Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
147s -
max time network
154s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system -
submitted
20/06/2024, 11:13
Static task
static1
Behavioral task
behavioral1
Sample
file.vbs
Resource
win7-20240611-en
Behavioral task
behavioral2
Sample
file.vbs
Resource
win10v2004-20240508-en
General
-
Target
file.vbs
-
Size
257B
-
MD5
28b95d6abebeab4350a49d2001fb94da
-
SHA1
855b275019cf525292d250bbdafaf44be53cb9d6
-
SHA256
bfdee5c9ef2b8f526e703c231d7fad299efaf783357c33ee8428ff0db79e81c0
-
SHA512
217c341c3949002c3a63845540ea982a880d97bf0a5c56e44db637a53dbde333087c3892ad19da91495948b697da5570f97426ac98d125b6ec87b67200de5f6d
Malware Config
Signatures
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation WScript.exe Key value queried \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation cmd.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies registry class 1 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings cmd.exe -
Suspicious use of WriteProcessMemory 6 IoCs
description pid Process procid_target PID 2980 wrote to memory of 4220 2980 WScript.exe 81 PID 2980 wrote to memory of 4220 2980 WScript.exe 81 PID 2980 wrote to memory of 3748 2980 WScript.exe 83 PID 2980 wrote to memory of 3748 2980 WScript.exe 83 PID 3748 wrote to memory of 2296 3748 cmd.exe 85 PID 3748 wrote to memory of 2296 3748 cmd.exe 85
Processes
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\file.vbs"1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2980 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c echo x=msgbox("Your computer has been infected!", 16, "Virus Alert") > C:\Users\Admin\AppData\Local\Temp\virus.vbs2⤵PID:4220
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\virus.vbs2⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3748 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\virus.vbs"3⤵PID:2296
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
66B
MD527bed2caaf350e764969b0f4a0b7122c
SHA179887878f5cd9445bd22808310815b5063fe418c
SHA25652fac398d5b66601f65dab0ed58b77dcf369c0726ae2d4a99993fc5a3f533bdb
SHA512b4dd82f5b037aa8492d26b7f8434742d045f73a25ccdba80c6b13c62fa320932c37af56d124ae28887767d9b604758ac6ccd2180dce702593e04c99f9b827275