Analysis

max time kernel: 147s
max time network: 216s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 31/12/2023, 05:32

Static task: static1

Behavioral task: behavioral1
Sample: 2a23d366eaa6cdcb72d415d1dc347578.vbs
Resource: win7-20231215-en

Behavioral task: behavioral2
Sample: 2a23d366eaa6cdcb72d415d1dc347578.vbs
Resource: win10v2004-20231215-en
General

Target: 2a23d366eaa6cdcb72d415d1dc347578.vbs
Size: 597B
MD5: 2a23d366eaa6cdcb72d415d1dc347578
SHA1: edc65d2d2e185d348281b1063968aa460021bda9
SHA256: ad0e18f071961a8a2f6dcb45ce09ed10b7946e857acc2686d35ba8f260d33e3d
SHA512: 845b40710820802f8a0ee5b6aa698d6248fd2d4a7bbc5907d459a9f1e9f037f9332b494b097deed06f4671148aa13f957b809e3607badd8dabd17a08f5f5d39f
Malware Config
Signatures

Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\Control Panel\International\Geo\Nation | WScript.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Modifies data under HKEY_USERS (15 IoCs)
  description | ioc | Process
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808" | LogonUI.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040" | LogonUI.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89" | LogonUI.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0" | LogonUI.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271" | LogonUI.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271" | LogonUI.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1" | LogonUI.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent | LogonUI.exe
  Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00 | LogonUI.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History | LogonUI.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM | LogonUI.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040" | LogonUI.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10" | LogonUI.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1" | LogonUI.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "85" | LogonUI.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description | pid | Process
  Token: SeShutdownPrivilege | 3660 | shutdown.exe
  Token: SeRemoteShutdownPrivilege | 3660 | shutdown.exe

Suspicious use of SetWindowsHookEx (1 IoC)
  pid | Process
  776 | LogonUI.exe

Suspicious use of WriteProcessMemory (4 IoCs)
  description | pid | Process | procid_target
  PID 2340 wrote to memory of 3040 | 2340 | WScript.exe | 93
  PID 2340 wrote to memory of 3040 | 2340 | WScript.exe | 93
  PID 3040 wrote to memory of 3660 | 3040 | cmd.exe | 95
  PID 3040 wrote to memory of 3660 | 3040 | cmd.exe | 95
Processes

C:\Windows\System32\WScript.exe
  Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2a23d366eaa6cdcb72d415d1dc347578.vbs"
  PID: 2340
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory

  C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c shutdown -r -t 10 -c "叫哥，不叫哥就关你机，不信，试试···"
    PID: 3040
    - Suspicious use of WriteProcessMemory

    C:\Windows\system32\shutdown.exe
      Command line: shutdown -r -t 10 -c "叫哥，不叫哥就关你机，不信，试试···"
      PID: 3660
      - Suspicious use of AdjustPrivilegeToken

C:\Windows\system32\LogonUI.exe
  Command line: "LogonUI.exe" /flags:0x4 /state0:0xa3997055 /state1:0x41c64e6d
  PID: 776
  - Modifies data under HKEY_USERS
  - Suspicious use of SetWindowsHookEx