Analysis (tria.ge sandbox report)
  max time kernel:   150s
  max time network:  145s
  platform:          windows10-2004_x64
  resource:          win10v2004-20230220-en
  resource tags:     arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
  submitted:         01/06/2023, 15:42
Static task: static1
Behavioral task: behavioral1
  Sample:   ProjectFunding_450726_Jun01.js
  Resource: win7-20230220-en
  Note: the analysis header above reports resource win10v2004-20230220-en for this run, while the behavioral task entry lists win7-20230220-en; both values are as shown on the report.
General
  Target: ProjectFunding_450726_Jun01.js
  Size:   1KB
  MD5:    a657553449746c482dacfe3b19119b7a
  SHA1:   630b815d443f8f7ef7e4c4c7c100de1cd8a7ed53
  SHA256: 44e029dd6210c4906a82e1f16dd5ebed434efd225dafb92fc560e6ff6d1ee948
  SHA512: dea33536a5c5fe279ca1a8a3d4639be0f49d5ca3c21f4cbbda10c5d059837c2bc4c3917cdbddd0fc9f4a0773f325369b200f0df8e0035da6afab26f09502c321
Malware Config
Extracted: qakbot
  Version:  404.1346
  Botnet:   obama266
  Campaign: 1685611378 (Unix timestamp, 2023-06-01 09:22:58 UTC)
  C2 (IP:port, 119 entries). Qakbot C2 lists consist largely of infected hosts acting as proxies rather than attacker-owned servers, so treat the exact IP:port pairs as short-lived indicators and expect churn between builds:
24.234.220.88:990
70.28.50.223:2078
96.56.197.26:2083
103.123.223.133:443
83.249.198.100:2222
199.27.66.213:443
90.104.151.37:2222
94.204.202.106:443
72.205.104.134:443
65.95.141.84:2222
82.131.141.209:443
77.126.99.230:443
71.38.155.217:443
205.237.67.69:995
84.215.202.8:443
24.234.220.88:465
76.178.148.107:2222
116.74.163.130:443
70.28.50.223:2087
147.147.30.126:2222
173.88.135.179:443
103.140.174.20:2222
77.86.98.236:443
92.149.250.113:2222
96.87.28.170:2222
86.168.210.41:443
176.142.207.63:443
12.172.173.82:32101
86.132.236.117:443
70.50.83.216:2222
161.142.103.187:995
45.62.70.33:443
12.172.173.82:465
178.175.187.254:443
83.110.223.61:443
105.184.209.194:995
41.186.88.38:443
102.156.10.183:443
27.109.19.90:2078
47.205.25.170:443
12.172.173.82:993
76.170.252.153:995
69.242.31.249:443
24.234.220.88:995
125.99.69.178:443
79.168.224.165:2222
75.143.236.149:443
14.192.241.76:995
124.122.47.148:443
81.229.117.95:2222
98.145.23.67:443
114.143.176.236:443
103.144.201.48:2078
122.186.210.254:443
69.160.121.6:61201
12.172.173.82:21
72.253.126.216:443
75.109.111.89:443
76.86.31.59:443
116.120.145.170:995
12.172.173.82:50001
81.101.185.146:443
201.244.108.183:995
68.203.69.96:443
103.139.242.6:443
103.42.86.42:995
85.61.165.153:2222
76.16.49.134:443
125.99.76.102:443
184.182.66.109:443
70.28.50.223:32100
50.68.204.71:993
85.57.212.13:3389
41.227.190.59:443
70.28.50.223:3389
31.53.29.235:2222
89.79.229.50:443
50.68.186.195:443
47.199.241.39:443
93.147.235.8:443
75.141.227.169:443
45.243.142.31:995
79.92.15.6:443
85.104.105.67:443
89.129.109.27:2222
86.176.83.44:2222
24.234.220.88:993
89.32.156.5:995
12.172.173.82:22
103.101.203.177:443
70.28.50.223:2083
98.187.21.2:443
70.49.205.198:2222
96.56.197.26:2222
92.9.45.20:2222
86.195.14.72:2222
172.115.17.50:443
100.4.163.158:2222
80.12.88.148:2222
213.64.33.92:2222
113.11.92.30:443
78.192.109.105:2222
47.34.30.133:443
122.184.143.86:443
198.2.51.242:993
165.120.169.171:2222
88.126.94.4:50000
82.125.44.236:2222
117.195.17.148:993
147.219.4.194:443
80.167.196.79:443
92.154.17.149:2222
184.181.75.148:443
95.45.50.93:2222
84.35.26.14:995
201.143.215.69:443
12.172.173.82:2087
50.68.204.71:443
64.121.161.102:443
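Turning the extracted C2 list into something matchable is the first thing a responder does with a report like this. The block below is an added example, not part of the tria.ge report or of any Qakbot tooling: it parses the IP:port list (only a subset of the entries above is embedded), summarises the port spread and the hosts that appear on several ports, and scores constructed flow records against the set. The flow records are constructed for the example and are not from the sandbox capture; the "exact" vs "host-only" distinction is the caveat worth learning, because these are residential IPs that also carry benign traffic.

```python
"""
Added example (not part of the tria.ge report): turn the extracted Qakbot
C2 list into matchable IoCs and run constructed flow records against them.
Only a subset of the report's C2 entries is embedded; the flows are constructed.
"""
from collections import Counter, defaultdict
from ipaddress import ip_address

# Subset of the C2 (IP:port) list extracted from the sample's config.
C2_TEXT = """
24.234.220.88:990
70.28.50.223:2078
96.56.197.26:2083
103.123.223.133:443
83.249.198.100:2222
12.172.173.82:32101
12.172.173.82:465
12.172.173.82:993
12.172.173.82:21
24.234.220.88:465
24.234.220.88:995
70.28.50.223:3389
85.57.212.13:3389
69.160.121.6:61201
"""

def parse_c2(text):
    """Parse 'ip:port' lines into a set of (ip, port) tuples, validating both."""
    c2 = set()
    for line in text.strip().splitlines():
        host, _, port = line.strip().rpartition(":")
        ip_address(host)                      # raises ValueError on a bad address
        port = int(port)
        if not 0 < port < 65536:
            raise ValueError(f"bad port in {line!r}")
        c2.add((host, port))
    return c2

def port_histogram(c2):
    """Entries per destination port. Qakbot mixes 443/995/993/465/2222 with a
    few odd high ports, so a port-only rule is either noisy or incomplete."""
    return Counter(port for _, port in c2)

def multi_port_hosts(c2):
    """Hosts listed with several ports: one proxy IP reused across listeners,
    a reasonable pivot for an IP-level block."""
    ports = defaultdict(set)
    for ip, port in c2:
        ports[ip].add(port)
    return {ip: sorted(p) for ip, p in ports.items() if len(p) > 1}

def match_flows(flows, c2):
    """Score outbound flows: an exact (dst_ip, dst_port) hit is 'c2_exact';
    a C2 host reached on another port is the weaker 'c2_host'."""
    hosts = {ip for ip, _ in c2}
    alerts = []
    for f in flows:
        if (f["dst_ip"], f["dst_port"]) in c2:
            alerts.append((f["src_ip"], f["dst_ip"], f["dst_port"], "c2_exact"))
        elif f["dst_ip"] in hosts:
            alerts.append((f["src_ip"], f["dst_ip"], f["dst_port"], "c2_host"))
    return alerts

# Constructed flow records (not from the sandbox capture).
SAMPLE_FLOWS = [
    {"src_ip": "10.0.0.15", "dst_ip": "103.123.223.133", "dst_port": 443},   # exact hit
    {"src_ip": "10.0.0.15", "dst_ip": "12.172.173.82",   "dst_port": 2087},  # host hit, port not in subset
    {"src_ip": "10.0.0.22", "dst_ip": "142.250.72.14",   "dst_port": 443},   # benign
    {"src_ip": "10.0.0.15", "dst_ip": "70.28.50.223",    "dst_port": 3389},  # exact hit
]

if __name__ == "__main__":
    c2 = parse_c2(C2_TEXT)
    print("ports:", port_histogram(c2).most_common())
    print("multi-port hosts:", multi_port_hosts(c2))
    for alert in match_flows(SAMPLE_FLOWS, c2):
        print("ALERT", alert)
```

Feed the full 119-entry list into `C2_TEXT` to use it against real flow logs; the host-only match should page a human rather than block automatically.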
Signatures
-
Blocklisted process makes network request (1 IoC)
  flow 2   PID 1804   msiexec.exe
Loads dropped DLL (1 IoC)
  PID 4692   rundll32.exe
Enumerates connected drives (3 TTPs, 24 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  File opened (read-only) by msiexec.exe: \??\A: through \??\Z:, every drive letter except C: and D: (24 entries).
  Caveat: the process here is the Windows Installer service instance (msiexec.exe /V), which probes all volumes while costing an install; on its own this is MSI behaviour, not the payload's.
Drops file in Windows directory (6 IoCs)
  File opened for modification   C:\Windows\Installer\MSIFCB4.tmp                            msiexec.exe
  File opened for modification   C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log   msiexec.exe
  File opened for modification   C:\Windows\Installer\                                       msiexec.exe
  File created                   C:\Windows\Installer\inprogressinstallinfo.ipi              msiexec.exe
  File opened for modification   C:\Windows\Installer\MSIE05E.tmp                            msiexec.exe
  File created                   C:\Windows\Installer\e57dfe2.msi                            msiexec.exe
  Note: C:\Windows\Installer\e57dfe2.msi is the Installer's cached copy of the package; it remains on disk after the install completes and is worth collecting from an infected host.
Checks SCSI registry key(s) (3 TTPs, 5 IoCs)
  SCSI information is often read in order to detect sandboxing environments.
  Base key: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters
  Key created        <base>\Partmgr                                                          vssvc.exe
  Set value (data)   <base>\Partmgr\PartitionTableCache = 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   vssvc.exe
  Set value (data)   <base>\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000   vssvc.exe
                     (the value begins with the ASCII tag SNAPPART)
  Key opened         <base>                                                                  vssvc.exe
  Key queried        <base>                                                                  vssvc.exe
  Caveat: all five entries belong to vssvc.exe writing partition-manager caches while it creates the shadow copy for the restore point (see the srtasks.exe child of msiexec.exe below). None are attributed to the sample's own processes, so this signature is not evidence of sandbox detection by the payload.
Suspicious behavior: EnumeratesProcesses (64 IoCs)
  PID 1804   msiexec.exe    (2 entries)
  PID 4692   rundll32.exe   (2 entries)
  PID 4928   wermgr.exe     (60 entries)
Suspicious use of AdjustPrivilegeToken (64 IoCs)
  PID 2036  wscript.exe  (31 entries): SeShutdownPrivilege, SeIncreaseQuotaPrivilege, SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege, SeMachineAccountPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeSyncAgentPrivilege, SeEnableDelegationPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege (SeShutdownPrivilege and SeIncreaseQuotaPrivilege appear twice)
  PID 1804  msiexec.exe  (30 entries): SeSecurityPrivilege, SeBackupPrivilege, then repeated pairs of SeRestorePrivilege and SeTakeOwnershipPrivilege
  PID 2104  vssvc.exe    (3 entries):  SeBackupPrivilege, SeRestorePrivilege, SeAuditPrivilege
  Note: a JScript file cannot call AdjustTokenPrivileges itself; the full-privilege-set pattern in wscript.exe comes from a library loaded into the script host. It is consistent with the script driving Windows Installer through COM (an inference; the report does not show the script's content), which would also explain why msiexec.exe /V appears at the root of the tree rather than as a child of wscript.exe.
Suspicious use of FindShellTrayWindow (2 IoCs)
  PID 2036   wscript.exe   (2 entries)
Suspicious use of WriteProcessMemory (15 IoCs)
  PID 1804 msiexec.exe   wrote to PID 1236 (srtasks.exe,  target #94)   x2
  PID 1804 msiexec.exe   wrote to PID 2288 (rundll32.exe, target #97)   x2
  PID 1804 msiexec.exe   wrote to PID 3576 (wscript.exe,  target #98)   x2
  PID 2288 rundll32.exe  wrote to PID 4692 (rundll32.exe, target #99)   x3
  PID 4692 rundll32.exe  wrote to PID 4928 (wermgr.exe,   target #100)  x6
  Caveat: the writes from msiexec.exe into its three children, and from the 64-bit rundll32.exe into the 32-bit one, are what any parent does when it creates a child process. The six writes from rundll32.exe (4692) into wermgr.exe (4928) are the injection step: wermgr.exe is started with no arguments and, from then on, is the process that carries the activity (60 EnumeratesProcesses entries above).
Uses Volume Shadow Copy service COM API
  The Volume Shadow Copy service is used to manage backups/snapshots.
  Here it is driven by the installer transaction: msiexec.exe (1804) launched srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2 and vssvc.exe (2104) started, i.e. a system restore point was created for the MSI install. The report records no shadow-copy deletion.
Processes
  wscript.exe (PID 2036)   C:\Windows\system32\wscript.exe
    cmdline: wscript.exe C:\Users\Admin\AppData\Local\Temp\ProjectFunding_450726_Jun01.js
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
  msiexec.exe (PID 1804)   C:\Windows\system32\msiexec.exe
    cmdline: C:\Windows\system32\msiexec.exe /V
    - Blocklisted process makes network request
    - Enumerates connected drives
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    |- srtasks.exe (PID 1236)   C:\Windows\system32\srtasks.exe
    |    cmdline: C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
    |- rundll32.exe (PID 2288)   C:\Windows\system32\rundll32.exe
    |    cmdline: rundll32.exe C:\Users\Admin\AppData\Local\AdobeAcrobatPDFBrowserPlugin\main.dll,next
    |    - Suspicious use of WriteProcessMemory
    |    |- rundll32.exe (PID 4692)   C:\Windows\SysWOW64\rundll32.exe
    |         cmdline: rundll32.exe C:\Users\Admin\AppData\Local\AdobeAcrobatPDFBrowserPlugin\main.dll,next
    |         - Loads dropped DLL
    |         - Suspicious behavior: EnumeratesProcesses
    |         - Suspicious use of WriteProcessMemory
    |         |- wermgr.exe (PID 4928)   C:\Windows\SysWOW64\wermgr.exe
    |              cmdline: C:\Windows\SysWOW64\wermgr.exe
    |              - Suspicious behavior: EnumeratesProcesses
    |- wscript.exe (PID 3576)   C:\Windows\system32\wscript.exe
         cmdline: wscript.exe C:\Users\Admin\AppData\Local\AdobeAcrobatPDFBrowserPlugin\notify.vbs
  vssvc.exe (PID 2104)   C:\Windows\system32\vssvc.exe
    cmdline: C:\Windows\system32\vssvc.exe
    - Checks SCSI registry key(s)
    - Suspicious use of AdjustPrivilegeToken

Chain, as the tree shows it: the lure .js runs under wscript.exe; the Windows Installer service instance (msiexec.exe /V) performs an install that makes a network request (flow 2), caches e57dfe2.msi, creates a restore point via srtasks.exe, and launches rundll32.exe on main.dll's `next` export from %LOCALAPPDATA%\AdobeAcrobatPDFBrowserPlugin plus a notify.vbs from the same directory. The 64-bit rundll32.exe re-launches itself as 32-bit (SysWOW64), which loads the dropped DLL and injects into wermgr.exe, the process that then carries the Qakbot activity. The report does not show wscript.exe spawning msiexec.exe directly; the service instance at the root of the tree is consistent with the script invoking Windows Installer through COM, which is an inference rather than something the report states.
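The tree above is the part of this report that generalises to detection: script host running a file from AppData, the Installer service launching rundll32 on a user-writable DLL with a named export, and rundll32 spawning wermgr.exe. The block below is an added example, not part of the tria.ge report or of any vendor's rule set: four process-lineage rules evaluated over constructed process-creation events. The event layout (pid, ppid, image, cmdline) and the parent PIDs 600 and 700 are assumptions of the example; the other values mirror the report's tree, plus one benign msiexec control event that must not fire. The rules are written to catch the general pattern (any script type under AppData, any AppData DLL given to rundll32, any script host or LOLBin under msiexec /V), not only this sample's paths.

```python
"""
Added example (not part of the tria.ge report): lineage rules for the execution
chain in the process tree above, evaluated over constructed process-creation
events. Event layout and the parent PIDs 600/700 are assumptions of the example.
"""
import re
from collections import defaultdict

EVENTS = [  # constructed, shaped after the report's tree (not a real Sysmon export)
    {"pid": 2036, "ppid": 600, "image": r"C:\Windows\system32\wscript.exe",
     "cmdline": r"wscript.exe C:\Users\Admin\AppData\Local\Temp\ProjectFunding_450726_Jun01.js"},
    {"pid": 1804, "ppid": 700, "image": r"C:\Windows\system32\msiexec.exe",
     "cmdline": r"C:\Windows\system32\msiexec.exe /V"},
    {"pid": 1236, "ppid": 1804, "image": r"C:\Windows\system32\srtasks.exe",
     "cmdline": r"C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2"},
    {"pid": 2288, "ppid": 1804, "image": r"C:\Windows\system32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Users\Admin\AppData\Local\AdobeAcrobatPDFBrowserPlugin\main.dll,next"},
    {"pid": 4692, "ppid": 2288, "image": r"C:\Windows\SysWOW64\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Users\Admin\AppData\Local\AdobeAcrobatPDFBrowserPlugin\main.dll,next"},
    {"pid": 4928, "ppid": 4692, "image": r"C:\Windows\SysWOW64\wermgr.exe",
     "cmdline": r"C:\Windows\SysWOW64\wermgr.exe"},
    {"pid": 3576, "ppid": 1804, "image": r"C:\Windows\system32\wscript.exe",
     "cmdline": r"wscript.exe C:\Users\Admin\AppData\Local\AdobeAcrobatPDFBrowserPlugin\notify.vbs"},
    {"pid": 5000, "ppid": 700, "image": r"C:\Windows\system32\msiexec.exe",   # benign control
     "cmdline": r"msiexec.exe /i C:\Users\Admin\Downloads\setup.msi /qn"},
]

# Anything under a user's AppData is writable without admin rights.
USER_WRITABLE = re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\", re.I)

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def script_host_from_user_dir(ev, parent):
    """wscript/cscript running a script stored under AppData (the lure .js and
    the later notify.vbs both match)."""
    if basename(ev["image"]) not in ("wscript.exe", "cscript.exe"):
        return False
    m = re.search(r"(\S+\.(?:js|jse|vbs|vbe|wsf))\b", ev["cmdline"], re.I)
    return bool(m and USER_WRITABLE.match(m.group(1)))

def rundll32_user_dll_export(ev, parent):
    """rundll32 given an AppData DLL path and a named export ('main.dll,next')."""
    if basename(ev["image"]) != "rundll32.exe":
        return False
    m = re.search(r"(\S+\.dll)\s*,\s*\S+", ev["cmdline"], re.I)
    return bool(m and USER_WRITABLE.match(m.group(1)))

def installer_service_spawns_child(ev, parent):
    """The Installer service instance (msiexec.exe /V) launching a script host
    or rundll32: custom actions of a hostile MSI. srtasks.exe is deliberately
    not listed, so the restore-point child does not fire."""
    if parent is None or basename(parent["image"]) != "msiexec.exe":
        return False
    if "/v" not in parent["cmdline"].lower().split():
        return False
    return basename(ev["image"]) in ("rundll32.exe", "wscript.exe", "cscript.exe",
                                     "cmd.exe", "powershell.exe")

def rundll32_spawns_wermgr(ev, parent):
    """rundll32 creating wermgr.exe, the injection target in the report;
    wermgr.exe is not normally a child of rundll32.exe."""
    return (parent is not None and basename(parent["image"]) == "rundll32.exe"
            and basename(ev["image"]) == "wermgr.exe")

RULES = {f.__name__: f for f in (script_host_from_user_dir, rundll32_user_dll_export,
                                  installer_service_spawns_child, rundll32_spawns_wermgr)}

def evaluate(events):
    """Return {pid: [rule names]} for every event matching at least one rule."""
    by_pid = {e["pid"]: e for e in events}
    hits = defaultdict(list)
    for ev in events:
        parent = by_pid.get(ev["ppid"])
        for name, rule in RULES.items():
            if rule(ev, parent):
                hits[ev["pid"]].append(name)
    return dict(hits)

def lineage(events, pid):
    """Image basenames from the oldest known ancestor down to pid, for triage output."""
    by_pid = {e["pid"]: e for e in events}
    chain = []
    while pid in by_pid:
        chain.append(basename(by_pid[pid]["image"]))
        pid = by_pid[pid]["ppid"]
    return chain[::-1]

if __name__ == "__main__":
    for pid, names in sorted(evaluate(EVENTS).items()):
        print(pid, " > ".join(lineage(EVENTS, pid)), names)
```

The msiexec.exe /V instance and srtasks.exe produce no hits on their own, which is the intended behaviour: an MSI install is not the signal, the children it launches are.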
Network
MITRE ATT&CK Enterprise v6
Downloads
  - Filesize 9KB
    MD5    6f8cfe52124f47714b043d07e18e972c
    SHA1   4ac0a41ae8c02759662821c73505095ae2b44475
    SHA256 4c3b9641b154c519922dbc9a4020aae89b8c8581d5185171f27cb1ccf2dce498
    SHA512 a60aeb6b3a69638f4fb5571167f5355680cfbc3f78b892c4089612c5887404c7cc8262ef4b30d8ad5fc763aceb13806247dc713b7ff521cefff3d50e6fe20dd2
  - Filesize 752KB
    MD5    12b90779ae5dd6239f0cf41c1bc2a2d4
    SHA1   f3e00ea8a86ccdcd0a3d252e98f9e8e194052286
    SHA256 bf8b2a3b17dd1379f749d0b9b709bfce9774ccf889d490a46a97b76632ad8a2f
    SHA512 9bee8bea7f8941f40fa0ef8605fe942d91ae789059023b1fb5878457a7b317b916629a1c194a25f177530cbb677cf91fd946e94b067e245b847189984b4bc4bd
  - Filesize 752KB (identical hashes to the previous entry)
    MD5    12b90779ae5dd6239f0cf41c1bc2a2d4
    SHA1   f3e00ea8a86ccdcd0a3d252e98f9e8e194052286
    SHA256 bf8b2a3b17dd1379f749d0b9b709bfce9774ccf889d490a46a97b76632ad8a2f
    SHA512 9bee8bea7f8941f40fa0ef8605fe942d91ae789059023b1fb5878457a7b317b916629a1c194a25f177530cbb677cf91fd946e94b067e245b847189984b4bc4bd
  - Filesize 132B
    MD5    0d4c9f15ce74465c59ae36a27f98c817
    SHA1   9cce8eefa4d3d9c5e161c5dbb860cfe1489c6b1a
    SHA256 d24e3399060b51f3a1c9d41a67de2601888a35c99da8db70070d757bb3f1913a
    SHA512 9bed0eafc2cf2a2360850ca1070ffb04ac14f04c78379485998a93f45012b5c11cc7f6f68129f65b8b5f90437cb965908c6a1bb9d83a56b068d6bde1d5fdad1f
  - Filesize 404KB
    MD5    9b06cae676c6086192a8ddd303332849
    SHA1   e50c2ee48427547edf22f247b0f16def69eb17d5
    SHA256 d0e8241fa1ea48137aa8683131042f92e4faf8621e02838a83d9fd8d07971d2d
    SHA512 40f486154f3b019450a95c41bd240b2fd34e7e3ce12e9dcb51695a8e69d2226c0ccae5d3cd1283ebb1e146fd374902867284def5b44e0f6d2e58b6d63f1406ca
  - Filesize 23.0MB
    MD5    131bb42b21e1b4a2aa4223c4d624a446
    SHA1   2617269ddcee28a3ac7cae97389b9b9357d4d59d
    SHA256 38b78600cca710f164c9dc6828c8d8d4ed87cedac553e2d92da227920894ba49
    SHA512 f56e26f24362bf1900dad0280a791938c80094723357b717ddc29311038fed7c4485cdb9aedf1cb268e9f4cc1940c4df8acf57d232bd822620322d349baf6906
  - \??\Volume{07416f20-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{af993a4c-2f1f-4a5f-9aac-c1f32022f0de}_OnDiskSnapshotProp
    (System Protection restore-point metadata written during the VSS snapshot, not a payload artifact)
    Filesize 5KB
    MD5    e7c286efa738a86ee4375c0da9b35f0a
    SHA1   c9a129218a2b71b78e5e6385ec0564b69bef3493
    SHA256 823bc43f8be14c7b046d51de2529c8d6741ec26e1a398195035f101fdf8d56b5
    SHA512 9787178ab9b0a715c4e888b0f6d965090d0db2be9c2ff0f1e31414af3c1f51c20e54f9bcc7c9e7423ea2ffb528b9f987b21f535c06a6420c02a1afd9b41ba806
  Note: only the last entry carries a path on the report; the others are listed by size and hash alone, so the dropped main.dll, notify.vbs and the cached MSI cannot be tied to specific hashes from this page.