Analysis
- max time kernel: 127s
- max time network: 34s
- platform: windows7_x64
- resource: win7-20221111-en
- resource tags: arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
- submitted: 14/01/2023, 13:21
Static task
- static1
Behavioral task
- behavioral1
  - Sample: water corporation enterprise agreement 2018 wa 15722.js
  - Resource: win7-20221111-en
Behavioral task
- behavioral2
  - Sample: water corporation enterprise agreement 2018 wa 15722.js
  - Resource: win10v2004-20221111-en
General
- Target: water corporation enterprise agreement 2018 wa 15722.js
- Size: 62KB
- MD5: fbbd2ab87eb076d202e6bd929535c609
- SHA1: b3627d701873263cf9a247e93dcbe5684ce65951
- SHA256: d64d9cb448ff7dfea1e641471beae99893637de21f7801b2b45b1495b90b3088
- SHA512: d7498b9ea9dd456ac49c074278a13257b74754ac074dbf49538e1177f8b864264a5872e0b948a3ad5578a39a0ee4cde99878e95c3c3e20ada2d6067982f36213
- SSDEEP: 768:v2ghJ5gba4sC/1a7Wuj2MgJlRhQMtUpoZEFNA/Ycik0aBZyxvDvl:/Aa4sFNK4MtA620y
Malware Config
Signatures
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: EnumeratesProcesses (1 IoCs)
  pid  | Process
  1640 | poWERsHeLl.exe
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  description             | pid  | Process
  Token: SeDebugPrivilege | 1640 | poWERsHeLl.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  description                       | pid  | Process     | procid_target
  PID 1016 wrote to memory of 1496  | 1016 | taskeng.exe | 29
  PID 1016 wrote to memory of 1496  | 1016 | taskeng.exe | 29
  PID 1016 wrote to memory of 1496  | 1016 | taskeng.exe | 29
  PID 1496 wrote to memory of 760   | 1496 | wscript.EXE | 30
  PID 1496 wrote to memory of 760   | 1496 | wscript.EXE | 30
  PID 1496 wrote to memory of 760   | 1496 | wscript.EXE | 30
  PID 760 wrote to memory of 1640   | 760  | cscript.exe | 32
  PID 760 wrote to memory of 1640   | 760  | cscript.exe | 32
  PID 760 wrote to memory of 1640   | 760  | cscript.exe | 32
Processes
- C:\Windows\system32\wscript.exe
  Command line: wscript.exe "C:\Users\Admin\AppData\Local\Temp\water corporation enterprise agreement 2018 wa 15722.js"
  PID: 1476
- C:\Windows\system32\taskeng.exe
  Command line: taskeng.exe {B8F99BC9-C18A-4716-88CA-55F867E9B3BC} S-1-5-21-3385717845-2518323428-350143044-1000:SABDUHNY\Admin:Interactive:[1]
  Signatures: Suspicious use of WriteProcessMemory
  PID: 1016
  - C:\Windows\system32\wscript.EXE
    Command line: C:\Windows\system32\wscript.EXE BASEOF~1.JS
    Signatures: Suspicious use of WriteProcessMemory
    PID: 1496
    - C:\Windows\System32\cscript.exe
      Command line: "C:\Windows\System32\cscript.exe" "BASEOF~1.JS"
      Signatures: Suspicious use of WriteProcessMemory
      PID: 760
      - C:\Windows\System32\WindowsPowerShell\v1.0\poWERsHeLl.exe
        Command line: poWERsHeLl
        Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
        PID: 1640
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 45.8MB
  MD5: 6737be198e60d008b9d6beb222088fc9
  SHA1: fd93f3742e50dfb5a3d600a61b6e87c0028cd8d9
  SHA256: ee085dde479b7a2b6148b2895551562bc182414da6d6b94bcbc81fe15e43a6f9
  SHA512: 37eecf82c3d24849e4b34996e620bd293237a97db616061f4296238596597d0db7076757b091acf4b3e2065ee8d8deb0014e93f5c72719d28fbf1f52ca2ee0eb