Analysis
- max time kernel: 121s
- max time network: 121s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 04/06/2024, 06:16
Static task: static1
Behavioral task: behavioral1
- Sample: update_task.vbs
- Resource: win7-20240221-en
Behavioral task: behavioral2
- Sample: update_task.vbs
- Resource: win10v2004-20240508-en
General
- Target: update_task.vbs
- Size: 630B
- MD5: bfe9fe92e21ce31902de4ae152744674
- SHA1: 70ea30e26fd362dbb24c43a7bbc0d54bc00a6863
- SHA256: afaeaeaf6c92fea88f20d826a28a0f2bb0124146c91b1f7877de4b89c4133b8f
- SHA512: 09120e6221f23573690760ce00696e7f21f0f6abed5d75fe4e08e0787efb96b7877b083538315f9e2c9087e189e92c8c98a0d516bfbe7aa1381347cc86cf0190
Malware Config
Signatures
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious use of WriteProcessMemory (15 IoCs)
  description                        pid   Process      procid_target
  PID 1952 wrote to memory of 2420   1952  WScript.exe  28
  PID 1952 wrote to memory of 2420   1952  WScript.exe  28
  PID 1952 wrote to memory of 2420   1952  WScript.exe  28
  PID 1952 wrote to memory of 2116   1952  WScript.exe  30
  PID 1952 wrote to memory of 2116   1952  WScript.exe  30
  PID 1952 wrote to memory of 2116   1952  WScript.exe  30
  PID 1952 wrote to memory of 2568   1952  WScript.exe  32
  PID 1952 wrote to memory of 2568   1952  WScript.exe  32
  PID 1952 wrote to memory of 2568   1952  WScript.exe  32
  PID 1952 wrote to memory of 2672   1952  WScript.exe  34
  PID 1952 wrote to memory of 2672   1952  WScript.exe  34
  PID 1952 wrote to memory of 2672   1952  WScript.exe  34
  PID 1952 wrote to memory of 2660   1952  WScript.exe  36
  PID 1952 wrote to memory of 2660   1952  WScript.exe  36
  PID 1952 wrote to memory of 2660   1952  WScript.exe  36
- Views/modifies file attributes (1 TTPs, 2 IoCs)
  pid   Process
  2116  attrib.exe
  2672  attrib.exe
Processes
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\update_task.vbs"
  PID: 1952
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\System32\certutil.exe
    "C:\Windows\System32\certutil.exe" -decode .\e.txt .\PasswordSlip.exe
    PID: 2420
  - C:\Windows\System32\attrib.exe
    "C:\Windows\System32\attrib.exe" +h .\PasswordSlip.exe
    PID: 2116
    Signatures: Views/modifies file attributes
  - C:\Windows\System32\expand.exe
    "C:\Windows\System32\expand.exe" C:\Windows\System32\notepad.exe .
    PID: 2568
  - C:\Windows\System32\attrib.exe
    "C:\Windows\System32\attrib.exe" +h .\notepad.exe
    PID: 2672
    Signatures: Views/modifies file attributes
  - C:\Windows\System32\forfiles.exe
    "C:\Windows\System32\forfiles.exe" /p . /m notepad.exe /c .\PasswordSlip.exe
    PID: 2660
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 189KB
  MD5: f2c7bb8acc97f92e987a2d4087d021b1
  SHA1: 7eb0139d2175739b3ccb0d1110067820be6abd29
  SHA256: 142e1d688ef0568370c37187fd9f2351d7ddeda574f8bfa9b0fa4ef42db85aa2
  SHA512: 2f37a2e503cffbd7c05c7d8a125b55368ce11aad5b62f17aaac7aaf3391a6886fa6a0fd73223e9f30072419bf5762a8af7958e805a52d788ba41f61eb084bfe8