Analysis
max time kernel: 146s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20220901-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
submitted: 17/10/2022, 15:10
Static task: static1
Behavioral task: behavioral1
  Sample: a559a94db8c05582df7cb6f5f1ba78d5cd24ea3b4b2aa46774dcd0caa933a203.js
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: a559a94db8c05582df7cb6f5f1ba78d5cd24ea3b4b2aa46774dcd0caa933a203.js
  Resource: win10v2004-20220901-en
General
Target: a559a94db8c05582df7cb6f5f1ba78d5cd24ea3b4b2aa46774dcd0caa933a203.js
Size: 103KB
MD5: cca726890dc96c8e4c2e7a1046919673
SHA1: ea73666e4958ac826a40cff15897d7c3f57296dd
SHA256: a559a94db8c05582df7cb6f5f1ba78d5cd24ea3b4b2aa46774dcd0caa933a203
SHA512: b9f3bf6baee1edd5ffa63c0b72e8f48d7104c22d80184e1fd0f718920fb5fdb1a6cb7bc24d365b3e7b159a2c01eae55e8c69f60d7133066d1c4b8f14c03b3082
SSDEEP: 1536:Xz8n0APEJjnb32DAhUwAdwnk11/qCakPqldWHazCU0guDznDNOqFsp7wElusE:Xw0cElnZWGk11/3aOccHsCGEDLR
Malware Config
(no configuration extracted for this sample)
Signatures

Checks computer location settings (2 TTPs, 2 IoCs)
Looks up the country code configured in the registry, likely a geofence. The Geo\Nation value under Control Panel\International holds the Windows GeoID (a decimal country/region code) for the user's configured location; a dropper that reads it is usually deciding whether to run at all in certain regions. The two rows below come from the two wscript.exe instances in the process tree (PIDs 4880 and 4840), i.e. both the first-stage script and the second-stage script perform the check.

description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation | wscript.exe
Key value queried | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation | wscript.exe
Enumerates physical storage devices (1 TTP, no IoCs listed)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour. This is a generic heuristic and no specific IoC was recorded for it; a Java runtime probing mounted drives is also consistent with ordinary file-system enumeration, so treat it as weak evidence on its own.
Modifies registry class (1 IoC)
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings | wscript.exe
Creation of the per-user Classes\Local Settings key is routine shell/COM housekeeping and is low-signal by itself.
Suspicious use of SetWindowsHookEx (1 IoC)
pid | Process
1976 | javaw.exe
Window hooks are how user-mode keyloggers capture input, but AWT/Swing initialisation in a Java process also installs hooks, so confirm the hook type (WH_KEYBOARD_LL vs. a thread-local message hook) before reading this as keylogging.
Suspicious use of WriteProcessMemory (8 IoCs)
Each row pairs a parent with the child it just created (a parent writes into a new child during process start-up), so these entries map one-to-one onto the process tree below. procid_target is the report's internal process index, not a Windows PID.

description | pid | Process | procid_target
PID 4880 wrote to memory of 4356 | 4880 | wscript.exe | 84
PID 4880 wrote to memory of 4356 | 4880 | wscript.exe | 84
PID 4356 wrote to memory of 4840 | 4356 | java.exe | 87
PID 4356 wrote to memory of 4840 | 4356 | java.exe | 87
PID 4840 wrote to memory of 4492 | 4840 | wscript.exe | 88
PID 4840 wrote to memory of 4492 | 4840 | wscript.exe | 88
PID 4840 wrote to memory of 1976 | 4840 | wscript.exe | 89
PID 4840 wrote to memory of 1976 | 4840 | wscript.exe | 89
Processes

[1] C:\Windows\system32\wscript.exe
    wscript.exe C:\Users\Admin\AppData\Local\Temp\a559a94db8c05582df7cb6f5f1ba78d5cd24ea3b4b2aa46774dcd0caa933a203.js
    PID: 4880
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory

  [2] C:\Program Files\Java\jre1.8.0_66\bin\java.exe
      "C:\Program Files\Java\jre1.8.0_66\bin\java.exe" -jar "C:\Users\Admin\AppData\Roaming\fWcSaqFtrV_joshh.jar"
      PID: 4356
      - Suspicious use of WriteProcessMemory

    [3] C:\Windows\SYSTEM32\wscript.exe
        wscript C:\Users\Admin\bhyhnagjke.js
        PID: 4840
        - Checks computer location settings
        - Modifies registry class
        - Suspicious use of WriteProcessMemory

      [4] C:\Windows\System32\WScript.exe
          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\QHTxGiGEkN.js"
          PID: 4492

      [4] C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe
          "C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\ujzxklve.txt"
          PID: 1976
          - Suspicious use of SetWindowsHookEx

The chain is: the submitted .js (first stage, wscript.exe) drops and runs a JAR from AppData\Roaming with the installed JRE; that JAR writes a second .js into the user profile and runs it; the second .js launches a third .js from AppData\Roaming and a second JAR that has been renamed to a .txt extension, executed with javaw.exe -jar (the JVM ignores the file extension, so the rename only defeats extension-based filtering). Everything executes from user-writable paths and nothing outside the user profile is touched.
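The process tree and the geofence signature above are the two things a defender would want to turn into a hunting rule. The following is an added example, not tria.ge code and not part of the original report: a small detector run over hand-constructed process-creation and registry-query events modelled on this report's tree. The event schema (type, pid, ppid, image, cmdline, key) is an assumption, not Sysmon's or any vendor's format; the parent of PID 4880 is not in the report and is given a placeholder ppid, and PID 5000 is an invented benign control to show the rules do not fire on a JAR run from Program Files.

```python
"""Hunting the wscript -> java -jar -> wscript chain from the report.

Added example (not tria.ge code). Events are constructed by hand from the
report's process tree; the field names are an assumed schema.
"""
import ntpath
import re

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
JAVA_IMAGES = {"java.exe", "javaw.exe"}
# Anything under a user profile (C:\Users\<name>\...) is attacker-writable.
USER_WRITABLE = re.compile(r"^[a-z]:\\users\\[^\\]+\\", re.IGNORECASE)
# The registry value the dropper reads for its geofence check.
GEO_NATION = re.compile(r"\\control panel\\international\\geo\\nation$", re.IGNORECASE)
# The path passed to -jar, quoted or bare.
JAR_ARG = re.compile(r'-jar\s+(?:"([^"]+)"|(\S+))', re.IGNORECASE)

SID = "S-1-5-21-929662420-1054238289-2961194603-1000"
JRE = r"C:\Program Files\Java\jre1.8.0_66\bin"
GEO_KEY = "\\REGISTRY\\USER\\" + SID + r"\Control Panel\International\Geo\Nation"

# Constructed events modelled on the report. ppid 1 for PID 4880 is a
# placeholder (its parent is not in the report); PID 5000 is an invented
# benign control.
EVENTS = [
    {"type": "process", "pid": 4880, "ppid": 1,
     "image": r"C:\Windows\system32\wscript.exe",
     "cmdline": r"wscript.exe C:\Users\Admin\AppData\Local\Temp\a559a94db8c05582df7cb6f5f1ba78d5cd24ea3b4b2aa46774dcd0caa933a203.js"},
    {"type": "registry", "pid": 4880, "key": GEO_KEY},
    {"type": "process", "pid": 4356, "ppid": 4880, "image": JRE + r"\java.exe",
     "cmdline": '"' + JRE + r'\java.exe" -jar "C:\Users\Admin\AppData\Roaming\fWcSaqFtrV_joshh.jar"'},
    {"type": "process", "pid": 4840, "ppid": 4356,
     "image": r"C:\Windows\SYSTEM32\wscript.exe",
     "cmdline": r"wscript C:\Users\Admin\bhyhnagjke.js"},
    {"type": "registry", "pid": 4840, "key": GEO_KEY},
    {"type": "process", "pid": 4492, "ppid": 4840,
     "image": r"C:\Windows\System32\WScript.exe",
     "cmdline": r'"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\QHTxGiGEkN.js"'},
    {"type": "process", "pid": 1976, "ppid": 4840, "image": JRE + r"\javaw.exe",
     "cmdline": '"' + JRE + r'\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\ujzxklve.txt"'},
    {"type": "process", "pid": 5000, "ppid": 1, "image": JRE + r"\javaw.exe",
     "cmdline": '"' + JRE + r'\javaw.exe" -jar "C:\Program Files\SomeTool\tool.jar"'},
]


def jar_argument(cmdline):
    """Return the path given to -jar, or None if the command has no -jar."""
    m = JAR_ARG.search(cmdline)
    return (m.group(1) or m.group(2)) if m else None


def basename(path):
    return ntpath.basename(path).lower()


def detect(events):
    """Return (pid, rule, detail) findings for the four behaviours in the report."""
    procs = {e["pid"]: e for e in events if e["type"] == "process"}
    findings = []
    for e in events:
        if e["type"] == "process":
            name = basename(e["image"])
            parent = procs.get(e["ppid"])
            parent_name = basename(parent["image"]) if parent else ""
            jar = jar_argument(e["cmdline"])
            if name in JAVA_IMAGES and jar is not None:
                if USER_WRITABLE.match(jar):
                    findings.append((e["pid"], "java_jar_from_user_dir", jar))
                if not jar.lower().endswith(".jar"):
                    # javaw -jar on a .txt: the JVM does not care about the extension.
                    findings.append((e["pid"], "jar_with_disguised_extension", jar))
            if name in JAVA_IMAGES and parent_name in SCRIPT_HOSTS:
                findings.append((e["pid"], "script_host_spawns_java", e["cmdline"]))
            if name in SCRIPT_HOSTS and parent_name in JAVA_IMAGES:
                findings.append((e["pid"], "java_spawns_script_host", e["cmdline"]))
        elif e["type"] == "registry":
            proc = procs.get(e["pid"])
            if proc and basename(proc["image"]) in SCRIPT_HOSTS and GEO_NATION.search(e["key"]):
                findings.append((e["pid"], "script_host_geofence_check", e["key"]))
    return findings


if __name__ == "__main__":
    for pid, rule, detail in detect(EVENTS):
        print(f"{pid}\t{rule}\t{detail}")
```

Against the constructed events the rules fire on PIDs 4880, 4356, 4840 and 1976 and stay silent on PID 4492 (a script host started by a script host, which is ordinary) and on the benign control. The parent/child rules are what carry the signal here: a script host starting the JRE, or the JRE starting a script host, is rare in a normal fleet, whereas each of the registry and hook signatures on its own is noisy.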
Network
(no entries extracted)

MITRE ATT&CK Enterprise v6
(no technique mapping extracted)
Downloads
Files dropped or downloaded during the run; the extract lists only sizes and hashes, not filenames, so no mapping to the JARs and scripts in the process tree is asserted here.

Filesize: 50B
MD5: 28da5a77419e2ab27dd5f164b4b2c94a
SHA1: e8233d17e728c92dd5213696c499d210a04a3875
SHA256: 704334895497a19ca9f5dadcd93fdeee4cdc1a1156d5df7f7f71f0dd2ad995a8
SHA512: f6122deca1227ad18aff7b3d68f3b12723cea43a8cf9865ec9fa6e120ae0d6259ddefc675933a1ee1626aa23f4a69547f06f73ebfafeadcbb3a1c0fd8a7de855

Filesize: 5KB
MD5: 29d07d51b50bd02c9ea861947aef094e
SHA1: 8c7644147a6ba7df15eafc5d9eb0af36d3a7c12a
SHA256: 8a36c228e4504ef2b5ad351c33b33dc16bc38928a76e080b1771cb8da3e98b8e
SHA512: 1e242e59575ba6d4c7a37fa392eecfd9b5320b459daf52296efc09db56423ff9131a376ed7060e5db6a550a5aa36a46bd87fc7d88acd55776a262d36feacdda2

Filesize: 76KB
MD5: 732e9b52bc467471dd11ea19d53019f3
SHA1: 89d460d4d681fc414251be91593b1ed8e4479e4a
SHA256: 3dfd620871224e7859cac24f9015ac113c71d565ff772e105b681faa56456367
SHA512: e9d76a5fb509bbb4b089ba0bec09b072b2deaeef8d40a01bcb27a30fa78af5c6fa71e7e9b3fb4d3a15e7259ec30fb525dc867ce5a7550860eec10a1f28d7c4cf

Filesize: 51KB
MD5: 9a0bc9a1a7c150bf1be23681096dbf4d
SHA1: 5caaaa9371e018dd2f3b6f2544e635d868bfe22f
SHA256: 50e23d069187744a2d3f5d1acfde6506d30e304f0f3d92c57efba9aa061de3a3
SHA512: 4de80535f01bdc4ddd74bdb584e388b6f8ff3d37c69229829bee084807244d14bd6a28a5fa46f5dcbde1094ba761509a7684039368a7dd0744ac8b2f6f375118

Filesize: 117KB
MD5: 94ca09268c0488ec944811dabb245c3f
SHA1: 5ef967be13f98d14fa21eb75b9aec270e42565d8
SHA256: a574ae4f26865b4b8756a7289692a240a2bde2a54170c8ed5ccbf1e1e1775a12
SHA512: 5ccf9930f61e3e03d8f89db72f3295053e378578bf4936c87d15f539ede204104cb56404f98fcaaa8838dd4973f425e34ef7f6a5b671a744aaba9b48a1de2ea2