Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

7

Static

static

uk recipro...817.js

windows7-x64

3

uk recipro...817.js

windows10-2004-x64

7

Resubmissions

06/01/2023, 11:42

230106-nt1s8sfh54 3

21/12/2022, 12:32

221221-pq1jqsfd7v 7

Analysis

  • max time kernel
    199s
  • max time network
    166s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
  • submitted
    21/12/2022, 12:32

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    uk reciprocal tax agreement countries 25817.js

  • Size

    62KB

  • MD5

    39cc9421265174f16b3de95ef2060df9

  • SHA1

    99912d4b4a385bf6aa131419bfd3c4b4a2915dd7

  • SHA256

    b76481df9f0c8d5e00c2f6e2340c8d664adf127a9363aa4032c443d30cff60cd

  • SHA512

    3fd4a883506e46f8e4f657c3913e84c92518e3cc18f270704b3deb9cdefe5e6e8f25575e072e961cc73ba8546d0d429df43377662b145e1adb4ddad8782d67d4

  • SSDEEP

    768:vBrI+mKl5AmG25bNz9ZEG6U8RUDO4t+XiYoefmsTQvl:GQNz8GbPS4MOeLs

Score
7/10

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 12 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Windows\system32\wscript.exe
    wscript.exe "C:\Users\Admin\AppData\Local\Temp\uk reciprocal tax agreement countries 25817.js"
    1⤵
      PID:2912
    • C:\Windows\System32\rundll32.exe
      C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
      1⤵
        PID:4488
      • C:\Windows\system32\wscript.EXE
        C:\Windows\system32\wscript.EXE HIGHAN~1.JS
        1⤵
        • Checks computer location settings
        • Suspicious use of WriteProcessMemory
        PID:2320
        • C:\Windows\System32\cscript.exe
          "C:\Windows\System32\cscript.exe" "HIGHAN~1.JS"
          2⤵
          • Suspicious use of WriteProcessMemory
          PID:3148
          • C:\Windows\System32\WindowsPowerShell\v1.0\PoWERshELL.exe
            PoWERshELL
            3⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:3584

      Network

      MITRE ATT&CK Enterprise v6

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Roaming\Adobe\HIGHAN~1.JS
        Filesize

        45.8MB

        MD5

        8030431485c63ad090b46f5b9adcfa7f

        SHA1

        45eba856f457f563ca7d33df609d2d424a7b75d1

        SHA256

        f7d7c549aca8e49461a8e847bc7fa050c5244c8c36c2052ed73c48d9bdc0ec4b

        SHA512

        e3d50f59568741802c1aacfae2ffc031653ba372e96e98235643cb0f68b3ce1081fed4917e02aa8431d01aac7b97726143a368be176ac3413f43fa03e772fac1

        Download Submit

      • memory/3584-135-0x0000020D50F80000-0x0000020D50FA2000-memory.dmp

        Filesize

        136KB

        Download

      • memory/3584-136-0x0000020D6AE90000-0x0000020D6AED4000-memory.dmp

        Filesize

        272KB

        Download

      • memory/3584-137-0x0000020D6AF60000-0x0000020D6AFD6000-memory.dmp

        Filesize

        472KB

        Download

      • memory/3584-138-0x00007FFF4AAA0000-0x00007FFF4B561000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/3584-139-0x00007FFF4AAA0000-0x00007FFF4B561000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/3584-140-0x0000020D694AA000-0x0000020D694AF000-memory.dmp

        Filesize

        20KB

        Download