Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

1

9e9fb1553b...a8a.js

windows7-x64

3

9e9fb1553b...a8a.js

windows10-2004-x64

10

Analysis

  • max time kernel
    119s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
  • submitted
    19/03/2025, 23:39

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    9e9fb1553b565387cf9f2477db8c566da1a865ecc1fd08329dd9d8141ec8ca8a.js

  • Size

    5.3MB

  • MD5

    b2ffa18d6a6bf9de5ccc65b8ffbeae72

  • SHA1

    b553680c5718fbfcb2ab72db5e19c7e378577130

  • SHA256

    9e9fb1553b565387cf9f2477db8c566da1a865ecc1fd08329dd9d8141ec8ca8a

  • SHA512

    0fba66e93610553df29da04ef2e171787815a8f3c0d6f4040140724a6319500c3cd10bd9cf0f4f646d4baca85dc7b7082d24367e5ff944efda8e184241d1e80d

  • SSDEEP

    49152:Gl3VnOgewfmWm/RD/s+LfHQPl3VnOgewfmWm/RD/s+LfHQPl3VnOgewfmWm/RD/N:GTBTBTBTk

Score
3/10
execution

Malware Config

Signatures

  • Command and Scripting Interpreter: JavaScript 1 TTPs
    execution
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\wscript.exe
    wscript.exe C:\Users\Admin\AppData\Local\Temp\9e9fb1553b565387cf9f2477db8c566da1a865ecc1fd08329dd9d8141ec8ca8a.js
    1⤵
      PID:2572
    • C:\Windows\system32\taskeng.exe
      taskeng.exe {AD2D7D5C-AB79-4F96-906E-BFA4E6AC2EB1} S-1-5-21-3692679935-4019334568-335155002-1000:BCXRJFKE\Admin:Interactive:[1]
      1⤵
      • Suspicious use of WriteProcessMemory
      PID:1688
      • C:\Windows\system32\wscript.EXE
        C:\Windows\system32\wscript.EXE OPTO-M~1.JS
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:2632
        • C:\Windows\System32\cscript.exe
          "C:\Windows\System32\cscript.exe" "OPTO-M~1.JS"
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:2112
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            powershell
            4⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1416

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Roaming\Media Center Programs\OPTO-M~1.JS
      Filesize

      39.3MB

      MD5

      b764aa0e75918269a27c915d638004e7

      SHA1

      2c932da446f6319f96d744255cfd8fa15e0853f5

      SHA256

      1a79bab5e2f28a10b616ddf4dc059145cf62f061b06c5d2cde5e99e0496ae531

      SHA512

      ae7e6fa53ed33345adbdabb8fcc04e4ebbbdcceb1879a84b355922908bcf7bff738390ae688819eeec40e9496b495931db8cf79840a13b01ff3b736c019f8b58

      Download Submit

    • memory/1416-7-0x000000001B2E0000-0x000000001B5C2000-memory.dmp

      Filesize

      2.9MB

      Download

    • memory/1416-8-0x00000000024E0000-0x00000000024E8000-memory.dmp

      Filesize

      32KB

      Download