Analysis
- max time kernel: 280s
- max time network: 281s
- platform: windows10-2004_x64
- resource: win10v2004-20240802-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 25/09/2024, 16:59
Static task: static1
Behavioral task: behavioral1
- Sample: skibid.bat
- Resource: win10-20240404-en
- 0 signatures
- 150 seconds
Errors
- Reason: Machine shutdown
General
- Target: skibid.bat
- Size: 31B
- MD5: 169187727fe503d0dc4426d53b63e1a5
- SHA1: 13aae468689111e1bbbd62ee22097492a8e62aa3
- SHA256: 159e4a62805f9dfb88e4976c10f0293b262b96ea1a5728d468159e131616c733
- SHA512: 8e26c1dbe4a030304649e7bd1527a4943107d10acdc079388dce4c5d70c848af73e7830250dfb5aaf5373eb4bce5eccf7cc9a2d3f253bbc04bbb2d90cd1965c9
Malware Config
Signatures
- Possible privilege escalation attempt (2 IoCs)
  pid 3636, Process takeown.exe
  pid 3732, Process icacls.exe
- Modifies file permissions (1 TTPs, 2 IoCs)
  pid 3636, Process takeown.exe
  pid 3732, Process icacls.exe
- Modifies data under HKEY_USERS (15 IoCs)
  Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History (Process LogonUI.exe)
  Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271" (Process LogonUI.exe)
  Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10" (Process LogonUI.exe)
  Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1" (Process LogonUI.exe)
  Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1" (Process LogonUI.exe)
  Set value (data): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00 (Process LogonUI.exe)
  Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271" (Process LogonUI.exe)
  Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "200" (Process LogonUI.exe)
  Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040" (Process LogonUI.exe)
  Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0" (Process LogonUI.exe)
  Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808" (Process LogonUI.exe)
  Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM (Process LogonUI.exe)
  Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89" (Process LogonUI.exe)
  Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent (Process LogonUI.exe)
  Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040" (Process LogonUI.exe)
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Token: SeTakeOwnershipPrivilege, pid 3636, Process takeown.exe
  Token: 33, pid 3312, Process AUDIODG.EXE
  Token: SeIncBasePriorityPrivilege, pid 3312, Process AUDIODG.EXE
- Suspicious use of SetWindowsHookEx (1 IoCs)
  pid 4892, Process LogonUI.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  PID 3284 wrote to memory of 3636 (pid 3284, Process cmd.exe, procid_target 100)
  PID 3284 wrote to memory of 3636 (pid 3284, Process cmd.exe, procid_target 100)
  PID 3284 wrote to memory of 3732 (pid 3284, Process cmd.exe, procid_target 102)
  PID 3284 wrote to memory of 3732 (pid 3284, Process cmd.exe, procid_target 102)
  PID 3284 wrote to memory of 2432 (pid 3284, Process cmd.exe, procid_target 103)
  PID 3284 wrote to memory of 2432 (pid 3284, Process cmd.exe, procid_target 103)
Processes
- C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\skibid.bat"
  PID: 3624
- C:\Windows\system32\cmd.exe
  Command line: "C:\Windows\system32\cmd.exe"
  PID: 3284
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\system32\takeown.exe
    Command line: takeown /f C:\Windows\System32\hal.dll
    PID: 3636
    Signatures: Possible privilege escalation attempt; Modifies file permissions; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\system32\icacls.exe
    Command line: icacls C:\Windows\System32\hal.dll /grant Admin:F
    PID: 3732
    Signatures: Possible privilege escalation attempt; Modifies file permissions
  - C:\Windows\system32\sfc.exe
    Command line: sfc /offbootdir=c\/offwindir=c\windows
    PID: 2432
- C:\Windows\system32\AUDIODG.EXE
  Command line: C:\Windows\system32\AUDIODG.EXE 0x300 0x4a0
  PID: 3312
  Signatures: Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\LogonUI.exe
  Command line: "LogonUI.exe" /flags:0x4 /state0:0xa3948855 /state1:0x41c64e6d
  PID: 4892
  Signatures: Modifies data under HKEY_USERS; Suspicious use of SetWindowsHookEx