Analysis
max time kernel: 151s
max time network: 156s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 27/03/2024, 15:25
Static task: static1
Behavioral task: behavioral1
  Sample: e1fe4fbc351e87183a531bc2263a4d24.js
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: e1fe4fbc351e87183a531bc2263a4d24.js
  Resource: win10v2004-20240226-en
General
Target: e1fe4fbc351e87183a531bc2263a4d24.js
Size: 16KB
MD5: e1fe4fbc351e87183a531bc2263a4d24
SHA1: cca28f37cd27838f83848bd719c5881da1063af7
SHA256: dca9742380d4dfe4f501f1f24e3b856113be1be99a1548e27117cc67bd997fb9
SHA512: 5ec3eb28207223cca9c18f667a4ed90b077f21ba1e07c7adf54c69549e178a3131c28dce5ff6a54cdf25952fccfe5466cb9fb87bab4e97dd6246441d7a70dc6e
SSDEEP: 384:xZTsZHapjsJXe2pTn1ZmF1qJtOSK6qEt5nYmrk56YjlBeqj3ieKzYF:ENapY9nDmF18tOp6J/EljVj3lRF
Malware Config
Signatures
Blocklisted process makes network request (10 IoCs)
flow | pid | Process
8 | 3528 | wscript.exe
35 | 3528 | wscript.exe
46 | 3528 | wscript.exe
65 | 3528 | wscript.exe
78 | 3528 | wscript.exe
82 | 3528 | wscript.exe
84 | 3528 | wscript.exe
91 | 3528 | wscript.exe
93 | 3528 | wscript.exe
97 | 3528 | wscript.exe

Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation | wscript.exe

Drops startup file (2 IoCs)
description | ioc | Process
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\nopMjEzIbA.js | wscript.exe
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\nopMjEzIbA.js | wscript.exe

Adds Run key to start application (2 TTPs, 1 IoC)
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\B02N3ZE1UL = "\"C:\\Users\\Admin\\AppData\\Roaming\\nopMjEzIbA.js\"" | wscript.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Suspicious use of WriteProcessMemory (2 IoCs)
description | pid | Process | procid_target
PID 3528 wrote to memory of 1484 | 3528 | wscript.exe | 86
PID 3528 wrote to memory of 1484 | 3528 | wscript.exe | 86
Processes
C:\Windows\system32\wscript.exe (PID 3528)
  Command line: wscript.exe C:\Users\Admin\AppData\Local\Temp\e1fe4fbc351e87183a531bc2263a4d24.js
  - Blocklisted process makes network request
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  C:\Windows\System32\wscript.exe (PID 1484, child of PID 3528)
    Command line: "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\nopMjEzIbA.js"
    - Drops startup file
    - Adds Run key to start application
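The chain in this report (the original script relaunching a copy of itself from AppData\Roaming under wscript.exe //B, the Startup-folder drop, the Run key pointing at a .js, and the Geo\Nation lookup before any of that) is a compact persistence pattern worth encoding as host-side detection. The script below is an added example, not part of the tria.ge report or its signature engine. The event records are constructed here to mirror the report's IoCs, and the field names (type, pid, image, parent_image, cmdline, key, value, path) are an assumed Sysmon-like schema rather than any real product's format.

```python
"""Toy detector for the behaviours flagged in this report.

Added example, not part of the tria.ge report or its signature engine.
The events below are constructed to mirror the report's IoCs; the field
schema (type, pid, image, parent_image, cmdline, key, value, path) is an
assumed Sysmon-like layout, not a real product's format.
"""
import re

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
SCRIPT_EXT = re.compile(r"\.(?:js|jse|vbs|vbe|wsf|wsh)\b", re.IGNORECASE)
RUN_KEY = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.IGNORECASE)
STARTUP_DIR = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.IGNORECASE)
GEO_NATION = re.compile(r"\\Control Panel\\International\\Geo\\Nation$", re.IGNORECASE)
USER_WRITABLE = re.compile(r"\\(?:AppData|Users\\[^\\]+\\Downloads|ProgramData)\\", re.IGNORECASE)
BATCH_SWITCH = re.compile(r"(?:^|\s)//?B\b", re.IGNORECASE)  # wscript //B: batch mode, no error dialogs


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def evaluate(ev: dict) -> list[str]:
    """Return the names of every rule this single event matches."""
    hits = []
    kind = ev["type"]
    if kind == "process_create":
        child, parent = basename(ev["image"]), basename(ev.get("parent_image", ""))
        # Report: wscript.exe (3528) starts a second wscript.exe (1484) with //B
        if child in SCRIPT_HOSTS and parent in SCRIPT_HOSTS and BATCH_SWITCH.search(ev.get("cmdline", "")):
            hits.append("script_host_spawns_script_host_batch")
    elif kind == "registry_set":
        # Report: Run\B02N3ZE1UL = "C:\Users\Admin\AppData\Roaming\nopMjEzIbA.js"
        if RUN_KEY.search(ev["key"]) and SCRIPT_EXT.search(ev["value"]) and USER_WRITABLE.search(ev["value"]):
            hits.append("run_key_points_to_script_in_user_dir")
    elif kind == "registry_query":
        # Report: wscript.exe reads HKCU\Control Panel\International\Geo\Nation
        if GEO_NATION.search(ev["key"]) and basename(ev["image"]) in SCRIPT_HOSTS:
            hits.append("script_host_reads_geo_nation")
    elif kind == "file_create":
        # Report: nopMjEzIbA.js created in the per-user Startup folder
        if STARTUP_DIR.search(ev["path"]) and SCRIPT_EXT.search(ev["path"]):
            hits.append("script_dropped_in_startup_folder")
    return hits


def scan(events: list[dict]) -> dict[str, list[int]]:
    """Map each fired rule to the PIDs that triggered it."""
    out: dict[str, list[int]] = {}
    for ev in events:
        for rule in evaluate(ev):
            out.setdefault(rule, []).append(ev["pid"])
    return out


HKCU = r"\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000"
WS = r"C:\Windows\System32\wscript.exe"
DROPPED = r"C:\Users\Admin\AppData\Roaming\nopMjEzIbA.js"

# Constructed events reproducing the report's observations, plus two benign ones.
EVENTS = [
    {"type": "process_create", "pid": 3528, "image": WS, "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": r"wscript.exe C:\Users\Admin\AppData\Local\Temp\e1fe4fbc351e87183a531bc2263a4d24.js"},
    {"type": "registry_query", "pid": 3528, "image": WS,
     "key": HKCU + r"\Control Panel\International\Geo\Nation"},
    {"type": "process_create", "pid": 1484, "image": WS, "parent_image": WS,
     "cmdline": f'"{WS}" //B "{DROPPED}"'},
    {"type": "file_create", "pid": 1484, "image": WS,
     "path": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\nopMjEzIbA.js"},
    {"type": "registry_set", "pid": 1484, "image": WS,
     "key": HKCU + r"\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\B02N3ZE1UL", "value": f'"{DROPPED}"'},
    # Benign: a vendor updater registered in Run, pointing at an installed EXE.
    {"type": "registry_set", "pid": 900, "image": r"C:\Program Files\Vendor\setup.exe",
     "key": HKCU + r"\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VendorUpdate",
     "value": r'"C:\Program Files\Vendor\update.exe" /quiet'},
    # Benign: a logon script started by explorer, not by another script host.
    {"type": "process_create", "pid": 901, "image": WS, "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": r"wscript.exe //B C:\Scripts\mapdrives.vbs"},
]

if __name__ == "__main__":
    for rule, pids in scan(EVENTS).items():
        print(f"{rule}: pids {sorted(set(pids))}")
```

Each rule is deliberately narrow: the script-host rule requires a script host as the parent, so an explorer-launched logon script with //B stays quiet, and the Run-key rule requires both a script extension and a user-writable directory, so a vendor updater in Program Files does not fire. On real telemetry the Geo\Nation read is the weakest signal on its own (many legitimate programs query locale) and is best used to raise the score of a process that already tripped one of the persistence rules.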
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 5KB
MD5: 264923fdf0bb68453e75ec977797b941
SHA1: 3d96a714f8221c5ea2ac915df442c1b22b0732ea
SHA256: d53e232516a9e0b88c8e9f43f6850eb3010f1524c4eb92af501da252746f1d5d
SHA512: 73c7c582c22ba0afb4711978d558b685a1c4f4901b1cbbf9b80f88570edf0b537eeaa9354c41a2bc620395d6d254c03e043142ac2e3ca43c9d5104d18eee62f8