Analysis
  max time kernel: 33s
  max time network: 35s
  platform: windows10-2004_x64
  resource: win10v2004-20240611-en
  resource tags: arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
  submitted: 27/06/2024, 18:52
Static task
  static1

Behavioral task
  behavioral1
    Sample: pcKill.bat
    Resource: win7-20240221-en
    3 signatures, 150 seconds

Behavioral task
  behavioral2
    Sample: pcKill.bat
    Resource: win10v2004-20240611-en
    5 signatures, 150 seconds
Errors
  Reason: Machine shutdown
  Note: the run did not time out; it ended when the sample itself restarted the VM with "shutdown /r" (PID 456 in the process tree), which is why the kernel trace stops at 33s of the 150s allotted. Behaviour after the reboot (LogonUI.exe) is recorded only because the sandbox kept monitoring through the restart.
General
  Target: pcKill.bat
  Size: 352B
  MD5: 41a963b08e8d643bf59a11491ff54b89
  SHA1: a196bfa5e60eb75e484c6699cca2f38e5aeb17b2
  SHA256: bc32c45844e9b6b9ce238f7887fa93f2600a9201542d369b7265766b37482be9
  SHA512: 6f91ad42f2f84b33676a3840e6a555022baa708afc40bb7a94947e4736df116f511008d265e12e99e1d24fffacac94e8058a46eccd2310ced60c22ab99da7a1b
  Score: 9/10
Malware Config
  none extracted

Signatures

Modifies boot configuration data using bcdedit (1 TTP, 1 IoC)
  pid   process
  3336  bcdedit.exe
  Note: the command line (see Processes) is "bcdedit.exe /set removememory 4193744". The removememory boot option is expressed in megabytes, while the value comes from "wmic os get TotalVisibleMemorySize", which reports kilobytes. The sample therefore asks the boot loader to withhold roughly 4 TB of RAM from a host that has about 4 GB, then forces a reboot; the expected result is a machine that no longer boots normally. This is the sample's entire payload and the reason for the 9/10 score. Recovery requires editing the BCD store offline (from WinRE or another OS) and deleting the value, e.g. bcdedit with /store pointing at the affected system's BCD and /deletevalue removememory; a plain reboot does not clear it.

Modifies data under HKEY_USERS (15 IoCs)
  process: LogonUI.exe for every entry
  Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"
  Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM
  Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"
  Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History
  Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"
  Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"
  Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00
  Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"
  Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"
  Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"
  Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "64"
  Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"
  Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent
  Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"
  Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"
  Note: every write is an accent or DWM colour setting under the .DEFAULT profile made by LogonUI.exe, i.e. the logon screen initialising its theme after the reboot the sample triggered. It is a side effect of the restart, not behaviour of the batch file, and should not be used as an indicator for this sample.

Suspicious use of AdjustPrivilegeToken (44 IoCs)
  WMIC.exe (PID 3964), each privilege listed twice in the report:
    SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege,
    SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege,
    SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege,
    SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege,
    33, 34, 35, 36 (privilege LUIDs the report did not resolve to names)
  shutdown.exe (PID 456):
    SeShutdownPrivilege, SeRemoteShutdownPrivilege
  Note: WMIC.exe enabling the whole privilege set of its token is its normal start-up behaviour and carries no signal on its own; the shutdown.exe entries are the privileges needed for the reboot.

Suspicious use of SetWindowsHookEx (1 IoC)
  pid   process
  3620  LogonUI.exe

Suspicious use of WriteProcessMemory (8 IoCs)
  pid   process   target pid   target process   procid_target
  4740  cmd.exe   2240         cmd.exe          84   (listed twice)
  2240  cmd.exe   3964         WMIC.exe         85   (listed twice)
  4740  cmd.exe   3336         bcdedit.exe      87   (listed twice)
  4740  cmd.exe   456          shutdown.exe     88   (listed twice)
  Note: each write is a parent cmd.exe into a child it has just created, consistent with ordinary process creation from the batch file rather than injection.
Processes

1  C:\Windows\system32\cmd.exe
     command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\pcKill.bat"
     PID: 4740
     signatures: Suspicious use of WriteProcessMemory
   2  C:\Windows\system32\cmd.exe
        command line: C:\Windows\system32\cmd.exe /c wmic os get TotalVisibleMemorySize
        PID: 2240
        signatures: Suspicious use of WriteProcessMemory
      3  C:\Windows\System32\Wbem\WMIC.exe
           command line: wmic os get TotalVisibleMemorySize
           PID: 3964
           signatures: Suspicious use of AdjustPrivilegeToken
   2  C:\Windows\system32\bcdedit.exe
        command line: bcdedit.exe /set removememory 4193744
        PID: 3336
        signatures: Modifies boot configuration data using bcdedit
   2  C:\Windows\system32\shutdown.exe
        command line: shutdown /r
        PID: 456
        signatures: Suspicious use of AdjustPrivilegeToken

1  C:\Windows\system32\LogonUI.exe
     command line: "LogonUI.exe" /flags:0x4 /state0:0xa394b055 /state1:0x41c64e6d
     PID: 3620
     signatures: Modifies data under HKEY_USERS; Suspicious use of SetWindowsHookEx
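The three children of the top-level cmd.exe above (a wmic memory query, a bcdedit boot-memory change, and shutdown /r) are the whole payload of this sample, and a process-creation rule can catch the chain before the reboot lands. The following Python is an added example, not part of the Triage report or of the sample: it replays the report's process tree as constructed Sysmon-style events (PIDs, images and command lines are taken from the page; the parent PID of the first cmd.exe and the 4 GB RAM figure are assumptions), flags bcdedit changes to the removememory/truncatememory boot options, sanity-checks a removememory value against installed RAM to expose the KB-as-MB mistake, and correlates the change with a restart issued by the same parent process.

```python
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass

# bcdedit boot options that shrink the memory Windows may use at boot.
# removememory is given in MB; truncatememory is a physical address in bytes.
BOOT_MEMORY_OPTIONS = {"removememory", "truncatememory"}


@dataclass
class Event:
    """One process-creation event (Sysmon Event ID 1 style, simplified)."""
    pid: int
    ppid: int
    image: str
    cmdline: str


@dataclass
class Alert:
    rule: str
    pid: int
    detail: str


# Constructed events replaying the process tree in this report. PIDs, images and
# command lines come from the report; the parent PID of the top-level cmd.exe
# (1000) is an assumption, as is the event order.
EVENTS = [
    Event(4740, 1000, r"C:\Windows\system32\cmd.exe",
          r'C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\pcKill.bat"'),
    Event(2240, 4740, r"C:\Windows\system32\cmd.exe",
          r"C:\Windows\system32\cmd.exe /c wmic os get TotalVisibleMemorySize"),
    Event(3964, 2240, r"C:\Windows\System32\Wbem\WMIC.exe",
          "wmic os get TotalVisibleMemorySize"),
    Event(3336, 4740, r"C:\Windows\system32\bcdedit.exe",
          "bcdedit.exe /set removememory 4193744"),
    Event(456, 4740, r"C:\Windows\system32\shutdown.exe", "shutdown /r"),
]


def tokenize(cmdline: str) -> list[str]:
    """Split a Windows command line on whitespace, keeping quoted groups intact."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]


def exe_name(path: str) -> str:
    """Lower-cased file name of a Windows path (works on non-Windows hosts too)."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def parse_bcdedit_set(cmdline: str) -> tuple[str, str] | None:
    """Return (option, value) for 'bcdedit [/store f] /set [{id}] option value'."""
    toks = tokenize(cmdline)
    if not toks or not exe_name(toks[0]).startswith("bcdedit"):
        return None
    low = [t.lower() for t in toks]
    if "/set" not in low:
        return None
    i = low.index("/set") + 1
    if i < len(toks) and toks[i].startswith("{"):  # optional entry id such as {default}
        i += 1
    if i + 1 >= len(toks):
        return None
    return low[i], toks[i + 1]


def analyze(events: list[Event], physical_mb: int | None = None) -> list[Alert]:
    """Flag boot-memory tampering and a tamper-then-reboot chain under one parent."""
    alerts: list[Alert] = []
    children: dict[int, list[Event]] = defaultdict(list)
    for ev in events:
        children[ev.ppid].append(ev)

    tampering_pids: set[int] = set()
    for ev in events:
        parsed = parse_bcdedit_set(ev.cmdline)
        if parsed is None or parsed[0] not in BOOT_MEMORY_OPTIONS:
            continue
        option, value = parsed
        detail = f"{option}={value}"
        if option == "removememory" and physical_mb is not None:
            try:
                requested_mb = int(value, 0)  # bcdedit accepts decimal or 0x-prefixed hex
            except ValueError:
                requested_mb = None
            if requested_mb is not None and requested_mb >= physical_mb:
                # The sample passes wmic's KB figure where bcdedit expects MB.
                detail += f"; exceeds installed RAM ({physical_mb} MB), host will not boot normally"
        alerts.append(Alert("bcdedit_boot_memory", ev.pid, detail))
        tampering_pids.add(ev.pid)

    # Chain rule: the same parent runs a boot-memory change and then a restart.
    # A production rule would also bound this by a time window.
    for ppid, kids in children.items():
        tampers = any(k.pid in tampering_pids for k in kids)
        reboots = any(exe_name(k.image) == "shutdown.exe"
                      and {"/r", "-r"} & {t.lower() for t in tokenize(k.cmdline)}
                      for k in kids)
        if tampers and reboots:
            alerts.append(Alert("boot_sabotage_chain", ppid,
                                "bcdedit boot-memory change followed by shutdown /r"))
    return alerts


if __name__ == "__main__":
    for a in analyze(EVENTS, physical_mb=4096):  # 4 GB VM is an assumption
        print(f"[{a.rule}] pid={a.pid} {a.detail}")
```

The two rules are deliberately separate: the first fires on any removememory or truncatememory change, which has almost no legitimate use outside kernel debugging and is worth an alert by itself, while the chain rule adds the reboot so that the combination can be escalated and, where the EDR allows it, the shutdown blocked before the tampered BCD is used.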