Analysis
- max time kernel: 153s
- max time network: 160s
- platform: windows7_x64
- resource: win7-20220812-en
- resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
- submitted: 01/11/2022, 09:06
Static task: static1
Behavioral task: behavioral1
- Sample: PO.js
- Resource: win7-20220812-en
Behavioral task: behavioral2
- Sample: PO.js
- Resource: win10v2004-20220812-en
General
- Target: PO.js
- Size: 5KB
- MD5: 2847ee58cb7ef2bc9d410ad73a15961f
- SHA1: 701a342c49ec6d2c802847157e6a68154168bbf8
- SHA256: 6b12cfb0d109c8944d64556320bb63e2b0a287b8583c16cc4eb3b32f86fe31c8
- SHA512: 3245868c4700d28843fc98e6e15eefc269da745b334bc3678f1710d1a7520305bfd5dc2c2cc87ebdd6e114f850eebcb69b55d3f2297d560b5d55621203ee78e6
- SSDEEP: 96:u9GyFqVgE4DBLSjsg2B7pikxVHFQba/40zpzw4wu+huzLsFZZRKC8CEsrYcshAiR:VuEgBOwZFiO+a/40zNw4wFSLYZRHEsrs
Malware Config
- Extracted: vjw0rm, C2 http://212.193.30.230:6505
- Extracted: wshrat, C2 http://212.193.30.230:3605
Signatures

WSHRAT payload (1 IoC)
resource | yara_rule
behavioral1/files/0x000a00000000b52e-56.dat | family_wshrat

Blocklisted process makes network request (7 IoCs)
flow | pid | Process
3 | 2012 | wscript.exe
7 | 432 | WScript.exe
8 | 432 | WScript.exe
9 | 432 | WScript.exe
10 | 432 | WScript.exe
12 | 432 | WScript.exe
13 | 432 | WScript.exe

Drops startup file (4 IoCs)
description | ioc | Process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PO.js | wscript.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PO.js | wscript.exe
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\K3VRVF5TEJ.js | WScript.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\K3VRVF5TEJ.js | WScript.exe

Adds Run key to start application (2 TTPs, 6 IoCs)
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run | wscript.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\2JZFR52JWJ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\PO.js\"" | wscript.exe
Key created | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\software\microsoft\windows\currentversion\run | WScript.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\K3VRVF5TEJ = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\K3VRVF5TEJ.js\"" | WScript.exe
Key created | \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run | WScript.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\K3VRVF5TEJ = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\K3VRVF5TEJ.js\"" | WScript.exe

Looks up external IP address via web service (1 IoC)
Uses a legitimate IP lookup service to find the infected system's external IP.
flow | ioc
6 | ip-api.com

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Script User-Agent (4 IoCs)
Uses user-agent string associated with script host/environment.
description | flow | ioc
HTTP User-Agent header | 12 | WSHRAT|5C41F0CB|ZERMMMDR|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 1/11/2022|JavaScript-v3.4|NL:Netherlands
HTTP User-Agent header | 8 | WSHRAT|5C41F0CB|ZERMMMDR|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 1/11/2022|JavaScript-v3.4|NL:Netherlands
HTTP User-Agent header | 9 | WSHRAT|5C41F0CB|ZERMMMDR|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 1/11/2022|JavaScript-v3.4|NL:Netherlands
HTTP User-Agent header | 10 | WSHRAT|5C41F0CB|ZERMMMDR|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 1/11/2022|JavaScript-v3.4|NL:Netherlands

Suspicious use of WriteProcessMemory (3 IoCs)
description | pid | Process | procid_target
PID 2012 wrote to memory of 432 | 2012 | wscript.exe | 31
PID 2012 wrote to memory of 432 | 2012 | wscript.exe | 31
PID 2012 wrote to memory of 432 | 2012 | wscript.exe | 31
Processes

1. C:\Windows\system32\wscript.exe
   Command line: wscript.exe C:\Users\Admin\AppData\Local\Temp\PO.js
   - Blocklisted process makes network request
   - Drops startup file
   - Adds Run key to start application
   - Suspicious use of WriteProcessMemory
   PID: 2012

   2. C:\Windows\System32\WScript.exe (child of PID 2012)
      Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\K3VRVF5TEJ.js"
      - Blocklisted process makes network request
      - Drops startup file
      - Adds Run key to start application
      PID: 432
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 187KB
- MD5: f50524dfc4c60f0f399bb5c4a1572d18
- SHA1: 7ed8be558150cf1b979150c7ca6bf9278a96ff9d
- SHA256: 10c880bf2129d24a52c3442cbd030787058cc4621197838ca7a4987be39c0fa7
- SHA512: 7775792c92c180edb0d73455eb761c465fd90137345d61add9f8febbfe13903580b02589775849f422ffffe01076a53be4cdf01eaebc222ab1df6f3a5206fb14