Resubmissions
16/09/2024, 00:20  240916-am1yrszfnp  7
27/08/2024, 02:41  240827-c6tpxa1amm  7
25/08/2024, 21:44  240825-1lgrlsycjn  7

Analysis
max time kernel: 94s
max time network: 99s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 25/08/2024, 21:44
Static task: static1
Behavioral task: behavioral1
  Sample: instalar.bat
  Resource: win7-20240729-en
Behavioral task: behavioral2
  Sample: instalar.bat
  Resource: win10v2004-20240802-en
General
Target: instalar.bat
Size: 723B
MD5: 703a2827ebab01c16b4f9b8f079a2fcd
SHA1: 6ae6cbd62274a7cd56049838758332801e4650e1
SHA256: 8410c88626348bdc1a9600458b2f2865427bec8fd6ac6b6320d9554afe41de61
SHA512: 52f91b51108d6bdff7649ac77c406b95e609489482695cb147e4a22347b46013ce3563700adeb4be4637212d112db0b87397a14d26903c4e98e96a53fc9213f7
Malware Config
Signatures
Enumerates connected drives (3 TTPs, 23 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description              ioc     Process
File opened (read-only)  \??\L:  mstsc.exe
File opened (read-only)  \??\M:  mstsc.exe
File opened (read-only)  \??\O:  mstsc.exe
File opened (read-only)  \??\R:  mstsc.exe
File opened (read-only)  \??\T:  mstsc.exe
File opened (read-only)  \??\U:  mstsc.exe
File opened (read-only)  \??\Y:  mstsc.exe
File opened (read-only)  \??\G:  mstsc.exe
File opened (read-only)  \??\Z:  mstsc.exe
File opened (read-only)  \??\B:  mstsc.exe
File opened (read-only)  \??\K:  mstsc.exe
File opened (read-only)  \??\A:  mstsc.exe
File opened (read-only)  \??\J:  mstsc.exe
File opened (read-only)  \??\I:  mstsc.exe
File opened (read-only)  \??\H:  mstsc.exe
File opened (read-only)  \??\N:  mstsc.exe
File opened (read-only)  \??\P:  mstsc.exe
File opened (read-only)  \??\Q:  mstsc.exe
File opened (read-only)  \??\S:  mstsc.exe
File opened (read-only)  \??\V:  mstsc.exe
File opened (read-only)  \??\W:  mstsc.exe
File opened (read-only)  \??\E:  mstsc.exe
File opened (read-only)  \??\X:  mstsc.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Checks SCSI registry key(s) (3 TTPs, 6 IoCs)
SCSI information is often read in order to detect sandboxing environments.
description  ioc  Process
Key security queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters  mstsc.exe
Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\TSRedirFlags  mstsc.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000\Device Parameters  mstsc.exe
Key security queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Device Parameters  mstsc.exe
Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Device Parameters\TSRedirFlags  mstsc.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000\Device Parameters  mstsc.exe
Suspicious behavior: AddClipboardFormatListener (1 IoCs)
pid   Process
2136  mstsc.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
description                        pid   Process
Token: 33                          2228  AUDIODG.EXE
Token: SeIncBasePriorityPrivilege  2228  AUDIODG.EXE

Suspicious use of FindShellTrayWindow (10 IoCs)
pid   Process
2136  mstsc.exe  (10 identical entries)

Suspicious use of SetWindowsHookEx (5 IoCs)
pid   Process
2136  mstsc.exe  (5 identical entries)
Processes
- C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\instalar.bat"
  PID: 5012
- C:\Windows\system32\mstsc.exe
  Command line: "C:\Windows\system32\mstsc.exe"
  Signatures:
    - Enumerates connected drives
    - Checks SCSI registry key(s)
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
  PID: 2136
- C:\Windows\system32\AUDIODG.EXE
  Command line: C:\Windows\system32\AUDIODG.EXE 0x510 0x514
  Signatures:
    - Suspicious use of AdjustPrivilegeToken
  PID: 2228