Analysis
-
max time kernel
147s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20231222-en -
resource tags
arch:x64, arch:x86, image:win10v2004-20231222-en, locale:en-us, os:windows10-2004-x64, system -
submitted
15/01/2024, 02:51 UTC
Static task
static1
Behavioral task
behavioral1
Sample
5bf1a543796637bd57aed27f8fcf67e7.js
Resource
win7-20231129-en
Behavioral task
behavioral2
Sample
5bf1a543796637bd57aed27f8fcf67e7.js
Resource
win10v2004-20231222-en
General
-
Target
5bf1a543796637bd57aed27f8fcf67e7.js
-
Size
52KB
-
MD5
5bf1a543796637bd57aed27f8fcf67e7
-
SHA1
ba263f1a5157a912e7a0984602ce910d97366b8b
-
SHA256
1e60267536edbee8cc12a8757fe147727bf4513b6e4ae7fb1329ccf95344933e
-
SHA512
6f0306906716f46a9fa82d3ee1876f36abbe999ba7fcfdc2cb27653cf902c59d2e83d7f010c261b836cff394770df4ac208d43ef709287f7701384c8874b245b
-
SSDEEP
768:M13RwPVMMh26+la3RnMf73Ibq5ajmsdPwieARXXRi1ClK6RJ+3l3lrIOwkxb:Q3RwpY6+la3BS7TypwZARnqcbOweb
Malware Config
Signatures
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description: Key value queried | ioc: \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation | Process: wscript.exe
-
Drops startup file 4 IoCs
description: File opened for modification | ioc: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BcZlevrPxo.js | Process: wscript.exe
description: File created | ioc: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\take90.vbs | Process: wscript.exe
description: File opened for modification | ioc: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\take90.vbs | Process: wscript.exe
description: File created | ioc: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BcZlevrPxo.js | Process: wscript.exe
-
Adds Run key to start application 2 TTPs 3 IoCs
description: Set value (str) | ioc: \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\take90 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\take90.vbs\"" | Process: wscript.exe
description: Set value (str) | ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\take90 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\take90.vbs\"" | Process: wscript.exe
description: Set value (str) | ioc: \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SEJOKAOI5S = "\"C:\\Users\\Admin\\AppData\\Roaming\\BcZlevrPxo.js\"" | Process: wscript.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious use of WriteProcessMemory 4 IoCs
description: PID 1500 wrote to memory of 4732 | pid: 1500 | Process: wscript.exe | procid_target: 88
description: PID 1500 wrote to memory of 4732 | pid: 1500 | Process: wscript.exe | procid_target: 88
description: PID 1500 wrote to memory of 4984 | pid: 1500 | Process: wscript.exe | procid_target: 89
description: PID 1500 wrote to memory of 4984 | pid: 1500 | Process: wscript.exe | procid_target: 89
Processes
-
C:\Windows\system32\wscript.exe
Command line: wscript.exe C:\Users\Admin\AppData\Local\Temp\5bf1a543796637bd57aed27f8fcf67e7.js
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1500
    -
    C:\Windows\System32\wscript.exe
    Command line: "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\BcZlevrPxo.js"
    - Drops startup file
    - Adds Run key to start application
    PID:4732
    -
    C:\Windows\System32\wscript.exe
    Command line: "C:\Windows\System32\wscript.exe" "C:\Users\Admin\AppData\Local\Temp\take90.vbs"
    - Drops startup file
    - Adds Run key to start application
    PID:4984
-
Network
-
Remote address: 8.8.8.8:53
Request: myroyailrubin2019.duia.ro IN A
Response: (empty)
-
Remote address: 8.8.8.8:53
Request: desireblex.ddns.net IN A
Response: desireblex.ddns.net IN A 0.0.0.0
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
13KB
MD5
c144aabf6a599097eafe80ea421708d6
SHA1
6cafcd68e7cb5dee5ce8ca7a4b5be7762038cbcc
SHA256
760ea4debdf2ab6968f0db5caa873f77375ed5614ff0107cd96f10de343240a2
SHA512
82ee26896380705f419fc25fc65bc8b1124e433a869597340f6de20020ae8e2a54d98ad372a782f777dfab37cba33afb95be7db7e7e7cb32f690eff1cc591008
-
Filesize
10KB
MD5
554108711a6d03fb0e8d99913f690006
SHA1
c95410a0eb00465103036857bd09db3412e77ceb
SHA256
d522485de782fb71950a600c1167dd0951514f62168d36434040f291ee072bb1
SHA512
773ebda305c28e83127456d620a481f292898979c4792156f2f42b5fa033643e6a43de52f51b59414d7a807b1813998fff1e7beeb59f37cba6ec95c3956c425b