Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

8

Static

static

1

Essay on R...ms.vbs

windows7-x64

8

Essay on R...ms.vbs

windows10-1703-x64

8

Essay on R...ms.vbs

windows10-2004-x64

8

Essay on R...ms.vbs

windows11-21h2-x64

8

Resubmissions

20/04/2024, 06:42

240420-hgtw9sbe31 8

20/04/2024, 06:23

240420-g5gfeabc2y 8

Analysis

  • max time kernel
    241s
  • max time network
    275s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240412-en
  • resource tags

    arch:x64arch:x86image:win11-20240412-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    20/04/2024, 06:42

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Essay on Resolution of Korean Forced Labor Claims.vbs

  • Size

    27KB

  • MD5

    75ec9f68a5b62705c115db5119a78134

  • SHA1

    6209f948992fd18d4fc6fc6f89d9815369ac8931

  • SHA256

    ec9cc1940fe395867f5bab06016920f7194d753ae8cfa331bea0a44ecc8ef7cf

  • SHA512

    82a0d96640390b8ffdcecd34fc1ae1663c84a299448a5af02b24bf9b9e1fdd19954ceeeea555808a57fcdc452b2b6e598338f11bb0c7101b34934a8ec7bf1780

  • SSDEEP

    384:mrquVS33hr8nIsbSQVwooRmB7+shi14PdSkNk0dRL3K2fJ+QIHBR:mugSBrwIBQVwoI8dSMdBa2fGj

Score
8/10

Malware Config

Signatures

  • Blocklisted process makes network request 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 12 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs
  • Suspicious use of FindShellTrayWindow 25 IoCs
  • Suspicious use of SendNotifyMessage 12 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Essay on Resolution of Korean Forced Labor Claims.vbs"
    1⤵
    • Blocklisted process makes network request
    • Suspicious use of WriteProcessMemory
    PID:1644
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c explorer "https://makeoversalon.net.in/wp-content/plugins/wp-custom-taxonomy-image/iiri/share.docx"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1956
      • C:\Windows\explorer.exe
        explorer "https://makeoversalon.net.in/wp-content/plugins/wp-custom-taxonomy-image/iiri/share.docx"
        3⤵
          PID:4544
    • C:\Windows\explorer.exe
      C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
      1⤵
      • Suspicious use of WriteProcessMemory
      PID:3804
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://makeoversalon.net.in/wp-content/plugins/wp-custom-taxonomy-image/iiri/share.docx
        2⤵
        • Enumerates system info in registry
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        • Suspicious use of WriteProcessMemory
        PID:2836
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffd42be3cb8,0x7ffd42be3cc8,0x7ffd42be3cd8
          3⤵
            PID:1372
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1856,14832185898251107777,5227339259610177367,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1864 /prefetch:2
            3⤵
              PID:764
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1856,14832185898251107777,5227339259610177367,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2376 /prefetch:3
              3⤵
              • Suspicious behavior: EnumeratesProcesses
              PID:2092
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1856,14832185898251107777,5227339259610177367,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2620 /prefetch:8
              3⤵
                PID:4864
              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1856,14832185898251107777,5227339259610177367,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3268 /prefetch:1
                3⤵
                  PID:4172
                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1856,14832185898251107777,5227339259610177367,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3288 /prefetch:1
                  3⤵
                    PID:3740
                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1856,14832185898251107777,5227339259610177367,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3940 /prefetch:1
                    3⤵
                      PID:4348
                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1856,14832185898251107777,5227339259610177367,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4068 /prefetch:1
                      3⤵
                        PID:4268
                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1856,14832185898251107777,5227339259610177367,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3936 /prefetch:8
                        3⤵
                        • Suspicious behavior: EnumeratesProcesses
                        PID:3608
                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1856,14832185898251107777,5227339259610177367,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4072 /prefetch:1
                        3⤵
                          PID:4596
                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1856,14832185898251107777,5227339259610177367,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5252 /prefetch:1
                          3⤵
                            PID:4736
                          • C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
                            "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1856,14832185898251107777,5227339259610177367,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5612 /prefetch:8
                            3⤵
                            • Suspicious behavior: EnumeratesProcesses
                            PID:992
                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1856,14832185898251107777,5227339259610177367,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=3852 /prefetch:2
                            3⤵
                            • Suspicious behavior: EnumeratesProcesses
                            PID:1656
                      • C:\Windows\System32\CompPkgSrv.exe
                        C:\Windows\System32\CompPkgSrv.exe -Embedding
                        1⤵
                          PID:2152
                        • C:\Windows\System32\CompPkgSrv.exe
                          C:\Windows\System32\CompPkgSrv.exe -Embedding
                          1⤵
                            PID:2424

                          Network

                          MITRE ATT&CK Enterprise v15

                          Replay Monitor

                          Loading Replay Monitor...

                          Downloads

                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
                            Filesize

                            152B

                            MD5

                            0fcda4fac8ec713700f95299a89bc126

                            SHA1

                            576a818957f882dc0b892a29da15c4bb71b93455

                            SHA256

                            f7a257742d3a6e6edd16ac8c4c4696d4bdf653041868329461444a0973e71430

                            SHA512

                            ab350ca508c412ff860f82d25ac7492afb3baf4a2827249ebc7ec9632ee444f8f0716389f0623afc0756f395cf00d7a90a0f89b360acdf72b1befe34eecb5986

                            Download Submit

                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
                            Filesize

                            152B

                            MD5

                            21986fa2280bae3957498a58adf62fc2

                            SHA1

                            d01ad69975b7dc46eba6806783450f987fa2b48d

                            SHA256

                            c91d76b0f27ccea28c4f5f872dee6a98f2d37424ef0b5f188af8c6757090cbb5

                            SHA512

                            ae9ba1abe7def7f6924d486a58427f04a02af7dd82aa3a36c1ed527a23ec7897f00b0e30f22529e9599ae2db88e8abc7ba8013b426885aa3c961ee74678455f1

                            Download Submit

                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
                            Filesize

                            498B

                            MD5

                            d9a4069147eda85efebb239ac0ab0b43

                            SHA1

                            5f2e5e906d980417b06c1eefd126e35d8b12e754

                            SHA256

                            08ae5ab00e602ebfb0fd533ea03eb337942df45fb05ab0e43d3dd7ecb665ba0c

                            SHA512

                            a5370396ecbedcce98a3e84af7332ce08d53ff83c0e97ae36ae9f2a98e504104f67208ce006580c2fd29754552b39d74b707b7426b7c88a176979c014b4ed24a

                            Download Submit

                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
                            Filesize

                            5KB

                            MD5

                            76b480b2e0e3b42b456223b7a799a34a

                            SHA1

                            e9b776fe6f99f3c7bd7f08d0632bd44948ecd807

                            SHA256

                            a1992889c9c3d96da3e186d50c6b38e89e35420230f0244bd08987b73dcdf99b

                            SHA512

                            afe2c8f586de32b42c92fcfcccf40d21db7f617d6582de12cf6fc86214cce7a1312666958996d3202b15c50e0c6c6c8e1ae88048a8473e866dfbf5f65c6d4b91

                            Download Submit

                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
                            Filesize

                            6KB

                            MD5

                            10da995855ecdb5edbd4f16a477330ac

                            SHA1

                            378f7a7acaca3da56360719cbca6785f9c176b0c

                            SHA256

                            8b4d1eccdf2d5bc04657d5d6a7aac590dde924073076946b6fa25168f0244028

                            SHA512

                            a35078caac06185fdcc295eb6a2ce347ee14a53444a4e7363b6dd1cf9c1b71cf9c59b2dde4240ca74c860288042b969b99ece7ff02f4580d8306adee736dc6e1

                            Download Submit

                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
                            Filesize

                            16B

                            MD5

                            6752a1d65b201c13b62ea44016eb221f

                            SHA1

                            58ecf154d01a62233ed7fb494ace3c3d4ffce08b

                            SHA256

                            0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

                            SHA512

                            9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

                            Download Submit

                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
                            Filesize

                            11KB

                            MD5

                            da7c30b2726c0316742a5836d5ce80b3

                            SHA1

                            1323123429abb0856675cce750b147e6c855c162

                            SHA256

                            71f575319e2e6289a4950d2655dfdf1bc3894a4627a998d13e529698c0df524c

                            SHA512

                            4965e873650d2d6fd16d21c34172144dd5dd69e4d145f3db38d7d56e9baeebe157f38980134cbd4006c0a1ca8f3c9a48817ea38bfe032fa0c2b883a6b31d4ee7

                            Download Submit