Analysis

  • max time kernel
    150s
  • max time network
    204s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    20/09/2024, 20:51 UTC

General

  • Target

    main.bat

  • Size

    72KB

  • MD5

    35e015a9bcce22c31ba0fb364830c788

  • SHA1

    514cb5bbff59bb0c5aa92074cfa44ed061c3aafb

  • SHA256

    f08cd592c887920888cb0a18e754231b756e6c285a50511c26f4826dd1581978

  • SHA512

    ed48ecef95cd79b9f26de8523d1ae655310ad8b1684e9bbb24103943cb9fa919de826cf667d2f40d5b8cb9aeaef89aec8cdb86aeb957fe6037b4ee77b28a4668

  • SSDEEP

    768:IposY9qsaIZz+QK7ruEDHs2guEDHsaOmh82mnUjQxOn1TS6QBQg+mispepU:ICsYOBm9mnUk01SBQg+miU

Malware Config

Signatures

  • Disables service(s) 3 TTPs
  • Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
  • Stops running service(s) 4 TTPs
  • Power Settings 1 TTPs 18 IoCs

    powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

  • Launches sc.exe 10 IoCs

    Sc.exe is a Windows utility to control services on the system.

  • Delays execution with timeout.exe 1 IoCs
  • Modifies registry key 1 TTPs 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 36 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\main.bat"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2676
    • C:\Windows\system32\chcp.com
      chcp 65001
      2⤵
      PID:2352
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "prompt $H &echo on &for %B in (1) do rem"
      2⤵
      PID:4536
    • C:\Windows\system32\reg.exe
      Reg.exe add "HKLM\SYSTEM\ControlSet001\Control\Power\PowerSettings\54533251-82be-4824-96c1-47b60b740d00\0cc5b647-c1df-4637-891a-dec35c318583" /v "ValueMax" /t REG_DWORD /d "0" /f
      2⤵
      PID:824
    • C:\Windows\system32\reg.exe
      Reg.exe add "HKLM\SYSTEM\ControlSet001\Control\Power\PowerSettings\54533251-82be-4824-96c1-47b60b740d00\0cc5b647-c1df-4637-891a-dec35c318583" /v "ValueMin" /t REG_DWORD /d "0" /f
      2⤵
      PID:2240
    • C:\Windows\system32\reg.exe
      Reg.exe add "HKLM\SYSTEM\ControlSet002\Control\Power\PowerSettings\54533251-82be-4824-96c1-47b60b740d00\0cc5b647-c1df-4637-891a-dec35c318583" /v "ValueMax" /t REG_DWORD /d "0" /f
      2⤵
      PID:2064
    • C:\Windows\system32\reg.exe
      Reg.exe add "HKLM\SYSTEM\ControlSet002\Control\Power\PowerSettings\54533251-82be-4824-96c1-47b60b740d00\0cc5b647-c1df-4637-891a-dec35c318583" /v "ValueMin" /t REG_DWORD /d "0" /f
      2⤵
      PID:1752
    • C:\Windows\system32\reg.exe
      Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\54533251-82be-4824-96c1-47b60b740d00\0cc5b647-c1df-4637-891a-dec35c318583" /v "ValueMax" /t REG_DWORD /d "0" /f
      2⤵
      PID:4040
    • C:\Windows\system32\reg.exe
      Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\54533251-82be-4824-96c1-47b60b740d00\0cc5b647-c1df-4637-891a-dec35c318583" /v "ValueMin" /t REG_DWORD /d "0" /f
      2⤵
      PID:3872
    • C:\Windows\system32\reg.exe
      Reg.exe add HKLM\SYSTEM\CurrentControlSet\Control\Power /v CoreParkingDisabled /t REG_DWORD /d 0 /f
      2⤵
      • Modifies registry key
      PID:1564
    • C:\Windows\system32\powercfg.exe
      powercfg -setacvalueindex scheme_current sub_processor CPMINCORES 100
      2⤵
      • Power Settings
      • Suspicious use of AdjustPrivilegeToken
      PID:2316
    • C:\Windows\system32\powercfg.exe
      powercfg /setactive SCHEME_CURRENT
      2⤵
      • Power Settings
      • Suspicious use of AdjustPrivilegeToken
      PID:5028
    • C:\Windows\system32\bcdedit.exe
      bcdedit /set allowedinmemorysettings 0x0
      2⤵
      • Modifies boot configuration data using bcdedit
      PID:1204
    • C:\Windows\system32\bcdedit.exe
      bcdedit /set isolatedcontext No
      2⤵
      • Modifies boot configuration data using bcdedit
      PID:220
    • C:\Windows\system32\reg.exe
      Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\kernel" /v "DistributeTimers" /t REG_DWORD /d "1" /f
      2⤵
      PID:228
    • C:\Windows\system32\reg.exe
      Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\kernel" /v "DisableTsx" /t REG_DWORD /d "0" /f
      2⤵
      PID:1604
    • C:\Windows\system32\reg.exe
      Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "EventProcessorEnabled" /t REG_DWORD /d "0" /f
      2⤵
      PID:2220
    • C:\Windows\system32\powercfg.exe
      powercfg /setACvalueindex scheme_current SUB_PROCESSOR SYSCOOLPOL 1
      2⤵
      • Power Settings
      • Suspicious use of AdjustPrivilegeToken
      PID:4888
    • C:\Windows\system32\powercfg.exe
      powercfg /setDCvalueindex scheme_current SUB_PROCESSOR SYSCOOLPOL 1
      2⤵
      • Power Settings
      • Suspicious use of AdjustPrivilegeToken
      PID:2412
    • C:\Windows\system32\powercfg.exe
      powercfg /setactive SCHEME_CURRENT
      2⤵
      • Power Settings
      • Suspicious use of AdjustPrivilegeToken
      PID:624
    • C:\Windows\system32\powercfg.exe
      powercfg -setacvalueindex scheme_current sub_processor PROCTHROTTLEMAX 100
      2⤵
      • Power Settings
      • Suspicious use of AdjustPrivilegeToken
      PID:788
    • C:\Windows\system32\powercfg.exe
      powercfg -setdcvalueindex scheme_current sub_processor PROCTHROTTLEMAX 100
      2⤵
      • Power Settings
      • Suspicious use of AdjustPrivilegeToken
      PID:3608
    • C:\Windows\system32\powercfg.exe
      powercfg -setacvalueindex scheme_current sub_processor PROCTHROTTLEMIN 100
      2⤵
      • Power Settings
      • Suspicious use of AdjustPrivilegeToken
      PID:3036
    • C:\Windows\system32\powercfg.exe
      powercfg -setdcvalueindex scheme_current sub_processor PROCTHROTTLEMIN 100
      2⤵
      • Power Settings
      • Suspicious use of AdjustPrivilegeToken
      PID:1932
    • C:\Windows\system32\powercfg.exe
      powercfg -setactive scheme_current
      2⤵
      • Power Settings
      • Suspicious use of AdjustPrivilegeToken
      PID:964
    • C:\Windows\system32\powercfg.exe
      powercfg -setacvalueindex scheme_current sub_processor CPMAXCORES 100
      2⤵
      • Power Settings
      • Suspicious use of AdjustPrivilegeToken
      PID:4796
    • C:\Windows\system32\powercfg.exe
      powercfg -setdcvalueindex scheme_current sub_processor CPMAXCORES 100
      2⤵
      • Power Settings
      • Suspicious use of AdjustPrivilegeToken
      PID:1064
    • C:\Windows\system32\powercfg.exe
      powercfg -setacvalueindex scheme_current sub_processor CPMINCORES 100
      2⤵
      • Power Settings
      • Suspicious use of AdjustPrivilegeToken
      PID:2096
    • C:\Windows\system32\powercfg.exe
      powercfg -setdcvalueindex scheme_current sub_processor CPMINCORES 100
      2⤵
      • Power Settings
      • Suspicious use of AdjustPrivilegeToken
      PID:2932
    • C:\Windows\system32\powercfg.exe
      powercfg -setactive scheme_current
      2⤵
      • Power Settings
      • Suspicious use of AdjustPrivilegeToken
      PID:5096
    • C:\Windows\system32\reg.exe
      Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\54533251-82be-4824-96c1-47b60b740d00\be337238-0d82-4146-a960-4f3749d470c7" /v "Attributes" /t REG_DWORD /d 2 /f
      2⤵
      PID:3100
    • C:\Windows\system32\powercfg.exe
      powercfg -setacvalueindex scheme_current sub_processor PERFBOOSTMODE 0
      2⤵
      • Power Settings
      • Suspicious use of AdjustPrivilegeToken
      PID:4912
    • C:\Windows\system32\powercfg.exe
      powercfg -setdcvalueindex scheme_current sub_processor PERFBOOSTMODE 0
      2⤵
      • Power Settings
      • Suspicious use of AdjustPrivilegeToken
      PID:3324
    • C:\Windows\system32\powercfg.exe
      powercfg -setactive scheme_current
      2⤵
      • Power Settings
      • Suspicious use of AdjustPrivilegeToken
      PID:4984
    • C:\Windows\system32\reg.exe
      Reg.exe add "HKCU\Control Panel\Desktop" /v "MenuShowDelay" /t REG_SZ /d "0" /f
      2⤵
      PID:2456
    • C:\Windows\system32\reg.exe
      Reg.exe add "HKCU\Control Panel\Mouse" /v "MouseHoverTime" /t REG_SZ /d "0" /f
      2⤵
      PID:2644
    • C:\Windows\system32\reg.exe
      Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v "LargeSystemCache" /t REG_DWORD /d 1 /f
      2⤵
      PID:2180
    • C:\Windows\system32\reg.exe
      Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\VisualEffects" /v "VisualFXSetting" /t REG_DWORD /d 2 /f
      2⤵
      PID:4360
    • C:\Windows\system32\sc.exe
      sc config "DiagTrack" start= disabled
      2⤵
      • Launches sc.exe
      PID:3392
    • C:\Windows\system32\sc.exe
      sc config "SysMain" start= disabled
      2⤵
      • Launches sc.exe
      PID:5024
    • C:\Windows\system32\sc.exe
      sc config "WSearch" start= disabled
      2⤵
      • Launches sc.exe
      PID:3456
    • C:\Windows\system32\sc.exe
      sc config "Fax" start= disabled
      2⤵
      • Launches sc.exe
      PID:4060
    • C:\Windows\system32\sc.exe
      sc config "TabletInputService" start= disabled
      2⤵
      • Launches sc.exe
      PID:1364
    • C:\Windows\system32\sc.exe
      sc stop "DiagTrack"
      2⤵
      • Launches sc.exe
      PID:2280
    • C:\Windows\system32\sc.exe
      sc stop "SysMain"
      2⤵
      • Launches sc.exe
      PID:4160
    • C:\Windows\system32\sc.exe
      sc stop "WSearch"
      2⤵
      • Launches sc.exe
      PID:3276
    • C:\Windows\system32\sc.exe
      sc stop "Fax"
      2⤵
      • Launches sc.exe
      PID:1376
    • C:\Windows\system32\sc.exe
      sc stop "TabletInputService"
      2⤵
      • Launches sc.exe
      PID:1448
    • C:\Windows\system32\fsutil.exe
      fsutil behavior set DisableDeleteNotify 0
      2⤵
      PID:4384
    • C:\Windows\system32\reg.exe
      Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\FileSystem" /v "NtfsDisable8dot3NameCreation" /t REG_DWORD /d 1 /f
      2⤵
      PID:4432
    • C:\Windows\system32\reg.exe
      Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\FileSystem" /v "NtfsMemoryUsage" /t REG_DWORD /d 2 /f
      2⤵
      PID:532
    • C:\Windows\system32\reg.exe
      Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v "ClearPageFileAtShutdown" /t REG_DWORD /d 1 /f
      2⤵
      PID:608
    • C:\Windows\system32\reg.exe
      Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v "DisablePagingExecutive" /t REG_DWORD /d 1 /f
      2⤵
      PID:3448
    • C:\Windows\system32\reg.exe
      Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v "LargeSystemCache" /t REG_DWORD /d 1 /f
      2⤵
      PID:380
    • C:\Windows\system32\reg.exe
      Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v "SecondLevelDataCache" /t REG_DWORD /d 512 /f
      2⤵
      PID:4000
    • C:\Windows\system32\timeout.exe
      timeout /t 1 /nobreak
      2⤵
      • Delays execution with timeout.exe
      PID:932
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "prompt $H &echo on &for %B in (1) do rem"
      2⤵
      PID:4396

Network

  • US  DNS  8.8.8.8.in-addr.arpa
    Remote address: 8.8.8.8:53
    Request:  8.8.8.8.in-addr.arpa IN PTR
    Response: 8.8.8.8.in-addr.arpa IN PTR dns.google
  • US  DNS  97.17.167.52.in-addr.arpa
    Remote address: 8.8.8.8:53
    Request:  97.17.167.52.in-addr.arpa IN PTR
    Response: (none)
  • US  DNS  77.190.18.2.in-addr.arpa
    Remote address: 8.8.8.8:53
    Request:  77.190.18.2.in-addr.arpa IN PTR
    Response: 77.190.18.2.in-addr.arpa IN PTR a2-18-190-77.deploy.static.akamaitechnologies.com
  • US  DNS  0.159.190.20.in-addr.arpa
    Remote address: 8.8.8.8:53
    Request:  0.159.190.20.in-addr.arpa IN PTR
    Response: (none)
  • US  DNS  95.221.229.192.in-addr.arpa
    Remote address: 8.8.8.8:53
    Request:  95.221.229.192.in-addr.arpa IN PTR
    Response: (none)
  • US  DNS  217.106.137.52.in-addr.arpa
    Remote address: 8.8.8.8:53
    Request:  217.106.137.52.in-addr.arpa IN PTR
    Response: (none)
  • US  DNS  183.59.114.20.in-addr.arpa
    Remote address: 8.8.8.8:53
    Request:  183.59.114.20.in-addr.arpa IN PTR
    Response: (none)
  • US  DNS  241.42.69.40.in-addr.arpa
    Remote address: 8.8.8.8:53
    Request:  241.42.69.40.in-addr.arpa IN PTR
    Response: (none)
  • US  DNS  217.135.221.88.in-addr.arpa
    Remote address: 8.8.8.8:53
    Request:  217.135.221.88.in-addr.arpa IN PTR
    Response: 217.135.221.88.in-addr.arpa IN PTR a88-221-135-217.deploy.static.akamaitechnologies.com
  • US  DNS  79.190.18.2.in-addr.arpa
    Remote address: 8.8.8.8:53
    Request:  79.190.18.2.in-addr.arpa IN PTR
    Response: 79.190.18.2.in-addr.arpa IN PTR a2-18-190-79.deploy.static.akamaitechnologies.com
  • US  DNS  43.229.111.52.in-addr.arpa
    Remote address: 8.8.8.8:53
    Request:  43.229.111.52.in-addr.arpa IN PTR
    Response: (none)
  • US  DNS  4.173.189.20.in-addr.arpa
    Remote address: 8.8.8.8:53
    Request:  4.173.189.20.in-addr.arpa IN PTR
    Response: (none)
  Destination   DNS request                    Protocol   Sent   Received   Packets sent   Packets received
  8.8.8.8:53    8.8.8.8.in-addr.arpa           dns        66 B    90 B      1              1
  8.8.8.8:53    97.17.167.52.in-addr.arpa      dns        71 B   145 B      1              1
  8.8.8.8:53    77.190.18.2.in-addr.arpa       dns        70 B   133 B      1              1
  8.8.8.8:53    0.159.190.20.in-addr.arpa      dns        71 B   157 B      1              1
  8.8.8.8:53    95.221.229.192.in-addr.arpa    dns        73 B   144 B      1              1
  8.8.8.8:53    217.106.137.52.in-addr.arpa    dns        73 B   147 B      1              1
  8.8.8.8:53    183.59.114.20.in-addr.arpa     dns        72 B   158 B      1              1
  8.8.8.8:53    241.42.69.40.in-addr.arpa      dns        71 B   145 B      1              1
  8.8.8.8:53    217.135.221.88.in-addr.arpa    dns        73 B   139 B      1              1
  8.8.8.8:53    79.190.18.2.in-addr.arpa       dns        70 B   133 B      1              1
  8.8.8.8:53    43.229.111.52.in-addr.arpa     dns        72 B   158 B      1              1
  8.8.8.8:53    4.173.189.20.in-addr.arpa      dns        71 B   157 B      1              1

                                                  MITRE ATT&CK Enterprise v15
