Analysis
max time kernel: 148s
max time network: 155s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 07/11/2022, 11:32
Static task: static1
Behavioral task: behavioral1
Sample: PO.js
Resource: win7-20220812-en
Behavioral task: behavioral2
Sample: PO.js
Resource: win10v2004-20220812-en
General
Target: PO.js
Size: 16KB
MD5: d9cf358d33e0b914b807f31d6c58c5a7
SHA1: 8eea7bf764edac96eb2a06f3a7301f6cec2d2bb8
SHA256: 29ef503bce31e24fa949e6eac1c068019b0ef4d4f9ce91af55acde6d06698541
SHA512: 06802248fa1440aceb565efdad5ac752d6f2469add00a0e1decc3e398b53a2975f80b55924fe98402c0e3c2ca4850c842a77b1ba189ea0067934028a6e90f6a9
SSDEEP: 192:BdmxVneKi3B7oB8AmIufpDU1qLyAFsagU13pR8UAEbfK+bE+1FauvG6JY46272ii:eViR0B81Is61aykvpRrK+bZR72twdu
Malware Config
Extracted family: vjw0rm
C2: http://212.193.30.230:6505
Signatures
- Blocklisted process makes network request (6 IoCs)
flow  pid   process
6     1648  wscript.exe
7     1584  wscript.exe
10    1648  wscript.exe
14    1648  wscript.exe
18    1648  wscript.exe
22    1648  wscript.exe
- Drops startup file (4 IoCs)
description                   ioc                                                                                  process
File created                  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PO.js          wscript.exe
File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PO.js          wscript.exe
File created                  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EUdyiwsLkK.js  wscript.exe
File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EUdyiwsLkK.js  wscript.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
description      ioc                                                                                                              process
Key created      \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run        wscript.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\2JZFR52JWJ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\PO.js\""  wscript.exe
- Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of WriteProcessMemory (3 IoCs)
description                       pid   process      procid_target
PID 1584 wrote to memory of 1648  1584  wscript.exe  26
PID 1584 wrote to memory of 1648  1584  wscript.exe  26
PID 1584 wrote to memory of 1648  1584  wscript.exe  26
Processes
- C:\Windows\system32\wscript.exe (PID 1584)
  Command line: wscript.exe C:\Users\Admin\AppData\Local\Temp\PO.js
  Signatures: Blocklisted process makes network request; Drops startup file; Adds Run key to start application; Suspicious use of WriteProcessMemory
  - C:\Windows\System32\wscript.exe (PID 1648, child of PID 1584)
    Command line: "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\EUdyiwsLkK.js"
    Signatures: Blocklisted process makes network request; Drops startup file
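The signature tables and the process tree above describe a chain that is straightforward to hunt for in endpoint telemetry: wscript.exe started on a script in a user-writable directory, that script host spawning a second wscript.exe with //B (batch mode, which suppresses script errors and prompts) on a copy under AppData\Roaming, a .js written to the Startup folder, a Run key value pointing into Temp, and traffic to the extracted vjw0rm C2. The Python below is an added example and is not part of the tria.ge report or of any tria.ge signature code. The events are constructed here from this report's IoCs (pids, paths, Run key value, C2 address) plus two benign events as noise; the Sysmon-style event schema, the rule names and the regexes are assumptions of the example.

```python
"""Hunt for the wscript.exe persistence chain seen in this report over
Sysmon-style events. Added example; the event schema, rule names and
patterns are assumptions of the example, not tria.ge signature code."""
import re

# Constructed telemetry modelled on the report's IoCs (pids, paths, Run key
# value and C2 taken from the report) plus two benign events as noise.
SAMPLE_EVENTS = [
    {"type": "process_create", "pid": 1584, "ppid": 1200,
     "image": r"C:\Windows\system32\wscript.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": r"wscript.exe C:\Users\Admin\AppData\Local\Temp\PO.js"},
    {"type": "process_create", "pid": 1648, "ppid": 1584,
     "image": r"C:\Windows\System32\wscript.exe",
     "parent_image": r"C:\Windows\system32\wscript.exe",
     "cmdline": r'"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\EUdyiwsLkK.js"'},
    {"type": "file_create", "pid": 1648, "image": r"C:\Windows\System32\wscript.exe",
     "target": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EUdyiwsLkK.js"},
    {"type": "registry_set", "pid": 1584, "image": r"C:\Windows\system32\wscript.exe",
     "key": r"HKU\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\2JZFR52JWJ",
     "value": r'"C:\Users\Admin\AppData\Local\Temp\PO.js"'},
    {"type": "network_connect", "pid": 1648, "image": r"C:\Windows\System32\wscript.exe",
     "dest_ip": "212.193.30.230", "dest_port": 6505},
    # Benign noise: a domain logon script and Word saving a document.
    {"type": "process_create", "pid": 2000, "ppid": 900,
     "image": r"C:\Windows\System32\wscript.exe",
     "parent_image": r"C:\Windows\System32\userinit.exe",
     "cmdline": r"wscript.exe \\corp\netlogon\map_drives.vbs"},
    {"type": "file_create", "pid": 3000, "image": r"C:\Program Files\Microsoft Office\WINWORD.EXE",
     "target": r"C:\Users\Admin\Documents\report.docx"},
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
SCRIPT_EXT = re.compile(r"\.(js|jse|vbs|vbe|wsf)\b", re.I)
USER_WRITABLE = re.compile(r"\\AppData\\(Local\\Temp|Roaming)\\", re.I)
STARTUP_DIR = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.I)
RUN_KEY = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.I)
KNOWN_C2 = {("212.193.30.230", 6505)}  # from the extracted vjw0rm config above


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def classify(ev):
    """Return the names of the rules a single event trips (possibly none)."""
    hits = []
    kind = ev["type"]
    if kind == "process_create" and basename(ev["image"]) in SCRIPT_HOSTS:
        cmd = ev["cmdline"]
        if SCRIPT_EXT.search(cmd) and USER_WRITABLE.search(cmd):
            hits.append("script_host_runs_script_from_user_writable_dir")
        # Parent is itself a script host and the child runs in //B (batch)
        # mode: the silent re-launch pattern in the process tree above.
        if basename(ev["parent_image"]) in SCRIPT_HOSTS and "//b" in cmd.lower():
            hits.append("script_host_spawns_silent_script_host")
    elif kind == "file_create":
        if STARTUP_DIR.search(ev["target"]) and SCRIPT_EXT.search(ev["target"]):
            hits.append("script_dropped_in_startup_folder")
    elif kind == "registry_set":
        if RUN_KEY.search(ev["key"]) and SCRIPT_EXT.search(ev["value"]) \
                and USER_WRITABLE.search(ev["value"]):
            hits.append("run_key_points_to_script_in_user_writable_dir")
    elif kind == "network_connect":
        if (ev["dest_ip"], ev["dest_port"]) in KNOWN_C2:
            hits.append("connection_to_known_vjw0rm_c2")
    return hits


def hunt(events):
    """Group tripped rules by pid so the analyst sees the chain per process."""
    findings = {}
    for ev in events:
        for name in classify(ev):
            findings.setdefault(ev["pid"], set()).add(name)
    return {pid: sorted(names) for pid, names in findings.items()}


if __name__ == "__main__":
    for pid, names in sorted(hunt(SAMPLE_EVENTS).items()):
        print(pid, ", ".join(names))
```

Run against the constructed events, hunt() reports only PIDs 1584 and 1648; the logon script from the netlogon share and the Word document trip nothing. The C2 match is the weakest rule here (an IP and port rotate cheaply), while the script host, Startup folder and Run key rules describe the technique rather than this sample and will keep catching re-packed variants.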
Network
MITRE ATT&CK Enterprise v6
Downloads
Filesize: 5KB
MD5: fdb563c457afbde4219e1a83f742a8be
SHA1: 8e217d47db9654e839273115479a2121745250a5
SHA256: eedb0f6bd119171b632c131672eb59ac547464ddaf727a062af3c4b27edfbe49
SHA512: 0c8eacd5a8d82fe264a11611630211438ae3721f93a4610a530312d08ae7e87689527c82640a22b7287c2d38add261ed75c4fbcdb0e27f427726c920b623a81c