Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
137s -
max time network
140s -
platform
windows7_x64 -
resource
win7-20231020-en -
resource tags
-
submitted
24/10/2023, 07:45
General
-
Target
Order_1000213789.PDF.js
-
Size
22KB
-
MD5
f82e5618177e656fb110dca5c85f8f6c
-
SHA1
23bd788c1ac23a348513aefb0dc2f6e39d1261d0
-
SHA256
95281ecb56d0fa65d5d46d6ee034e955c72413c7272d1634afbbb7211555bb91
-
SHA512
cb005091bdbd87277de40409c2be840abdfcc91019ef6d0fba5c522e7056155cae06302d4cc037a07f17cdc48bca1c3383c269510706386200892553d52ac7a7
-
SSDEEP
384:2QC2q9GT4Il9gHgLWViTwSqKTCsLzKc5YqPlkB+T6inMNcqyj8Wj4aKfC:e2LTz6V6q6CsLWcaqPl3WinM+qZE4aN
Malware Config
Extracted
vjw0rm
http://severdops.ddns.net:5050
Signatures
-
Vjw0rm
Vjw0rm is a remote access trojan written in JavaScript.
-
Blocklisted process makes network request 1 IoCs
-
Drops startup file 1 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious use of WriteProcessMemory 3 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Windows\system32\wscript.exewscript.exe C:\Users\Admin\AppData\Local\Temp\Order_1000213789.PDF.js1⤵
- Blocklisted process makes network request
- Drops startup file
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Roaming\Order_1000213789.PDF.js2⤵
- Creates scheduled task(s)
-