Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

10

UnBan Guid...er.url

windows7-x64

1

UnBan Guid...er.url

windows10-2004-x64

1

UnBan Guid...or.lnk

windows7-x64

3

UnBan Guid...or.lnk

windows10-2004-x64

7

UnBan Guid...or.url

windows7-x64

1

UnBan Guid...or.url

windows10-2004-x64

1

UnBan Guid...Ds.cmd

windows7-x64

1

UnBan Guid...Ds.cmd

windows10-2004-x64

1

UnBan Guid...Ds.cmd

windows7-x64

1

UnBan Guid...Ds.cmd

windows10-2004-x64

1

UnBan Guid...RU.exe

windows7-x64

1

UnBan Guid...RU.exe

windows10-2004-x64

1

UnBan Guid...ll.exe

windows7-x64

1

UnBan Guid...ll.exe

windows10-2004-x64

1

UnBan Guid...rt.exe

windows7-x64

4

UnBan Guid...rt.exe

windows10-2004-x64

5

UnBan Guid...64.exe

windows7-x64

4

UnBan Guid...64.exe

windows10-2004-x64

5

UnBan Guid...E).bat

windows7-x64

10

UnBan Guid...E).bat

windows10-2004-x64

8

UnBan Guid...er.bat

windows7-x64

1

UnBan Guid...er.bat

windows10-2004-x64

1

UnBan Guid...64.exe

windows7-x64

1

UnBan Guid...64.exe

windows10-2004-x64

1

UnBan Guid...64.sys

windows7-x64

1

UnBan Guid...64.sys

windows10-2004-x64

1

UnBan Guid...er.bat

windows7-x64

5

UnBan Guid...er.bat

windows10-2004-x64

UnBan Guid...ew.exe

windows7-x64

6

UnBan Guid...ew.exe

windows10-2004-x64

6

UnBan Guid...md.exe

windows7-x64

1

UnBan Guid...md.exe

windows10-2004-x64

1

Analysis

  • max time kernel
    11s
  • max time network
    55s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240611-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
  • submitted
    24/06/2024, 16:16

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    UnBan Guide/step 6/1. Spoofer (RUN ME).bat

  • Size

    3KB

  • MD5

    f0b3b45759aca115f31f2aa16a942b6d

  • SHA1

    5b0dbbfee935549167f2c89bdf8877ec61fb403d

  • SHA256

    48ecb46f509169a6ab5a4c967fa8d9955b026478f3ab124c494b4eca1f79078b

  • SHA512

    4f2a480c531385da8bf761ebc6c82b82ba9e293e770558c353b931009ba9bf57af184bb5b8de3df23fb1e707c06d431e0ada447c92b04214f5d6c92b3173089d

Score
8/10
evasionexecution

Malware Config

Signatures

  • Stops running service(s) 4 TTPs
    evasionexecution
  • Enumerates connected drives 3 TTPs 31 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Maps connected drives based on registry 3 TTPs 56 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • Drops file in Windows directory 5 IoCs
  • Launches sc.exe 2 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Checks SCSI registry key(s) 3 TTPs 64 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Kills process with taskkill 11 IoCs
    evasion
  • Runs ping.exe 1 TTPs 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 36 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 62 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\UnBan Guide\step 6\1. Spoofer (RUN ME).bat"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:752
    • C:\Windows\system32\PING.EXE
      ping www.google.com -n 1
      2⤵
      • Runs ping.exe
      PID:3252
    • C:\Windows\system32\find.exe
      find "="
      2⤵
        PID:732
      • C:\Windows\system32\taskkill.exe
        taskkill /f /im EasyAntiCheat_Setup.exe
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:4764
      • C:\Windows\system32\taskkill.exe
        taskkill /f /im FortniteLauncher.exe
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:1968
      • C:\Windows\system32\taskkill.exe
        taskkill /f /im EpicWebHelper.exe
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2136
      • C:\Windows\system32\taskkill.exe
        taskkill /f /im FortniteClient-Win64-Shipping.exe
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:4580
      • C:\Windows\system32\taskkill.exe
        taskkill /f /im EasyAntiCheat.exe
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:1092
      • C:\Windows\system32\taskkill.exe
        taskkill /f /im BEService_x64.exe
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:4412
      • C:\Windows\system32\taskkill.exe
        taskkill /f /im EpicGamesLauncher.exe
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:4520
      • C:\Windows\system32\taskkill.exe
        taskkill /f /im FortniteClient-Win64-Shipping_BE.exe
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:3612
      • C:\Windows\system32\taskkill.exe
        taskkill /f /im FortniteClient-Win64-Shipping_EAC.exe
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:4968
      • C:\Windows\system32\sc.exe
        sc stop BEService
        2⤵
        • Launches sc.exe
        PID:4920
      • C:\Windows\system32\sc.exe
        sc stop EasyAntiCheat
        2⤵
        • Launches sc.exe
        PID:5104
      • C:\Users\Admin\AppData\Local\Temp\UnBan Guide\step 6\DevManView.exe
        DevManView.exe /uninstall "SWD\MS*" /use_wildcard
        2⤵
        • Enumerates connected drives
        • Maps connected drives based on registry
        • Checks SCSI registry key(s)
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1068
      • C:\Users\Admin\AppData\Local\Temp\UnBan Guide\step 6\DeviceCleanupCmd.exe
        DeviceCleanupCmd.exe * -s
        2⤵
        • Drops file in Windows directory
        • Checks SCSI registry key(s)
        • Suspicious use of AdjustPrivilegeToken
        PID:1136
      • C:\Users\Admin\AppData\Local\Temp\UnBan Guide\step 6\DriveCleanup.exe
        DriveCleanup.exe
        2⤵
        • Enumerates connected drives
        • Checks SCSI registry key(s)
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2416
      • C:\Users\Admin\AppData\Local\Temp\UnBan Guide\step 6\DevManView.exe
        DevManView.exe /uninstall "C:\"
        2⤵
        • Enumerates connected drives
        • Maps connected drives based on registry
        • Checks SCSI registry key(s)
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3220
      • C:\Users\Admin\AppData\Local\Temp\UnBan Guide\step 6\DevManView.exe
        DevManView.exe /uninstall "F:\"
        2⤵
        • Enumerates connected drives
        • Maps connected drives based on registry
        • Checks SCSI registry key(s)
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3548
      • C:\Users\Admin\AppData\Local\Temp\UnBan Guide\step 6\DevManView.exe
        DevManView.exe /uninstall "C:\"
        2⤵
        • Enumerates connected drives
        • Maps connected drives based on registry
        • Checks SCSI registry key(s)
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4728
      • C:\Users\Admin\AppData\Local\Temp\UnBan Guide\step 6\DevManView.exe
        DevManView.exe /uninstall "Disk drive*" /use_wildcard
        2⤵
        • Enumerates connected drives
        • Maps connected drives based on registry
        • Checks SCSI registry key(s)
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1636
      • C:\Users\Admin\AppData\Local\Temp\UnBan Guide\step 6\DevManView.exe
        DevManView.exe /uninstall "Disk"
        2⤵
        • Enumerates connected drives
        • Maps connected drives based on registry
        • Checks SCSI registry key(s)
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4360
      • C:\Users\Admin\AppData\Local\Temp\UnBan Guide\step 6\DevManView.exe
        DevManView.exe /uninstall "disk"
        2⤵
        • Enumerates connected drives
        • Maps connected drives based on registry
        • Checks SCSI registry key(s)
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1300
      • C:\Users\Admin\AppData\Local\Temp\UnBan Guide\step 6\DevManView.exe
        DevManView.exe /uninstall "Disk&*" /use_wildcard
        2⤵
        • Enumerates connected drives
        • Maps connected drives based on registry
        • Checks SCSI registry key(s)
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4620
      • C:\Users\Admin\AppData\Local\Temp\UnBan Guide\step 6\DevManView.exe
        DevManView.exe /uninstall "SWD\WPDBUSENUM*" /use_wildcard
        2⤵
        • Enumerates connected drives
        • Maps connected drives based on registry
        • Checks SCSI registry key(s)
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1244
      • C:\Users\Admin\AppData\Local\Temp\UnBan Guide\step 6\DevManView.exe
        DevManView.exe /uninstall "USBSTOR*" /use_wildcard
        2⤵
        • Enumerates connected drives
        • Maps connected drives based on registry
        • Checks SCSI registry key(s)
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4388
      • C:\Users\Admin\AppData\Local\Temp\UnBan Guide\step 6\DevManView.exe
        DevManView.exe /uninstall "SCSI\Disk*" /use_wildcard
        2⤵
        • Enumerates connected drives
        • Maps connected drives based on registry
        • Drops file in Windows directory
        • Checks SCSI registry key(s)
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:408
      • C:\Users\Admin\AppData\Local\Temp\UnBan Guide\step 6\DevManView.exe
        DevManView.exe /uninstall "STORAGE*" /use_wildcard
        2⤵
        • Enumerates connected drives
        • Maps connected drives based on registry
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        PID:4400
      • C:\Users\Admin\AppData\Local\Temp\UnBan Guide\step 6\DevManView.exe
        DevManView.exe /uninstall "Motherboard*" /use_wildcard
        2⤵
        • Enumerates connected drives
        • Maps connected drives based on registry
        • Checks SCSI registry key(s)
        • Suspicious behavior: EnumeratesProcesses
        PID:2912
      • C:\Users\Admin\AppData\Local\Temp\UnBan Guide\step 6\DevManView.exe
        DevManView.exe /uninstall "Volume*" /use_wildcard
        2⤵
        • Enumerates connected drives
        • Maps connected drives based on registry
        • Drops file in Windows directory
        • Checks SCSI registry key(s)
        • Suspicious behavior: EnumeratesProcesses
        PID:4160
      • C:\Users\Admin\AppData\Local\Temp\UnBan Guide\step 6\DevManView.exe
        DevManView.exe /uninstall "Microsoft*" /use_wildcard
        2⤵
        • Enumerates connected drives
        • Maps connected drives based on registry
        • Drops file in Windows directory
        • Checks SCSI registry key(s)
        • Suspicious behavior: EnumeratesProcesses
        PID:3208
      • C:\Users\Admin\AppData\Local\Temp\UnBan Guide\step 6\DevManView.exe
        DevManView.exe /uninstall "System*" /use_wildcard
        2⤵
        • Checks SCSI registry key(s)
        • Suspicious behavior: EnumeratesProcesses
        PID:1856
      • C:\Users\Admin\AppData\Local\Temp\UnBan Guide\step 6\DevManView.exe
        DevManView.exe /uninstall "ACPI\*" /use_wildcard
        2⤵
          PID:4264
        • C:\Users\Admin\AppData\Local\Temp\UnBan Guide\step 6\DevManView.exe
          DevManView.exe /uninstall "Remote*" /use_wildcard
          2⤵
            PID:3588
          • C:\Users\Admin\AppData\Local\Temp\UnBan Guide\step 6\DevManView.exe
            DevManView.exe /uninstall "Standard*" /use_wildcard
            2⤵
              PID:4000
            • C:\Users\Admin\AppData\Local\Temp\UnBan Guide\step 6\AMIDEWINx64.EXE
              AMIDEWINx64.EXE /SU AUTO
              2⤵
                PID:4520
              • C:\Users\Admin\AppData\Local\Temp\UnBan Guide\step 6\AMIDEWINx64.EXE
                AMIDEWINx64.EXE /BS 28156256003123214025
                2⤵
                  PID:2324
                • C:\Users\Admin\AppData\Local\Temp\UnBan Guide\step 6\AMIDEWINx64.EXE
                  AMIDEWINx64.EXE /CS 3908306601974312906
                  2⤵
                    PID:4020
                  • C:\Users\Admin\AppData\Local\Temp\UnBan Guide\step 6\AMIDEWINx64.EXE
                    AMIDEWINx64.EXE /SS 23714289572200428044
                    2⤵
                      PID:1292
                    • C:\Users\Admin\AppData\Local\Temp\UnBan Guide\step 6\AMIDEWINx64.EXE
                      AMIDEWINx64.EXE /PSN 348633992901921480
                      2⤵
                        PID:4040
                      • C:\Users\Admin\AppData\Local\Temp\UnBan Guide\step 6\AMIDEWINx64.EXE
                        AMIDEWINx64.EXE /IVN 616732629186626860
                        2⤵
                          PID:4536
                        • C:\Users\Admin\AppData\Local\Temp\UnBan Guide\step 6\AMIDEWINx64.EXE
                          AMIDEWINx64.EXE /IV 32727210143047121272
                          2⤵
                            PID:544
                          • C:\Windows\system32\taskkill.exe
                            TASKKILL /F /IM WmiPrvSE.exe
                            2⤵
                            • Kills process with taskkill
                            PID:2592
                          • C:\Windows\system32\taskkill.exe
                            TASKKILL /F /IM WmiPrvSE.exe
                            2⤵
                            • Kills process with taskkill
                            PID:2628
                          • C:\Windows\system32\PING.EXE
                            PING localhost -n 15
                            2⤵
                            • Runs ping.exe
                            PID:3468
                          • C:\Windows\System32\Wbem\WMIC.exe
                            wmic diskdrive get serialnumber
                            2⤵
                              PID:1568
                            • C:\Users\Admin\AppData\Local\Temp\UnBan Guide\step 6\devcon.exe
                              devcon rescan
                              2⤵
                                PID:3524
                              • C:\Windows\system32\PING.EXE
                                ping www.google.com -n 1
                                2⤵
                                • Runs ping.exe
                                PID:584
                              • C:\Windows\system32\find.exe
                                find "="
                                2⤵
                                  PID:472
                                • C:\Windows\system32\cmd.exe
                                  C:\Windows\system32\cmd.exe /K "MAC_change.bat"
                                  2⤵
                                    PID:1824
                                    • C:\Windows\system32\cmd.exe
                                      C:\Windows\system32\cmd.exe /c wmic nic where physicaladapter=true get deviceid | findstr [0-9]
                                      3⤵
                                        PID:1904
                                        • C:\Windows\System32\Wbem\WMIC.exe
                                          wmic nic where physicaladapter=true get deviceid
                                          4⤵
                                            PID:2388
                                          • C:\Windows\system32\findstr.exe
                                            findstr [0-9]
                                            4⤵
                                              PID:1472
                                          • C:\Windows\system32\reg.exe
                                            REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\01
                                            3⤵
                                              PID:4628
                                            • C:\Windows\system32\reg.exe
                                              REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\001
                                              3⤵
                                                PID:4648
                                              • C:\Windows\system32\reg.exe
                                                REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0001
                                                3⤵
                                                  PID:4644
                                                • C:\Windows\system32\reg.exe
                                                  REG ADD HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0001 /v NetworkAddress /t REG_SZ /d 1EFF6A691507 /f
                                                  3⤵
                                                    PID:5008
                                                  • C:\Windows\system32\cmd.exe
                                                    C:\Windows\system32\cmd.exe /c wmic nic where physicaladapter=true get deviceid | findstr [0-9]
                                                    3⤵
                                                      PID:748
                                                      • C:\Windows\System32\Wbem\WMIC.exe
                                                        wmic nic where physicaladapter=true get deviceid
                                                        4⤵
                                                          PID:1092
                                                        • C:\Windows\system32\findstr.exe
                                                          findstr [0-9]
                                                          4⤵
                                                            PID:4264
                                                        • C:\Windows\system32\reg.exe
                                                          REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\01
                                                          3⤵
                                                            PID:3160
                                                          • C:\Windows\system32\reg.exe
                                                            REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\001
                                                            3⤵
                                                              PID:4016
                                                            • C:\Windows\system32\reg.exe
                                                              REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0001
                                                              3⤵
                                                                PID:2468
                                                              • C:\Windows\system32\reg.exe
                                                                REG ADD HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0001 /v PnPCapabilities /t REG_DWORD /d 24 /f
                                                                3⤵
                                                                  PID:4756
                                                                • C:\Windows\system32\cmd.exe
                                                                  C:\Windows\system32\cmd.exe /c "wmic nic where (netconnectionid like '%') get netconnectionid,netconnectionstatus /format:csv"
                                                                  3⤵
                                                                    PID:4000
                                                                    • C:\Windows\System32\Wbem\WMIC.exe
                                                                      wmic nic where (netconnectionid like '%') get netconnectionid,netconnectionstatus /format:csv
                                                                      4⤵
                                                                        PID:4520
                                                                    • C:\Windows\system32\netsh.exe
                                                                      netsh interface set interface name="Ethernet" disable
                                                                      3⤵
                                                                        PID:4012
                                                                  • C:\Windows\system32\AUDIODG.EXE
                                                                    C:\Windows\system32\AUDIODG.EXE 0x444 0x49c
                                                                    1⤵
                                                                      PID:3716
                                                                    • C:\Windows\System32\svchost.exe
                                                                      C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s Netman
                                                                      1⤵
                                                                        PID:3156

                                                                      Network

                                                                      MITRE ATT&CK Enterprise v15

                                                                      Replay Monitor

                                                                      Loading Replay Monitor...

                                                                      Downloads