Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
71s -
max time network
79s -
platform
windows11-21h2_x64 -
resource
win11-20250313-en -
resource tags
arch:x64arch:x86image:win11-20250313-enlocale:en-usos:windows11-21h2-x64system -
submitted
23/03/2025, 16:26
Static task
static1
Behavioral task
behavioral1
Sample
GPOscript.rar
Resource
win11-20250313-en
General
-
Target
GPOscript.rar
-
Size
315KB
-
MD5
b8f11fd5f47feb29d3390fbcbfb8f8a8
-
SHA1
a7d1abebf611c6b1df507df045bc09d5defa2235
-
SHA256
a55a1fb322306d1e3052574c5539b2b4ac93a28f4baee165fcc7b0c5facc0d23
-
SHA512
786f36b09385845e43f38e036693bcef6b19aab6b8b9c453f011fd99dc97f2927fe67ffb44797f3f66c999ccf0f9a84c33f4e4f42f87a1cb97d069d174b7f57a
-
SSDEEP
6144:F9aQ54JfOXFCEI0mnidW/rnQJYbjNUTYjIVs2X4DDM0GojCkp+gdiCLa:m044VMKEjnFbj+TWIVs2IDWQhoCa
Malware Config
Signatures
-
Panda Stealer payload 1 IoCs
resource yara_rule behavioral1/files/0x001900000002b085-4.dat family_pandastealer -
PandaStealer
Panda Stealer is a fork of CollectorProject Stealer written in C++.
-
Pandastealer family
-
Executes dropped EXE 3 IoCs
pid Process 2812 script.exe 2280 script.exe 5952 script.exe -
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language script.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language script.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language script.exe -
Suspicious behavior: EnumeratesProcesses 6 IoCs
pid Process 2812 script.exe 2812 script.exe 4300 7zFM.exe 4300 7zFM.exe 4300 7zFM.exe 4300 7zFM.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 4300 7zFM.exe -
Suspicious use of AdjustPrivilegeToken 5 IoCs
description pid Process Token: SeRestorePrivilege 4300 7zFM.exe Token: 35 4300 7zFM.exe Token: SeSecurityPrivilege 4300 7zFM.exe Token: SeSecurityPrivilege 4300 7zFM.exe Token: SeSecurityPrivilege 4300 7zFM.exe -
Suspicious use of FindShellTrayWindow 4 IoCs
pid Process 4300 7zFM.exe 4300 7zFM.exe 4300 7zFM.exe 4300 7zFM.exe -
Suspicious use of WriteProcessMemory 9 IoCs
description pid Process procid_target PID 4300 wrote to memory of 2812 4300 7zFM.exe 82 PID 4300 wrote to memory of 2812 4300 7zFM.exe 82 PID 4300 wrote to memory of 2812 4300 7zFM.exe 82 PID 4300 wrote to memory of 2280 4300 7zFM.exe 85 PID 4300 wrote to memory of 2280 4300 7zFM.exe 85 PID 4300 wrote to memory of 2280 4300 7zFM.exe 85 PID 4300 wrote to memory of 5952 4300 7zFM.exe 86 PID 4300 wrote to memory of 5952 4300 7zFM.exe 86 PID 4300 wrote to memory of 5952 4300 7zFM.exe 86
Processes
-
C:\Program Files\7-Zip\7zFM.exe"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\GPOscript.rar"1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:4300 -
C:\Users\Admin\AppData\Local\Temp\7zOCC08D5E7\script.exe"C:\Users\Admin\AppData\Local\Temp\7zOCC08D5E7\script.exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:2812
-
-
C:\Users\Admin\AppData\Local\Temp\7zOCC0E30B7\script.exe"C:\Users\Admin\AppData\Local\Temp\7zOCC0E30B7\script.exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2280
-
-
C:\Users\Admin\AppData\Local\Temp\7zOCC057878\script.exe"C:\Users\Admin\AppData\Local\Temp\7zOCC057878\script.exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:5952
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
632KB
MD5699471c60523fd2c52d101f224651562
SHA1d3fc7aaf914e1f3e649ef9e547af5f21372ae724
SHA2560482414dd01db297c81e3ef661ff64320b37f3edd471c46935e51b32b806f335
SHA51272d04845c822c56aa31dfe5c7921ccc3c14b3ac8394b3f251898c0089a961383cb865086b3fad3536cd76ebb6e2edfd3ffef6d8083d92b9c6fd7e17eda9299de