Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
max time kernel: 46s
max time network: 30s
platform: windows7_x64
resource: win7-20230220-en
resource tags: arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
submitted: 28/03/2023, 11:36
Static task: static1
Behavioral task: behavioral1
Sample: vbc.exe
Resource: win7-20230220-en
General
Target: vbc.exe
Size: 812KB
MD5: 4f57c474b77a208ee4d212894b3512d2
SHA1: 41d369bc50e40fc80054e215d3b2ff44be10c08e
SHA256: abbc3fed4f82fe9afe22de485ec621e13bb0890d633e9c57ba5ebb2fe66b7159
SHA512: 0d7efaba27a0564ed224edc0fba642e93676d3c2c561a58887ca925870bc09eb1dda9b9617428247761386aff630ad052a832f698b054d434b82456e80707d25
SSDEEP: 24576:0EXVZ9a++LeZLGjl66eaCku6e4XCi/EJq9:330LDJUaCG1wJq
Malware Config
Signatures
- Uses the VBS compiler for execution (1 TTPs)
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Creates scheduled task(s) (1 TTPs, 1 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid 1060, process schtasks.exe
- Suspicious behavior: EnumeratesProcesses (11 IoCs)
  pid 1148, process vbc.exe (10 entries)
  pid 568, process powershell.exe (1 entry)
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Token: SeDebugPrivilege, pid 1148, process vbc.exe
  Token: SeDebugPrivilege, pid 568, process powershell.exe
- Suspicious use of WriteProcessMemory (28 IoCs; each row below appears 4 times in the report)
  description                        pid   process   procid_target
  PID 1148 wrote to memory of 568    1148  vbc.exe   28
  PID 1148 wrote to memory of 1060   1148  vbc.exe   30
  PID 1148 wrote to memory of 1392   1148  vbc.exe   32
  PID 1148 wrote to memory of 768    1148  vbc.exe   33
  PID 1148 wrote to memory of 892    1148  vbc.exe   34
  PID 1148 wrote to memory of 1500   1148  vbc.exe   35
  PID 1148 wrote to memory of 1144   1148  vbc.exe   36
Processes
- C:\Users\Admin\AppData\Local\Temp\vbc.exe (depth 1, PID 1148)
  Command line: "C:\Users\Admin\AppData\Local\Temp\vbc.exe"
  Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (depth 2, PID 568)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\afVxDcSOLVQXKW.exe"
    Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\schtasks.exe (depth 2, PID 1060)
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\afVxDcSOLVQXKW" /XML "C:\Users\Admin\AppData\Local\Temp\tmpBB45.tmp"
    Signatures: Creates scheduled task(s)
  - C:\Users\Admin\AppData\Local\Temp\vbc.exe (depth 2, PID 1392)
    Command line: "C:\Users\Admin\AppData\Local\Temp\vbc.exe"
  - C:\Users\Admin\AppData\Local\Temp\vbc.exe (depth 2, PID 768)
    Command line: "C:\Users\Admin\AppData\Local\Temp\vbc.exe"
  - C:\Users\Admin\AppData\Local\Temp\vbc.exe (depth 2, PID 892)
    Command line: "C:\Users\Admin\AppData\Local\Temp\vbc.exe"
  - C:\Users\Admin\AppData\Local\Temp\vbc.exe (depth 2, PID 1500)
    Command line: "C:\Users\Admin\AppData\Local\Temp\vbc.exe"
  - C:\Users\Admin\AppData\Local\Temp\vbc.exe (depth 2, PID 1144)
    Command line: "C:\Users\Admin\AppData\Local\Temp\vbc.exe"
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 1KB
  MD5: 2fea1e8073b2b22aaf53feafdf68f88a
  SHA1: 6d728cee7b30725433bba793605c6f94a1aded68
  SHA256: f2ce03e0e3824cb892640307a5e7181bf7d835494997f716425a6bed76dac302
  SHA512: 477155b89e2386e3550608ad1817b4e7b2158ca38ffe647ded0d5591d91df97b0fea5f119a8615e456ee353615e7a31109a185767d1df00fdd4fd53aa1508cbe