Analysis

  • max time kernel
    11s
  • max time network
    55s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240611-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    24/06/2024, 16:16 UTC

General

  • Target

    UnBan Guide/step 6/1. Spoofer (RUN ME).bat

  • Size

    3KB

  • MD5

    f0b3b45759aca115f31f2aa16a942b6d

  • SHA1

    5b0dbbfee935549167f2c89bdf8877ec61fb403d

  • SHA256

    48ecb46f509169a6ab5a4c967fa8d9955b026478f3ab124c494b4eca1f79078b

  • SHA512

    4f2a480c531385da8bf761ebc6c82b82ba9e293e770558c353b931009ba9bf57af184bb5b8de3df23fb1e707c06d431e0ada447c92b04214f5d6c92b3173089d

Score
8/10

Signatures

  • Stops running service(s) 4 TTPs
  • Enumerates connected drives 3 TTPs 31 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Maps connected drives based on registry 3 TTPs 56 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • Drops file in Windows directory 5 IoCs
  • Launches sc.exe 2 IoCs

    Sc.exe is a Windows utility to control services on the system.

  • Checks SCSI registry key(s) 3 TTPs 64 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Kills process with taskkill 11 IoCs
  • Runs ping.exe 1 TTPs 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 36 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 62 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\UnBan Guide\step 6\1. Spoofer (RUN ME).bat"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:752
    • C:\Windows\system32\PING.EXE
      ping www.google.com -n 1
      2⤵
      • Runs ping.exe
      PID:3252
    • C:\Windows\system32\find.exe
      find "="
      2⤵
      PID:732
    • C:\Windows\system32\taskkill.exe
      taskkill /f /im EasyAntiCheat_Setup.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:4764
    • C:\Windows\system32\taskkill.exe
      taskkill /f /im FortniteLauncher.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:1968
    • C:\Windows\system32\taskkill.exe
      taskkill /f /im EpicWebHelper.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:2136
    • C:\Windows\system32\taskkill.exe
      taskkill /f /im FortniteClient-Win64-Shipping.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:4580
    • C:\Windows\system32\taskkill.exe
      taskkill /f /im EasyAntiCheat.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:1092
    • C:\Windows\system32\taskkill.exe
      taskkill /f /im BEService_x64.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:4412
    • C:\Windows\system32\taskkill.exe
      taskkill /f /im EpicGamesLauncher.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:4520
    • C:\Windows\system32\taskkill.exe
      taskkill /f /im FortniteClient-Win64-Shipping_BE.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:3612
    • C:\Windows\system32\taskkill.exe
      taskkill /f /im FortniteClient-Win64-Shipping_EAC.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:4968
    • C:\Windows\system32\sc.exe
      sc stop BEService
      2⤵
      • Launches sc.exe
      PID:4920
    • C:\Windows\system32\sc.exe
      sc stop EasyAntiCheat
      2⤵
      • Launches sc.exe
      PID:5104
    • C:\Users\Admin\AppData\Local\Temp\UnBan Guide\step 6\DevManView.exe
      DevManView.exe /uninstall "SWD\MS*" /use_wildcard
      2⤵
      • Enumerates connected drives
      • Maps connected drives based on registry
      • Checks SCSI registry key(s)
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1068
    • C:\Users\Admin\AppData\Local\Temp\UnBan Guide\step 6\DeviceCleanupCmd.exe
      DeviceCleanupCmd.exe * -s
      2⤵
      • Drops file in Windows directory
      • Checks SCSI registry key(s)
      • Suspicious use of AdjustPrivilegeToken
      PID:1136
    • C:\Users\Admin\AppData\Local\Temp\UnBan Guide\step 6\DriveCleanup.exe
      DriveCleanup.exe
      2⤵
      • Enumerates connected drives
      • Checks SCSI registry key(s)
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2416
    • C:\Users\Admin\AppData\Local\Temp\UnBan Guide\step 6\DevManView.exe
      DevManView.exe /uninstall "C:\"
      2⤵
      • Enumerates connected drives
      • Maps connected drives based on registry
      • Checks SCSI registry key(s)
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3220
    • C:\Users\Admin\AppData\Local\Temp\UnBan Guide\step 6\DevManView.exe
      DevManView.exe /uninstall "F:\"
      2⤵
      • Enumerates connected drives
      • Maps connected drives based on registry
      • Checks SCSI registry key(s)
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3548
    • C:\Users\Admin\AppData\Local\Temp\UnBan Guide\step 6\DevManView.exe
      DevManView.exe /uninstall "C:\"
      2⤵
      • Enumerates connected drives
      • Maps connected drives based on registry
      • Checks SCSI registry key(s)
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4728
    • C:\Users\Admin\AppData\Local\Temp\UnBan Guide\step 6\DevManView.exe
      DevManView.exe /uninstall "Disk drive*" /use_wildcard
      2⤵
      • Enumerates connected drives
      • Maps connected drives based on registry
      • Checks SCSI registry key(s)
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1636
    • C:\Users\Admin\AppData\Local\Temp\UnBan Guide\step 6\DevManView.exe
      DevManView.exe /uninstall "Disk"
      2⤵
      • Enumerates connected drives
      • Maps connected drives based on registry
      • Checks SCSI registry key(s)
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4360
    • C:\Users\Admin\AppData\Local\Temp\UnBan Guide\step 6\DevManView.exe
      DevManView.exe /uninstall "disk"
      2⤵
      • Enumerates connected drives
      • Maps connected drives based on registry
      • Checks SCSI registry key(s)
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1300
    • C:\Users\Admin\AppData\Local\Temp\UnBan Guide\step 6\DevManView.exe
      DevManView.exe /uninstall "Disk&*" /use_wildcard
      2⤵
      • Enumerates connected drives
      • Maps connected drives based on registry
      • Checks SCSI registry key(s)
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4620
    • C:\Users\Admin\AppData\Local\Temp\UnBan Guide\step 6\DevManView.exe
      DevManView.exe /uninstall "SWD\WPDBUSENUM*" /use_wildcard
      2⤵
      • Enumerates connected drives
      • Maps connected drives based on registry
      • Checks SCSI registry key(s)
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1244
    • C:\Users\Admin\AppData\Local\Temp\UnBan Guide\step 6\DevManView.exe
      DevManView.exe /uninstall "USBSTOR*" /use_wildcard
      2⤵
      • Enumerates connected drives
      • Maps connected drives based on registry
      • Checks SCSI registry key(s)
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4388
    • C:\Users\Admin\AppData\Local\Temp\UnBan Guide\step 6\DevManView.exe
      DevManView.exe /uninstall "SCSI\Disk*" /use_wildcard
      2⤵
      • Enumerates connected drives
      • Maps connected drives based on registry
      • Drops file in Windows directory
      • Checks SCSI registry key(s)
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:408
    • C:\Users\Admin\AppData\Local\Temp\UnBan Guide\step 6\DevManView.exe
      DevManView.exe /uninstall "STORAGE*" /use_wildcard
      2⤵
      • Enumerates connected drives
      • Maps connected drives based on registry
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      PID:4400
    • C:\Users\Admin\AppData\Local\Temp\UnBan Guide\step 6\DevManView.exe
      DevManView.exe /uninstall "Motherboard*" /use_wildcard
      2⤵
      • Enumerates connected drives
      • Maps connected drives based on registry
      • Checks SCSI registry key(s)
      • Suspicious behavior: EnumeratesProcesses
      PID:2912
    • C:\Users\Admin\AppData\Local\Temp\UnBan Guide\step 6\DevManView.exe
      DevManView.exe /uninstall "Volume*" /use_wildcard
      2⤵
      • Enumerates connected drives
      • Maps connected drives based on registry
      • Drops file in Windows directory
      • Checks SCSI registry key(s)
      • Suspicious behavior: EnumeratesProcesses
      PID:4160
    • C:\Users\Admin\AppData\Local\Temp\UnBan Guide\step 6\DevManView.exe
      DevManView.exe /uninstall "Microsoft*" /use_wildcard
      2⤵
      • Enumerates connected drives
      • Maps connected drives based on registry
      • Drops file in Windows directory
      • Checks SCSI registry key(s)
      • Suspicious behavior: EnumeratesProcesses
      PID:3208
    • C:\Users\Admin\AppData\Local\Temp\UnBan Guide\step 6\DevManView.exe
      DevManView.exe /uninstall "System*" /use_wildcard
      2⤵
      • Checks SCSI registry key(s)
      • Suspicious behavior: EnumeratesProcesses
      PID:1856
    • C:\Users\Admin\AppData\Local\Temp\UnBan Guide\step 6\DevManView.exe
      DevManView.exe /uninstall "ACPI\*" /use_wildcard
      2⤵
      PID:4264
    • C:\Users\Admin\AppData\Local\Temp\UnBan Guide\step 6\DevManView.exe
      DevManView.exe /uninstall "Remote*" /use_wildcard
      2⤵
      PID:3588
    • C:\Users\Admin\AppData\Local\Temp\UnBan Guide\step 6\DevManView.exe
      DevManView.exe /uninstall "Standard*" /use_wildcard
      2⤵
      PID:4000
    • C:\Users\Admin\AppData\Local\Temp\UnBan Guide\step 6\AMIDEWINx64.EXE
      AMIDEWINx64.EXE /SU AUTO
      2⤵
      PID:4520
    • C:\Users\Admin\AppData\Local\Temp\UnBan Guide\step 6\AMIDEWINx64.EXE
      AMIDEWINx64.EXE /BS 28156256003123214025
      2⤵
      PID:2324
    • C:\Users\Admin\AppData\Local\Temp\UnBan Guide\step 6\AMIDEWINx64.EXE
      AMIDEWINx64.EXE /CS 3908306601974312906
      2⤵
      PID:4020
    • C:\Users\Admin\AppData\Local\Temp\UnBan Guide\step 6\AMIDEWINx64.EXE
      AMIDEWINx64.EXE /SS 23714289572200428044
      2⤵
      PID:1292
    • C:\Users\Admin\AppData\Local\Temp\UnBan Guide\step 6\AMIDEWINx64.EXE
      AMIDEWINx64.EXE /PSN 348633992901921480
      2⤵
      PID:4040
    • C:\Users\Admin\AppData\Local\Temp\UnBan Guide\step 6\AMIDEWINx64.EXE
      AMIDEWINx64.EXE /IVN 616732629186626860
      2⤵
      PID:4536
    • C:\Users\Admin\AppData\Local\Temp\UnBan Guide\step 6\AMIDEWINx64.EXE
      AMIDEWINx64.EXE /IV 32727210143047121272
      2⤵
      PID:544
    • C:\Windows\system32\taskkill.exe
      TASKKILL /F /IM WmiPrvSE.exe
      2⤵
      • Kills process with taskkill
      PID:2592
    • C:\Windows\system32\taskkill.exe
      TASKKILL /F /IM WmiPrvSE.exe
      2⤵
      • Kills process with taskkill
      PID:2628
    • C:\Windows\system32\PING.EXE
      PING localhost -n 15
      2⤵
      • Runs ping.exe
      PID:3468
    • C:\Windows\System32\Wbem\WMIC.exe
      wmic diskdrive get serialnumber
      2⤵
      PID:1568
    • C:\Users\Admin\AppData\Local\Temp\UnBan Guide\step 6\devcon.exe
      devcon rescan
      2⤵
      PID:3524
    • C:\Windows\system32\PING.EXE
      ping www.google.com -n 1
      2⤵
      • Runs ping.exe
      PID:584
    • C:\Windows\system32\find.exe
      find "="
      2⤵
      PID:472
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /K "MAC_change.bat"
      2⤵
      PID:1824
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c wmic nic where physicaladapter=true get deviceid | findstr [0-9]
        3⤵
        PID:1904
        • C:\Windows\System32\Wbem\WMIC.exe
          wmic nic where physicaladapter=true get deviceid
          4⤵
          PID:2388
        • C:\Windows\system32\findstr.exe
          findstr [0-9]
          4⤵
          PID:1472
      • C:\Windows\system32\reg.exe
        REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\01
        3⤵
        PID:4628
      • C:\Windows\system32\reg.exe
        REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\001
        3⤵
        PID:4648
      • C:\Windows\system32\reg.exe
        REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0001
        3⤵
        PID:4644
      • C:\Windows\system32\reg.exe
        REG ADD HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0001 /v NetworkAddress /t REG_SZ /d 1EFF6A691507 /f
        3⤵
        PID:5008
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c wmic nic where physicaladapter=true get deviceid | findstr [0-9]
        3⤵
        PID:748
        • C:\Windows\System32\Wbem\WMIC.exe
          wmic nic where physicaladapter=true get deviceid
          4⤵
          PID:1092
        • C:\Windows\system32\findstr.exe
          findstr [0-9]
          4⤵
          PID:4264
      • C:\Windows\system32\reg.exe
        REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\01
        3⤵
        PID:3160
      • C:\Windows\system32\reg.exe
        REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\001
        3⤵
        PID:4016
      • C:\Windows\system32\reg.exe
        REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0001
        3⤵
        PID:2468
      • C:\Windows\system32\reg.exe
        REG ADD HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0001 /v PnPCapabilities /t REG_DWORD /d 24 /f
        3⤵
        PID:4756
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c "wmic nic where (netconnectionid like '%') get netconnectionid,netconnectionstatus /format:csv"
        3⤵
        PID:4000
        • C:\Windows\System32\Wbem\WMIC.exe
          wmic nic where (netconnectionid like '%') get netconnectionid,netconnectionstatus /format:csv
          4⤵
          PID:4520
      • C:\Windows\system32\netsh.exe
        netsh interface set interface name="Ethernet" disable
        3⤵
        PID:4012
  • C:\Windows\system32\AUDIODG.EXE
    C:\Windows\system32\AUDIODG.EXE 0x444 0x49c
    1⤵
    PID:3716
  • C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s Netman
    1⤵
    PID:3156

Network

  • DNS www.google.com (PING.EXE)
    Remote address: 8.8.8.8:53
    Request: www.google.com IN A
    Response: www.google.com IN A 142.250.187.196
  • DNS 8.8.8.8.in-addr.arpa
    Remote address: 8.8.8.8:53
    Request: 8.8.8.8.in-addr.arpa IN PTR
    Response: 8.8.8.8.in-addr.arpa IN PTR dns.google
  • DNS 58.55.71.13.in-addr.arpa
    Remote address: 8.8.8.8:53
    Request: 58.55.71.13.in-addr.arpa IN PTR
    Response: (no records)
  • DNS 82.90.14.23.in-addr.arpa
    Remote address: 8.8.8.8:53
    Request: 82.90.14.23.in-addr.arpa IN PTR
    Response: 82.90.14.23.in-addr.arpa IN PTR a23-14-90-82.deploy.static.akamaitechnologies.com
  • DNS 0.159.190.20.in-addr.arpa
    Remote address: 8.8.8.8:53
    Request: 0.159.190.20.in-addr.arpa IN PTR
    Response: (no records)
  • DNS 104.219.191.52.in-addr.arpa
    Remote address: 8.8.8.8:53
    Request: 104.219.191.52.in-addr.arpa IN PTR
    Response: (no records)
  • DNS 164.189.21.2.in-addr.arpa
    Remote address: 8.8.8.8:53
    Request: 164.189.21.2.in-addr.arpa IN PTR
    Response: 164.189.21.2.in-addr.arpa IN PTR a2-21-189-164.deploy.static.akamaitechnologies.com

  • 8.8.8.8:53  www.google.com  dns  PING.EXE  60 B  76 B  1  1
    DNS Request: www.google.com
    DNS Response: 142.250.187.196
  • 8.8.8.8:53  8.8.8.8.in-addr.arpa  dns  66 B  90 B  1  1
    DNS Request: 8.8.8.8.in-addr.arpa
  • 8.8.8.8:53  58.55.71.13.in-addr.arpa  dns  70 B  144 B  1  1
    DNS Request: 58.55.71.13.in-addr.arpa
  • 8.8.8.8:53  82.90.14.23.in-addr.arpa  dns  70 B  133 B  1  1
    DNS Request: 82.90.14.23.in-addr.arpa
  • 8.8.8.8:53  0.159.190.20.in-addr.arpa  dns  71 B  157 B  1  1
    DNS Request: 0.159.190.20.in-addr.arpa
  • 8.8.8.8:53  104.219.191.52.in-addr.arpa  dns  73 B  147 B  1  1
    DNS Request: 104.219.191.52.in-addr.arpa
  • 8.8.8.8:53  164.189.21.2.in-addr.arpa  dns  71 B  135 B  1  1
    DNS Request: 164.189.21.2.in-addr.arpa
