Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    121s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20240705-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240705-en, locale:en-us, os:windows7-x64, system
  • submitted
    19/08/2024, 13:29

General

  • Target

    Remittance Advice.vbs

  • Size

    1.5MB

  • MD5

    6bd142a5c2cb38a2bcf50811b39a90cf

  • SHA1

    dc6311e5e2dc00c74d80c0cbe7287c5f206744ac

  • SHA256

    3f80d6ff7a276e68731118c6021ee6c5ac84ed0f2c4a7cf2031f549e2130df97

  • SHA512

    845fa1fdf22683e2d8b35b17622c914a75c94af5943ac2476288ea1b9368fe95bc75b38506f4145b32cdd5aab16532050db5a40af9cb73745398fc096acb1f35

  • SSDEEP

    24576:HE6rtaRsFIhaLFJfCF9MSStwCv7FaBb2PJUMKh3a+3PSCZhau5TqFOe1B:NwQC00BCy9zJY3z

Score
8/10

Malware Config

Signatures

  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

  • Executes dropped EXE 1 IoCs
  • Uses the VBS compiler for execution 1 TTPs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 13 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 36 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Remittance Advice.vbs"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3028
    • C:\Users\Admin\AppData\Local\Temp\x.exe
      "C:\Users\Admin\AppData\Local\Temp\x.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2456
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\x.exe"
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2700
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\aeZVqqCgfhag.exe"
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2760
      • C:\Windows\SysWOW64\schtasks.exe
        "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\aeZVqqCgfhag" /XML "C:\Users\Admin\AppData\Local\Temp\tmp36F8.tmp"
        3⤵
        • System Location Discovery: System Language Discovery
        • Scheduled Task/Job: Scheduled Task
        PID:2660
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        3⤵
        PID:2560
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        3⤵
        PID:2620
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        3⤵
        PID:2996
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        3⤵
        PID:3000
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        3⤵
        PID:2600

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\tmp36F8.tmp

    Filesize

    1KB

    MD5

    da9c436ce608003848b77e9dc0a38c6e

    SHA1

    dbc4c61efd04e796646c57752ac905df521b9581

    SHA256

    8c8435f9ac6cff29385024bbcaecf87ca566a5c35c9caf24769c8a9e1de878c4

    SHA512

    94aafada351a46568b340cee33a5a162da0220b03543f770390162959ed0c5ecfe88e9fa471c6845c6bf7620a6f5f839ae7f7d68959b3f5e6ca01de6c862d2e7

  • C:\Users\Admin\AppData\Local\Temp\x.exe

    Filesize

    1.0MB

    MD5

    f50c076cefaf9217bff4c4f1aa50b50a

    SHA1

    d083846bbcfee5befaa9359193756d6037a454b0

    SHA256

    8da7bdec3fa3feb571d19c0c02bff613d09274113ce1211ece1405ee35d13b7b

    SHA512

    3bdebcfa15a09f59b4e5e7cd200f8a7c02fe9b0df65ba2ec599a1012b9045f89bc3c1ebc81e69f1b3f0d2777df4e7671572baab0030e8e5b89588f33b32e36fb

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

    Filesize

    7KB

    MD5

    71e62a923393c2ab23ac717804b05a10

    SHA1

    6207b3c6aea6a0df1622e65b1111e9d1f3cccc46

    SHA256

    93fb721378430df6e801d073395a33c4d50409943c120c69209c3780ebe8f9bf

    SHA512

    03f1de8efd49c9e61d647aa0607d584f7d75e5d1c03c9ec6c1adaaafc0dccc2cb142a4d4bf7e22d4056a729becdc1d914517b300145984debe719c4742b00834

  • memory/2456-6-0x000000007441E000-0x000000007441F000-memory.dmp

    Filesize

    4KB

  • memory/2456-7-0x0000000001320000-0x0000000001426000-memory.dmp

    Filesize

    1.0MB

  • memory/2456-8-0x0000000074410000-0x0000000074AFE000-memory.dmp

    Filesize

    6.9MB

  • memory/2456-9-0x0000000000390000-0x00000000003A2000-memory.dmp

    Filesize

    72KB

  • memory/2456-10-0x000000007441E000-0x000000007441F000-memory.dmp

    Filesize

    4KB

  • memory/2456-11-0x0000000074410000-0x0000000074AFE000-memory.dmp

    Filesize

    6.9MB

  • memory/2456-12-0x00000000003E0000-0x00000000003F0000-memory.dmp

    Filesize

    64KB

  • memory/2456-13-0x0000000004DD0000-0x0000000004E90000-memory.dmp

    Filesize

    768KB

  • memory/2456-26-0x0000000074410000-0x0000000074AFE000-memory.dmp

    Filesize

    6.9MB