Analysis
max time kernel: 147s
max time network: 144s
platform: windows11-21h2_x64
resource: win11-20241007-en
resource tags: arch:x64, arch:x86, image:win11-20241007-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 12/10/2024, 19:03
Behavioral task: behavioral1
Sample: discord_youtube.bat
Resource: win11-20241007-en
General
Target: discord_youtube.bat
Size: 866B
MD5: fb41e984a0f58a55d057b062059a6ee1
SHA1: 7bd17cddd02464e0ac4de1201fac889bd229bb1d
SHA256: 2c8c88df4eaf172e0ef39b4d6adedc3aa9d3ad04d3767cde8cadf997606144be
SHA512: b8d488c5b92aa79a522376e4d4192c9c8fc822e66111324516552897ec68e9c00c5731295a49cedae97154dd5fffe40f7053dd224a93591c1d0138035c9d61ec
Malware Config
Signatures
resource | yara_rule
behavioral1/memory/4024-1-0x00007FFCF76D0000-0x00007FFCF79E2000-memory.dmp | upx
behavioral1/memory/4024-5-0x00007FFCF76D0000-0x00007FFCF79E2000-memory.dmp | upx
Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
SCSI information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName | taskmgr.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 | taskmgr.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | taskmgr.exe
Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | taskmgr.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | taskmgr.exe
Modifies registry class (4 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix | BackgroundTransferHost.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:" | BackgroundTransferHost.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:" | BackgroundTransferHost.exe
Key created | \REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings\MuiCache | BackgroundTransferHost.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid | Process
3116 | taskmgr.exe (all 64 entries reference this same pid and process)
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
pid | Process
3116 | taskmgr.exe
Suspicious behavior: LoadsDriver (1 IoC)
pid | Process
664 | Process not Found
Suspicious use of AdjustPrivilegeToken (8 IoCs)
description | pid | Process
Token: SeRestorePrivilege | 4024 | winws.exe
Token: SeBackupPrivilege | 4024 | winws.exe
Token: SeDebugPrivilege | 4024 | winws.exe
Token: SeDebugPrivilege | 3116 | taskmgr.exe
Token: SeSystemProfilePrivilege | 3116 | taskmgr.exe
Token: SeCreateGlobalPrivilege | 3116 | taskmgr.exe
Token: 33 | 3116 | taskmgr.exe
Token: SeIncBasePriorityPrivilege | 3116 | taskmgr.exe
Suspicious use of FindShellTrayWindow (64 IoCs)
pid | Process
3116 | taskmgr.exe (all 64 entries reference this same pid and process)
Suspicious use of SendNotifyMessage (64 IoCs)
pid | Process
3116 | taskmgr.exe (all 64 entries reference this same pid and process)
Suspicious use of WriteProcessMemory (4 IoCs)
description | pid | Process | procid_target
PID 3476 wrote to memory of 244 | 3476 | cmd.exe | 81
PID 3476 wrote to memory of 244 | 3476 | cmd.exe | 81
PID 3476 wrote to memory of 4024 | 3476 | cmd.exe | 82
PID 3476 wrote to memory of 4024 | 3476 | cmd.exe | 82
Processes
C:\Windows\system32\cmd.exe (PID 3476, depth 1)
  command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\discord_youtube.bat"
  - Suspicious use of WriteProcessMemory
  C:\Windows\system32\chcp.com (PID 244, depth 2)
    command line: chcp 65001
  C:\Users\Admin\AppData\Local\Temp\bin\winws.exe (PID 4024, depth 2)
    command line: "C:\Users\Admin\AppData\Local\Temp\bin\winws.exe" --wf-tcp=80,443 --wf-udp=443,50000-65535 --filter-udp=443 --hostlist="list-general.txt" --dpi-desync=fake --dpi-desync-udplen-increment=10 --dpi-desync-repeats=6 --dpi-desync-udplen-pattern=0xDEADBEEF --dpi-desync-fake-quic="C:\Users\Admin\AppData\Local\Temp\bin\quic_initial_www_google_com.bin" --new --filter-udp=50000-65535 --dpi-desync=fake --dpi-desync-any-protocol --dpi-desync-fake-quic="C:\Users\Admin\AppData\Local\Temp\bin\quic_initial_www_google_com.bin" --new --filter-tcp=80 --hostlist="list-general.txt" --dpi-desync=fake,split2 --dpi-desync-autottl=2 --dpi-desync-fooling=md5sig --new --filter-tcp=443 --hostlist="list-general.txt" --dpi-desync=fake,split2 --dpi-desync-autottl=2 --dpi-desync-fooling=md5sig --dpi-desync-fake-tls="C:\Users\Admin\AppData\Local\Temp\bin\tls_clienthello_www_google_com.bin"
    - Suspicious use of AdjustPrivilegeToken
C:\Windows\system32\BackgroundTransferHost.exe (PID 4724, depth 1)
  command line: "BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.13
  - Modifies registry class
C:\Windows\system32\taskmgr.exe (PID 3116, depth 1)
  command line: "C:\Windows\system32\taskmgr.exe" /0
  - Checks SCSI registry key(s)
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
C:\Windows\System32\rundll32.exe (PID 5084, depth 1)
  command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
Network
MITRE ATT&CK Enterprise v15
Downloads
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\BackgroundTransferApi\2c977b03-1a5f-4c3d-a626-46d3c5ddda6f.down_data
Filesize: 555KB
MD5: 5683c0028832cae4ef93ca39c8ac5029
SHA1: 248755e4e1db552e0b6f8651b04ca6d1b31a86fb
SHA256: 855abd360d8a8d6974eba92b70cbd09ce519bc8773439993f9ab37cb6847309e
SHA512: aba434bd29be191c823b02ea9b639beb10647bbe7759bbffdaa790dfb1ec2c58d74c525ef11aacda209e4effe322d1d3a07b115446c8914b07a3bce4d8a0e2c3