Analysis
max time kernel: 143s
max time network: 151s
platform: windows7_x64
resource: win7-20230220-en
resource tags: arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
submitted: 09/06/2023, 20:29
Static task: static1
Behavioral task: behavioral1
  Sample: 734861f4226848bb53bcb7fbf84766128d04a251574ffe039f310050a2b8340c.vbs.js
  Resource: win7-20230220-en
Behavioral task: behavioral2
  Sample: 734861f4226848bb53bcb7fbf84766128d04a251574ffe039f310050a2b8340c.vbs.js
  Resource: win10v2004-20230221-en
General
Target: 734861f4226848bb53bcb7fbf84766128d04a251574ffe039f310050a2b8340c.vbs.js
Size: 95.4MB
MD5: 908c8875c901cb573703ee5ca873d559
SHA1: 375c29372950e7ac683827c811b7bacdfbdc3882
SHA256: 734861f4226848bb53bcb7fbf84766128d04a251574ffe039f310050a2b8340c
SHA512: df29cb9d8ac1fa6c4a88f166f62e59c2715c87221d19ec84786e219b6a98d9a5cf3ac277d0e2f0c6e8bdf6c355f314240c3911866ca3fda81cab27d0e7166ba8
SSDEEP: 192:8ZVh7aiI1rk2H2ZSm35+vhOJzLq8MyOY:mVciI1S4YZPMVY
Malware Config
Extracted
vjw0rm
http://js8100.duckdns.org:8100
Signatures

Blocklisted process makes network request (1 IoCs)
  flow: 4
  pid: 1296
  Process: wscript.exe

Drops startup file (1 IoCs)
  description: File created
  ioc: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\734861f4226848bb53bcb7fbf84766128d04a251574ffe039f310050a2b8340c.vbs.js
  Process: wscript.exe

Adds Run key to start application (2 TTPs, 2 IoCs)
  description: Key created
  ioc: \REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Windows\CurrentVersion\Run
  Process: wscript.exe

  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Windows\CurrentVersion\Run\2VHXHE600O = "\"C:\\Users\\Admin\\AppData\\Roaming\\734861f4226848bb53bcb7fbf84766128d04a251574ffe039f310050a2b8340c.vbs.js\""
  Process: wscript.exe

Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).

Creates scheduled task(s) (1 TTPs, 1 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid: 1920
  Process: schtasks.exe

Suspicious use of WriteProcessMemory (3 IoCs)
  description: PID 1296 wrote to memory of 1920
  pid: 1296
  Process: wscript.exe
  procid_target: 29

  description: PID 1296 wrote to memory of 1920
  pid: 1296
  Process: wscript.exe
  procid_target: 29

  description: PID 1296 wrote to memory of 1920
  pid: 1296
  Process: wscript.exe
  procid_target: 29

Uses Task Scheduler COM API (1 TTPs)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

C:\Windows\system32\wscript.exe
  Command line: wscript.exe C:\Users\Admin\AppData\Local\Temp\734861f4226848bb53bcb7fbf84766128d04a251574ffe039f310050a2b8340c.vbs.js
  PID: 1296
  - Blocklisted process makes network request
  - Drops startup file
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory

  C:\Windows\System32\schtasks.exe
    Command line: "C:\Windows\System32\schtasks.exe" /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Roaming\734861f4226848bb53bcb7fbf84766128d04a251574ffe039f310050a2b8340c.vbs.js
    PID: 1920
    - Creates scheduled task(s)