Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
- max time kernel: 120s
- max time network: 121s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 12/09/2024, 11:57
Static task
- static1
Behavioral task
- behavioral1
  Sample: 0c13ee253e4413e43fd053b49b014d30b66a921aa3dbaecfaa1797e3e0241368.js
  Resource: win7-20240903-en
Behavioral task
- behavioral2
  Sample: 0c13ee253e4413e43fd053b49b014d30b66a921aa3dbaecfaa1797e3e0241368.js
  Resource: win10v2004-20240802-en
General
- Target: 0c13ee253e4413e43fd053b49b014d30b66a921aa3dbaecfaa1797e3e0241368.js
- Size: 9.3MB
- MD5: d7000b36225b7029ba2b4b60740509ce
- SHA1: 7d173ae7775b24be2f84047d0a6e15b3874878d0
- SHA256: 0c13ee253e4413e43fd053b49b014d30b66a921aa3dbaecfaa1797e3e0241368
- SHA512: 1674e0c46b9e44e65eccdaa827ad7c4b8b8cdb95d7168c8639594b356ac84093656200edd9d4658269191369d8b583371792a0dd10fff8dc5d39d82a44bf201e
- SSDEEP: 49152:19y4nBjOwE9VTXa/s+LfHQI9y4nBjOwE9VTXa/s+LfHQI9y4nBjOwE9VTXa/s+L7:1DDDDDDt
Malware Config
Signatures
- Command and Scripting Interpreter: JavaScript (1 TTPs)
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious behavior: EnumeratesProcesses (1 IoCs)
  pid    Process
  2500   powershell.exe
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  description                pid    Process
  Token: SeDebugPrivilege    2500   powershell.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  description                          pid    Process        procid_target
  PID 3056 wrote to memory of 2072     3056   taskeng.exe    31
  PID 3056 wrote to memory of 2072     3056   taskeng.exe    31
  PID 3056 wrote to memory of 2072     3056   taskeng.exe    31
  PID 2072 wrote to memory of 2612     2072   wscript.EXE    32
  PID 2072 wrote to memory of 2612     2072   wscript.EXE    32
  PID 2072 wrote to memory of 2612     2072   wscript.EXE    32
  PID 2612 wrote to memory of 2500     2612   cscript.exe    34
  PID 2612 wrote to memory of 2500     2612   cscript.exe    34
  PID 2612 wrote to memory of 2500     2612   cscript.exe    34
- Uses Task Scheduler COM API (1 TTPs)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- C:\Windows\system32\wscript.exe
  Command line: wscript.exe C:\Users\Admin\AppData\Local\Temp\0c13ee253e4413e43fd053b49b014d30b66a921aa3dbaecfaa1797e3e0241368.js
  PID: 2204
- C:\Windows\system32\taskeng.exe
  Command line: taskeng.exe {1D20EA58-D081-4AC2-975D-799694544114} S-1-5-21-3063565911-2056067323-3330884624-1000:KHBTHJFA\Admin:Interactive:[1]
  Signatures: Suspicious use of WriteProcessMemory
  PID: 3056
  - C:\Windows\system32\wscript.EXE
    Command line: C:\Windows\system32\wscript.EXE CURREN~1.JS
    Signatures: Suspicious use of WriteProcessMemory
    PID: 2072
    - C:\Windows\System32\cscript.exe
      Command line: "C:\Windows\System32\cscript.exe" "CURREN~1.JS"
      Signatures: Suspicious use of WriteProcessMemory
      PID: 2612
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        Command line: powershell
        Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
        PID: 2500
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 40.0MB
  MD5: 5dc99b56dd713e59d79f2da034b940ac
  SHA1: dab70272c4ce07c588b4e2e70d6939e076de1537
  SHA256: b3a5017a48a87d524766f6fb2c0bd1d04e715ab8d718742cc088f1780147775f
  SHA512: ef311fdfd34b99038c6c70cc16937a66215db43919fed19a32dc3cb107b6d97424436c49801e171bf331747e8f16c051ecb7b68212609d6ce55eb2a59b2d227b