Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
62s -
max time network
97s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
-
submitted
27/09/2024, 19:20
General
-
Target
run.vbs
-
Size
1KB
-
MD5
52dd0a45a3abaf8dc585733e7f654648
-
SHA1
4081911ef9387b2b5eecaabe05e806d032137fc5
-
SHA256
2c4de5228f97d560ab2d045eef0c1b86ace78e9a024dab56712dff5987c5549b
-
SHA512
2dac2003dca661c7bbb2f7fd578d254eb74c6e6de62acee47865c3849839fa20bb4941eb105d8e5f456e48e8551116d430c0941a108fee5a7e9fc9f2ff237297
Malware Config
Signatures
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Credentials from Password Stores: Windows Credential Manager 1 TTPs
Suspicious access to Credentials History.
-
Deletes itself 1 IoCs
-
Modifies file permissions 1 TTPs 2 IoCs
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Browser Information Discovery 1 TTPs
Enumerate browser information.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious use of WriteProcessMemory 4 IoCs
Processes
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\run.vbs"1⤵
- Checks computer location settings
- Deletes itself
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /f C:\Windows\System32\*.exe && icacls C:\Windows\System32\*.exe /grant everyone:(F)2⤵
- Modifies file permissions
-
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /f C:\* && icacls C:\* /grant everyone:(F)2⤵
- Modifies file permissions
-
Network
MITRE ATT&CK Enterprise v15
Credential Access
Credentials from Password Stores
2Credentials from Web Browsers
1Windows Credential Manager
1Unsecured Credentials
1Credentials In Files
1