22cfeefd35480b7efc662b2ccf898c9c814fa594f8d68dc50341dc8a50ba87b8 | Triage

Submit
Reports

Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

8

Static

static

1

D34TH 4.0.bat

windows7-x64

D34TH 4.0.bat

windows10-1703-x64

8

D34TH 4.0.bat

windows10-2004-x64

1

D34TH 4.0.bat

windows11-21h2-x64

1

Sharing

General

Target

D34TH 4.0.bat
Size

12KB
Sample

240430-2453labh65
MD5

f9670529c8d040fe5f79851ad0a1eb27
SHA1

f9ac8d25aa09e5199db954760a2926ba9213578e
SHA256

22cfeefd35480b7efc662b2ccf898c9c814fa594f8d68dc50341dc8a50ba87b8
SHA512

fa60da1e44519bdaa0c16911210571ee82e34a5a86690eef259e1d9f5138c1b1ebf568bea14844fe112a1f78d1f0c4d671a5b1aac13dcf1a6120367955ab97c8
SSDEEP

384:fNqhr+pMnKFYjtmv000000000000000000000000007dk5Yw:f1eR

Score

8^/10

discovery evasion persistence

Static task

static1

Behavioral task

behavioral1

Sample

D34TH 4.0.bat

Resource

win7-20240419-en

discovery evasion persistence

windows7-x64

31 signatures

150 seconds

Behavioral task

behavioral2

Sample

D34TH 4.0.bat

Resource

win10-20240404-en

discovery evasion

windows10-1703-x64

20 signatures

150 seconds

Behavioral task

behavioral3

Sample

D34TH 4.0.bat

Resource

win10v2004-20240419-en

windows10-2004-x64

0 signatures

150 seconds

Behavioral task

behavioral4

Sample

D34TH 4.0.bat

Resource

win11-20240419-en

windows11-21h2-x64

0 signatures

150 seconds

Malware Config

Targets

- Target
  
  D34TH 4.0.bat
- Size
  
  12KB
- MD5
  
  f9670529c8d040fe5f79851ad0a1eb27
- SHA1
  
  f9ac8d25aa09e5199db954760a2926ba9213578e
- SHA256
  
  22cfeefd35480b7efc662b2ccf898c9c814fa594f8d68dc50341dc8a50ba87b8
- SHA512
  
  fa60da1e44519bdaa0c16911210571ee82e34a5a86690eef259e1d9f5138c1b1ebf568bea14844fe112a1f78d1f0c4d671a5b1aac13dcf1a6120367955ab97c8
- SSDEEP
  
  384:fNqhr+pMnKFYjtmv000000000000000000000000007dk5Yw:f1eR
Score

8^/10

discovery evasion persistence
- Blocklisted process makes network request
- Drops file in Drivers directory
- Manipulates Digital Signatures
  Attackers can apply techniques such as modifying certain DLL exports to make their binary seem valid.
- Modifies Installed Components in the registry
  persistence
- Modifies Windows Firewall
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Modifies file permissions
  discovery
- Unexpected DNS network traffic destination
  Network traffic to other servers than the configured DNS servers was detected on the DNS port.
- Adds Run key to start application
  persistence
- Program crash
- Drops file in System32 directory
- Modifies termsrv.dll
  Commonly used to allow simultaneous RDP sessions.
behavioral1 behavioral2 behavioral3 behavioral4

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Defense Evasion

File and Directory Permissions Modification

Impair Defenses

Disable or Modify System Firewall

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Remote Services

Remote Desktop Protocol

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

discoveryevasionpersistence

behavioral2

discoveryevasion

behavioral3

behavioral4

© 2018-2025

Terms | Privacy