Analysis
max time kernel: 32s
max time network: 34s
platform: windows7_x64
resource: win7-20230220-en
resource tags: arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
submitted: 21/04/2023, 01:00
Static task: static1
Behavioral task: behavioral1
  Sample: ec04a1d07720f0c856844906b040d3876a7801f90640c15fa23aa4e3001ed400.js
  Resource: win7-20230220-en
Behavioral task: behavioral2
  Sample: ec04a1d07720f0c856844906b040d3876a7801f90640c15fa23aa4e3001ed400.js
  Resource: win10v2004-20230220-en
General
Target: ec04a1d07720f0c856844906b040d3876a7801f90640c15fa23aa4e3001ed400.js
Size: 3.5MB
MD5: 0c39ad338f05da2c25ce56b23531f1f3
SHA1: a51227fa9755cf0bd5c3660d016bdd871e500e7f
SHA256: ec04a1d07720f0c856844906b040d3876a7801f90640c15fa23aa4e3001ed400
SHA512: c7074aeeb63472cb6b2f1be1f61221c683908c7f3f7d6348b345db398ed52558b1ad9b65b3097e43d79561818c8b98ea2a60679bfd7457b149877b53025c0d2f
SSDEEP: 24576:ejGw6bEVDPNoa+w7jOvCjAjODdJkEQTDTPmhH3NqEL8qELFiiKNpO28wb0XHpJh6:uNrsHo
Malware Config
Signatures
Executes dropped EXE (1 IoCs)
  pid 1276, Process Payloa.exe
Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
Suspicious behavior: EnumeratesProcesses (1 IoCs)
  pid 1276, Process Payloa.exe
Suspicious use of AdjustPrivilegeToken (1 IoCs)
  description Token: SeDebugPrivilege, pid 1276, Process Payloa.exe
Suspicious use of WriteProcessMemory (4 IoCs)
  description                      pid  Process      procid_target
  PID 864 wrote to memory of 1276  864  wscript.exe  28
  (the same entry is recorded four times)
Processes
1. C:\Windows\system32\wscript.exe
   Command line: wscript.exe C:\Users\Admin\AppData\Local\Temp\ec04a1d07720f0c856844906b040d3876a7801f90640c15fa23aa4e3001ed400.js
   PID: 864
   Signatures: Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Roaming\Payloa.exe
      Command line: "C:\Users\Admin\AppData\Roaming\Payloa.exe"
      PID: 1276
      Signatures: Executes dropped EXE; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads
Filesize: 825KB
MD5: b178c0250cc3f84a8101eb263c52d716
SHA1: 0bcb484264be368704de6028040a7552ebaf9a46
SHA256: aa2359fab304db99e520d8f343c579886debe677003f04695db008e3f2c90f99
SHA512: 0927124a400b321d166a9122521760d2f922aaaff38d42e7d9e975d6ff6ddcc47038c4eea9e19a0a909d5d5cab1bed1a36fa2294c1175ee492250f19868dfda1