Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
150s -
max time network
154s -
platform
windows10-1703_x64 -
resource
win10-20230703-en -
resource tags
arch:x64arch:x86image:win10-20230703-enlocale:en-usos:windows10-1703-x64system -
submitted
05/07/2023, 18:13
Static task
static1
Behavioral task
behavioral1
Sample
6220_837_pdf.js
Resource
win7-20230705-en
Behavioral task
behavioral2
Sample
6220_837_pdf.js
Resource
win10-20230703-en
Behavioral task
behavioral3
Sample
6220_837_pdf.js
Resource
win10v2004-20230703-en
General
-
Target
6220_837_pdf.js
-
Size
320KB
-
MD5
8008857b28d94bb0df9b513906ed1508
-
SHA1
d88e06d7ace9289d09a652e294c0654cfd0b573d
-
SHA256
de98a33ed6bbd7f0d48346d4a55fb7519b9d6c5afa0e1b46e97c41d0a722fd47
-
SHA512
720f41be8cbd3545d54d4a307559a460e4b2da0a75dc48914f1bd6645911cfb9a0a95f493afdb91f825d8296d2d1d578750f414a31580851a2be0d8c5a15bacc
-
SSDEEP
1536:JAYMJMMPQXgBFhHZqOQYcEp24+zVevP5e+3kGra+TmarAYvJMMPQXgBFhHZrOQYW:RgBFhQOQY06TagBFhFOQY06T4
Malware Config
Extracted
http://cryptersandtools.minhacasa.tv/e/js_startup
Signatures
-
Blocklisted process makes network request 1 IoCs
flow pid Process 2 1260 powershell.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 3 IoCs
pid Process 1260 powershell.exe 1260 powershell.exe 1260 powershell.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 1260 powershell.exe -
Suspicious use of WriteProcessMemory 2 IoCs
description pid Process procid_target PID 2220 wrote to memory of 1260 2220 wscript.exe 71 PID 2220 wrote to memory of 1260 2220 wscript.exe 71
Processes
-
C:\Windows\system32\wscript.exewscript.exe C:\Users\Admin\AppData\Local\Temp\6220_837_pdf.js1⤵
- Suspicious use of WriteProcessMemory
PID:2220 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionPolicy Bypass -File "C:\Users\Public\WnKdUR.ps1"2⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1260
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1B
MD5c4ca4238a0b923820dcc509a6f75849b
SHA1356a192b7913b04c54574d18c28d46e6395428ab
SHA2566b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA5124dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a
-
Filesize
471B
MD56e6269ed0b905042ee927c784c7a3942
SHA1a86e24af3b84a17e2fef61b80887d2fee82c9098
SHA256d0564475466126aca0b1ee5996fe2161becbe147406daeac12b6af3276a213ba
SHA5127c1c4b71f4cb1de86dcdbc94f78760d29bbdeb671efeca16abf114ebfa015f32951d58da6deec355fac30ddb4b601a1ed5e5e866379a97478f59767d56cf1ffd