
Resubmissions

06/01/2023, 11:42

230106-nt1s8sfh54 3

21/12/2022, 12:32

221221-pq1jqsfd7v 7

Analysis

  • max time kernel
    114s
  • max time network
    30s
  • platform
    windows7_x64
  • resource
    win7-20221111-en
  • resource tags
    arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
  • submitted
    21/12/2022, 12:32

General

  • Target

    uk reciprocal tax agreement countries 25817.js

  • Size

    62KB

  • MD5

    39cc9421265174f16b3de95ef2060df9

  • SHA1

    99912d4b4a385bf6aa131419bfd3c4b4a2915dd7

  • SHA256

    b76481df9f0c8d5e00c2f6e2340c8d664adf127a9363aa4032c443d30cff60cd

  • SHA512

    3fd4a883506e46f8e4f657c3913e84c92518e3cc18f270704b3deb9cdefe5e6e8f25575e072e961cc73ba8546d0d429df43377662b145e1adb4ddad8782d67d4

  • SSDEEP

    768:vBrI+mKl5AmG25bNz9ZEG6U8RUDO4t+XiYoefmsTQvl:GQNz8GbPS4MOeLs

Score
3/10

Malware Config

Signatures

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
    This is a generic heuristic that also fires on benign scripts that query drive letters; with a 3/10 score, an empty Malware Config section and nothing listed under Network, nothing else in this report supports a ransomware reading. The process tree below points at a staged script loader instead.

  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Windows\system32\wscript.exe (PID 1564)
    wscript.exe "C:\Users\Admin\AppData\Local\Temp\uk reciprocal tax agreement countries 25817.js"
    No child processes recorded.

  • C:\Windows\system32\taskeng.exe (PID 1256)
    taskeng.exe {B7E65110-1BEF-4276-99CF-168492037858} S-1-5-21-3406023954-474543476-3319432036-1000:VUIIVLGQ\Admin:Interactive:[1]
    Signatures: Suspicious use of WriteProcessMemory
    • C:\Windows\system32\wscript.EXE (PID 1068, parent 1256)
      C:\Windows\system32\wscript.EXE HIGHAN~1.JS
      Signatures: Suspicious use of WriteProcessMemory
      • C:\Windows\System32\cscript.exe (PID 1448, parent 1068)
        "C:\Windows\System32\cscript.exe" "HIGHAN~1.JS"
        Signatures: Suspicious use of WriteProcessMemory
        • C:\Windows\System32\WindowsPowerShell\v1.0\PoWERshELL.exe (PID 560, parent 1448)
          PoWERshELL
          Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken

Reading the tree: the submitted 62KB script runs once under wscript.exe (PID 1564) and spawns nothing visible. The second chain does not descend from it but from taskeng.exe, the Task Scheduler engine on Windows 7, whose command line carries the task GUID and the SID of the Admin user; a scheduled task therefore launched wscript.EXE on HIGHAN~1.JS. That is an 8.3 short name (the long file name is not recorded) for the file listed under Downloads at C:\Users\Admin\AppData\Roaming\Adobe\HIGHAN~1.JS, which at 45.8MB cannot be a copy of the 62KB loader and must have been generated or padded, a common way to exceed anti-virus file-size scan limits. The dropped script re-launches itself under cscript.exe and finally starts PowerShell with a deliberately mixed-case image name; the task creation itself is not surfaced as a signature, so the persistence has to be read from the tree.
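The chain above can be turned into detection logic over process-creation events. The Python below is an added example and is not code from the tria.ge report: the event records are constructed from the process tree (PIDs, image paths and command lines as listed), the parent PIDs of the two top-level processes are not on the page and are recorded as None, and the field names and the four heuristics (script host under taskeng.exe, script host spawning a shell, mixed-case launcher name, 8.3 short name in the command line) are my assumptions rather than tria.ge's own signatures.

```python
"""Flag the script-host chain from this report in process-creation events.

Added example; this is not code from the tria.ge report. The events below are
constructed from the process tree above (PIDs, images and command lines as
listed). Parent PIDs of the two top-level processes are not on the page and
are recorded as None; the field names and the heuristics are assumptions.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: Optional[int]  # None when the parent lies outside the captured tree
    image: str           # image path exactly as the sandbox logged it
    cmdline: str


SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
SHELLS = {"powershell.exe", "cmd.exe"}       # cmd.exe added for generality
SHORT_NAME = re.compile(r"~\d+\.\w{1,3}\b")  # 8.3 names such as HIGHAN~1.JS


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1]


def argv0(cmdline: str) -> str:
    """First token of a Windows command line, honouring a quoted image path."""
    s = cmdline.strip()
    if s.startswith('"'):
        return s[1:].split('"', 1)[0]
    return s.split(" ", 1)[0]


def canonical(name: str) -> str:
    """Lower-case with .exe appended, so 'PoWERshELL' and 'wscript.EXE' compare."""
    n = name.lower()
    return n if n.endswith(".exe") else n + ".exe"


def chain(e: ProcEvent, by_pid: Dict[int, ProcEvent]) -> str:
    """Ancestry from the outermost captured parent down to e, logged names kept."""
    names, cur, seen = [], e, set()
    while cur is not None and cur.pid not in seen:
        seen.add(cur.pid)
        names.append(basename(cur.image))
        cur = by_pid.get(cur.ppid) if cur.ppid is not None else None
    return " > ".join(reversed(names))


def analyze(events: List[ProcEvent]) -> Dict[int, List[str]]:
    by_pid = {e.pid: e for e in events}
    findings: Dict[int, List[str]] = {}

    def flag(pid: int, msg: str) -> None:
        findings.setdefault(pid, []).append(msg)

    for e in events:
        name = basename(e.image)
        parent = by_pid.get(e.ppid) if e.ppid is not None else None
        pname = canonical(basename(parent.image)) if parent else ""

        # taskeng.exe is the Windows 7 Task Scheduler engine: a script host
        # directly under it means a scheduled task launched the script.
        if canonical(name) in SCRIPT_HOSTS and pname == "taskeng.exe":
            flag(e.pid, "script host launched by a scheduled task")
        if canonical(name) in SHELLS and pname in SCRIPT_HOSTS:
            flag(e.pid, f"{pname} spawned {canonical(name)}: {chain(e, by_pid)}")
        # Heuristic (assumption): system binaries are normally launched by their
        # on-disk lower-case names; mixed case in the image or argv[0] is how the
        # caller typed it and is a cheap dodge for case-sensitive string matches.
        for n in dict.fromkeys([name, basename(argv0(e.cmdline))]):
            if canonical(n) in SCRIPT_HOSTS | SHELLS and n != n.lower():
                flag(e.pid, f"mixed-case launcher name: {n}")
        if SHORT_NAME.search(e.cmdline):
            flag(e.pid, "8.3 short name in command line (hides the real file name)")
    return findings


# Constructed from the report's process tree; root parents are unknown (None).
EVENTS = [
    ProcEvent(1564, None, r"C:\Windows\system32\wscript.exe",
              r'wscript.exe "C:\Users\Admin\AppData\Local\Temp\uk reciprocal tax agreement countries 25817.js"'),
    ProcEvent(1256, None, r"C:\Windows\system32\taskeng.exe",
              r"taskeng.exe {B7E65110-1BEF-4276-99CF-168492037858} "
              r"S-1-5-21-3406023954-474543476-3319432036-1000:VUIIVLGQ\Admin:Interactive:[1]"),
    ProcEvent(1068, 1256, r"C:\Windows\system32\wscript.EXE",
              r"C:\Windows\system32\wscript.EXE HIGHAN~1.JS"),
    ProcEvent(1448, 1068, r"C:\Windows\System32\cscript.exe",
              r'"C:\Windows\System32\cscript.exe" "HIGHAN~1.JS"'),
    ProcEvent(560, 1448, r"C:\Windows\System32\WindowsPowerShell\v1.0\PoWERshELL.exe",
              "PoWERshELL"),
]

if __name__ == "__main__":
    for pid, reasons in sorted(analyze(EVENTS).items()):
        for reason in reasons:
            print(f"PID {pid}: {reason}")
```

The first wscript.exe (PID 1564) and taskeng.exe itself produce no findings; every process in the scheduled-task chain does, and PID 560 carries the full ancestry string. The mixed-case check is the weakest of the four and should be treated as a scoring signal, not a standalone alert.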

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\Roaming\Adobe\HIGHAN~1.JS
    Filesize 45.8MB
    MD5 56a8226113d383cd85c2ca5396d0c592
    SHA1 7c432afe1a0151b5770185e09750eabb361e7101
    SHA256 362bc75419b8421cad8e21582e4b9e041a9159dd4bf8bbbc7f85a1c7c310a28b
    SHA512 b467dee81741a4ecee07213c59c39ee7593b260ff0cff5b40e0612f77a797230cd0b0a75e1fb42468d958ae0b4670ea54303efad097c122d701bb149717c0f23

  The remaining entries are memory-region dumps taken from the PowerShell process (PID 560), named memory/<pid>-<seq>-<start>-<end>-memory.dmp:

  • memory/560-58-0x000007FEFC4E1000-0x000007FEFC4E3000-memory.dmp
    Filesize 8KB
  • memory/560-59-0x000007FEF4070000-0x000007FEF4A93000-memory.dmp
    Filesize 10.1MB
  • memory/560-61-0x0000000002B24000-0x0000000002B27000-memory.dmp
    Filesize 12KB
  • memory/560-60-0x000007FEF3510000-0x000007FEF406D000-memory.dmp
    Filesize 11.4MB
  • memory/560-62-0x000000001B860000-0x000000001BB5F000-memory.dmp
    Filesize 3.0MB
  • memory/560-63-0x0000000002B2B000-0x0000000002B4A000-memory.dmp
    Filesize 124KB
  • memory/560-64-0x0000000002B24000-0x0000000002B27000-memory.dmp
    Filesize 12KB
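The dropped-file entry above gives two things to hunt for on an endpoint: the exact hashes, and the pattern of a script file in a user profile that is orders of magnitude larger than the loader that wrote it. The Python below is an added example and is not code from the tria.ge report. The SHA-256 values are copied from the report (submitted loader and dropped script); the 256KB size threshold, the directory layout under AppData\Roaming\Adobe and the three sample files that demo() writes into a temporary directory are constructed for illustration.

```python
"""Hunt a file system for the script dropped in this report.

Added example; not code from the tria.ge report. It hashes every file under a
root with SHA-256 and flags (a) hashes that match a known IOC and (b) script
files far larger than any hand-written script, which is how the 45.8MB
HIGHAN~1.JS stands out beside its 62KB loader. The SHA-256 values are from
the report; the 256KB threshold and the files demo() writes are constructed.
"""
import hashlib
import os
import shutil
import tempfile
from typing import Dict, List, Tuple

# SHA-256 values from the report: the submitted loader and the dropped script.
REPORT_SHA256: Dict[str, str] = {
    "b76481df9f0c8d5e00c2f6e2340c8d664adf127a9363aa4032c443d30cff60cd":
        "uk reciprocal tax agreement countries 25817.js",
    "362bc75419b8421cad8e21582e4b9e041a9159dd4bf8bbbc7f85a1c7c310a28b":
        r"AppData\Roaming\Adobe\HIGHAN~1.JS",
}
SCRIPT_EXT = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta"}


def sha256_file(path: str, chunk: int = 1 << 20) -> str:
    """Stream the file so a 45MB drop is not read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def hunt(root: str, iocs: Dict[str, str], min_size: int = 256 * 1024) -> List[Tuple[str, str]]:
    """Return (path, reason) pairs for IOC hash matches and oversized scripts."""
    hits: List[Tuple[str, str]] = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                size = os.path.getsize(path)
                digest = sha256_file(path)
            except OSError:
                continue  # locked or vanished file; keep walking
            if digest in iocs:
                hits.append((path, f"sha256 matches IOC for {iocs[digest]}"))
            if os.path.splitext(name)[1].lower() in SCRIPT_EXT and size >= min_size:
                hits.append((path, f"oversized script: {size} bytes >= {min_size}"))
    return hits


def summarize(hits: List[Tuple[str, str]]) -> Dict[str, List[str]]:
    """Group reasons by file name for reporting."""
    out: Dict[str, List[str]] = {}
    for path, reason in hits:
        out.setdefault(os.path.basename(path), []).append(reason)
    return out


def demo(min_size: int = 256 * 1024) -> List[Tuple[str, str]]:
    """Constructed sample profile: one normal script, one padded, one known-bad.

    The padded file mimics the report's drop with a large comment block; the
    'loader.js' stand-in is hashed and added to the IOC set at run time, since
    the real loader is not available offline.
    """
    root = tempfile.mkdtemp(prefix="hunt-demo-")
    adobe = os.path.join(root, "AppData", "Roaming", "Adobe")
    os.makedirs(adobe)
    with open(os.path.join(adobe, "small.js"), "w") as f:
        f.write("WScript.Echo('hello');\n")
    with open(os.path.join(adobe, "padded.js"), "w") as f:
        f.write("/*" + "A" * min_size + "*/\nWScript.Echo('hello');\n")
    bad = os.path.join(adobe, "loader.js")
    with open(bad, "w") as f:
        f.write("// stand-in for the submitted loader (constructed)\n")
    iocs = dict(REPORT_SHA256)
    iocs[sha256_file(bad)] = "constructed sample loader"
    try:
        return hunt(root, iocs, min_size)
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for name, reasons in summarize(demo()).items():
        print(name, "->", "; ".join(reasons))
```

On a live Windows host the root would be the profile directory (for example the value of %APPDATA%) rather than the temporary tree demo() builds, and hashing every file there is slow enough that in practice you would restrict the hash comparison to script extensions and recently modified files.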