssfff')"
      2⤵
      PID:2244
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell.exe "(Get-Date).ToString('yyyyMMdd-HHmmssfff')"
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2952
    • C:\Windows\System32\reg.exe
      reg export HKCU\Software\Classes\Wow6432Node\CLSID "C:\Windows\Temp\_Backup_HKCU_CLSID_20240427-190933277.reg"
      2⤵
      PID:992
    • C:\Windows\System32\reg.exe
      reg query "HKCU\Software\DownloadManager" "/v" "FName"
      2⤵
      PID:1512
    • C:\Windows\System32\reg.exe
      reg query "HKCU\Software\DownloadManager" "/v" "LName"
      2⤵
      PID:1660
    • C:\Windows\System32\reg.exe
      reg query "HKCU\Software\DownloadManager" "/v" "Email"
      2⤵
      PID:2192
    • C:\Windows\System32\reg.exe
      reg query "HKCU\Software\DownloadManager" "/v" "Serial"
      2⤵
      PID:1112
    • C:\Windows\System32\reg.exe
      reg query "HKCU\Software\DownloadManager" "/v" "scansk"
      2⤵
      PID:560
    • C:\Windows\System32\reg.exe
      reg query "HKCU\Software\DownloadManager" "/v" "tvfrdt"
      2⤵
      PID:1820
    • C:\Windows\System32\reg.exe
      reg query "HKCU\Software\DownloadManager" "/v" "radxcnt"
      2⤵
      PID:3032
    • C:\Windows\System32\reg.exe
      reg query "HKCU\Software\DownloadManager" "/v" "LstCheck"
      2⤵
      PID:712
    • C:\Windows\System32\reg.exe
      reg query "HKCU\Software\DownloadManager" "/v" "ptrk_scdt"
      2⤵
      PID:556
    • C:\Windows\System32\reg.exe
      reg query "HKCU\Software\DownloadManager" "/v" "LastCheckQU"
      2⤵
      PID:1920
    • C:\Windows\System32\reg.exe
      reg query "HKLM\SOFTWARE\Wow6432Node\Internet Download Manager"
      2⤵
      PID:2328
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe "$sid = 'S-1-5-21-481678230-3773327859-3495911762-1000'; $HKCUsync = 1; $lockKey = $null; $deleteKey = 1; $f=[io.file]::ReadAllText('C:\Users\Admin\AppData\Local\Temp\SCRIPT FREEZE IDM TIME.cmd') -split ':regscan\:.*';iex ($f[1])"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2508
    • C:\Windows\System32\reg.exe
      reg add "HKLM\SOFTWARE\Wow6432Node\Internet Download Manager" /v "AdvIntDriverEnabled2" /t REG_DWORD /d "1" /f
      2⤵
      PID:1732
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe write-host -back '"DarkGreen"' -fore '"white"' '"The IDM reset process has been completed."'
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2212
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe write-host -back '"Black"' -fore '"Yellow"' '"Press any key to return..."'
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2040
    • C:\Windows\System32\mode.com
      mode 75, 28
      2⤵
      PID:2948
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe write-host -back '"Black"' -fore '"Gray"' '" "' -NoNewline; write-host -back '"Black"' -fore '"Green"' '"Enter a menu option in the Keyboard [1,2,3,4,5,0]"'
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1668
    • C:\Windows\System32\choice.exe
      choice /C:123450 /N
      2⤵
      PID:1736
    • C:\Windows\System32\mode.com
      mode 113, 35
      2⤵
      PID:2184
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe "&{$W=$Host.UI.RawUI.WindowSize;$B=$Host.UI.RawUI.BufferSize;$W.Height=34;$B.Height=300;$Host.UI.RawUI.WindowSize=$W;$Host.UI.RawUI.BufferSize=$B;}"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:852
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe write-host -back '"Red"' -fore '"white"' '"IDM [Internet Download Manager] is not Installed."'
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:888
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe write-host -back '"Black"' -fore '"Yellow"' '"Press any key to return..."'
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1588
    • C:\Windows\System32\mode.com
      mode 75, 28
      2⤵
      PID:2096
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe write-host -back '"Black"' -fore '"Gray"' '" "' -NoNewline; write-host -back '"Black"' -fore '"Green"' '"Enter a menu option in the Keyboard [1,2,3,4,5,0]"'
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2748
    • C:\Windows\System32\choice.exe
      choice /C:123450 /N
      2⤵
      PID:2088

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\DCGIYCSXIM1GRTFPDXMB.temp

    Filesize

    7KB

    MD5

    9a0e6fb206ae80bfd1575128e9e5dbb2

    SHA1

    3427a67ba0cd271499e6504a823389b82e34183a

    SHA256

    ded0c5e9e9a20027df29f651e6791d05f09a9eb21fbfdee24ac4b76af2c3dce9

    SHA512

    9e247922ad836f2ee33eba5a7e58335f2fd9371920b11e2ed51aa124bbcff40a62211594eec46e2d95828ed911c5a266a2b98329ebb8b896605b31c3163ffb0a

  • memory/1292-31-0x000000001B7A0000-0x000000001BA82000-memory.dmp

    Filesize

    2.9MB

  • memory/2524-25-0x000000001B5D0000-0x000000001B8B2000-memory.dmp

    Filesize

    2.9MB

  • memory/2672-19-0x0000000001E00000-0x0000000001E08000-memory.dmp

    Filesize

    32KB

  • memory/2672-18-0x000000001B780000-0x000000001BA62000-memory.dmp

    Filesize

    2.9MB

  • memory/2996-10-0x0000000002920000-0x00000000029A0000-memory.dmp

    Filesize

    512KB

  • memory/2996-11-0x0000000002920000-0x00000000029A0000-memory.dmp

    Filesize

    512KB

  • memory/2996-12-0x000007FEF61D0000-0x000007FEF6B6D000-memory.dmp

    Filesize

    9.6MB

  • memory/2996-5-0x000007FEF61D0000-0x000007FEF6B6D000-memory.dmp

    Filesize

    9.6MB

  • memory/2996-8-0x000007FEF61D0000-0x000007FEF6B6D000-memory.dmp

    Filesize

    9.6MB

  • memory/2996-9-0x0000000002920000-0x00000000029A0000-memory.dmp

    Filesize

    512KB

  • memory/2996-4-0x000000001B5C0000-0x000000001B8A2000-memory.dmp

    Filesize

    2.9MB

  • memory/2996-6-0x0000000002910000-0x0000000002918000-memory.dmp

    Filesize

    32KB

  • memory/2996-7-0x0000000002920000-0x00000000029A0000-memory.dmp

    Filesize

    512KB