Analysis
max time kernel: 149s
max time network: 130s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 13/06/2024, 01:42
Static task: static1
Behavioral task: behavioral1
  Sample: CanadaPost.vbs
  Resource: win7-20240611-en
Behavioral task: behavioral2 (the win10v2004-20240508-en run whose results are reported below)
  Sample: CanadaPost.vbs
  Resource: win10v2004-20240508-en
General
Target: CanadaPost.vbs
Size: 992KB
MD5: 96c5986b404a8c6e6de74d0cfb8378e3
SHA1: 4d1da67b3435078a52b93fb152cd0fdeb961e9df
SHA256: 09d140195418ed9897b3e54c59eb4f3a4b400d3334c59d5e531ae33e41cfd417
SHA512: c6177c267998a221a5b2216f88adc99e6f58bd14aef5aaadd2b3ad05a302112750fda3cd9031e523f31fbd1d7af5a09c3582787e43a2b2c2e00de39bb5e24ca3
SSDEEP: 6144:bCJ1K7dEWn1Tm3dKRZObCHTiR5hejeGyWuMEV9ZOLEJ77DXWtE8dPbnsch48T88m:/MsFAAa4esRzuhX
Malware Config
Signatures

Blocklisted process makes network request (4 IoCs)
  flow  pid   process
  3     3148  WScript.exe
  10    3148  WScript.exe
  13    3148  WScript.exe
  14    3148  WScript.exe

Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence.
  description: Key value queried
  ioc: \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation
  process: WScript.exe

Adds Run key to start application (2 TTPs, 2 IoCs)
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ARSv5 = "C:\\Users\\Admin\\AppData\\Roaming\\jwNfQwRWXjqVQOaZcSYkamfRK.vbs"
  process: powershell.exe

  description: Set value (str)
  ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ARSv5 = "C:\\Users\\Admin\\AppData\\Roaming\\jwNfQwRWXjqVQOaZcSYkamfRK.vbs"
  process: powershell.exe
Both the per-user (HKCU) and the machine-wide (HKLM) Run values point at the same copy of the script under AppData\Roaming, so cleaning only one of the two keys leaves the persistence in place.

Command and Scripting Interpreter: PowerShell (6 IoCs)
  pid   process
  4860  powershell.exe
  384   powershell.exe
  856   powershell.exe
  3344  powershell.exe
  1632  powershell.exe
  5008  powershell.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Suspicious behavior: EnumeratesProcesses (64 IoCs, counted per pid)
  pid   process         events
  4860  powershell.exe  2
  384   powershell.exe  2
  856   powershell.exe  2
  3344  powershell.exe  2
  1632  powershell.exe  30
  5008  powershell.exe  26

Suspicious use of AdjustPrivilegeToken (6 IoCs)
  description              pid   process
  Token: SeDebugPrivilege  4860  powershell.exe
  Token: SeDebugPrivilege  384   powershell.exe
  Token: SeDebugPrivilege  856   powershell.exe
  Token: SeDebugPrivilege  3344  powershell.exe
  Token: SeDebugPrivilege  1632  powershell.exe
  Token: SeDebugPrivilege  5008  powershell.exe

Suspicious use of WriteProcessMemory (12 IoCs; each write is recorded twice)
  description                          pid   process         procid_target
  PID 3148 wrote to memory of 4860     3148  WScript.exe     86
  PID 3148 wrote to memory of 384      3148  WScript.exe     88
  PID 3148 wrote to memory of 856      3148  WScript.exe     91
  PID 3148 wrote to memory of 3344     3148  WScript.exe     93
  PID 3148 wrote to memory of 1632     3148  WScript.exe     95
  PID 1632 wrote to memory of 5008     1632  powershell.exe  97
Processes

Net effect of the tree below: WScript.exe runs the sample, copies it to AppData\Roaming under a random name, registers that copy under both the HKCU and HKLM Run keys, and launches two further PowerShell stages (9ZXSD69X1NMFTKPF9I5B0ZPOO.ps1 and arsguarded.ps1, the latter re-launched once from within PowerShell) with the execution policy set to Unrestricted.

C:\Windows\System32\WScript.exe  (PID 3148)
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\CanadaPost.vbs"
  - Blocklisted process makes network request
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory

  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  (PID 4860, child of 3148)
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command Copy-Item -Path "C:\Users\Admin\AppData\Local\Temp\CanadaPost.vbs" -Destination "C:\Users\Admin\AppData\Roaming\jwNfQwRWXjqVQOaZcSYkamfRK.vbs"
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  (PID 384, child of 3148)
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ep unrestricted -file "C:\Users\Admin\AppData\Roaming\9ZXSD69X1NMFTKPF9I5B0ZPOO.ps1"
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  (PID 856, child of 3148)
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command New-ItemProperty -Path HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run -Name ARSv5 -PropertyType String -Value C:\Users\Admin\AppData\Roaming\jwNfQwRWXjqVQOaZcSYkamfRK.vbs
    - Adds Run key to start application
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  (PID 3344, child of 3148)
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command New-ItemProperty -Path HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run -Name ARSv5 -PropertyType String -Value C:\Users\Admin\AppData\Roaming\jwNfQwRWXjqVQOaZcSYkamfRK.vbs
    - Adds Run key to start application
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  (PID 1632, child of 3148)
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ep unrestricted -file "C:\Users\Admin\AppData\Roaming\arsguarded.ps1"
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  (PID 5008, child of 1632)
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ep unrestricted -file "C:\Users\Admin\AppData\Roaming\arsguarded.ps1"
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
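Detection logic for the chain this report records (a script host launching PowerShell, PowerShell running scripts from AppData\Roaming with the execution policy set to Unrestricted, a Run value in both HKCU and HKLM pointing at the copied .vbs, and the Geo\Nation registry read), written as an added Python example that is not part of the tria.ge report. The process and registry records are constructed from the report's process tree and IoCs; the records for pids 7000 and 9000 are invented benign controls to show the rules stay quiet on ordinary PowerShell and Run-key use, and the field names (pid, ppid, image, cmdline, op, key, value) are an assumed generic Sysmon-like shape rather than any particular EDR schema.

```python
"""Rule-based detection for the behaviour chain in this report.

Added example, not part of the tria.ge report. Records are constructed from the
report's process tree and registry IoCs; the pid 7000/9000 records are invented
benign controls. Field names are an assumed generic Sysmon-like shape.
"""
import re
from collections import namedtuple

ProcEvent = namedtuple("ProcEvent", "pid ppid image cmdline")
RegEvent = namedtuple("RegEvent", "pid image op key value")

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
SHELLS = {"powershell.exe", "pwsh.exe"}
RUN_KEY_RE = re.compile(r"\\software\\microsoft\\windows\\currentversion\\run\\", re.I)
USER_WRITABLE_RE = re.compile(r"\\appdata\\(roaming|local)\\", re.I)
SCRIPT_EXT_RE = re.compile(r"\.(vbs|vbe|js|jse|ps1|hta|bat|cmd)\b", re.I)
EP_BYPASS_RE = re.compile(r"-(ep|exec|executionpolicy)\s+(unrestricted|bypass)\b", re.I)
GEO_NATION_RE = re.compile(r"\\control panel\\international\\geo\\nation$", re.I)


def basename(path):
    """Last path component, case preserved ("C:\\...\\WScript.exe" -> "WScript.exe")."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1]


def ancestry(proc_events, pid):
    """Image names from the outermost known ancestor down to pid (root first)."""
    by_pid = {e.pid: e for e in proc_events}
    chain = []
    while pid in by_pid:
        chain.append(basename(by_pid[pid].image))
        pid = by_pid[pid].ppid
    return chain[::-1]


def detect(proc_events, reg_events):
    """Return (rule, pid, detail) for every record that fires a rule."""
    by_pid = {e.pid: e for e in proc_events}
    findings = []
    for e in proc_events:
        child = basename(e.image).lower()
        parent = by_pid.get(e.ppid)
        # Rule 1: a script host (WScript/CScript/mshta) spawning PowerShell.
        if parent and basename(parent.image).lower() in SCRIPT_HOSTS and child in SHELLS:
            findings.append(("script_host_spawns_powershell", e.pid, basename(parent.image)))
        # Rule 2: PowerShell relaxing the execution policy to run a script that
        # lives in a user-writable location (AppData\Roaming or AppData\Local).
        if child in SHELLS and EP_BYPASS_RE.search(e.cmdline) and USER_WRITABLE_RE.search(e.cmdline):
            findings.append(("powershell_ep_bypass_userwritable_script", e.pid, e.cmdline))
    for r in reg_events:
        value = r.value or ""
        # Rule 3: a Run value (HKCU or HKLM) pointing at a script under AppData.
        if r.op == "set" and RUN_KEY_RE.search(r.key) and USER_WRITABLE_RE.search(value) and SCRIPT_EXT_RE.search(value):
            findings.append(("run_key_points_to_script_in_appdata", r.pid, r.key))
        # Rule 4: a script host or shell reading the configured country (geofencing).
        if r.op == "query" and GEO_NATION_RE.search(r.key) and basename(r.image).lower() in SCRIPT_HOSTS | SHELLS:
            findings.append(("script_host_reads_geo_nation", r.pid, r.key))
    return findings


WSCRIPT = r"C:\Windows\System32\WScript.exe"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
APPDATA = r"C:\Users\Admin\AppData\Roaming"
DROPPED = APPDATA + r"\jwNfQwRWXjqVQOaZcSYkamfRK.vbs"
SID = r"\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000"
RUN = r"\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ARSv5"

# Constructed from the report's process tree (ppid 1234 stands in for the launching shell).
SAMPLE_PROCS = [
    ProcEvent(3148, 1234, WSCRIPT, f'"{WSCRIPT}" "C:\\Users\\Admin\\AppData\\Local\\Temp\\CanadaPost.vbs"'),
    ProcEvent(4860, 3148, PS, f'"{PS}" -command Copy-Item -Path "C:\\Users\\Admin\\AppData\\Local\\Temp\\CanadaPost.vbs" -Destination "{DROPPED}"'),
    ProcEvent(384, 3148, PS, f'"{PS}" -ep unrestricted -file "{APPDATA}\\9ZXSD69X1NMFTKPF9I5B0ZPOO.ps1"'),
    ProcEvent(856, 3148, PS, f'"{PS}" -command New-ItemProperty -Path HKCU:\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run -Name ARSv5 -PropertyType String -Value {DROPPED}'),
    ProcEvent(3344, 3148, PS, f'"{PS}" -command New-ItemProperty -Path HKLM:\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run -Name ARSv5 -PropertyType String -Value {DROPPED}'),
    ProcEvent(1632, 3148, PS, f'"{PS}" -ep unrestricted -file "{APPDATA}\\arsguarded.ps1"'),
    ProcEvent(5008, 1632, PS, f'"{PS}" -ep unrestricted -file "{APPDATA}\\arsguarded.ps1"'),
    # Invented benign control: admin tooling run from Program Files, no policy bypass.
    ProcEvent(7000, 1234, PS, f'"{PS}" -file "C:\\Program Files\\Tooling\\inventory.ps1"'),
]

# Constructed from the report's registry IoCs, plus one invented benign Run value.
SAMPLE_REGS = [
    RegEvent(3148, WSCRIPT, "query", SID + r"\Control Panel\International\Geo\Nation", None),
    RegEvent(856, PS, "set", SID + RUN, DROPPED),
    RegEvent(3344, PS, "set", r"\REGISTRY\MACHINE" + RUN, DROPPED),
    RegEvent(9000, r"C:\Windows\explorer.exe", "set",
             SID + r"\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDrive",
             r"C:\Program Files\Microsoft OneDrive\OneDrive.exe"),
]

if __name__ == "__main__":
    print(" > ".join(ancestry(SAMPLE_PROCS, 5008)))
    for rule, pid, detail in detect(SAMPLE_PROCS, SAMPLE_REGS):
        print(f"{rule:42} pid={pid:<5} {detail}")
```

Rule 1 keys on the parent/child relationship rather than on the command line, so it also catches the WScript-to-PowerShell hop when the PowerShell arguments are obfuscated; rule 2 deliberately requires both the policy override and a user-writable path, so an administrator running a signed script from Program Files with -ep bypass does not fire it. Rule 3 is the one to keep an eye on for false positives: some legitimate installers register a .bat or .cmd under AppData, so in production it is best paired with the process ancestry rather than used alone.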
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 2KB
MD5: 6cf293cb4d80be23433eecf74ddb5503
SHA1: 24fe4752df102c2ef492954d6b046cb5512ad408
SHA256: b1f292b6199aa29c7fafbca007e5f9e3f68edcbbca1965bc828cc92dc0f18bb8
SHA512: 0f91e2da0da8794b9797c7b50eb5dfd27bde4546ceb6902a776664ce887dd6f12a0dd8773d612ccc76dfd029cd280778a0f0ae17ce679b3d2ffd968dd7e94a00

Filesize: 64B
MD5: 367b1c81198bfdcdba813c2c336627a3
SHA1: 37fe6414eafaaed4abb91c1aafde62c5b688b711
SHA256: 1141e163d84d5ef0038593c866647f27c55510de2147dc1578130e518a22cced
SHA512: e0493957e6602efb156d372e5e66147056f6e3c2e01996ba9b4e04f82b2b1e4c7236d0e3681dce9ab4911a62546b6a141f1ae731de6e8184e758caf120cf594b

Filesize: 1KB
MD5: 4725b0a7fb8936b5dc7e17258640b730
SHA1: 15ce498309e81e61167045dc5461311cee1a37e8
SHA256: 679695e9cce9b9348f537e4a5393c0c2f89896506234826c30bd08b600d630b9
SHA512: 33de39066d210f0c4fafa25350c6d839530fe0ca79a7a63e4592eb87f72fe260ffdf43f89a1adbcb2054bf378166d8825ec823c318d4d2af64e31cd1aff6f42f

Filesize: 64B
MD5: 235a8eb126d835efb2e253459ab8b089
SHA1: 293fbf68e6726a5a230c3a42624c01899e35a89f
SHA256: 5ffd4a816ae5d1c1a8bdc51d2872b7dd99e9c383c88001d303a6f64a77773686
SHA512: a83d17203b581491e47d65131e1efc8060ff04d1852e3415fc0a341c6a9691ef9f4cf4dd29d2f6d0032a49f2ba4bd36c35b3f472f0ce5f78f4bb139124760e92

Filesize: 64B
MD5: 446dd1cf97eaba21cf14d03aebc79f27
SHA1: 36e4cc7367e0c7b40f4a8ace272941ea46373799
SHA256: a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf
SHA512: a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7

Filesize: 60B
MD5: d17fe0a3f47be24a6453e9ef58c94641
SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Filesize: 1KB
MD5: 169c9c7b67ebcb07c14f64f6f2e5352e
SHA1: c255e575564b6b963aba03b4ae03a9addcfbc177
SHA256: c6a718c05967e8afb26b7093debecba788986bacacbe6f8a1660ededcc85c6b1
SHA512: 69584d79bb9d8e92bc1024ada7a920511c4b8dd3a09f8d5b717b69863629c603da5acb1b56073daf667f52ffedc2b809f7b719fba8cd6900e688c47a72f26c7e

Filesize: 874B
MD5: 8753eddd386bc6f0a95c814d2d84a8d9
SHA1: 6a00b8217a0f87e0dd56d1c0c1f72dcf2a6e14ab
SHA256: 682c5e9a2d08cb4679fdf63b387c0640f9ec7e5121a467c48d8db365873043c7
SHA512: aeef2730cd9cf9413813682574fadcc31c22783aa3ace0163186d8746957fb329b17cb619c74b0ddd72cce4753f1ae199877ac248e0b3ea85795abd235c0f591

Filesize: 429KB
MD5: 68b4da093e862ffc4027d35e9620d32c
SHA1: d8435d664f408bd40cffa29411a8ca262ea1502f
SHA256: ca944183e4f037f1b87429ad4f4307296b34cd2dc715bc6584ef4029ef89c992
SHA512: 8afd1ddf67f07055320b924db7c5a73285e6a010906ca813b7515e41e3e2902094df45de8e708999ab3495caf933c9b7d4cc3e3370bbd05f5132b0f846980bd4