Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

1

Archive.710279869.vbs

windows7-x64

10

Archive.710279869.vbs

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    128s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    10/04/2023, 11:20

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Archive.710279869.vbs

  • Size

    18KB

  • MD5

    e46c2a754c636b4c95c23760d72d2688

  • SHA1

    efd544914bcd66eecad3ec8c657f496ebc6b0c02

  • SHA256

    e2657715d8d2731cc784a82d87eee39115a66e0dd0a4a6093b24ee35c37ef170

  • SHA512

    5b069b4eeebbc52580afc51799cd3a86ddb3d747475b3fae56ec692d4d86ce896d2ed6a6961e8becec2e4711c97dd33223c3c0529f67fe9a5cad2b3b56b564ea

  • SSDEEP

    192:53JExmMuIYYz8YDyJZ3Z2yxekdfQY2fGV4:bEzuIYYz8YDeZp2yxekdXV4

Score
10/10
grandoreirobankerpersistencetrojan

Malware Config

Signatures

  • Detects Grandoreiro payload 5 IoCs
  • Grandoreiro

    Part of a group of banking trojans, targeting Spanish and Portuguese speaking countries.

    trojanbankergrandoreiro
  • Blocklisted process makes network request 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 5 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Script User-Agent 1 IoCs

    Uses user-agent string associated with script host/environment.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Archive.710279869.vbs"
    1⤵
    • Blocklisted process makes network request
    • Checks computer location settings
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of WriteProcessMemory
    PID:2244
    • C:\techmaster4\FindSpace.exe
      "C:\techmaster4\FindSpace.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      PID:4764

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\techmaster4\FindSpace.exe
    Filesize

    2.2MB

    MD5

    b5485d229f8078575d639fb903b4fca7

    SHA1

    6a67a6bb694df592819d398a645504b2c7a2221c

    SHA256

    9625e775e955281732270b7a0fc468bef83b468be85e82e0659973aefa369782

    SHA512

    5d54f343b986d33c3e7de1450d8b6386bac66a9aeb8a77b0a81652cf2592e8f85847185d6e09e8c486a224bf21eb195308be1f489bbac615bf99d5fc760d85f8

    Download Submit

  • C:\techmaster4\FindSpace.exe
    Filesize

    2.2MB

    MD5

    b5485d229f8078575d639fb903b4fca7

    SHA1

    6a67a6bb694df592819d398a645504b2c7a2221c

    SHA256

    9625e775e955281732270b7a0fc468bef83b468be85e82e0659973aefa369782

    SHA512

    5d54f343b986d33c3e7de1450d8b6386bac66a9aeb8a77b0a81652cf2592e8f85847185d6e09e8c486a224bf21eb195308be1f489bbac615bf99d5fc760d85f8

    Download Submit

  • C:\techmaster4\FindSpace.exe
    Filesize

    2.2MB

    MD5

    b5485d229f8078575d639fb903b4fca7

    SHA1

    6a67a6bb694df592819d398a645504b2c7a2221c

    SHA256

    9625e775e955281732270b7a0fc468bef83b468be85e82e0659973aefa369782

    SHA512

    5d54f343b986d33c3e7de1450d8b6386bac66a9aeb8a77b0a81652cf2592e8f85847185d6e09e8c486a224bf21eb195308be1f489bbac615bf99d5fc760d85f8

    Download Submit

  • C:\techmaster4\Test.Zip
    Filesize

    16.8MB

    MD5

    1aed29b0be5a4cb6baf8340ee6b54cb4

    SHA1

    8892456e9224ea78fc522a25b8aa41b0e8a7c379

    SHA256

    5c98dd24b48b981b5c2dec205e7d112ddabb3aa301c0ce6541c6ce98c76dffba

    SHA512

    78ea3bd858045201c4b4a36592e35fb1839b050985c69ffb8ac213492094c87e382dcec56be5703494f40806b61be4fc130f647614cc36051c8ab3b5e8cea697

    Download Submit

  • C:\techmaster4\dbghelp.dll
    Filesize

    1.2MB

    MD5

    4003e34416ebd25e4c115d49dc15e1a7

    SHA1

    faf95ec65cde5bd833ce610bb8523363310ec4ad

    SHA256

    c06430b8cb025be506be50a756488e1bcc3827c4f45158d93e4e3eeb98ce1e4f

    SHA512

    88f5d417377cd62bde417640a79b6ac493e80f0c8b1f63a99378a2a67695ef8e4a541cedb91acfa296ed608e821fee466983806f0d082ed2e74b0cd93eb4fb84

    Download Submit

  • C:\techmaster4\dbghelp.dll
    Filesize

    1.2MB

    MD5

    4003e34416ebd25e4c115d49dc15e1a7

    SHA1

    faf95ec65cde5bd833ce610bb8523363310ec4ad

    SHA256

    c06430b8cb025be506be50a756488e1bcc3827c4f45158d93e4e3eeb98ce1e4f

    SHA512

    88f5d417377cd62bde417640a79b6ac493e80f0c8b1f63a99378a2a67695ef8e4a541cedb91acfa296ed608e821fee466983806f0d082ed2e74b0cd93eb4fb84

    Download Submit

  • C:\techmaster4\uires.dll
    Filesize

    13.0MB

    MD5

    87c7411e05ff159a3707869adc9d5c01

    SHA1

    d147cfdc5d2ea979aa757423a0a22577c45acbe1

    SHA256

    207d66dae08ca39065019355802604768b213ed2817e78bea128f136784af6a7

    SHA512

    a5a22ed12fa2ea7d343fa38e527fab8735924e350dd138b72e2bec4417825b8bab52e6814ced320f67030fa3a0b88afd7a50ac1714476f40d9ec54c33acae922

    Download Submit

  • C:\techmaster4\uires.dll
    Filesize

    13.0MB

    MD5

    87c7411e05ff159a3707869adc9d5c01

    SHA1

    d147cfdc5d2ea979aa757423a0a22577c45acbe1

    SHA256

    207d66dae08ca39065019355802604768b213ed2817e78bea128f136784af6a7

    SHA512

    a5a22ed12fa2ea7d343fa38e527fab8735924e350dd138b72e2bec4417825b8bab52e6814ced320f67030fa3a0b88afd7a50ac1714476f40d9ec54c33acae922

    Download Submit

  • C:\techmaster4\uires.dll
    Filesize

    13.0MB

    MD5

    87c7411e05ff159a3707869adc9d5c01

    SHA1

    d147cfdc5d2ea979aa757423a0a22577c45acbe1

    SHA256

    207d66dae08ca39065019355802604768b213ed2817e78bea128f136784af6a7

    SHA512

    a5a22ed12fa2ea7d343fa38e527fab8735924e350dd138b72e2bec4417825b8bab52e6814ced320f67030fa3a0b88afd7a50ac1714476f40d9ec54c33acae922

    Download Submit

  • C:\techmaster4\zlibai.dll
    Filesize

    16.7MB

    MD5

    cdb42cfc978a5e3d820c5c55a9bfa1ef

    SHA1

    2ca8a78a6ebaf0e1d620f18c45a00ee6de055e8d

    SHA256

    fedead294278a94610da46067f2729dae14cf69d8903a806caa8a1542d454bff

    SHA512

    7488162352556196a6f3ba5bc719fec8fbfbe30b68a68f5d80b38eb03a9158b415a74442b79e9107abc93b8497ceab3e170b46c03dbc6ce7506abea21b260f2a

    Download Submit

  • C:\techmaster4\zlibai.dll
    Filesize

    16.7MB

    MD5

    cdb42cfc978a5e3d820c5c55a9bfa1ef

    SHA1

    2ca8a78a6ebaf0e1d620f18c45a00ee6de055e8d

    SHA256

    fedead294278a94610da46067f2729dae14cf69d8903a806caa8a1542d454bff

    SHA512

    7488162352556196a6f3ba5bc719fec8fbfbe30b68a68f5d80b38eb03a9158b415a74442b79e9107abc93b8497ceab3e170b46c03dbc6ce7506abea21b260f2a

    Download Submit

  • C:\techmaster4\zlibai.dll
    Filesize

    16.7MB

    MD5

    cdb42cfc978a5e3d820c5c55a9bfa1ef

    SHA1

    2ca8a78a6ebaf0e1d620f18c45a00ee6de055e8d

    SHA256

    fedead294278a94610da46067f2729dae14cf69d8903a806caa8a1542d454bff

    SHA512

    7488162352556196a6f3ba5bc719fec8fbfbe30b68a68f5d80b38eb03a9158b415a74442b79e9107abc93b8497ceab3e170b46c03dbc6ce7506abea21b260f2a

    Download Submit

  • memory/4764-212-0x0000000004350000-0x0000000004351000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4764-214-0x0000000004370000-0x0000000004371000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4764-213-0x0000000004360000-0x0000000004361000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4764-215-0x0000000004390000-0x0000000004391000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4764-216-0x0000000001980000-0x0000000002A4C000-memory.dmp

    Filesize

    16.8MB

    Download

  • memory/4764-211-0x0000000004330000-0x0000000004331000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4764-210-0x0000000002A60000-0x0000000002A61000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4764-207-0x0000000001980000-0x0000000002A4C000-memory.dmp

    Filesize

    16.8MB

    Download

  • memory/4764-220-0x0000000004AB0000-0x0000000004AB1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4764-222-0x00000000044C0000-0x00000000044C1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4764-221-0x0000000004AD0000-0x0000000004AD1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4764-223-0x00000000044C0000-0x00000000044C1000-memory.dmp

    Filesize

    4KB

    Download