Analysis
- max time kernel: 118s
- max time network: 118s
- platform: windows7_x64
- resource: win7-20240220-en
- resource tags: arch:x64, arch:x86, image:win7-20240220-en, locale:en-us, os:windows7-x64, system
- submitted: 22/02/2024, 08:02
Static task: static1
Behavioral task: behavioral1
- Sample: test.js
- Resource: win7-20240220-en
Behavioral task: behavioral2
- Sample: test.js
- Resource: win10v2004-20240221-en
General
- Target: test.js
- Size: 1.7MB
- MD5: 968ee3bb4dd8c643334ada06e3265c72
- SHA1: b4e2438a08f1581e79435bc2b2a00d3c3c1271a7
- SHA256: 594b1e33e576cd7f28ed0bbeeb46ea16e80c1db7d1048e8a040abbfdb0e8467e
- SHA512: 51085e2ad98a44217a03aad7569e036c57d6cdb8243f30e1dcc6c7d3ea13da963f78744678cfbed25b544bdbf839e3347d601dfbfa5de90b62eaa46e3690990d
- SSDEEP: 12288:SeEYbhfw4Y/hz2z+FIE5AlQlDu90TsDJWx5u1xNydLpg8hC6gQl6GfwgqqQkv2Gq:Sefbhfj8SWHu1/wD5HroObm
Malware Config
Signatures
- GootLoader
  JavaScript loader known for delivering other families such as Gootkit and Cobalt Strike.
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious behavior: EnumeratesProcesses (1 IoCs)
  pid   Process
  2412  powershell.exe
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  description              pid   Process
  Token: SeDebugPrivilege  2412  powershell.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  description                       pid   Process      procid_target
  PID 2548 wrote to memory of 2792  2548  taskeng.exe  31
  PID 2548 wrote to memory of 2792  2548  taskeng.exe  31
  PID 2548 wrote to memory of 2792  2548  taskeng.exe  31
  PID 2792 wrote to memory of 2416  2792  wscript.EXE  32
  PID 2792 wrote to memory of 2416  2792  wscript.EXE  32
  PID 2792 wrote to memory of 2416  2792  wscript.EXE  32
  PID 2416 wrote to memory of 2412  2416  cscript.exe  34
  PID 2416 wrote to memory of 2412  2416  cscript.exe  34
  PID 2416 wrote to memory of 2412  2416  cscript.exe  34
- Uses Task Scheduler COM API (1 TTPs)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- C:\Windows\system32\wscript.exe
  Command line: wscript.exe C:\Users\Admin\AppData\Local\Temp\test.js
  PID: 2908
- C:\Windows\system32\taskeng.exe
  Command line: taskeng.exe {F6A19624-5B33-49F6-9FA2-9D952AD899E7} S-1-5-21-2721934792-624042501-2768869379-1000:BISMIZHX\Admin:Interactive:[1]
  Suspicious use of WriteProcessMemory
  PID: 2548
  - C:\Windows\system32\wscript.EXE
    Command line: C:\Windows\system32\wscript.EXE SEMANT~1.JS
    Suspicious use of WriteProcessMemory
    PID: 2792
    - C:\Windows\System32\cscript.exe
      Command line: "C:\Windows\System32\cscript.exe" "SEMANT~1.JS"
      Suspicious use of WriteProcessMemory
      PID: 2416
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        Command line: powershell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        PID: 2412
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 40.5MB
  MD5: 243a2eb026721630620da8359936ca6e
  SHA1: 492b84b11ebf0aa8632db34737303a5009ca49a9
  SHA256: 19278631931ffdd217c0ba9a33c1964fb8dbb9a7faf694302de19026e79ca141
  SHA512: 3171bfd2af9a2976755b56fce04f0915b82d2dbf27918cd522e9ab9adc1a8caeec019bd1c637b7279f678bc50f44f062330e93e9960b4f73395269955a38aca1