Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Overview
overview
7Static
static
7Beasty Cra...58.cmd
windows7-x64
1Beasty Cra...58.cmd
windows10-2004-x64
1Beasty Cra...66.cmd
windows7-x64
1Beasty Cra...66.cmd
windows10-2004-x64
1Beasty Cra...7r.bat
windows7-x64
3Beasty Cra...7r.bat
windows10-2004-x64
3Beasty Cra...7r.bat
windows7-x64
1Beasty Cra...7r.bat
windows10-2004-x64
1Beasty Cra...64.exe
windows7-x64
1Beasty Cra...64.exe
windows10-2004-x64
1Beasty Cra...64.dll
windows7-x64
1Beasty Cra...64.dll
windows10-2004-x64
1Beasty Cra...1].dll
windows7-x64
1Beasty Cra...1].dll
windows10-2004-x64
1Beasty Cra...64.sys
windows7-x64
1Beasty Cra...64.sys
windows10-2004-x64
1Beasty Cra...1].exe
windows7-x64
Beasty Cra...1].exe
windows10-2004-x64
Beasty Cra...rd.exe
windows7-x64
1Beasty Cra...rd.exe
windows10-2004-x64
1Beasty Cra...64.sys
windows7-x64
1Beasty Cra...64.sys
windows10-2004-x64
1Beasty Cra...er.exe
windows7-x64
1Beasty Cra...er.exe
windows10-2004-x64
1Analysis
-
max time kernel
1s -
max time network
94s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system -
submitted
20/05/2024, 14:11
Behavioral task
behavioral1
Sample
Beasty Cracked/BNY DUMPED/32158.cmd
Resource
win7-20240215-en
windows7-x64
Behavioral task
behavioral2
Sample
Beasty Cracked/BNY DUMPED/32158.cmd
Resource
win10v2004-20240226-en
windows10-2004-x64
Behavioral task
behavioral3
Sample
Beasty Cracked/BNY DUMPED/366.cmd
Resource
win7-20240508-en
windows7-x64
Behavioral task
behavioral4
Sample
Beasty Cracked/BNY DUMPED/366.cmd
Resource
win10v2004-20240508-en
windows10-2004-x64
Behavioral task
behavioral5
Sample
Beasty Cracked/BNY DUMPED/8fferszesf7r.bat
Resource
win7-20240220-en
windows7-x64
Behavioral task
behavioral6
Sample
Beasty Cracked/BNY DUMPED/8fferszesf7r.bat
Resource
win10v2004-20240426-en
windows10-2004-x64
Behavioral task
behavioral7
Sample
Beasty Cracked/BNY DUMPED/8fzqf7r.bat
Resource
win7-20231129-en
windows7-x64
Behavioral task
behavioral8
Sample
Beasty Cracked/BNY DUMPED/8fzqf7r.bat
Resource
win10v2004-20240508-en
windows10-2004-x64
Behavioral task
behavioral9
Sample
Beasty Cracked/BNY DUMPED/AMIDEWINx64.exe
Resource
win7-20240221-en
windows7-x64
Behavioral task
behavioral10
Sample
Beasty Cracked/BNY DUMPED/AMIDEWINx64.exe
Resource
win10v2004-20240508-en
windows10-2004-x64
Behavioral task
behavioral11
Sample
Beasty Cracked/BNY DUMPED/SecureEngineSDK64.dll
Resource
win7-20240508-en
windows7-x64
Behavioral task
behavioral12
Sample
Beasty Cracked/BNY DUMPED/SecureEngineSDK64.dll
Resource
win10v2004-20240426-en
windows10-2004-x64
Behavioral task
behavioral13
Sample
Beasty Cracked/BNY DUMPED/SecureEngineSDK64[1].dll
Resource
win7-20240221-en
windows7-x64
Behavioral task
behavioral14
Sample
Beasty Cracked/BNY DUMPED/SecureEngineSDK64[1].dll
Resource
win10v2004-20240508-en
windows10-2004-x64
Behavioral task
behavioral15
Sample
Beasty Cracked/BNY DUMPED/amifldrv64.sys
Resource
win7-20240508-en
windows7-x64
Behavioral task
behavioral16
Sample
Beasty Cracked/BNY DUMPED/amifldrv64.sys
Resource
win10v2004-20240508-en
windows10-2004-x64
Behavioral task
behavioral17
Sample
Beasty Cracked/BNY DUMPED/cup_asus[1].exe
Resource
win7-20240221-en
windows7-x64
Behavioral task
behavioral18
Sample
Beasty Cracked/BNY DUMPED/cup_asus[1].exe
Resource
win10v2004-20240226-en
windows10-2004-x64
Behavioral task
behavioral19
Sample
Beasty Cracked/BNY DUMPED/retard.exe
Resource
win7-20240419-en
windows7-x64
Behavioral task
behavioral20
Sample
Beasty Cracked/BNY DUMPED/retard.exe
Resource
win10v2004-20240426-en
windows10-2004-x64
Behavioral task
behavioral21
Sample
Beasty Cracked/BNY DUMPED/sefdebos64.sys
Resource
win7-20240221-en
windows7-x64
Behavioral task
behavioral22
Sample
Beasty Cracked/BNY DUMPED/sefdebos64.sys
Resource
win10v2004-20240426-en
windows10-2004-x64
Behavioral task
behavioral23
Sample
Beasty Cracked/beasty spoofer.exe
Resource
win7-20240215-en
windows7-x64
Behavioral task
behavioral24
Sample
Beasty Cracked/beasty spoofer.exe
Resource
win10v2004-20240508-en
windows10-2004-x64
General
-
Target
Beasty Cracked/BNY DUMPED/8fzqf7r.bat
-
Size
3KB
-
MD5
d143b3fa2c8e0eac4d70fd15ab222e3e
-
SHA1
583370e6aa565e9b9d53dbc263c1717659ea3edd
-
SHA256
2f89c39f1d38445d975658abcf79ecfee6a1c2976b76cf09633e4e27d95a5658
-
SHA512
571e721c457ed8c697968f8a04344ec7adeafe0b38d9026c5925c801f5099fbb3504b85e4e22c65971ffe836ee03ceb3ef0ae8ca15ff78e5757792f924263f53
Malware Config
Signatures
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeIncreaseQuotaPrivilege 1804 WMIC.exe Token: SeSecurityPrivilege 1804 WMIC.exe Token: SeTakeOwnershipPrivilege 1804 WMIC.exe Token: SeLoadDriverPrivilege 1804 WMIC.exe Token: SeSystemProfilePrivilege 1804 WMIC.exe Token: SeSystemtimePrivilege 1804 WMIC.exe Token: SeProfSingleProcessPrivilege 1804 WMIC.exe Token: SeIncBasePriorityPrivilege 1804 WMIC.exe Token: SeCreatePagefilePrivilege 1804 WMIC.exe Token: SeBackupPrivilege 1804 WMIC.exe Token: SeRestorePrivilege 1804 WMIC.exe Token: SeShutdownPrivilege 1804 WMIC.exe Token: SeDebugPrivilege 1804 WMIC.exe Token: SeSystemEnvironmentPrivilege 1804 WMIC.exe Token: SeRemoteShutdownPrivilege 1804 WMIC.exe Token: SeUndockPrivilege 1804 WMIC.exe Token: SeManageVolumePrivilege 1804 WMIC.exe Token: 33 1804 WMIC.exe Token: 34 1804 WMIC.exe Token: 35 1804 WMIC.exe Token: 36 1804 WMIC.exe Token: SeIncreaseQuotaPrivilege 1804 WMIC.exe Token: SeSecurityPrivilege 1804 WMIC.exe Token: SeTakeOwnershipPrivilege 1804 WMIC.exe Token: SeLoadDriverPrivilege 1804 WMIC.exe Token: SeSystemProfilePrivilege 1804 WMIC.exe Token: SeSystemtimePrivilege 1804 WMIC.exe Token: SeProfSingleProcessPrivilege 1804 WMIC.exe Token: SeIncBasePriorityPrivilege 1804 WMIC.exe Token: SeCreatePagefilePrivilege 1804 WMIC.exe Token: SeBackupPrivilege 1804 WMIC.exe Token: SeRestorePrivilege 1804 WMIC.exe Token: SeShutdownPrivilege 1804 WMIC.exe Token: SeDebugPrivilege 1804 WMIC.exe Token: SeSystemEnvironmentPrivilege 1804 WMIC.exe Token: SeRemoteShutdownPrivilege 1804 WMIC.exe Token: SeUndockPrivilege 1804 WMIC.exe Token: SeManageVolumePrivilege 1804 WMIC.exe Token: 33 1804 WMIC.exe Token: 34 1804 WMIC.exe Token: 35 1804 WMIC.exe Token: 36 1804 WMIC.exe Token: SeIncreaseQuotaPrivilege 2004 WMIC.exe Token: SeSecurityPrivilege 2004 WMIC.exe Token: SeTakeOwnershipPrivilege 2004 WMIC.exe Token: SeLoadDriverPrivilege 2004 WMIC.exe Token: SeSystemProfilePrivilege 2004 WMIC.exe Token: SeSystemtimePrivilege 2004 WMIC.exe Token: SeProfSingleProcessPrivilege 2004 WMIC.exe Token: SeIncBasePriorityPrivilege 2004 WMIC.exe Token: SeCreatePagefilePrivilege 2004 WMIC.exe Token: SeBackupPrivilege 2004 WMIC.exe Token: SeRestorePrivilege 2004 WMIC.exe Token: SeShutdownPrivilege 2004 WMIC.exe Token: SeDebugPrivilege 2004 WMIC.exe Token: SeSystemEnvironmentPrivilege 2004 WMIC.exe Token: SeRemoteShutdownPrivilege 2004 WMIC.exe Token: SeUndockPrivilege 2004 WMIC.exe Token: SeManageVolumePrivilege 2004 WMIC.exe Token: 33 2004 WMIC.exe Token: 34 2004 WMIC.exe Token: 35 2004 WMIC.exe Token: 36 2004 WMIC.exe Token: SeIncreaseQuotaPrivilege 2004 WMIC.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2336 wrote to memory of 2292 2336 cmd.exe 84 PID 2336 wrote to memory of 2292 2336 cmd.exe 84 PID 2336 wrote to memory of 4308 2336 cmd.exe 85 PID 2336 wrote to memory of 4308 2336 cmd.exe 85 PID 2336 wrote to memory of 3008 2336 cmd.exe 88 PID 2336 wrote to memory of 3008 2336 cmd.exe 88 PID 3008 wrote to memory of 1804 3008 cmd.exe 89 PID 3008 wrote to memory of 1804 3008 cmd.exe 89 PID 3008 wrote to memory of 2052 3008 cmd.exe 91 PID 3008 wrote to memory of 2052 3008 cmd.exe 91 PID 2336 wrote to memory of 5040 2336 cmd.exe 94 PID 2336 wrote to memory of 5040 2336 cmd.exe 94 PID 2336 wrote to memory of 4472 2336 cmd.exe 95 PID 2336 wrote to memory of 4472 2336 cmd.exe 95 PID 2336 wrote to memory of 2156 2336 cmd.exe 96 PID 2336 wrote to memory of 2156 2336 cmd.exe 96 PID 2336 wrote to memory of 1652 2336 cmd.exe 97 PID 2336 wrote to memory of 1652 2336 cmd.exe 97 PID 2336 wrote to memory of 2024 2336 cmd.exe 98 PID 2336 wrote to memory of 2024 2336 cmd.exe 98 PID 2024 wrote to memory of 2004 2024 cmd.exe 99 PID 2024 wrote to memory of 2004 2024 cmd.exe 99 PID 2024 wrote to memory of 1872 2024 cmd.exe 100 PID 2024 wrote to memory of 1872 2024 cmd.exe 100 PID 2336 wrote to memory of 2148 2336 cmd.exe 101 PID 2336 wrote to memory of 2148 2336 cmd.exe 101 PID 2336 wrote to memory of 1800 2336 cmd.exe 102 PID 2336 wrote to memory of 1800 2336 cmd.exe 102 PID 2336 wrote to memory of 4008 2336 cmd.exe 103 PID 2336 wrote to memory of 4008 2336 cmd.exe 103 PID 2336 wrote to memory of 4204 2336 cmd.exe 104 PID 2336 wrote to memory of 4204 2336 cmd.exe 104 PID 2336 wrote to memory of 4444 2336 cmd.exe 105 PID 2336 wrote to memory of 4444 2336 cmd.exe 105 PID 4444 wrote to memory of 1400 4444 cmd.exe 106 PID 4444 wrote to memory of 1400 4444 cmd.exe 106 PID 2336 wrote to memory of 548 2336 cmd.exe 107 PID 2336 wrote to memory of 548 2336 cmd.exe 107 PID 2336 wrote to memory of 2292 2336 cmd.exe 84 PID 2336 wrote to memory of 2292 2336 cmd.exe 84 PID 2336 wrote to memory of 4308 2336 cmd.exe 85 PID 2336 wrote to memory of 4308 2336 cmd.exe 85 PID 2336 wrote to memory of 3008 2336 cmd.exe 88 PID 2336 wrote to memory of 3008 2336 cmd.exe 88 PID 3008 wrote to memory of 1804 3008 cmd.exe 89 PID 3008 wrote to memory of 1804 3008 cmd.exe 89 PID 3008 wrote to memory of 2052 3008 cmd.exe 91 PID 3008 wrote to memory of 2052 3008 cmd.exe 91 PID 2336 wrote to memory of 5040 2336 cmd.exe 94 PID 2336 wrote to memory of 5040 2336 cmd.exe 94 PID 2336 wrote to memory of 4472 2336 cmd.exe 95 PID 2336 wrote to memory of 4472 2336 cmd.exe 95 PID 2336 wrote to memory of 2156 2336 cmd.exe 96 PID 2336 wrote to memory of 2156 2336 cmd.exe 96 PID 2336 wrote to memory of 1652 2336 cmd.exe 97 PID 2336 wrote to memory of 1652 2336 cmd.exe 97 PID 2336 wrote to memory of 2024 2336 cmd.exe 98 PID 2336 wrote to memory of 2024 2336 cmd.exe 98 PID 2024 wrote to memory of 2004 2024 cmd.exe 99 PID 2024 wrote to memory of 2004 2024 cmd.exe 99 PID 2024 wrote to memory of 1872 2024 cmd.exe 100 PID 2024 wrote to memory of 1872 2024 cmd.exe 100 PID 2336 wrote to memory of 2148 2336 cmd.exe 101 PID 2336 wrote to memory of 2148 2336 cmd.exe 101
Processes
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Beasty Cracked\BNY DUMPED\8fzqf7r.bat"1⤵
- Suspicious use of WriteProcessMemory
PID:2336 -
C:\Windows\system32\certutil.exeCERTUTIL -f -decode "C:\Users\Admin\AppData\Local\Temp\Beasty Cracked\BNY DUMPED\8fzqf7r.bat" "C:\Users\Admin\AppData\Local\Temp\24433.cmd"2⤵PID:2292
-
-
C:\Windows\system32\getmac.exegetmac2⤵PID:4308
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wmic nic where physicaladapter=true get deviceid | findstr [0-9]2⤵
- Suspicious use of WriteProcessMemory
PID:3008 -
C:\Windows\System32\Wbem\WMIC.exewmic nic where physicaladapter=true get deviceid3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1804
-
-
C:\Windows\system32\findstr.exefindstr [0-9]3⤵PID:2052
-
-
-
C:\Windows\system32\reg.exeREG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\012⤵PID:5040
-
-
C:\Windows\system32\reg.exeREG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0012⤵PID:4472
-
-
C:\Windows\system32\reg.exeREG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\00012⤵PID:2156
-
-
C:\Windows\system32\reg.exeREG ADD HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0001 /v NetworkAddress /t REG_SZ /d CE80F7433E94 /f2⤵PID:1652
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wmic nic where physicaladapter=true get deviceid | findstr [0-9]2⤵
- Suspicious use of WriteProcessMemory
PID:2024 -
C:\Windows\System32\Wbem\WMIC.exewmic nic where physicaladapter=true get deviceid3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2004
-
-
C:\Windows\system32\findstr.exefindstr [0-9]3⤵PID:1872
-
-
-
C:\Windows\system32\reg.exeREG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\012⤵PID:2148
-
-
C:\Windows\system32\reg.exeREG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0012⤵PID:1800
-
-
C:\Windows\system32\reg.exeREG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\00012⤵PID:4008
-
-
C:\Windows\system32\reg.exeREG ADD HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0001 /v PnPCapabilities /t REG_DWORD /d 24 /f2⤵PID:4204
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "wmic nic where (netconnectionid like '%') get netconnectionid,netconnectionstatus /format:csv"2⤵
- Suspicious use of WriteProcessMemory
PID:4444 -
C:\Windows\System32\Wbem\WMIC.exewmic nic where (netconnectionid like '%') get netconnectionid,netconnectionstatus /format:csv3⤵PID:1400
-
-
-
C:\Windows\system32\netsh.exenetsh interface set interface name="Ethernet" disable2⤵PID:548
-
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s Netman1⤵PID:2204
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2KB
MD5875a54f511baf4bc25c5cc2e4d56c1a0
SHA157bb04b6bb812f5bdff40a5bc324a17771145918
SHA256d80a0db16a6a3ba969ead9957c04e3ca6cdb05dbdea48d0cb49269c8e24867e1
SHA5128600c555a7c995076d7d71903b3fb6494e9c8f5c1cb49aaabec92200a4e8e2fb4f30fb8aa85e214e7a4b9a7c04453e821097ee873d0383d6b1a40719b59f470c