Analysis

  • max time kernel
    126s
  • max time network
    28s
  • platform
    windows7_x64
  • resource
    win7-20230220-en
  • resource tags
    arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
  • submitted
    09/03/2023, 19:50

General

  • Target

    when is a d&f for contract type required 30781.js

  • Size

    564KB

  • MD5

    e578abaa9a94fd9665f84c2b8360fda1

  • SHA1

    32675b30e0f5a18bc8b6e120b2211ac53cc35e75

  • SHA256

    1469dc7b039809dde24a5894170185e73a5969a55a84872f185aac6265f2b9d2

  • SHA512

    163b51e45082a8b258f7f99a51ca50fed139916411c5b83d8c7abe5d17ac4694b4c490eb6bb9fa1b538edc7eb704ab238d6b583b92606acf1739407581af1e60

  • SSDEEP

    12288:d69oRzp+By2ex3ERhTiWUOrD2lKyrCvSkdJyi0j9nsDvV101d1eo4kwx9LVGyniH:B/yy2e6V2ai3KAL5rPzy9maM3

Score
3/10

Malware Config

Signatures

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
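    The same COM API (Schedule.Service) that the sample uses to register its task is also the most direct way to audit what is registered. The hunting script below is an added example, not tria.ge code or part of this report: it walks every task folder, keeps only exec actions whose program is a script host, and reports the ones whose script lives under a user-writable path or is referenced by an 8.3 short name, which is the shape the process tree below shows (taskeng.exe launching wscript.EXE with the relative argument FINANC~1.JS from a working directory under AppData). The host list, the path patterns and the output fields are assumptions chosen for illustration.

```powershell
# Added example (not tria.ge code): enumerate every registered task through the
# Task Scheduler COM API (Schedule.Service) and flag exec actions that run a script
# host against a script in a user-writable location, or by an 8.3 short name.
# The host list, path patterns and output fields are assumptions for illustration.

$scriptHosts  = @('wscript.exe', 'cscript.exe', 'mshta.exe', 'powershell.exe', 'cmd.exe')
$userWritable = @('\AppData\', '\Temp\', '\ProgramData\', '\Users\Public\', '\Downloads\')

function Get-TaskFolderTree([object]$Folder) {
    # Depth-first walk of the task folder hierarchy; flag 0 = default enumeration
    $Folder
    foreach ($sub in $Folder.GetFolders(0)) { Get-TaskFolderTree $sub }
}

function Find-ScriptHostTasks {
    $svc = New-Object -ComObject 'Schedule.Service'
    $svc.Connect()                                    # local machine, current credentials

    foreach ($folder in Get-TaskFolderTree $svc.GetFolder('\')) {
        foreach ($task in $folder.GetTasks(1)) {      # 1 = TASK_ENUM_HIDDEN: include hidden tasks
            $def = $task.Definition
            foreach ($action in $def.Actions) {
                if ($action.Type -ne 0) { continue }  # 0 = TASK_ACTION_EXEC; skip COM handler, e-mail, message actions
                $exe = [IO.Path]::GetFileName([string]$action.Path).ToLower()
                if ($scriptHosts -notcontains $exe) { continue }

                $argText = [string]$action.Arguments
                $workDir = [string]$action.WorkingDirectory
                # A relative argument such as FINANC~1.JS resolves against WorkingDirectory,
                # so test both fields; an 8.3 short name is itself worth a look because it
                # hides the real file name from naive string matches.
                $fromUserDir = @($userWritable | Where-Object { $argText -like "*$_*" -or $workDir -like "*$_*" }).Count -gt 0
                $shortName   = $argText -match '~\d+\.'

                if ($fromUserDir -or $shortName) {
                    [pscustomobject]@{
                        Task     = $task.Path
                        Enabled  = $task.Enabled
                        RunAs    = $def.Principal.UserId
                        Author   = $def.RegistrationInfo.Author
                        Triggers = ($def.Triggers | ForEach-Object { $_.Type }) -join ','
                        Hidden   = $def.Settings.Hidden
                        Command  = "$($action.Path) $argText"
                        WorkDir  = $workDir
                    }
                }
            }
        }
    }
}

Find-ScriptHostTasks | Format-List
```

    Run it elevated, otherwise tasks registered under other principals are not readable, and compare the output against a baseline of the host's known tasks. Note that the dropped copy in this report (FINANC~1.JS, 47.7MB) does not share a hash with the 564KB submitted sample, so hash-based indicators taken from the submission will not match the persisted file; the task definition and its working directory are the more durable indicator.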

Processes

  • C:\Windows\system32\wscript.exe (PID 1556)
    wscript.exe "C:\Users\Admin\AppData\Local\Temp\when is a d&f for contract type required 30781.js"

  • C:\Windows\system32\taskeng.exe (PID 852)
    taskeng.exe {0CEC13E7-11F4-42FA-9B99-98634D466EE1} S-1-5-21-3430344531-3702557399-3004411149-1000:WFSTZEPN\Admin:Interactive:[1]
    • Suspicious use of WriteProcessMemory
    • C:\Windows\system32\wscript.EXE (PID 1688, child of taskeng.exe)
      C:\Windows\system32\wscript.EXE FINANC~1.JS
      • Suspicious use of WriteProcessMemory
      • C:\Windows\System32\cscript.exe (PID 572, child of wscript.EXE)
        "C:\Windows\System32\cscript.exe" "FINANC~1.JS"
        • Suspicious use of WriteProcessMemory
        • C:\Windows\System32\WindowsPowerShell\v1.0\POwerShelL.exe (PID 364, child of cscript.exe)
          POwerShelL
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
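
    The second tree above is the detection-worthy part of this report: the scheduled task's host process starts wscript.EXE, which re-executes the same script under cscript.exe, which in turn spawns PowerShell. The script below is an added example, not tria.ge code or part of this report; it rebuilds parent/child chains from process-creation records and flags that exact shape. The records are constructed from the PIDs and images in the tree (the ParentPid values of the two roots, 1200 and 800, are made up), and the field names Pid, ParentPid and Image are assumptions; in production they would be filled from Sysmon Event ID 1 or Security event 4688 via Get-WinEvent.

```powershell
# Added example (not tria.ge code): rebuild parent/child chains from process-creation
# records and flag a task-scheduler host launching a script host that relaunches
# another script host and ends in PowerShell. Records are constructed from this
# report's tree; root ParentPid values (1200, 800) are made up. Field names are assumed.

$events = @(
    [pscustomobject]@{ Pid = 1556; ParentPid = 1200; Image = 'C:\Windows\system32\wscript.exe' }
    [pscustomobject]@{ Pid = 852;  ParentPid = 800;  Image = 'C:\Windows\system32\taskeng.exe' }
    [pscustomobject]@{ Pid = 1688; ParentPid = 852;  Image = 'C:\Windows\system32\wscript.EXE' }
    [pscustomobject]@{ Pid = 572;  ParentPid = 1688; Image = 'C:\Windows\System32\cscript.exe' }
    [pscustomobject]@{ Pid = 364;  ParentPid = 572;  Image = 'C:\Windows\System32\WindowsPowerShell\v1.0\POwerShelL.exe' }
)

$scriptHosts = @('wscript.exe', 'cscript.exe', 'mshta.exe')
# taskeng.exe hosts task actions on Windows 7; on Windows 8 and later the Schedule
# service runs them directly from svchost.exe, so accept either as the root.
$taskHosts   = @('taskeng.exe', 'svchost.exe')

function Get-Ancestry([int]$ProcessId, [object[]]$Records) {
    $byPid = @{}
    foreach ($r in $Records) { $byPid[[int]$r.Pid] = $r }
    $chain = New-Object System.Collections.Generic.List[object]
    $seen  = @{}
    while ($byPid.ContainsKey($ProcessId) -and -not $seen.ContainsKey($ProcessId)) {
        $seen[$ProcessId] = $true            # PID reuse can create loops; stop on revisit
        $chain.Add($byPid[$ProcessId])
        $ProcessId = [int]$byPid[$ProcessId].ParentPid
    }
    $chain.Reverse()                          # root first, leaf last
    return $chain.ToArray()
}

function Test-ScriptHostChain([object[]]$Chain) {
    $names = @($Chain | ForEach-Object { [IO.Path]::GetFileName($_.Image).ToLower() })
    if ($names.Count -lt 3) { return $false }
    $relaunch = $false
    for ($i = 1; $i -lt $names.Count; $i++) {
        # A script host spawned by a script host: the script re-executes itself under another engine
        if ($scriptHosts -contains $names[$i-1] -and $scriptHosts -contains $names[$i]) { $relaunch = $true }
    }
    $fromTask = $taskHosts -contains $names[0]
    $toShell  = $names[-1] -eq 'powershell.exe'
    return ($fromTask -and $relaunch -and $toShell)
}

# Evaluate every leaf process (one that no record lists as a parent)
$parents = @($events | ForEach-Object { [int]$_.ParentPid })
foreach ($leaf in $events | Where-Object { $parents -notcontains [int]$_.Pid }) {
    $chain = Get-Ancestry $leaf.Pid $events
    if (Test-ScriptHostChain $chain) {
        $path = ($chain | ForEach-Object { "$([IO.Path]::GetFileName($_.Image)) [$($_.Pid)]" }) -join ' -> '
        Write-Output "ALERT: $path"
    }
}
```

    On the constructed records only the taskeng.exe chain fires; the stand-alone wscript.exe [1556] that ran the submitted file is a single-process chain and is ignored, which matches the report: the initial execution is unremarkable on its own, and it is the persistence path that carries the behaviour.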

    Network

    MITRE ATT&CK Enterprise v6

    Downloads

    • C:\Users\Admin\AppData\Roaming\Media Center Programs\FINANC~1.JS

      Filesize

      47.7MB

      MD5

      35ecbbb1c4c4280e74625d55b1d39c59

      SHA1

      990a3b50a20ab2f246fde1b1cd8ec36cf709139f

      SHA256

      5cd80596de95375c6d69087a7eb8bdf5d900689399878e8f12a0e7407242215d

      SHA512

      736d99dcd11a3cc9e19294b256173946ab2b18c89a9b1b5bca58b4f7f3dc159fbc2b761939fcb5566ddb1b97351d85a1b25204e80511f97ef3f773617e059827

    • memory/364-61-0x000000001B1D0000-0x000000001B4B2000-memory.dmp

      Filesize

      2.9MB

    • memory/364-62-0x0000000002390000-0x0000000002398000-memory.dmp

      Filesize

      32KB

    • memory/364-63-0x00000000024C0000-0x0000000002540000-memory.dmp

      Filesize

      512KB

    • memory/364-64-0x00000000024C0000-0x0000000002540000-memory.dmp

      Filesize

      512KB

    • memory/364-65-0x00000000024C0000-0x0000000002540000-memory.dmp

      Filesize

      512KB

    • memory/364-66-0x00000000024C0000-0x0000000002540000-memory.dmp

      Filesize

      512KB

    • memory/364-67-0x00000000024C0000-0x0000000002540000-memory.dmp

      Filesize

      512KB

    • memory/364-68-0x00000000024C0000-0x0000000002540000-memory.dmp

      Filesize

      512KB

    • memory/364-69-0x00000000024C0000-0x0000000002540000-memory.dmp

      Filesize

      512KB

    • memory/364-70-0x00000000024C0000-0x0000000002540000-memory.dmp

      Filesize

      512KB