Analysis
max time kernel: 49s
max time network: 24s
platform: windows7_x64
resource: win7-20240419-en
resource tags: arch:x64, arch:x86, image:win7-20240419-en, locale:en-us, os:windows7-x64, system
submitted: 27/04/2024, 19:08
Static task: static1
Behavioral task: behavioral1
  Sample: SCRIPT FREEZE IDM TIME.cmd
  Resource: win7-20240419-en
Behavioral task: behavioral2
  Sample: SCRIPT FREEZE IDM TIME.cmd
  Resource: win10v2004-20240419-en
General
Target: SCRIPT FREEZE IDM TIME.cmd
Size: 31KB
MD5: cd219449e7472b4e6f35c612824635bd
SHA1: f6db923ee2dbb3ae2ade5e0511533506962a689b
SHA256: 87e810d116c7a4d2f3baae3c98715047c901fd581fef72f3c3b218c03231f944
SHA512: fa92d80645c1bc6ff55238322ce69144b4550aa6256efe3c334c0c343a937185a9ce18a1ad4c8e55e5ac42e6d937582738441d443f01f4a0590d64ac1453ec55
SSDEEP: 384:mNnhCo3piIUTUq5rrfmJbnl7+qK14TEJYab:mNn/ZiBAq5rrfmFl7G4gJYab
Malware Config
Signatures
Launches sc.exe (1 IoC)
sc.exe is a Windows utility to control services on the system.
pid | Process
1708 | sc.exe
Enumerates processes with tasklist (1 TTP, 1 IoC)
pid | Process
2520 | tasklist.exe

Modifies registry class (5 IoCs)
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\Wow6432Node\CLSID\IAS_TEST | reg.exe
Key created | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\Wow6432Node | reg.exe
Key created | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\Wow6432Node\CLSID | reg.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\Wow6432Node\CLSID\IAS_TEST\ | reg.exe
Key deleted | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\Wow6432Node\CLSID\IAS_TEST | reg.exe

Modifies registry key (1 TTP, 4 IoCs)
pid | Process
2924 | reg.exe
2000 | reg.exe
1076 | reg.exe
1816 | reg.exe

Runs ping.exe (1 TTP, 1 IoC)
pid | Process
2104 | PING.EXE

Suspicious behavior: EnumeratesProcesses (19 IoCs)
pid | Process
2996 | powershell.exe
2672 | powershell.exe
2524 | powershell.exe
1292 | powershell.exe
1292 | powershell.exe
1292 | powershell.exe
1292 | powershell.exe
1292 | powershell.exe
900 | powershell.exe
2136 | powershell.exe
2952 | powershell.exe
2508 | powershell.exe
2212 | powershell.exe
2040 | powershell.exe
1668 | powershell.exe
852 | powershell.exe
888 | powershell.exe
1588 | powershell.exe
2748 | powershell.exe

Suspicious use of AdjustPrivilegeToken (16 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 2996 | powershell.exe
Token: SeDebugPrivilege | 2672 | powershell.exe
Token: SeDebugPrivilege | 2524 | powershell.exe
Token: SeDebugPrivilege | 1292 | powershell.exe
Token: SeDebugPrivilege | 900 | powershell.exe
Token: SeDebugPrivilege | 2136 | powershell.exe
Token: SeDebugPrivilege | 2520 | tasklist.exe
Token: SeDebugPrivilege | 2952 | powershell.exe
Token: SeDebugPrivilege | 2508 | powershell.exe
Token: SeDebugPrivilege | 2212 | powershell.exe
Token: SeDebugPrivilege | 2040 | powershell.exe
Token: SeDebugPrivilege | 1668 | powershell.exe
Token: SeDebugPrivilege | 852 | powershell.exe
Token: SeDebugPrivilege | 888 | powershell.exe
Token: SeDebugPrivilege | 1588 | powershell.exe
Token: SeDebugPrivilege | 2748 | powershell.exe

Suspicious use of WriteProcessMemory (64 IoCs)
description | pid | Process | procid_target
PID 2288 wrote to memory of 1708 | 2288 | cmd.exe | 29
PID 2288 wrote to memory of 1708 | 2288 | cmd.exe | 29
PID 2288 wrote to memory of 1708 | 2288 | cmd.exe | 29
PID 2288 wrote to memory of 2252 | 2288 | cmd.exe | 30
PID 2288 wrote to memory of 2252 | 2288 | cmd.exe | 30
PID 2288 wrote to memory of 2252 | 2288 | cmd.exe | 30
PID 2288 wrote to memory of 3064 | 2288 | cmd.exe | 31
PID 2288 wrote to memory of 3064 | 2288 | cmd.exe | 31
PID 2288 wrote to memory of 3064 | 2288 | cmd.exe | 31
PID 2288 wrote to memory of 2240 | 2288 | cmd.exe | 32
PID 2288 wrote to memory of 2240 | 2288 | cmd.exe | 32
PID 2288 wrote to memory of 2240 | 2288 | cmd.exe | 32
PID 2288 wrote to memory of 2260 | 2288 | cmd.exe | 33
PID 2288 wrote to memory of 2260 | 2288 | cmd.exe | 33
PID 2288 wrote to memory of 2260 | 2288 | cmd.exe | 33
PID 2288 wrote to memory of 2148 | 2288 | cmd.exe | 34
PID 2288 wrote to memory of 2148 | 2288 | cmd.exe | 34
PID 2288 wrote to memory of 2148 | 2288 | cmd.exe | 34
PID 2288 wrote to memory of 2996 | 2288 | cmd.exe | 35
PID 2288 wrote to memory of 2996 | 2288 | cmd.exe | 35
PID 2288 wrote to memory of 2996 | 2288 | cmd.exe | 35
PID 2288 wrote to memory of 2848 | 2288 | cmd.exe | 36
PID 2288 wrote to memory of 2848 | 2288 | cmd.exe | 36
PID 2288 wrote to memory of 2848 | 2288 | cmd.exe | 36
PID 2288 wrote to memory of 2688 | 2288 | cmd.exe | 37
PID 2288 wrote to memory of 2688 | 2288 | cmd.exe | 37
PID 2288 wrote to memory of 2688 | 2288 | cmd.exe | 37
PID 2288 wrote to memory of 2924 | 2288 | cmd.exe | 38
PID 2288 wrote to memory of 2924 | 2288 | cmd.exe | 38
PID 2288 wrote to memory of 2924 | 2288 | cmd.exe | 38
PID 2288 wrote to memory of 2660 | 2288 | cmd.exe | 39
PID 2288 wrote to memory of 2660 | 2288 | cmd.exe | 39
PID 2288 wrote to memory of 2660 | 2288 | cmd.exe | 39
PID 2288 wrote to memory of 2544 | 2288 | cmd.exe | 40
PID 2288 wrote to memory of 2544 | 2288 | cmd.exe | 40
PID 2288 wrote to memory of 2544 | 2288 | cmd.exe | 40
PID 2544 wrote to memory of 2104 | 2544 | cmd.exe | 41
PID 2544 wrote to memory of 2104 | 2544 | cmd.exe | 41
PID 2544 wrote to memory of 2104 | 2544 | cmd.exe | 41
PID 2288 wrote to memory of 2672 | 2288 | cmd.exe | 42
PID 2288 wrote to memory of 2672 | 2288 | cmd.exe | 42
PID 2288 wrote to memory of 2672 | 2288 | cmd.exe | 42
PID 2288 wrote to memory of 2708 | 2288 | cmd.exe | 43
PID 2288 wrote to memory of 2708 | 2288 | cmd.exe | 43
PID 2288 wrote to memory of 2708 | 2288 | cmd.exe | 43
PID 2288 wrote to memory of 2028 | 2288 | cmd.exe | 45
PID 2288 wrote to memory of 2028 | 2288 | cmd.exe | 45
PID 2288 wrote to memory of 2028 | 2288 | cmd.exe | 45
PID 2028 wrote to memory of 2524 | 2028 | cmd.exe | 46
PID 2028 wrote to memory of 2524 | 2028 | cmd.exe | 46
PID 2028 wrote to memory of 2524 | 2028 | cmd.exe | 46
PID 2288 wrote to memory of 2900 | 2288 | cmd.exe | 47
PID 2288 wrote to memory of 2900 | 2288 | cmd.exe | 47
PID 2288 wrote to memory of 2900 | 2288 | cmd.exe | 47
PID 2288 wrote to memory of 3000 | 2288 | cmd.exe | 48
PID 2288 wrote to memory of 3000 | 2288 | cmd.exe | 48
PID 2288 wrote to memory of 3000 | 2288 | cmd.exe | 48
PID 3000 wrote to memory of 1292 | 3000 | cmd.exe | 49
PID 3000 wrote to memory of 1292 | 3000 | cmd.exe | 49
PID 3000 wrote to memory of 1292 | 3000 | cmd.exe | 49
PID 2288 wrote to memory of 2500 | 2288 | cmd.exe | 50
PID 2288 wrote to memory of 2500 | 2288 | cmd.exe | 50
PID 2288 wrote to memory of 2500 | 2288 | cmd.exe | 50
PID 2288 wrote to memory of 2000 | 2288 | cmd.exe | 51
Processes
(tree depth shown as [1], [2], [3]; each entry lists image path, command line, matched signatures, PID)

[1] C:\Windows\system32\cmd.exe
    cmd /c "C:\Users\Admin\AppData\Local\Temp\SCRIPT FREEZE IDM TIME.cmd"
    - Suspicious use of WriteProcessMemory
    PID: 2288

  [2] C:\Windows\System32\sc.exe
      sc query Null
      - Launches sc.exe
      PID: 1708

  [2] C:\Windows\System32\find.exe
      find /i "RUNNING"
      PID: 2252

  [2] C:\Windows\System32\findstr.exe
      findstr /v "$" "SCRIPT FREEZE IDM TIME.cmd"
      PID: 3064

  [2] C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ver
      PID: 2240

  [2] C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo "C:\Users\Admin\AppData\Local\Temp\SCRIPT FREEZE IDM TIME.cmd" "
      PID: 2260

  [2] C:\Windows\System32\find.exe
      find /i "C:\Users\Admin\AppData\Local\Temp"
      PID: 2148

  [2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe "$f=[io.file]::ReadAllText('C:\Users\Admin\AppData\Local\Temp\SCRIPT FREEZE IDM TIME.cmd') -split ':PowerShellTest:\s*';iex ($f[1])"
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID: 2996

  [2] C:\Windows\System32\find.exe
      find /i "FullLanguage"
      PID: 2848

  [2] C:\Windows\System32\fltMC.exe
      fltmc
      PID: 2688

  [2] C:\Windows\System32\reg.exe
      reg query HKCU\Console /v QuickEdit
      - Modifies registry key
      PID: 2924

  [2] C:\Windows\System32\find.exe
      find /i "0x0"
      PID: 2660

  [2] C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ping -4 -n 1 iasupdatecheck.massgrave.dev
      - Suspicious use of WriteProcessMemory
      PID: 2544

    [3] C:\Windows\System32\PING.EXE
        ping -4 -n 1 iasupdatecheck.massgrave.dev
        - Runs ping.exe
        PID: 2104

  [2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe "Get-WmiObject -Class Win32_ComputerSystem | Select-Object -Property CreationClassName"
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID: 2672

  [2] C:\Windows\System32\find.exe
      find /i "computersystem"
      PID: 2708

  [2] C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c powershell.exe "([System.Security.Principal.NTAccount](Get-WmiObject -Class Win32_ComputerSystem).UserName).Translate([System.Security.Principal.SecurityIdentifier]).Value" 2>nul
      - Suspicious use of WriteProcessMemory
      PID: 2028

    [3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell.exe "([System.Security.Principal.NTAccount](Get-WmiObject -Class Win32_ComputerSystem).UserName).Translate([System.Security.Principal.SecurityIdentifier]).Value"
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        PID: 2524

  [2] C:\Windows\System32\reg.exe
      reg query HKU\\Software
      PID: 2900

  [2] C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c powershell.exe "$explorerProc = Get-Process -Name explorer | Where-Object {$_.SessionId -eq (Get-Process -Id $pid).SessionId} | Select-Object -First 1; $sid = (gwmi -Query ('Select * From Win32_Process Where ProcessID=' + $explorerProc.Id)).GetOwnerSid().Sid; $sid" 2>nul
      - Suspicious use of WriteProcessMemory
      PID: 3000

    [3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell.exe "$explorerProc = Get-Process -Name explorer | Where-Object {$_.SessionId -eq (Get-Process -Id $pid).SessionId} | Select-Object -First 1; $sid = (gwmi -Query ('Select * From Win32_Process Where ProcessID=' + $explorerProc.Id)).GetOwnerSid().Sid; $sid"
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        PID: 1292

  [2] C:\Windows\System32\reg.exe
      reg query HKU\S-1-5-21-481678230-3773327859-3495911762-1000\Software
      PID: 2500

  [2] C:\Windows\System32\reg.exe
      reg delete HKCU\IAS_TEST /f
      - Modifies registry key
      PID: 2000

  [2] C:\Windows\System32\reg.exe
      reg delete HKU\S-1-5-21-481678230-3773327859-3495911762-1000\IAS_TEST /f
      PID: 1812

  [2] C:\Windows\System32\reg.exe
      reg add HKCU\IAS_TEST
      - Modifies registry key
      PID: 1076

  [2] C:\Windows\System32\reg.exe
      reg query HKU\S-1-5-21-481678230-3773327859-3495911762-1000\IAS_TEST
      PID: 1704

  [2] C:\Windows\System32\reg.exe
      reg delete HKCU\IAS_TEST /f
      - Modifies registry key
      PID: 1816

  [2] C:\Windows\System32\reg.exe
      reg delete HKU\S-1-5-21-481678230-3773327859-3495911762-1000\IAS_TEST /f
      PID: 2020

  [2] C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment" /v PROCESSOR_ARCHITECTURE
      PID: 2344

    [3] C:\Windows\System32\reg.exe
        reg query "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment" /v PROCESSOR_ARCHITECTURE
        PID: 1064

  [2] C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c reg query "HKU\S-1-5-21-481678230-3773327859-3495911762-1000\Software\DownloadManager" /v ExePath 2>nul
      PID: 308

    [3] C:\Windows\System32\reg.exe
        reg query "HKU\S-1-5-21-481678230-3773327859-3495911762-1000\Software\DownloadManager" /v ExePath
        PID: 2172

  [2] C:\Windows\System32\reg.exe
      reg add HKU\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Classes\Wow6432Node\CLSID\IAS_TEST
      - Modifies registry class
      PID: 2412

  [2] C:\Windows\System32\reg.exe
      reg query HKU\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Classes\Wow6432Node\CLSID\IAS_TEST
      PID: 1444

  [2] C:\Windows\System32\reg.exe
      reg delete HKU\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Classes\Wow6432Node\CLSID\IAS_TEST /f
      - Modifies registry class
      PID: 1716

  [2] C:\Windows\System32\mode.com
      mode 75, 28
      PID: 2604

  [2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe write-host -back '"Black"' -fore '"Gray"' '" "' -NoNewline; write-host -back '"Black"' -fore '"Green"' '"Enter a menu option in the Keyboard [1,2,3,4,5,0]"'
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID: 900

  [2] C:\Windows\System32\choice.exe
      choice /C:123450 /N
      PID: 1640

  [2] C:\Windows\System32\mode.com
      mode 113, 35
      PID: 1768

  [2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe "&{$W=$Host.UI.RawUI.WindowSize;$B=$Host.UI.RawUI.BufferSize;$W.Height=34;$B.Height=300;$Host.UI.RawUI.WindowSize=$W;$Host.UI.RawUI.BufferSize=$B;}"
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID: 2136

  [2] C:\Windows\System32\tasklist.exe
      tasklist /fi "imagename eq idman.exe"
      - Enumerates processes with tasklist
      - Suspicious use of AdjustPrivilegeToken
      PID: 2520

  [2] C:\Windows\System32\findstr.exe
      findstr /i "idman.exe"
      PID: 2092

  [2] C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c powershell.exe "(Get-Date).ToString('yyyyMMdd-HHmmssfff')"
      PID: 2244

    [3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell.exe "(Get-Date).ToString('yyyyMMdd-HHmmssfff')"
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        PID: 2952

  [2] C:\Windows\System32\reg.exe
      reg export HKCU\Software\Classes\Wow6432Node\CLSID "C:\Windows\Temp\_Backup_HKCU_CLSID_20240427-190933277.reg"
      PID: 992

  [2] C:\Windows\System32\reg.exe
      reg query "HKCU\Software\DownloadManager" "/v" "FName"
      PID: 1512

  [2] C:\Windows\System32\reg.exe
      reg query "HKCU\Software\DownloadManager" "/v" "LName"
      PID: 1660

  [2] C:\Windows\System32\reg.exe
      reg query "HKCU\Software\DownloadManager" "/v" "Email"
      PID: 2192

  [2] C:\Windows\System32\reg.exe
      reg query "HKCU\Software\DownloadManager" "/v" "Serial"
      PID: 1112

  [2] C:\Windows\System32\reg.exe
      reg query "HKCU\Software\DownloadManager" "/v" "scansk"
      PID: 560

  [2] C:\Windows\System32\reg.exe
      reg query "HKCU\Software\DownloadManager" "/v" "tvfrdt"
      PID: 1820

  [2] C:\Windows\System32\reg.exe
      reg query "HKCU\Software\DownloadManager" "/v" "radxcnt"
      PID: 3032

  [2] C:\Windows\System32\reg.exe
      reg query "HKCU\Software\DownloadManager" "/v" "LstCheck"
      PID: 712

  [2] C:\Windows\System32\reg.exe
      reg query "HKCU\Software\DownloadManager" "/v" "ptrk_scdt"
      PID: 556

  [2] C:\Windows\System32\reg.exe
      reg query "HKCU\Software\DownloadManager" "/v" "LastCheckQU"
      PID: 1920

  [2] C:\Windows\System32\reg.exe
      reg query "HKLM\SOFTWARE\Wow6432Node\Internet Download Manager"
      PID: 2328

  [2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe "$sid = 'S-1-5-21-481678230-3773327859-3495911762-1000'; $HKCUsync = 1; $lockKey = $null; $deleteKey = 1; $f=[io.file]::ReadAllText('C:\Users\Admin\AppData\Local\Temp\SCRIPT FREEZE IDM TIME.cmd') -split ':regscan\:.*';iex ($f[1])"
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID: 2508

  [2] C:\Windows\System32\reg.exe
      reg add "HKLM\SOFTWARE\Wow6432Node\Internet Download Manager" /v "AdvIntDriverEnabled2" /t REG_DWORD /d "1" /f
      PID: 1732

  [2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe write-host -back '"DarkGreen"' -fore '"white"' '"The IDM reset process has been completed."'
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID: 2212

  [2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe write-host -back '"Black"' -fore '"Yellow"' '"Press any key to return..."'
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID: 2040

  [2] C:\Windows\System32\mode.com
      mode 75, 28
      PID: 2948

  [2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe write-host -back '"Black"' -fore '"Gray"' '" "' -NoNewline; write-host -back '"Black"' -fore '"Green"' '"Enter a menu option in the Keyboard [1,2,3,4,5,0]"'
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID: 1668

  [2] C:\Windows\System32\choice.exe
      choice /C:123450 /N
      PID: 1736

  [2] C:\Windows\System32\mode.com
      mode 113, 35
      PID: 2184

  [2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe "&{$W=$Host.UI.RawUI.WindowSize;$B=$Host.UI.RawUI.BufferSize;$W.Height=34;$B.Height=300;$Host.UI.RawUI.WindowSize=$W;$Host.UI.RawUI.BufferSize=$B;}"
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID: 852

  [2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe write-host -back '"Red"' -fore '"white"' '"IDM [Internet Download Manager] is not Installed."'
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID: 888

  [2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe write-host -back '"Black"' -fore '"Yellow"' '"Press any key to return..."'
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID: 1588

  [2] C:\Windows\System32\mode.com
      mode 75, 28
      PID: 2096

  [2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe write-host -back '"Black"' -fore '"Gray"' '" "' -NoNewline; write-host -back '"Black"' -fore '"Green"' '"Enter a menu option in the Keyboard [1,2,3,4,5,0]"'
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID: 2748

  [2] C:\Windows\System32\choice.exe
      choice /C:123450 /N
      PID: 2088
Network
MITRE ATT&CK Enterprise v15
Downloads
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\DCGIYCSXIM1GRTFPDXMB.temp
  Filesize: 7KB
  MD5: 9a0e6fb206ae80bfd1575128e9e5dbb2
  SHA1: 3427a67ba0cd271499e6504a823389b82e34183a
  SHA256: ded0c5e9e9a20027df29f651e6791d05f09a9eb21fbfdee24ac4b76af2c3dce9
  SHA512: 9e247922ad836f2ee33eba5a7e58335f2fd9371920b11e2ed51aa124bbcff40a62211594eec46e2d95828ed911c5a266a2b98329ebb8b896605b31c3163ffb0a