Analysis
max time kernel: 447s
max time network: 1168s
platform: windows11-21h2_x64
resource: win11-20240802-en
resource tags: arch:x64, arch:x86, image:win11-20240802-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 03/09/2024, 12:55
Static task
static1
Behavioral task
behavioral1
Sample
robux.bat
Resource
win11-20240802-en
3 signatures
1800 seconds
General
Target: robux.bat
Size: 275B
MD5: 2755ddff80a52ce0f898dd86d2e0c386
SHA1: 1507f5f1f593ef9f658922b3346ffc8ee550937c
SHA256: b35cb19f790d4ab3b8218ac1ff839fb021916a00d0cb6884eeb82c899b8dd5ed
SHA512: 2903bc0f38128edcd52576f67b1ce481ec7e341b8916697a3a041ee918c3eb8c2ada0cb2078301db8cfd90edde8aa1b1425432d23db2cffcbaf9f690fe26407e
Score: 1/10
Malware Config
Signatures

Opens file in notepad (likely ransom note) - 1 IoC
pid   Process
72    NOTEPAD.EXE

Suspicious use of AdjustPrivilegeToken - 42 IoCs
description                              pid   Process
Token: SeIncreaseQuotaPrivilege          3924  WMIC.exe
Token: SeSecurityPrivilege               3924  WMIC.exe
Token: SeTakeOwnershipPrivilege          3924  WMIC.exe
Token: SeLoadDriverPrivilege             3924  WMIC.exe
Token: SeSystemProfilePrivilege          3924  WMIC.exe
Token: SeSystemtimePrivilege             3924  WMIC.exe
Token: SeProfSingleProcessPrivilege      3924  WMIC.exe
Token: SeIncBasePriorityPrivilege        3924  WMIC.exe
Token: SeCreatePagefilePrivilege         3924  WMIC.exe
Token: SeBackupPrivilege                 3924  WMIC.exe
Token: SeRestorePrivilege                3924  WMIC.exe
Token: SeShutdownPrivilege               3924  WMIC.exe
Token: SeDebugPrivilege                  3924  WMIC.exe
Token: SeSystemEnvironmentPrivilege      3924  WMIC.exe
Token: SeRemoteShutdownPrivilege         3924  WMIC.exe
Token: SeUndockPrivilege                 3924  WMIC.exe
Token: SeManageVolumePrivilege           3924  WMIC.exe
Token: 33                                3924  WMIC.exe
Token: 34                                3924  WMIC.exe
Token: 35                                3924  WMIC.exe
Token: 36                                3924  WMIC.exe
Token: SeIncreaseQuotaPrivilege          3924  WMIC.exe
Token: SeSecurityPrivilege               3924  WMIC.exe
Token: SeTakeOwnershipPrivilege          3924  WMIC.exe
Token: SeLoadDriverPrivilege             3924  WMIC.exe
Token: SeSystemProfilePrivilege          3924  WMIC.exe
Token: SeSystemtimePrivilege             3924  WMIC.exe
Token: SeProfSingleProcessPrivilege      3924  WMIC.exe
Token: SeIncBasePriorityPrivilege        3924  WMIC.exe
Token: SeCreatePagefilePrivilege         3924  WMIC.exe
Token: SeBackupPrivilege                 3924  WMIC.exe
Token: SeRestorePrivilege                3924  WMIC.exe
Token: SeShutdownPrivilege               3924  WMIC.exe
Token: SeDebugPrivilege                  3924  WMIC.exe
Token: SeSystemEnvironmentPrivilege      3924  WMIC.exe
Token: SeRemoteShutdownPrivilege         3924  WMIC.exe
Token: SeUndockPrivilege                 3924  WMIC.exe
Token: SeManageVolumePrivilege           3924  WMIC.exe
Token: 33                                3924  WMIC.exe
Token: 34                                3924  WMIC.exe
Token: 35                                3924  WMIC.exe
Token: 36                                3924  WMIC.exe

Suspicious use of WriteProcessMemory - 4 IoCs
description                          pid   Process   procid_target
PID 884 wrote to memory of 4140      884   cmd.exe   79
PID 884 wrote to memory of 4140      884   cmd.exe   79
PID 4140 wrote to memory of 3924     4140  cmd.exe   80
PID 4140 wrote to memory of 3924     4140  cmd.exe   80
Processes

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\robux.bat" (PID 884)
  - Suspicious use of WriteProcessMemory
  C:\Windows\system32\cmd.exe /c wmic csproduct get uuid /value (PID 4140)
    - Suspicious use of WriteProcessMemory
    C:\Windows\System32\Wbem\WMIC.exe wmic csproduct get uuid /value (PID 3924)
      - Suspicious use of AdjustPrivilegeToken

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding (PID 1620)

"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\hardware_id.txt (PID 72)
  - Opens file in notepad (likely ransom note)
Network
MITRE ATT&CK Matrix
Downloads

Filesize: 14B
MD5: ce585c6ba32ac17652d2345118536f9c
SHA1: be0e41b3690c42e4c0cdb53d53fc544fb46b758d
SHA256: 589c942e748ea16dc86923c4391092707ce22315eb01cb85b0988c6762aa0ed3
SHA512: d397eda475d6853ce5cc28887690ddd5f8891be43767cdb666396580687f901fb6f0cc572afa18bde1468a77e8397812009c954f386c8f69cc0678e1253d5752