Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
149s -
max time network
91s -
platform
windows7_x64 -
resource
win7-20230220-en -
resource tags
-
submitted
10/04/2023, 11:20
General
-
Target
Archive.710279869.vbs
-
Size
18KB
-
MD5
e46c2a754c636b4c95c23760d72d2688
-
SHA1
efd544914bcd66eecad3ec8c657f496ebc6b0c02
-
SHA256
e2657715d8d2731cc784a82d87eee39115a66e0dd0a4a6093b24ee35c37ef170
-
SHA512
5b069b4eeebbc52580afc51799cd3a86ddb3d747475b3fae56ec692d4d86ce896d2ed6a6961e8becec2e4711c97dd33223c3c0529f67fe9a5cad2b3b56b564ea
-
SSDEEP
192:53JExmMuIYYz8YDyJZ3Z2yxekdfQY2fGV4:bEzuIYYz8YDeZp2yxekdXV4
Malware Config
Signatures
-
Detects Grandoreiro payload 4 IoCs
-
Grandoreiro
Part of a group of banking trojans, targeting Spanish and Portuguese speaking countries.
-
Blocklisted process makes network request 1 IoCs
-
Executes dropped EXE 1 IoCs
-
Loads dropped DLL 3 IoCs
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Script User-Agent 1 IoCs
Uses user-agent string associated with script host/environment.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious use of FindShellTrayWindow 1 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 7 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Archive.710279869.vbs"1⤵
- Blocklisted process makes network request
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\techmaster4\FindSpace.exe"C:\techmaster4\FindSpace.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
16.8MB
MD51aed29b0be5a4cb6baf8340ee6b54cb4
SHA18892456e9224ea78fc522a25b8aa41b0e8a7c379
SHA2565c98dd24b48b981b5c2dec205e7d112ddabb3aa301c0ce6541c6ce98c76dffba
SHA51278ea3bd858045201c4b4a36592e35fb1839b050985c69ffb8ac213492094c87e382dcec56be5703494f40806b61be4fc130f647614cc36051c8ab3b5e8cea697
-
Filesize
2.2MB
MD5b5485d229f8078575d639fb903b4fca7
SHA16a67a6bb694df592819d398a645504b2c7a2221c
SHA2569625e775e955281732270b7a0fc468bef83b468be85e82e0659973aefa369782
SHA5125d54f343b986d33c3e7de1450d8b6386bac66a9aeb8a77b0a81652cf2592e8f85847185d6e09e8c486a224bf21eb195308be1f489bbac615bf99d5fc760d85f8
-
Filesize
2.2MB
MD5b5485d229f8078575d639fb903b4fca7
SHA16a67a6bb694df592819d398a645504b2c7a2221c
SHA2569625e775e955281732270b7a0fc468bef83b468be85e82e0659973aefa369782
SHA5125d54f343b986d33c3e7de1450d8b6386bac66a9aeb8a77b0a81652cf2592e8f85847185d6e09e8c486a224bf21eb195308be1f489bbac615bf99d5fc760d85f8
-
Filesize
2.2MB
MD5b5485d229f8078575d639fb903b4fca7
SHA16a67a6bb694df592819d398a645504b2c7a2221c
SHA2569625e775e955281732270b7a0fc468bef83b468be85e82e0659973aefa369782
SHA5125d54f343b986d33c3e7de1450d8b6386bac66a9aeb8a77b0a81652cf2592e8f85847185d6e09e8c486a224bf21eb195308be1f489bbac615bf99d5fc760d85f8
-
Filesize
1.2MB
MD54003e34416ebd25e4c115d49dc15e1a7
SHA1faf95ec65cde5bd833ce610bb8523363310ec4ad
SHA256c06430b8cb025be506be50a756488e1bcc3827c4f45158d93e4e3eeb98ce1e4f
SHA51288f5d417377cd62bde417640a79b6ac493e80f0c8b1f63a99378a2a67695ef8e4a541cedb91acfa296ed608e821fee466983806f0d082ed2e74b0cd93eb4fb84
-
Filesize
13.0MB
MD587c7411e05ff159a3707869adc9d5c01
SHA1d147cfdc5d2ea979aa757423a0a22577c45acbe1
SHA256207d66dae08ca39065019355802604768b213ed2817e78bea128f136784af6a7
SHA512a5a22ed12fa2ea7d343fa38e527fab8735924e350dd138b72e2bec4417825b8bab52e6814ced320f67030fa3a0b88afd7a50ac1714476f40d9ec54c33acae922
-
Filesize
16.7MB
MD5cdb42cfc978a5e3d820c5c55a9bfa1ef
SHA12ca8a78a6ebaf0e1d620f18c45a00ee6de055e8d
SHA256fedead294278a94610da46067f2729dae14cf69d8903a806caa8a1542d454bff
SHA5127488162352556196a6f3ba5bc719fec8fbfbe30b68a68f5d80b38eb03a9158b415a74442b79e9107abc93b8497ceab3e170b46c03dbc6ce7506abea21b260f2a
-
Filesize
1.2MB
MD54003e34416ebd25e4c115d49dc15e1a7
SHA1faf95ec65cde5bd833ce610bb8523363310ec4ad
SHA256c06430b8cb025be506be50a756488e1bcc3827c4f45158d93e4e3eeb98ce1e4f
SHA51288f5d417377cd62bde417640a79b6ac493e80f0c8b1f63a99378a2a67695ef8e4a541cedb91acfa296ed608e821fee466983806f0d082ed2e74b0cd93eb4fb84
-
Filesize
13.0MB
MD587c7411e05ff159a3707869adc9d5c01
SHA1d147cfdc5d2ea979aa757423a0a22577c45acbe1
SHA256207d66dae08ca39065019355802604768b213ed2817e78bea128f136784af6a7
SHA512a5a22ed12fa2ea7d343fa38e527fab8735924e350dd138b72e2bec4417825b8bab52e6814ced320f67030fa3a0b88afd7a50ac1714476f40d9ec54c33acae922
-
Filesize
16.7MB
MD5cdb42cfc978a5e3d820c5c55a9bfa1ef
SHA12ca8a78a6ebaf0e1d620f18c45a00ee6de055e8d
SHA256fedead294278a94610da46067f2729dae14cf69d8903a806caa8a1542d454bff
SHA5127488162352556196a6f3ba5bc719fec8fbfbe30b68a68f5d80b38eb03a9158b415a74442b79e9107abc93b8497ceab3e170b46c03dbc6ce7506abea21b260f2a
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
16.8MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
16.8MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB