Analysis
max time kernel: 149s
max time network: 151s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
submitted: 25/01/2024, 02:00
Static task: static1
Behavioral task: behavioral1
  Sample: 7371063acbfacc81ffdeaeea7e75eb99.js
  Resource: win7-20231215-en
Behavioral task: behavioral2
  Sample: 7371063acbfacc81ffdeaeea7e75eb99.js
  Resource: win10v2004-20231222-en
General
Target: 7371063acbfacc81ffdeaeea7e75eb99.js
Size: 201KB
MD5: 7371063acbfacc81ffdeaeea7e75eb99
SHA1: 28ee63662467f1ab7c682eec227b66db7ccadeca
SHA256: 6915f06eb48cc9d71dbc136313c6a935b36844641f9b2ae1e85e08ccc74d8e73
SHA512: 8b3bebb2cd6f97a49f98e3072393ea6ad2f46e0f4ba4a25b1293c10b1fe75e192800d6b47c60b03680934517e35d2dc6c4786f0122785675e1cc2e247fa292dd
SSDEEP: 3072:g4XSfd1uBfPamtsz6VVKDllWtfjKNan1a4Bbn8PUyBJAN:ofPK1fVaWhONi1J78PMN
Malware Config
Signatures

Drops startup file (2 IoCs)
  description                    ioc                                                                                           process
  File created                   C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PNIsXqzyQf.js    WScript.exe
  File opened for modification   C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PNIsXqzyQf.js    WScript.exe

Adds Run key to start application (2 TTPs, 1 IoC)
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Run\SEJOKAOI5S = "\"C:\\Users\\Admin\\AppData\\Roaming\\PNIsXqzyQf.js\""
  process: WScript.exe

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

Suspicious use of WriteProcessMemory (6 IoCs)
  description                           pid    process       procid_target
  PID 2964 wrote to memory of 2692      2964   wscript.exe   28
  PID 2964 wrote to memory of 2692      2964   wscript.exe   28
  PID 2964 wrote to memory of 2692      2964   wscript.exe   28
  PID 2964 wrote to memory of 2776      2964   wscript.exe   29
  PID 2964 wrote to memory of 2776      2964   wscript.exe   29
  PID 2964 wrote to memory of 2776      2964   wscript.exe   29
Processes

1. C:\Windows\system32\wscript.exe
   Command line: wscript.exe C:\Users\Admin\AppData\Local\Temp\7371063acbfacc81ffdeaeea7e75eb99.js
   PID: 2964
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\System32\WScript.exe
      Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\PNIsXqzyQf.js"
      PID: 2692
      - Drops startup file
      - Adds Run key to start application

   2. C:\Program Files\Java\jre7\bin\javaw.exe
      Command line: "C:\Program Files\Java\jre7\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\swkitiig.txt"
      PID: 2776
Network
MITRE ATT&CK Enterprise v15
Downloads

File 1
  Filesize: 9KB
  MD5: 93451bfa41b44af1f45d80b9feb2a73d
  SHA1: ea15542e8ebf859d751de6af1af3966d73a16f1a
  SHA256: 9ee8fb95e2771cf84659aa10cfa773a90ba5d58b577f489ec808d6fce7fbd6cb
  SHA512: 145be16dfce485c7c32077689c581e06f8bc1af9bc0f1e2fb8e02ddd7eafc11f5fa8a7a263e09bde4ee89d68bee4486cc8ccd939a15113b467ccadc42e4a1cbd

File 2
  Filesize: 92KB
  MD5: 06f61cd3d0cdf9257fcdac6483d4c1ba
  SHA1: f4eec20fdbc68dbdd8bb5fd1dfecd918b099ef2f
  SHA256: 424ba40767618afade696d3714c1ba1960ff91e3bc1658fa510cd2332baf2a2f
  SHA512: 9aa7d19fb9999d0414d2399e14ccf43b66cbd6a1bf54be6538b6a0a9e9ac096bdc065a43e4d776ed5cd01a14562446fcd535979b0756781e132e13b27b575657