Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
37s -
max time network
40s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-de -
resource tags
arch:x64arch:x86image:win10v2004-20240802-delocale:de-deos:windows10-2004-x64systemwindows -
submitted
10/08/2024, 07:13
Static task
static1
Behavioral task
behavioral1
Sample
Fiveguard Unbann.bat
Resource
win7-20240704-de
Behavioral task
behavioral2
Sample
Fiveguard Unbann.bat
Resource
win10v2004-20240802-de
Errors
General
-
Target
Fiveguard Unbann.bat
-
Size
300B
-
MD5
c99aaf4692dc68596153459bb3b4d7ce
-
SHA1
e65fd8078e9fee850c687ae3a3a744a1c718577e
-
SHA256
2b5a678098388f333f5297af1dddf3dc8541b7f9f8244db63f654a04b3bcda09
-
SHA512
7ff36fdffe442646c9ed5675d54394e4473f6908a5315dd5ce5472bb74e5e89bf9c1d8521cecc46639e458d57a290f96c983cf6c91f992d6476c545c55ed1228
Malware Config
Signatures
-
description ioc Process Key deleted \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Internet Explorer\LowRegistry\Audio\PolicyConfig\PropertyStore\d99f01ab_0\{219ED5A0-9CBF-4F3A-B927-37C9E5C5F14F} reg.exe Key deleted \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Internet Explorer\LowRegistry\Audio\PolicyConfig\PropertyStore\d99f01ab_0 reg.exe Key deleted \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Internet Explorer\LowRegistry\Audio\PolicyConfig\PropertyStore reg.exe -
Modifies data under HKEY_USERS 15 IoCs
description ioc Process Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00 LogonUI.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1" LogonUI.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271" LogonUI.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "58" LogonUI.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 2428 LogonUI.exe -
Suspicious use of WriteProcessMemory 2 IoCs
description pid Process procid_target PID 4188 wrote to memory of 3564 4188 cmd.exe 87 PID 4188 wrote to memory of 3564 4188 cmd.exe 87
Processes
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Fiveguard Unbann.bat"1⤵
- Suspicious use of WriteProcessMemory
PID:4188 -
C:\Windows\system32\reg.exereg delete "HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\LowRegistry\Audio\PolicyConfig\PropertyStore" /f2⤵
- Modifies Internet Explorer settings
PID:3564
-
-
C:\Windows\system32\LogonUI.exe"LogonUI.exe" /flags:0x4 /state0:0xa3974855 /state1:0x41c64e6d1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:2428
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
748KB
MD54ad4762c21e196667ef450cd67a4e624
SHA1586c197b9c384fdba5d58e8aace1f865f34f5dc6
SHA256b2b59f824c1b1c08625d75b75bf2014d0025a1ac388786e24ef50aa42ec6f84e
SHA5127a0de8b64354c067c0ced53d49317525d2f258fc11f189190ef3e409ced0c9f6c1f3e443ae9a45277309d9b198d4a5505eaf3d95eb0d1ac7e0abd523c13ac15b