Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

8

Static

static

1

SAT_DETALLES.jse

windows7-x64

8

SAT_DETALLES.jse

windows10-2004-x64

8

Analysis

  • max time kernel
    150s
  • max time network
    149s
  • platform
    windows7_x64
  • resource
    win7-20230220-en
  • resource tags

    arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
  • submitted
    18/05/2023, 19:38

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    SAT_DETALLES.jse

  • Size

    1.5MB

  • MD5

    b80eda713d874833ce8602797f153b4b

  • SHA1

    999db62072ef9ae69682317824506125cd9e2666

  • SHA256

    2cfc5721ed7487d96518c4aec56c0e74b8c55254947b3fffd5b3ca18a1d41b0a

  • SHA512

    bd5743d6efbad0fd03d48635b09eeb74a200cd21f554cd27e59060ba4e73d613adfd66dec8e97a52dc718f14e7ce6e80bf47aab162c232bfad707ea2fdc44c97

  • SSDEEP

    24576:iUDGATVfH4T9bXCMw0OOUZZur9J32okgKEWW5RtZIxlMHcwSAZZGIywUAFP4Rp7x:nxk9OMw0O9ZurawjtZMwLUGou3vxLe

Score
8/10
collectionspywarestealer

Malware Config

Signatures

  • Downloads MZ/PE file
  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
    collection
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • NTFS ADS 2 IoCs
  • Script User-Agent 2 IoCs

    Uses user-agent string associated with script host/environment.

  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    C:\Windows\System32\WScript.exe "C:\Users\Admin\AppData\Local\Temp\SAT_DETALLES.jse"
    1⤵
    • Deletes itself
    • Suspicious use of WriteProcessMemory
    PID:1436
    • C:\Windows\System32\certutil.exe
      "C:\Windows\System32\certutil.exe" -decode -f "C:\Users\Admin\AppData\Roaming\travessao\registrou" "C:\Users\Admin\AppData\Roaming\travessao\aconselhais.exe"
      2⤵
        PID:956
      • C:\Windows\System32\certutil.exe
        "C:\Windows\System32\certutil.exe" -decode -f "C:\Users\Admin\AppData\Roaming\travessao\doutro" "C:\Users\Admin\AppData\Roaming\travessao\espantou"
        2⤵
          PID:1640
        • C:\Users\Admin\AppData\Roaming\travessao\aconselhais.exe
          "C:\Users\Admin\AppData\Roaming\travessao\aconselhais.exe" "C:\Users\Admin\AppData\Roaming\travessao\espantou"
          2⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Accesses Microsoft Outlook profiles
          • NTFS ADS
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SendNotifyMessage
          • outlook_office_path
          • outlook_win_path
          PID:268

      Network

      MITRE ATT&CK Enterprise v6

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\sqlite3.dll
        Filesize

        858KB

        MD5

        c7719f774bb859240eb6dfa91a1f10be

        SHA1

        be1461e770333eb13e0fe66d378e3fac4f1112b5

        SHA256

        b3ce811fb696b94f9117ee7fe725ae6b907d695636beceeb1672d5d5eeb81df4

        SHA512

        8a561e927a7a65f5211c76b488bed2a3cc0525ecd9775d25e1863b52ff532349c125b76a51eb63ea2e4479a567e8fac6b8ae38b7fd1970bad2556befe9e3b529

        Download Submit

      • C:\Users\Admin\AppData\Roaming\travessao\aconselhais.exe
        Filesize

        925KB

        MD5

        0adb9b817f1df7807576c2d7068dd931

        SHA1

        4a1b94a9a5113106f40cd8ea724703734d15f118

        SHA256

        98e4f904f7de1644e519d09371b8afcbbf40ff3bd56d76ce4df48479a4ab884b

        SHA512

        883aa88f2dba4214bb534fbdaf69712127357a3d0f5666667525db3c1fa351598f067068dfc9e7c7a45fed4248d7dca729ba4f75764341e47048429f9ca8846a

        Download Submit

      • C:\Users\Admin\AppData\Roaming\travessao\aconselhais.exe
        Filesize

        925KB

        MD5

        0adb9b817f1df7807576c2d7068dd931

        SHA1

        4a1b94a9a5113106f40cd8ea724703734d15f118

        SHA256

        98e4f904f7de1644e519d09371b8afcbbf40ff3bd56d76ce4df48479a4ab884b

        SHA512

        883aa88f2dba4214bb534fbdaf69712127357a3d0f5666667525db3c1fa351598f067068dfc9e7c7a45fed4248d7dca729ba4f75764341e47048429f9ca8846a

        Download Submit

      • C:\Users\Admin\AppData\Roaming\travessao\doutro
        Filesize

        249KB

        MD5

        1b7aba48391f0c6bad5758c9680e0128

        SHA1

        96dec9950283fa002d24b79365be0e31cab4784e

        SHA256

        98584d7c7c2eb7de15bdc3e95160b52e26b528adaabf1829b15a97f8c5830cd8

        SHA512

        7f278d91374becae9b494e5b1d5b975d30e84a4731ae861970f0cd0bf0653a61f07cd2c2daff4e64210a5ebb7b025112f4700b7f3b65a73c501729df2c892268

        Download Submit

      • C:\Users\Admin\AppData\Roaming\travessao\espantou
        Filesize

        184KB

        MD5

        f92adc7a937b59f1d0e8f2d4077e061e

        SHA1

        e98a212b15ae0da42f11949c92c6608089c6178d

        SHA256

        748798fb76a7b331e0215ad511466448c9890432706b6c652f3ee577f278500e

        SHA512

        412f004e93b9773a450fd758709b903d39ab8a1655f2f4bbc2b5f7d09f2d1afa295f5de59b1c83c8f7c7fa767e35dfc65948c2a5f468efb71179f2491c89b0f4

        Download Submit

      • C:\Users\Admin\AppData\Roaming\travessao\registrou
        Filesize

        1.2MB

        MD5

        1bb1f0b298d49268706daa4611a6e105

        SHA1

        19cc7dd4f57b36338f2beaf8044d198273fe0039

        SHA256

        2cb6b097df5c08e2798836aa48287c8ab77761a54b943194c4076f532eb5f658

        SHA512

        6d604100678388fd42e3ebed30fa93334defc5ff3c6a6b9b166310fc4b7220f751f822952edbf3af2d23dbfb87d5b0a5d3abd544556ccf38e8ef46dc144b161f

        Download Submit

      • \Users\Admin\AppData\Local\Temp\sqlite3.dll
        Filesize

        858KB

        MD5

        c7719f774bb859240eb6dfa91a1f10be

        SHA1

        be1461e770333eb13e0fe66d378e3fac4f1112b5

        SHA256

        b3ce811fb696b94f9117ee7fe725ae6b907d695636beceeb1672d5d5eeb81df4

        SHA512

        8a561e927a7a65f5211c76b488bed2a3cc0525ecd9775d25e1863b52ff532349c125b76a51eb63ea2e4479a567e8fac6b8ae38b7fd1970bad2556befe9e3b529

        Download Submit

      • \Users\Admin\AppData\Local\Temp\sqlite3.dll
        Filesize

        858KB

        MD5

        c7719f774bb859240eb6dfa91a1f10be

        SHA1

        be1461e770333eb13e0fe66d378e3fac4f1112b5

        SHA256

        b3ce811fb696b94f9117ee7fe725ae6b907d695636beceeb1672d5d5eeb81df4

        SHA512

        8a561e927a7a65f5211c76b488bed2a3cc0525ecd9775d25e1863b52ff532349c125b76a51eb63ea2e4479a567e8fac6b8ae38b7fd1970bad2556befe9e3b529

        Download Submit