Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    120s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    12/09/2024, 11:57

General

  • Target

    0c13ee253e4413e43fd053b49b014d30b66a921aa3dbaecfaa1797e3e0241368.js

  • Size

    9.3MB

  • MD5

    d7000b36225b7029ba2b4b60740509ce

  • SHA1

    7d173ae7775b24be2f84047d0a6e15b3874878d0

  • SHA256

    0c13ee253e4413e43fd053b49b014d30b66a921aa3dbaecfaa1797e3e0241368

  • SHA512

    1674e0c46b9e44e65eccdaa827ad7c4b8b8cdb95d7168c8639594b356ac84093656200edd9d4658269191369d8b583371792a0dd10fff8dc5d39d82a44bf201e

  • SSDEEP

    49152:19y4nBjOwE9VTXa/s+LfHQI9y4nBjOwE9VTXa/s+LfHQI9y4nBjOwE9VTXa/s+L7:1DDDDDDt

Score
3/10

Malware Config

Signatures

  • Command and Scripting Interpreter: JavaScript 1 TTPs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Windows\system32\wscript.exe
    wscript.exe C:\Users\Admin\AppData\Local\Temp\0c13ee253e4413e43fd053b49b014d30b66a921aa3dbaecfaa1797e3e0241368.js
    1⤵
      PID:2204
    • C:\Windows\system32\taskeng.exe
      taskeng.exe {1D20EA58-D081-4AC2-975D-799694544114} S-1-5-21-3063565911-2056067323-3330884624-1000:KHBTHJFA\Admin:Interactive:[1]
      1⤵
      • Suspicious use of WriteProcessMemory
      PID:3056
      • C:\Windows\system32\wscript.EXE
        C:\Windows\system32\wscript.EXE CURREN~1.JS
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:2072
        • C:\Windows\System32\cscript.exe
          "C:\Windows\System32\cscript.exe" "CURREN~1.JS"
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:2612
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            powershell
            4⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2500

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Roaming\Media Center Programs\CURREN~1.JS

      Filesize

      40.0MB

      MD5

      5dc99b56dd713e59d79f2da034b940ac

      SHA1

      dab70272c4ce07c588b4e2e70d6939e076de1537

      SHA256

      b3a5017a48a87d524766f6fb2c0bd1d04e715ab8d718742cc088f1780147775f

      SHA512

      ef311fdfd34b99038c6c70cc16937a66215db43919fed19a32dc3cb107b6d97424436c49801e171bf331747e8f16c051ecb7b68212609d6ce55eb2a59b2d227b

    • memory/2500-7-0x000000001B6D0000-0x000000001B9B2000-memory.dmp

      Filesize

      2.9MB

    • memory/2500-8-0x0000000001EC0000-0x0000000001EC8000-memory.dmp

      Filesize

      32KB