Resubmissions

06/01/2023, 11:42

230106-nt1s8sfh54 3

21/12/2022, 12:32

221221-pq1jqsfd7v 7

Analysis

  • max time kernel
    117s
  • max time network
    34s
  • platform
    windows7_x64
  • resource
    win7-20221111-en
  • resource tags

    arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
  • submitted
    06/01/2023, 11:42

General

  • Target

    uk reciprocal tax agreement countries 25817.js

  • Size

    62KB

  • MD5

    39cc9421265174f16b3de95ef2060df9

  • SHA1

    99912d4b4a385bf6aa131419bfd3c4b4a2915dd7

  • SHA256

    b76481df9f0c8d5e00c2f6e2340c8d664adf127a9363aa4032c443d30cff60cd

  • SHA512

    3fd4a883506e46f8e4f657c3913e84c92518e3cc18f270704b3deb9cdefe5e6e8f25575e072e961cc73ba8546d0d429df43377662b145e1adb4ddad8782d67d4

  • SSDEEP

    768:vBrI+mKl5AmG25bNz9ZEG6U8RUDO4t+XiYoefmsTQvl:GQNz8GbPS4MOeLs

Score
3/10

Malware Config

Signatures

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Windows\system32\wscript.exe
    wscript.exe "C:\Users\Admin\AppData\Local\Temp\uk reciprocal tax agreement countries 25817.js"
    1⤵
      PID:1544
    • C:\Windows\system32\taskeng.exe
      taskeng.exe {98ACF419-8387-4703-8D5F-0633471A5E51} S-1-5-21-1214520366-621468234-4062160515-1000:VDWSWJJD\Admin:Interactive:[1]
      1⤵
      • Suspicious use of WriteProcessMemory
      PID:608
      • C:\Windows\system32\wscript.EXE
        C:\Windows\system32\wscript.EXE HIGHAN~1.JS
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:772
        • C:\Windows\System32\cscript.exe
          "C:\Windows\System32\cscript.exe" "HIGHAN~1.JS"
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:520
          • C:\Windows\System32\WindowsPowerShell\v1.0\PoWERshELL.exe
            PoWERshELL
            4⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1708

    Network

    MITRE ATT&CK Enterprise v6

    Downloads

    • C:\Users\Admin\AppData\Roaming\Adobe\HIGHAN~1.JS

      Filesize

      45.8MB

      MD5

      99c1091b0f82a8429a5590fe6a6fd1a4

      SHA1

      ad1a75dc2970b7ead61142836f4ad137922088d0

      SHA256

      86208c20411d353c4f5dab4fbe9db192e2dcbe12181917cc98644c3cb196c02d

      SHA512

      9cd44f99b3fd152733134b21fd67eebba948dbe07bfdff50bb970351207f47d1e586ad71395f251bf78b6e45553ff26d5c0a9cbc993670185452f10149cb13f6

    • memory/1708-58-0x000007FEFC311000-0x000007FEFC313000-memory.dmp

      Filesize

      8KB

    • memory/1708-59-0x000007FEF3FF0000-0x000007FEF4A13000-memory.dmp

      Filesize

      10.1MB

    • memory/1708-60-0x000007FEF3490000-0x000007FEF3FED000-memory.dmp

      Filesize

      11.4MB

    • memory/1708-61-0x0000000002434000-0x0000000002437000-memory.dmp

      Filesize

      12KB

    • memory/1708-62-0x000000000243B000-0x000000000245A000-memory.dmp

      Filesize

      124KB

    • memory/1708-63-0x0000000002434000-0x0000000002437000-memory.dmp

      Filesize

      12KB