Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

1

test.js

windows7-x64

10

test.js

windows10-2004-x64

10

Analysis

  • max time kernel
    118s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20240220-en
  • resource tags

    arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
  • submitted
    22/02/2024, 08:02

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    test.js

  • Size

    1.7MB

  • MD5

    968ee3bb4dd8c643334ada06e3265c72

  • SHA1

    b4e2438a08f1581e79435bc2b2a00d3c3c1271a7

  • SHA256

    594b1e33e576cd7f28ed0bbeeb46ea16e80c1db7d1048e8a040abbfdb0e8467e

  • SHA512

    51085e2ad98a44217a03aad7569e036c57d6cdb8243f30e1dcc6c7d3ea13da963f78744678cfbed25b544bdbf839e3347d601dfbfa5de90b62eaa46e3690990d

  • SSDEEP

    12288:SeEYbhfw4Y/hz2z+FIE5AlQlDu90TsDJWx5u1xNydLpg8hC6gQl6GfwgqqQkv2Gq:Sefbhfj8SWHu1/wD5HroObm

Score
10/10
gootloaderloader

Malware Config

Signatures

  • GootLoader

    JavaScript loader known for delivering other families such as Gootkit and Cobaltstrike.

    loadergootloader
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\wscript.exe
    wscript.exe C:\Users\Admin\AppData\Local\Temp\test.js
    1⤵
      PID:2908
    • C:\Windows\system32\taskeng.exe
      taskeng.exe {F6A19624-5B33-49F6-9FA2-9D952AD899E7} S-1-5-21-2721934792-624042501-2768869379-1000:BISMIZHX\Admin:Interactive:[1]
      1⤵
      • Suspicious use of WriteProcessMemory
      PID:2548
      • C:\Windows\system32\wscript.EXE
        C:\Windows\system32\wscript.EXE SEMANT~1.JS
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:2792
        • C:\Windows\System32\cscript.exe
          "C:\Windows\System32\cscript.exe" "SEMANT~1.JS"
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:2416
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            powershell
            4⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2412

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Roaming\Adobe\SEMANT~1.JS
      Filesize

      40.5MB

      MD5

      243a2eb026721630620da8359936ca6e

      SHA1

      492b84b11ebf0aa8632db34737303a5009ca49a9

      SHA256

      19278631931ffdd217c0ba9a33c1964fb8dbb9a7faf694302de19026e79ca141

      SHA512

      3171bfd2af9a2976755b56fce04f0915b82d2dbf27918cd522e9ab9adc1a8caeec019bd1c637b7279f678bc50f44f062330e93e9960b4f73395269955a38aca1

      Download Submit

    • memory/2412-9-0x0000000002E00000-0x0000000002E80000-memory.dmp

      Filesize

      512KB

      Download

    • memory/2412-8-0x000007FEF5300000-0x000007FEF5C9D000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/2412-7-0x000000001B7B0000-0x000000001BA92000-memory.dmp

      Filesize

      2.9MB

      Download

    • memory/2412-10-0x0000000002770000-0x0000000002778000-memory.dmp

      Filesize

      32KB

      Download

    • memory/2412-11-0x000007FEF5300000-0x000007FEF5C9D000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/2412-13-0x0000000002E00000-0x0000000002E80000-memory.dmp

      Filesize

      512KB

      Download

    • memory/2412-12-0x0000000002E00000-0x0000000002E80000-memory.dmp

      Filesize

      512KB

      Download

    • memory/2412-14-0x0000000002E00000-0x0000000002E80000-memory.dmp

      Filesize

      512KB

      Download

    • memory/2412-15-0x000007FEF5300000-0x000007FEF5C9D000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/2412-16-0x0000000002E00000-0x0000000002E80000-memory.dmp

      Filesize

      512KB

      Download

    • memory/2412-17-0x0000000002E00000-0x0000000002E80000-memory.dmp

      Filesize

      512KB

      Download

    • memory/2412-18-0x0000000002E00000-0x0000000002E80000-memory.dmp

      Filesize

      512KB

      Download

    • memory/2412-19-0x0000000002E00000-0x0000000002E80000-memory.dmp

      Filesize

      512KB

      Download