Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    147s
  • max time network
    216s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
  • submitted
    31/12/2023, 05:32

General

  • Target

    2a23d366eaa6cdcb72d415d1dc347578.vbs

  • Size

    597B

  • MD5

    2a23d366eaa6cdcb72d415d1dc347578

  • SHA1

    edc65d2d2e185d348281b1063968aa460021bda9

  • SHA256

    ad0e18f071961a8a2f6dcb45ce09ed10b7946e857acc2686d35ba8f260d33e3d

  • SHA512

    845b40710820802f8a0ee5b6aa698d6248fd2d4a7bbc5907d459a9f1e9f037f9332b494b097deed06f4671148aa13f957b809e3607badd8dabd17a08f5f5d39f

Score
7/10

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies data under HKEY_USERS 15 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2a23d366eaa6cdcb72d415d1dc347578.vbs"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:2340
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c shutdown -r -t 10 -c "½Ð¸ç£¬²»½Ð¸ç¾Í¹ØÄã»ú£¬²»ÐÅ£¬ÊÔÊÔ¡¤¡¤¡¤"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3040
      • C:\Windows\system32\shutdown.exe
        shutdown -r -t 10 -c "½Ð¸ç£¬²»½Ð¸ç¾Í¹ØÄã»ú£¬²»ÐÅ£¬ÊÔÊÔ¡¤¡¤¡¤"
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:3660
  • C:\Windows\system32\LogonUI.exe
    "LogonUI.exe" /flags:0x4 /state0:0xa3997055 /state1:0x41c64e6d
    1⤵
    • Modifies data under HKEY_USERS
    • Suspicious use of SetWindowsHookEx
    PID:776

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads