Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    153s
  • max time network
    160s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    01/11/2022, 09:06

General

  • Target

    PO.js

  • Size

    5KB

  • MD5

    2847ee58cb7ef2bc9d410ad73a15961f

  • SHA1

    701a342c49ec6d2c802847157e6a68154168bbf8

  • SHA256

    6b12cfb0d109c8944d64556320bb63e2b0a287b8583c16cc4eb3b32f86fe31c8

  • SHA512

    3245868c4700d28843fc98e6e15eefc269da745b334bc3678f1710d1a7520305bfd5dc2c2cc87ebdd6e114f850eebcb69b55d3f2297d560b5d55621203ee78e6

  • SSDEEP

    96:u9GyFqVgE4DBLSjsg2B7pikxVHFQba/40zpzw4wu+huzLsFZZRKC8CEsrYcshAiR:VuEgBOwZFiO+a/40zNw4wFSLYZRHEsrs

Malware Config

Extracted

Family

vjw0rm

C2

http://212.193.30.230:6505

Extracted

Family

wshrat

C2

http://212.193.30.230:3605

Signatures

  • Vjw0rm

    Vjw0rm is a remote access trojan written in JavaScript.

  • WSHRAT

    WSHRAT is a variant of Houdini worm and has vbs and js variants.

  • WSHRAT payload 1 IoCs
  • Blocklisted process makes network request 7 IoCs
  • Drops startup file 4 IoCs
  • Adds Run key to start application 2 TTPs 6 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Script User-Agent 4 IoCs

    Uses user-agent string associated with script host/environment.

  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Windows\system32\wscript.exe
    wscript.exe C:\Users\Admin\AppData\Local\Temp\PO.js
    1⤵
    • Blocklisted process makes network request
    • Drops startup file
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:2012
    • C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\K3VRVF5TEJ.js"
      2⤵
      • Blocklisted process makes network request
      • Drops startup file
      • Adds Run key to start application
      PID:432

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\K3VRVF5TEJ.js

    Filesize

    187KB

    MD5

    f50524dfc4c60f0f399bb5c4a1572d18

    SHA1

    7ed8be558150cf1b979150c7ca6bf9278a96ff9d

    SHA256

    10c880bf2129d24a52c3442cbd030787058cc4621197838ca7a4987be39c0fa7

    SHA512

    7775792c92c180edb0d73455eb761c465fd90137345d61add9f8febbfe13903580b02589775849f422ffffe01076a53be4cdf01eaebc222ab1df6f3a5206fb14

  • memory/2012-54-0x000007FEFB741000-0x000007FEFB743000-memory.dmp

    Filesize

    8KB