Analysis
-
max time kernel
145s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20240221-en -
resource tags
arch:x64, arch:x86, image:win10v2004-20240221-en, locale:en-us, os:windows10-2004-x64, system -
submitted
22/02/2024, 08:02
Static task
static1
Behavioral task
behavioral1
Sample
test.js
Resource
win7-20240220-en
Behavioral task
behavioral2
Sample
test.js
Resource
win10v2004-20240221-en
General
-
Target
test.js
-
Size
1.7MB
-
MD5
968ee3bb4dd8c643334ada06e3265c72
-
SHA1
b4e2438a08f1581e79435bc2b2a00d3c3c1271a7
-
SHA256
594b1e33e576cd7f28ed0bbeeb46ea16e80c1db7d1048e8a040abbfdb0e8467e
-
SHA512
51085e2ad98a44217a03aad7569e036c57d6cdb8243f30e1dcc6c7d3ea13da963f78744678cfbed25b544bdbf839e3347d601dfbfa5de90b62eaa46e3690990d
-
SSDEEP
12288:SeEYbhfw4Y/hz2z+FIE5AlQlDu90TsDJWx5u1xNydLpg8hC6gQl6GfwgqqQkv2Gq:Sefbhfj8SWHu1/wD5HroObm
Malware Config
Signatures
-
GootLoader
JavaScript loader known for delivering other families such as Gootkit and Cobalt Strike.
-
Blocklisted process makes network request (2 IoCs)
flow  pid  Process
31    632  powershell.exe
34    632  powershell.exe -
Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
description        ioc                                                                                                  Process
Key value queried  \REGISTRY\USER\S-1-5-21-3538781373-1545967067-4263767959-1000\Control Panel\International\Geo\Nation  wscript.EXE -
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
-
Modifies registry class (2 IoCs)
description  ioc                                                                                                                      Process
Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\                                 powershell.exe
Key created  \REGISTRY\USER\S-1-5-21-3538781373-1545967067-4263767959-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\  powershell.exe -
Suspicious behavior: EnumeratesProcesses (6 IoCs)
pid  Process
632  powershell.exe
632  powershell.exe
632  powershell.exe
632  powershell.exe
632  powershell.exe
632  powershell.exe -
Suspicious use of AdjustPrivilegeToken (64 IoCs)
All 64 entries are token adjustments by powershell.exe, PID 632. The report lists them in three passes: the first pass is the 22 entries below, and the second and third passes each repeat the 21 entries from SeIncreaseQuotaPrivilege through 36 (22 + 21 + 21 = 64). Tokens 33 to 36 are privileges the sandbox reports by LUID rather than by name; the standard Windows LUID assignments are 33 = SeIncreaseWorkingSetPrivilege, 34 = SeTimeZonePrivilege, 35 = SeCreateSymbolicLinkPrivilege and 36 = SeDelegateSessionUserImpersonatePrivilege.
description                          pid  Process
Token: SeDebugPrivilege              632  powershell.exe
Token: SeIncreaseQuotaPrivilege      632  powershell.exe
Token: SeSecurityPrivilege           632  powershell.exe
Token: SeTakeOwnershipPrivilege      632  powershell.exe
Token: SeLoadDriverPrivilege         632  powershell.exe
Token: SeSystemProfilePrivilege      632  powershell.exe
Token: SeSystemtimePrivilege         632  powershell.exe
Token: SeProfSingleProcessPrivilege  632  powershell.exe
Token: SeIncBasePriorityPrivilege    632  powershell.exe
Token: SeCreatePagefilePrivilege     632  powershell.exe
Token: SeBackupPrivilege             632  powershell.exe
Token: SeRestorePrivilege            632  powershell.exe
Token: SeShutdownPrivilege           632  powershell.exe
Token: SeDebugPrivilege              632  powershell.exe
Token: SeSystemEnvironmentPrivilege  632  powershell.exe
Token: SeRemoteShutdownPrivilege     632  powershell.exe
Token: SeUndockPrivilege             632  powershell.exe
Token: SeManageVolumePrivilege       632  powershell.exe
Token: 33                            632  powershell.exe
Token: 34                            632  powershell.exe
Token: 35                            632  powershell.exe
Token: 36                            632  powershell.exe
(second and third passes: SeIncreaseQuotaPrivilege through 36, 21 entries each, all PID 632 powershell.exe) -
Suspicious use of WriteProcessMemory (4 IoCs)
description                   pid   Process      procid_target
PID 1000 wrote to memory of 1052  1000  wscript.EXE  91
PID 1000 wrote to memory of 1052  1000  wscript.EXE  91
PID 1052 wrote to memory of 632   1052  cscript.exe  93
PID 1052 wrote to memory of 632   1052  cscript.exe  93 -
Uses Task Scheduler COM API (1 TTPs)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
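The report records use of the Task Scheduler COM API but gives no task details, so the follow-up on a live host is to export the registered tasks and hunt for ones that run a script host. The following is an added example, not code from the tria.ge report or from the GootLoader sample: a Python hunt over Task Scheduler XML (the format produced by `schtasks /query /tn <name> /xml` or PowerShell's `Export-ScheduledTask`) that flags Exec actions whose command is wscript.exe or cscript.exe, or whose arguments reference a .js file. The two task documents are constructed for illustration; their task names, paths, arguments and triggers are assumptions.

```python
"""Hunt exported Task Scheduler XML for wscript/cscript persistence.

Added example, not part of the tria.ge report or the sample. The XML
namespace and element names are the Task Scheduler schema; both task
documents below are constructed, and their task names, commands,
arguments and triggers are assumptions for illustration.
"""
import ntpath
import xml.etree.ElementTree as ET

TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}

# Constructed: a task that relaunches a .js via its 8.3 short name at logon.
SUSPECT_TASK = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\\ExampleUpdater</URI></RegistrationInfo>
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
  <Actions Context="Author">
    <Exec>
      <Command>C:\\Windows\\system32\\wscript.EXE</Command>
      <Arguments>SEMANT~1.JS</Arguments>
    </Exec>
  </Actions>
</Task>"""

# Constructed: an ordinary vendor updater task that must not be flagged.
BENIGN_TASK = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\\Vendor\\Updater</URI></RegistrationInfo>
  <Triggers><TimeTrigger><StartBoundary>2024-02-22T08:00:00</StartBoundary></TimeTrigger></Triggers>
  <Actions Context="Author">
    <Exec>
      <Command>"C:\\Program Files\\Vendor\\updater.exe"</Command>
      <Arguments>--check</Arguments>
    </Exec>
  </Actions>
</Task>"""


def _local(tag):
    """Strip the namespace from an element tag: '{ns}LogonTrigger' -> 'LogonTrigger'."""
    return tag.rsplit("}", 1)[-1]


def analyze_task(xml_text):
    """Return one finding per Exec action that runs a script host or names a .js file."""
    root = ET.fromstring(xml_text)
    uri = root.findtext("t:RegistrationInfo/t:URI", default="?", namespaces=TASK_NS)
    trig_el = root.find("t:Triggers", TASK_NS)
    triggers = [] if trig_el is None else [_local(t.tag) for t in trig_el]
    findings = []
    for exe in root.iterfind("t:Actions/t:Exec", TASK_NS):
        command = exe.findtext("t:Command", default="", namespaces=TASK_NS).strip().strip('"')
        arguments = exe.findtext("t:Arguments", default="", namespaces=TASK_NS)
        if ntpath.basename(command).lower() in SCRIPT_HOSTS or ".js" in arguments.lower():
            findings.append({"task": uri, "command": command,
                             "arguments": arguments, "triggers": triggers})
    return findings


def scan(xml_docs):
    """Run analyze_task over several exported tasks and flatten the findings."""
    return [f for doc in xml_docs for f in analyze_task(doc)]


if __name__ == "__main__":
    for hit in scan([SUSPECT_TASK, BENIGN_TASK]):
        print(f"{hit['task']}: {hit['command']} {hit['arguments']} "
              f"(triggers: {', '.join(hit['triggers'])})")
```

The trigger type is kept in each finding because a script-host task fired by LogonTrigger or BootTrigger is the persistence case worth prioritising; a one-off TimeTrigger is more often a remnant of a single-run stage.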
Processes
-
C:\Windows\system32\wscript.exe  (PID 2968, depth 1)
  command line: wscript.exe C:\Users\Admin\AppData\Local\Temp\test.js
-
C:\Windows\system32\wscript.EXE  (PID 1000, depth 1)
  command line: C:\Windows\system32\wscript.EXE SEMANT~1.JS
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  -
  C:\Windows\System32\cscript.exe  (PID 1052, depth 2, child of 1000)
    command line: "C:\Windows\System32\cscript.exe" "SEMANT~1.JS"
    - Suspicious use of WriteProcessMemory
    -
    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  (PID 632, depth 3, child of 1052)
      command line: powershell
      - Blocklisted process makes network request
      - Modifies registry class
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
-
Note: the second wscript instance and cscript refer to the script only by its 8.3 short name (SEMANT~1.JS), so neither the full filename nor the directory of that copy is recoverable from these command lines, and powershell.exe is started with a bare "powershell" command line rather than an encoded or inline command.
-
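The process tree, the WriteProcessMemory IoCs and the Geo\Nation registry IoC above together describe a chain that is straightforward to detect from process and registry telemetry: a script host launching a .js by its 8.3 short name, wscript.exe reading the Geo\Nation value, and cscript.exe spawning powershell.exe. The following is an added example, not code from the tria.ge report or from the sample: a Python detector run over constructed events that mirror this report's PIDs. The event record layout (type, pid, ppid, image, cmdline, key) is an assumption of the example, and the parent PIDs of the two top-level wscript instances are placeholders the report does not give.

```python
"""Detect the GootLoader-style execution chain recorded in this report.

Added example, not code from the tria.ge report or the sample. The event
records are constructed to mirror the report's process tree and registry
IoC; the record layout (type, pid, ppid, image, cmdline, key) is an
assumption of this example, and the ppid values of the two top-level
wscript instances (4321, 1234) are placeholders the report does not give.
"""
import ntpath
import re

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# Registry value the sample reads for geofencing (HKCU\Control Panel\International\Geo\Nation).
GEO_NATION_RE = re.compile(r"\\control panel\\international\\geo\\nation$", re.I)
# 8.3 short name for a .js file, e.g. SEMANT~1.JS: up to six chars, a tilde, a digit, .JS.
SHORT_JS_RE = re.compile(r'(?:^|[\s"])[A-Z0-9_$]{1,6}~\d+\.JS(?:$|[\s"])', re.I)

EVENTS = [  # constructed, modelled on the report's process tree and registry IoC
    {"type": "process", "pid": 2968, "ppid": 4321, "image": r"C:\Windows\system32\wscript.exe",
     "cmdline": r"wscript.exe C:\Users\Admin\AppData\Local\Temp\test.js"},
    {"type": "process", "pid": 1000, "ppid": 1234, "image": r"C:\Windows\system32\wscript.EXE",
     "cmdline": r"C:\Windows\system32\wscript.EXE SEMANT~1.JS"},
    {"type": "registry_query", "pid": 1000, "image": r"C:\Windows\system32\wscript.EXE",
     "key": r"\REGISTRY\USER\S-1-5-21-3538781373-1545967067-4263767959-1000\Control Panel\International\Geo\Nation"},
    {"type": "process", "pid": 1052, "ppid": 1000, "image": r"C:\Windows\System32\cscript.exe",
     "cmdline": r'"C:\Windows\System32\cscript.exe" "SEMANT~1.JS"'},
    {"type": "process", "pid": 632, "ppid": 1052,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "cmdline": "powershell"},
    {"type": "process", "pid": 777, "ppid": 4321, "image": r"C:\Windows\notepad.exe",
     "cmdline": "notepad.exe"},  # benign noise that must not be flagged
]


def image_name(event):
    """Lower-cased basename of the event's image path (wscript.EXE -> wscript.exe)."""
    return ntpath.basename(event["image"]).lower()


def ancestry(procs, pid):
    """Image names from pid upward through every parent present in procs."""
    seen, chain = set(), []
    while pid in procs and pid not in seen:
        seen.add(pid)
        chain.append(image_name(procs[pid]))
        pid = procs[pid]["ppid"]
    return chain


def detect(events):
    """Return (rule, pid, detail) tuples for the three behaviours in the report."""
    procs = {e["pid"]: e for e in events if e["type"] == "process"}
    findings = []
    for e in events:
        name = image_name(e)
        if e["type"] == "process":
            if name == "powershell.exe":
                chain = ancestry(procs, e["pid"])
                # powershell.exe whose parent is cscript.exe whose parent is wscript.exe
                if chain[:3] == ["powershell.exe", "cscript.exe", "wscript.exe"]:
                    findings.append(("script_host_to_powershell", e["pid"], " <- ".join(chain[:3])))
            if name in SCRIPT_HOSTS and SHORT_JS_RE.search(e["cmdline"]):
                findings.append(("short_name_js_launch", e["pid"], e["cmdline"]))
        elif e["type"] == "registry_query":
            if name in SCRIPT_HOSTS and GEO_NATION_RE.search(e["key"]):
                findings.append(("geofence_lookup", e["pid"], e["key"]))
    return findings


if __name__ == "__main__":
    for rule, pid, detail in detect(EVENTS):
        print(f"{rule:28} pid={pid:<5} {detail}")
```

The parent-chain rule is the one that matters here: the powershell.exe command line in the report is a bare "powershell", so rules that key on -EncodedCommand, -nop or inline script text would not fire, while the wscript.exe -> cscript.exe -> powershell.exe ancestry is unusual enough to alert on by itself.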
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize: 60B
MD5: d17fe0a3f47be24a6453e9ef58c94641
SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize: 34.3MB
MD5: 56a922ddf944b911cce456da4336c1b6
SHA1: 7e9fa06dcd87831a392ecd5773e671bd1c1a7688
SHA256: 1c1f8f49b1c0ed5f3aea916b9dca85c60998e5eb4c82ae62625018ad67d0f0fd
SHA512: f7228b975b7815f7aa77b3859aefb5f71db294baccee80273670e5f264f6cc7c532f4a9bc36194175533615cd48a4ae24ea23ac75c587a9f377e44e20d7a31f8