Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
37s -
max time network
101s -
platform
windows7_x64 -
resource
win7-20230220-en -
resource tags
arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system -
submitted
14/06/2023, 12:12
Static task
static1
Behavioral task
behavioral1
Sample
docu_DF631_Jun_14_1.js
Resource
win7-20230220-en
Behavioral task
behavioral2
Sample
docu_DF631_Jun_14_1.js
Resource
win10v2004-20230220-en
Behavioral task
behavioral3
Sample
docu_DF631_Jun_14_2.js
Resource
win7-20230220-en
Behavioral task
behavioral4
Sample
docu_DF631_Jun_14_2.js
Resource
win10v2004-20230220-en
Behavioral task
behavioral5
Sample
docu_DF631_Jun_14_3.js
Resource
win7-20230220-en
Behavioral task
behavioral6
Sample
docu_DF631_Jun_14_3.js
Resource
win10v2004-20230221-en
General
-
Target
docu_DF631_Jun_14_3.js
-
Size
22KB
-
MD5
c6c69d731f0d8972ad9c949054fe3a61
-
SHA1
c5d8530883a26074eea3bcaee046930710b70c53
-
SHA256
b0deea498617139a91f4fa0c43645268d0cdb0e5e7c19f31957c4708b7675875
-
SHA512
57f4220019e12d21a95fa4d1fc35cba6cf2f034c4663959c6b6dccbab93c9f5fd75f634aa6ef9e72e5ac1b11d11e28c4789bcfc9b6ccc1c8eacdc5529217ad49
-
SSDEEP
384:IlxwNHnWmEwxhJyyzgZT7yOjOt4kmtd70Sft:IlxwtWpwM9yV2d
Malware Config
Signatures
-
Blocklisted process makes network request 2 IoCs
flow pid Process 4 1692 wscript.exe 6 1692 wscript.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474 wscript.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 040000000100000010000000acb694a59c17e0d791529bb19706a6e40f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f0b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f007400000053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df01d0000000100000010000000918ad43a9475f78bb5243de886d8103c09000000010000000c000000300a06082b06010505070301030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47419000000010000001000000068cb42b035ea773e52ef50ecf50ec52920000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9 wscript.exe -
Suspicious use of WriteProcessMemory 3 IoCs
description pid Process procid_target PID 1692 wrote to memory of 1044 1692 wscript.exe 30 PID 1692 wrote to memory of 1044 1692 wscript.exe 30 PID 1692 wrote to memory of 1044 1692 wscript.exe 30
Processes
-
C:\Windows\system32\wscript.exewscript.exe C:\Users\Admin\AppData\Local\Temp\docu_DF631_Jun_14_3.js1⤵
- Blocklisted process makes network request
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:1692 -
C:\Windows\System32\conhost.exe"C:\Windows\System32\conhost.exe" rundll32.exe prism.tmp,must2⤵PID:1044
-