Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
- max time kernel: 117s
- max time network: 34s
- platform: windows7_x64
- resource: win7-20221111-en
- resource tags: arch:x64 arch:x86 image:win7-20221111-en locale:en-us os:windows7-x64 system
submitted
06/01/2023, 11:42
Static task
static1
Behavioral task
behavioral1
Sample
uk reciprocal tax agreement countries 25817.js
Resource
win7-20221111-en
Behavioral task
behavioral2
Sample
uk reciprocal tax agreement countries 25817.js
Resource
win10v2004-20220812-en
General
- Target: uk reciprocal tax agreement countries 25817.js
- Size: 62KB
- MD5: 39cc9421265174f16b3de95ef2060df9
- SHA1: 99912d4b4a385bf6aa131419bfd3c4b4a2915dd7
- SHA256: b76481df9f0c8d5e00c2f6e2340c8d664adf127a9363aa4032c443d30cff60cd
- SHA512: 3fd4a883506e46f8e4f657c3913e84c92518e3cc18f270704b3deb9cdefe5e6e8f25575e072e961cc73ba8546d0d429df43377662b145e1adb4ddad8782d67d4
- SSDEEP: 768:vBrI+mKl5AmG25bNz9ZEG6U8RUDO4t+XiYoefmsTQvl:GQNz8GbPS4MOeLs
Malware Config
Signatures
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: EnumeratesProcesses (1 IoCs)
  pid | Process
  1708 | PoWERshELL.exe
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 1708 | PoWERshELL.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  description | pid | Process | procid_target
  PID 608 wrote to memory of 772 | 608 | taskeng.exe | 28
  PID 608 wrote to memory of 772 | 608 | taskeng.exe | 28
  PID 608 wrote to memory of 772 | 608 | taskeng.exe | 28
  PID 772 wrote to memory of 520 | 772 | wscript.EXE | 29
  PID 772 wrote to memory of 520 | 772 | wscript.EXE | 29
  PID 772 wrote to memory of 520 | 772 | wscript.EXE | 29
  PID 520 wrote to memory of 1708 | 520 | cscript.exe | 31
  PID 520 wrote to memory of 1708 | 520 | cscript.exe | 31
  PID 520 wrote to memory of 1708 | 520 | cscript.exe | 31
Processes
- C:\Windows\system32\wscript.exe
  wscript.exe "C:\Users\Admin\AppData\Local\Temp\uk reciprocal tax agreement countries 25817.js"
  PID:1544
- C:\Windows\system32\taskeng.exe
  taskeng.exe {98ACF419-8387-4703-8D5F-0633471A5E51} S-1-5-21-1214520366-621468234-4062160515-1000:VDWSWJJD\Admin:Interactive:[1]
  - Suspicious use of WriteProcessMemory
  PID:608
  - C:\Windows\system32\wscript.EXE
    C:\Windows\system32\wscript.EXE HIGHAN~1.JS
    - Suspicious use of WriteProcessMemory
    PID:772
    - C:\Windows\System32\cscript.exe
      "C:\Windows\System32\cscript.exe" "HIGHAN~1.JS"
      - Suspicious use of WriteProcessMemory
      PID:520
      - C:\Windows\System32\WindowsPowerShell\v1.0\PoWERshELL.exe
        PoWERshELL
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        PID:1708
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 45.8MB
  MD5: 99c1091b0f82a8429a5590fe6a6fd1a4
  SHA1: ad1a75dc2970b7ead61142836f4ad137922088d0
  SHA256: 86208c20411d353c4f5dab4fbe9db192e2dcbe12181917cc98644c3cb196c02d
  SHA512: 9cd44f99b3fd152733134b21fd67eebba948dbe07bfdff50bb970351207f47d1e586ad71395f251bf78b6e45553ff26d5c0a9cbc993670185452f10149cb13f6