Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Overview
overview
7Static
static
7Beasty Cra...58.cmd
windows7-x64
1Beasty Cra...58.cmd
windows10-2004-x64
1Beasty Cra...66.cmd
windows7-x64
1Beasty Cra...66.cmd
windows10-2004-x64
1Beasty Cra...7r.bat
windows7-x64
3Beasty Cra...7r.bat
windows10-2004-x64
3Beasty Cra...7r.bat
windows7-x64
1Beasty Cra...7r.bat
windows10-2004-x64
1Beasty Cra...64.exe
windows7-x64
1Beasty Cra...64.exe
windows10-2004-x64
1Beasty Cra...64.dll
windows7-x64
1Beasty Cra...64.dll
windows10-2004-x64
1Beasty Cra...1].dll
windows7-x64
1Beasty Cra...1].dll
windows10-2004-x64
1Beasty Cra...64.sys
windows7-x64
1Beasty Cra...64.sys
windows10-2004-x64
1Beasty Cra...1].exe
windows7-x64
Beasty Cra...1].exe
windows10-2004-x64
Beasty Cra...rd.exe
windows7-x64
1Beasty Cra...rd.exe
windows10-2004-x64
1Beasty Cra...64.sys
windows7-x64
1Beasty Cra...64.sys
windows10-2004-x64
1Beasty Cra...er.exe
windows7-x64
1Beasty Cra...er.exe
windows10-2004-x64
1Analysis
-
max time kernel
1s -
max time network
103s -
platform
windows7_x64 -
resource
win7-20231129-en -
resource tags
arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system -
submitted
20/05/2024, 14:11
Behavioral task
behavioral1
Sample
Beasty Cracked/BNY DUMPED/32158.cmd
Resource
win7-20240215-en
windows7-x64
Behavioral task
behavioral2
Sample
Beasty Cracked/BNY DUMPED/32158.cmd
Resource
win10v2004-20240226-en
windows10-2004-x64
Behavioral task
behavioral3
Sample
Beasty Cracked/BNY DUMPED/366.cmd
Resource
win7-20240508-en
windows7-x64
Behavioral task
behavioral4
Sample
Beasty Cracked/BNY DUMPED/366.cmd
Resource
win10v2004-20240508-en
windows10-2004-x64
Behavioral task
behavioral5
Sample
Beasty Cracked/BNY DUMPED/8fferszesf7r.bat
Resource
win7-20240220-en
windows7-x64
Behavioral task
behavioral6
Sample
Beasty Cracked/BNY DUMPED/8fferszesf7r.bat
Resource
win10v2004-20240426-en
windows10-2004-x64
Behavioral task
behavioral7
Sample
Beasty Cracked/BNY DUMPED/8fzqf7r.bat
Resource
win7-20231129-en
windows7-x64
Behavioral task
behavioral8
Sample
Beasty Cracked/BNY DUMPED/8fzqf7r.bat
Resource
win10v2004-20240508-en
windows10-2004-x64
Behavioral task
behavioral9
Sample
Beasty Cracked/BNY DUMPED/AMIDEWINx64.exe
Resource
win7-20240221-en
windows7-x64
Behavioral task
behavioral10
Sample
Beasty Cracked/BNY DUMPED/AMIDEWINx64.exe
Resource
win10v2004-20240508-en
windows10-2004-x64
Behavioral task
behavioral11
Sample
Beasty Cracked/BNY DUMPED/SecureEngineSDK64.dll
Resource
win7-20240508-en
windows7-x64
Behavioral task
behavioral12
Sample
Beasty Cracked/BNY DUMPED/SecureEngineSDK64.dll
Resource
win10v2004-20240426-en
windows10-2004-x64
Behavioral task
behavioral13
Sample
Beasty Cracked/BNY DUMPED/SecureEngineSDK64[1].dll
Resource
win7-20240221-en
windows7-x64
Behavioral task
behavioral14
Sample
Beasty Cracked/BNY DUMPED/SecureEngineSDK64[1].dll
Resource
win10v2004-20240508-en
windows10-2004-x64
Behavioral task
behavioral15
Sample
Beasty Cracked/BNY DUMPED/amifldrv64.sys
Resource
win7-20240508-en
windows7-x64
Behavioral task
behavioral16
Sample
Beasty Cracked/BNY DUMPED/amifldrv64.sys
Resource
win10v2004-20240508-en
windows10-2004-x64
Behavioral task
behavioral17
Sample
Beasty Cracked/BNY DUMPED/cup_asus[1].exe
Resource
win7-20240221-en
windows7-x64
Behavioral task
behavioral18
Sample
Beasty Cracked/BNY DUMPED/cup_asus[1].exe
Resource
win10v2004-20240226-en
windows10-2004-x64
Behavioral task
behavioral19
Sample
Beasty Cracked/BNY DUMPED/retard.exe
Resource
win7-20240419-en
windows7-x64
Behavioral task
behavioral20
Sample
Beasty Cracked/BNY DUMPED/retard.exe
Resource
win10v2004-20240426-en
windows10-2004-x64
Behavioral task
behavioral21
Sample
Beasty Cracked/BNY DUMPED/sefdebos64.sys
Resource
win7-20240221-en
windows7-x64
Behavioral task
behavioral22
Sample
Beasty Cracked/BNY DUMPED/sefdebos64.sys
Resource
win10v2004-20240426-en
windows10-2004-x64
Behavioral task
behavioral23
Sample
Beasty Cracked/beasty spoofer.exe
Resource
win7-20240215-en
windows7-x64
Behavioral task
behavioral24
Sample
Beasty Cracked/beasty spoofer.exe
Resource
win10v2004-20240508-en
windows10-2004-x64
General
-
Target
Beasty Cracked/BNY DUMPED/8fzqf7r.bat
-
Size
3KB
-
MD5
d143b3fa2c8e0eac4d70fd15ab222e3e
-
SHA1
583370e6aa565e9b9d53dbc263c1717659ea3edd
-
SHA256
2f89c39f1d38445d975658abcf79ecfee6a1c2976b76cf09633e4e27d95a5658
-
SHA512
571e721c457ed8c697968f8a04344ec7adeafe0b38d9026c5925c801f5099fbb3504b85e4e22c65971ffe836ee03ceb3ef0ae8ca15ff78e5757792f924263f53
Malware Config
Signatures
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeIncreaseQuotaPrivilege 2644 WMIC.exe Token: SeSecurityPrivilege 2644 WMIC.exe Token: SeTakeOwnershipPrivilege 2644 WMIC.exe Token: SeLoadDriverPrivilege 2644 WMIC.exe Token: SeSystemProfilePrivilege 2644 WMIC.exe Token: SeSystemtimePrivilege 2644 WMIC.exe Token: SeProfSingleProcessPrivilege 2644 WMIC.exe Token: SeIncBasePriorityPrivilege 2644 WMIC.exe Token: SeCreatePagefilePrivilege 2644 WMIC.exe Token: SeBackupPrivilege 2644 WMIC.exe Token: SeRestorePrivilege 2644 WMIC.exe Token: SeShutdownPrivilege 2644 WMIC.exe Token: SeDebugPrivilege 2644 WMIC.exe Token: SeSystemEnvironmentPrivilege 2644 WMIC.exe Token: SeRemoteShutdownPrivilege 2644 WMIC.exe Token: SeUndockPrivilege 2644 WMIC.exe Token: SeManageVolumePrivilege 2644 WMIC.exe Token: 33 2644 WMIC.exe Token: 34 2644 WMIC.exe Token: 35 2644 WMIC.exe Token: SeIncreaseQuotaPrivilege 2644 WMIC.exe Token: SeSecurityPrivilege 2644 WMIC.exe Token: SeTakeOwnershipPrivilege 2644 WMIC.exe Token: SeLoadDriverPrivilege 2644 WMIC.exe Token: SeSystemProfilePrivilege 2644 WMIC.exe Token: SeSystemtimePrivilege 2644 WMIC.exe Token: SeProfSingleProcessPrivilege 2644 WMIC.exe Token: SeIncBasePriorityPrivilege 2644 WMIC.exe Token: SeCreatePagefilePrivilege 2644 WMIC.exe Token: SeBackupPrivilege 2644 WMIC.exe Token: SeRestorePrivilege 2644 WMIC.exe Token: SeShutdownPrivilege 2644 WMIC.exe Token: SeDebugPrivilege 2644 WMIC.exe Token: SeSystemEnvironmentPrivilege 2644 WMIC.exe Token: SeRemoteShutdownPrivilege 2644 WMIC.exe Token: SeUndockPrivilege 2644 WMIC.exe Token: SeManageVolumePrivilege 2644 WMIC.exe Token: 33 2644 WMIC.exe Token: 34 2644 WMIC.exe Token: 35 2644 WMIC.exe Token: SeIncreaseQuotaPrivilege 2580 WMIC.exe Token: SeSecurityPrivilege 2580 WMIC.exe Token: SeTakeOwnershipPrivilege 2580 WMIC.exe Token: SeLoadDriverPrivilege 2580 WMIC.exe Token: SeSystemProfilePrivilege 2580 WMIC.exe Token: SeSystemtimePrivilege 2580 WMIC.exe Token: SeProfSingleProcessPrivilege 2580 WMIC.exe Token: SeIncBasePriorityPrivilege 2580 WMIC.exe Token: SeCreatePagefilePrivilege 2580 WMIC.exe Token: SeBackupPrivilege 2580 WMIC.exe Token: SeRestorePrivilege 2580 WMIC.exe Token: SeShutdownPrivilege 2580 WMIC.exe Token: SeDebugPrivilege 2580 WMIC.exe Token: SeSystemEnvironmentPrivilege 2580 WMIC.exe Token: SeRemoteShutdownPrivilege 2580 WMIC.exe Token: SeUndockPrivilege 2580 WMIC.exe Token: SeManageVolumePrivilege 2580 WMIC.exe Token: 33 2580 WMIC.exe Token: 34 2580 WMIC.exe Token: 35 2580 WMIC.exe Token: SeIncreaseQuotaPrivilege 2580 WMIC.exe Token: SeSecurityPrivilege 2580 WMIC.exe Token: SeTakeOwnershipPrivilege 2580 WMIC.exe Token: SeLoadDriverPrivilege 2580 WMIC.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1392 wrote to memory of 1224 1392 cmd.exe 29 PID 1392 wrote to memory of 1224 1392 cmd.exe 29 PID 1392 wrote to memory of 1224 1392 cmd.exe 29 PID 1392 wrote to memory of 2192 1392 cmd.exe 30 PID 1392 wrote to memory of 2192 1392 cmd.exe 30 PID 1392 wrote to memory of 2192 1392 cmd.exe 30 PID 1392 wrote to memory of 2636 1392 cmd.exe 33 PID 1392 wrote to memory of 2636 1392 cmd.exe 33 PID 1392 wrote to memory of 2636 1392 cmd.exe 33 PID 2636 wrote to memory of 2644 2636 cmd.exe 34 PID 2636 wrote to memory of 2644 2636 cmd.exe 34 PID 2636 wrote to memory of 2644 2636 cmd.exe 34 PID 2636 wrote to memory of 2700 2636 cmd.exe 35 PID 2636 wrote to memory of 2700 2636 cmd.exe 35 PID 2636 wrote to memory of 2700 2636 cmd.exe 35 PID 1392 wrote to memory of 2712 1392 cmd.exe 36 PID 1392 wrote to memory of 2712 1392 cmd.exe 36 PID 1392 wrote to memory of 2712 1392 cmd.exe 36 PID 1392 wrote to memory of 2728 1392 cmd.exe 37 PID 1392 wrote to memory of 2728 1392 cmd.exe 37 PID 1392 wrote to memory of 2728 1392 cmd.exe 37 PID 1392 wrote to memory of 2428 1392 cmd.exe 38 PID 1392 wrote to memory of 2428 1392 cmd.exe 38 PID 1392 wrote to memory of 2428 1392 cmd.exe 38 PID 1392 wrote to memory of 2228 1392 cmd.exe 39 PID 1392 wrote to memory of 2228 1392 cmd.exe 39 PID 1392 wrote to memory of 2228 1392 cmd.exe 39 PID 1392 wrote to memory of 2876 1392 cmd.exe 40 PID 1392 wrote to memory of 2876 1392 cmd.exe 40 PID 1392 wrote to memory of 2876 1392 cmd.exe 40 PID 2876 wrote to memory of 2580 2876 cmd.exe 41 PID 2876 wrote to memory of 2580 2876 cmd.exe 41 PID 2876 wrote to memory of 2580 2876 cmd.exe 41 PID 2876 wrote to memory of 2736 2876 cmd.exe 42 PID 2876 wrote to memory of 2736 2876 cmd.exe 42 PID 2876 wrote to memory of 2736 2876 cmd.exe 42 PID 1392 wrote to memory of 1192 1392 cmd.exe 43 PID 1392 wrote to memory of 1192 1392 cmd.exe 43 PID 1392 wrote to memory of 1192 1392 cmd.exe 43 PID 1392 wrote to memory of 2584 1392 cmd.exe 44 PID 1392 wrote to memory of 2584 1392 cmd.exe 44 PID 1392 wrote to memory of 2584 1392 cmd.exe 44 PID 1392 wrote to memory of 2592 1392 cmd.exe 45 PID 1392 wrote to memory of 2592 1392 cmd.exe 45 PID 1392 wrote to memory of 2592 1392 cmd.exe 45 PID 1392 wrote to memory of 2704 1392 cmd.exe 46 PID 1392 wrote to memory of 2704 1392 cmd.exe 46 PID 1392 wrote to memory of 2704 1392 cmd.exe 46 PID 1392 wrote to memory of 2468 1392 cmd.exe 47 PID 1392 wrote to memory of 2468 1392 cmd.exe 47 PID 1392 wrote to memory of 2468 1392 cmd.exe 47 PID 2468 wrote to memory of 2476 2468 cmd.exe 48 PID 2468 wrote to memory of 2476 2468 cmd.exe 48 PID 2468 wrote to memory of 2476 2468 cmd.exe 48 PID 1392 wrote to memory of 2452 1392 cmd.exe 49 PID 1392 wrote to memory of 2452 1392 cmd.exe 49 PID 1392 wrote to memory of 2452 1392 cmd.exe 49 PID 1392 wrote to memory of 1224 1392 cmd.exe 29 PID 1392 wrote to memory of 1224 1392 cmd.exe 29 PID 1392 wrote to memory of 1224 1392 cmd.exe 29 PID 1392 wrote to memory of 2192 1392 cmd.exe 30 PID 1392 wrote to memory of 2192 1392 cmd.exe 30 PID 1392 wrote to memory of 2192 1392 cmd.exe 30 PID 1392 wrote to memory of 2636 1392 cmd.exe 33
Processes
-
C:\Windows\system32\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\Beasty Cracked\BNY DUMPED\8fzqf7r.bat"1⤵
- Suspicious use of WriteProcessMemory
PID:1392 -
C:\Windows\system32\certutil.exeCERTUTIL -f -decode "C:\Users\Admin\AppData\Local\Temp\Beasty Cracked\BNY DUMPED\8fzqf7r.bat" "C:\Users\Admin\AppData\Local\Temp\24433.cmd"2⤵PID:1224
-
-
C:\Windows\system32\getmac.exegetmac2⤵PID:2192
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wmic nic where physicaladapter=true get deviceid | findstr [0-9]2⤵
- Suspicious use of WriteProcessMemory
PID:2636 -
C:\Windows\System32\Wbem\WMIC.exewmic nic where physicaladapter=true get deviceid3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2644
-
-
C:\Windows\system32\findstr.exefindstr [0-9]3⤵PID:2700
-
-
-
C:\Windows\system32\reg.exeREG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\072⤵PID:2712
-
-
C:\Windows\system32\reg.exeREG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0072⤵PID:2728
-
-
C:\Windows\system32\reg.exeREG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\00072⤵PID:2428
-
-
C:\Windows\system32\reg.exeREG ADD HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0007 /v NetworkAddress /t REG_SZ /d CE80F7433E94 /f2⤵PID:2228
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wmic nic where physicaladapter=true get deviceid | findstr [0-9]2⤵
- Suspicious use of WriteProcessMemory
PID:2876 -
C:\Windows\System32\Wbem\WMIC.exewmic nic where physicaladapter=true get deviceid3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2580
-
-
C:\Windows\system32\findstr.exefindstr [0-9]3⤵PID:2736
-
-
-
C:\Windows\system32\reg.exeREG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\072⤵PID:1192
-
-
C:\Windows\system32\reg.exeREG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0072⤵PID:2584
-
-
C:\Windows\system32\reg.exeREG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\00072⤵PID:2592
-
-
C:\Windows\system32\reg.exeREG ADD HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0007 /v PnPCapabilities /t REG_DWORD /d 24 /f2⤵PID:2704
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "wmic nic where (netconnectionid like '%') get netconnectionid,netconnectionstatus /format:csv"2⤵
- Suspicious use of WriteProcessMemory
PID:2468 -
C:\Windows\System32\Wbem\WMIC.exewmic nic where (netconnectionid like '%') get netconnectionid,netconnectionstatus /format:csv3⤵PID:2476
-
-
-
C:\Windows\system32\netsh.exenetsh interface set interface name="Local Area Connection" disable2⤵PID:2452
-
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2KB
MD5875a54f511baf4bc25c5cc2e4d56c1a0
SHA157bb04b6bb812f5bdff40a5bc324a17771145918
SHA256d80a0db16a6a3ba969ead9957c04e3ca6cdb05dbdea48d0cb49269c8e24867e1
SHA5128600c555a7c995076d7d71903b3fb6494e9c8f5c1cb49aaabec92200a4e8e2fb4f30fb8aa85e214e7a4b9a7c04453e821097ee873d0383d6b1a40719b59f470c