Analysis
- max time kernel: 149s
- max time network: 150s
- platform: windows10-2004_x64
- resource: win10v2004-20240802-en
- submitted: 03/10/2024, 20:27
- Static task: static1
- Behavioral task: behavioral1 (sample Document-20-18-07.js, resource win7-20240903-en)
- Behavioral task: behavioral2 (sample Document-20-18-07.js, resource win10v2004-20240802-en)
General
- Target: Document-20-18-07.js
- Size: 339KB
- MD5: 75e64bec47916e4860cb6b151fcbaed6
- SHA1: 0102db540317b48d319cfb5b3538e364ff2bac6b
- SHA256: 0d9d65a1f9c447584a022a866fed2399bf8b42e2a0087a786e87087bba1e18f1
- SHA512: 208d0b1239c531d34f3bba59a950cf0b791e85870c6cc4512327733010e02fb4b932d98ff13d40cb758636453ad3bdc84509a1c0778facf47a56ecb79a8daee7
- SSDEEP: 6144:TnOwLgNJEXMI/ptQxobwi+a0xPr4fTpJ2Ll29NOzWC22hFMPPr6wWHclWErffr+:q6gNJEXhBtmobwi+bMT2LlKOztPFmGHd
Malware Config
Signatures
- Brute Ratel C4
  A customized command and control framework for red teaming and adversary simulation.
- Bruteratel family
- Detect BruteRatel badger (3 IoCs)
  resource / yara_rule
  behavioral2/memory/2476-58-0x0000000273F40000-0x0000000273F8A000-memory.dmp / family_bruteratel
  behavioral2/memory/2476-59-0x0000000273F40000-0x0000000273F8A000-memory.dmp / family_bruteratel
  behavioral2/memory/2476-75-0x0000000273F40000-0x0000000273F8A000-memory.dmp / family_bruteratel
- Blocklisted process makes network request (64 IoCs)
  flow / pid / Process
  flows 4, 6, 8 / 3616 / wscript.exe
  flow 13 / 452 / msiexec.exe
  flows 29, 33, 35, 37, 38, 42, 43, 44, 45, 49, 50, 51, 52, 53, 54, 55, 56, 57, 58, 61, 62, 66, 68, 69, 70, 71, 74, 75, 79, 84, 87, 88, 91, 92, 93, 94, 95, 96, 97, 98, 99, 100, 101, 102, 103, 104, 105, 106, 107, 108, 109, 110, 111, 112, 113, 114, 115, 116, 117, 121 / 2476 / rundll32.exe
- Executes dropped EXE (1 IoC)
  pid / Process
  1868 / MSI9522.tmp
- Loads dropped DLL (6 IoCs)
  pid / Process
  1864 / MsiExec.exe (4 entries)
  4616 / rundll32.exe
  2476 / rundll32.exe
- Enumerates connected drives (3 TTPs, 23 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  description / ioc / Process
  File opened (read-only) / \??\I:, \??\J:, \??\O:, \??\S:, \??\B:, \??\H:, \??\V:, \??\W:, \??\T:, \??\Z:, \??\E:, \??\K:, \??\M:, \??\N:, \??\P:, \??\Q:, \??\Y:, \??\A:, \??\G:, \??\L:, \??\R:, \??\U:, \??\X: / msiexec.exe
- Drops file in Windows directory (10 IoCs)
  description / ioc / Process
  File opened for modification / C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log / msiexec.exe
  File opened for modification / C:\Windows\Installer\MSI9472.tmp / msiexec.exe
  File opened for modification / C:\Windows\Installer\MSI94B2.tmp / msiexec.exe
  File created / C:\Windows\Installer\inprogressinstallinfo.ipi / msiexec.exe
  File opened for modification / C:\Windows\Installer\MSI94E2.tmp / msiexec.exe
  File opened for modification / C:\Windows\Installer\MSI9522.tmp / msiexec.exe
  File opened for modification / C:\Windows\Installer\MSI8FBD.tmp / msiexec.exe
  File opened for modification / C:\Windows\Installer\MSI9348.tmp / msiexec.exe
  File opened for modification / C:\Windows\Installer\MSI94A2.tmp / msiexec.exe
  File opened for modification / C:\Windows\Installer\ / msiexec.exe
- Command and Scripting Interpreter: JavaScript (1 TTPs)
- System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description / ioc / Process
  Key opened / \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language / MsiExec.exe
  Key opened / \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language / MSI9522.tmp
  Key opened / \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language / rundll32.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid / Process
  452 / msiexec.exe (2 entries)
  2476 / rundll32.exe (62 entries)
- Suspicious use of AdjustPrivilegeToken (50 IoCs)
  description / pid / Process
  Tokens enabled by 3616 wscript.exe, in order: SeShutdownPrivilege, SeIncreaseQuotaPrivilege, SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege, SeIncreaseQuotaPrivilege, SeMachineAccountPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeSyncAgentPrivilege, SeEnableDelegationPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
  Tokens enabled by 452 msiexec.exe: SeSecurityPrivilege, then SeRestorePrivilege and SeTakeOwnershipPrivilege alternating (9 pairs, 18 entries)
- Suspicious use of WriteProcessMemory (8 IoCs)
  description / pid / Process / procid_target
  PID 452 wrote to memory of 1864 / 452 / msiexec.exe / 84 (3 entries)
  PID 452 wrote to memory of 1868 / 452 / msiexec.exe / 85 (3 entries)
  PID 4616 wrote to memory of 2476 / 4616 / rundll32.exe / 87 (2 entries)
Processes
- C:\Windows\system32\wscript.exe
  Command line: wscript.exe C:\Users\Admin\AppData\Local\Temp\Document-20-18-07.js
  PID: 3616
  - Blocklisted process makes network request
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\msiexec.exe
  Command line: C:\Windows\system32\msiexec.exe /V
  PID: 452
  - Blocklisted process makes network request
  - Enumerates connected drives
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\syswow64\MsiExec.exe
    Command line: C:\Windows\syswow64\MsiExec.exe -Embedding 75DD54CC9E6A825B522C618AA73F84BC
    PID: 1864
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
  - C:\Windows\Installer\MSI9522.tmp
    Command line: "C:\Windows\Installer\MSI9522.tmp" /DontWait C:/Windows/SysWOW64/rundll32.exe C:\Users\Admin\AppData\Roaming\vierm_soft_x64.dll, GetDeepDVCState
    PID: 1868
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
- C:\Windows\SysWOW64\rundll32.exe
  Command line: "C:\Windows\SysWOW64\rundll32.exe" C:\Users\Admin\AppData\Roaming\vierm_soft_x64.dll, GetDeepDVCState
  PID: 4616
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  - C:\Windows\system32\rundll32.exe
    Command line: "C:\Windows\SysWOW64\rundll32.exe" C:\Users\Admin\AppData\Roaming\vierm_soft_x64.dll, GetDeepDVCState
    PID: 2476
    - Blocklisted process makes network request
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads