Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
- max time kernel: 119s
- max time network: 123s
- platform: windows7_x64
- resource: win7-20230831-en
- resource tags: arch:x64, arch:x86, image:win7-20230831-en, locale:en-us, os:windows7-x64, system
- submitted: 03/10/2023, 14:12
Static task: static1
Behavioral task: behavioral1
- Sample: 3c21b05bcaa6c46f2ace60ecfad5966ba7079fea0ddd02f2037c016b53322786_JC.exe
- Resource: win7-20230831-en
Behavioral task: behavioral2
- Sample: 3c21b05bcaa6c46f2ace60ecfad5966ba7079fea0ddd02f2037c016b53322786_JC.exe
- Resource: win10v2004-20230915-en
General
- Target: 3c21b05bcaa6c46f2ace60ecfad5966ba7079fea0ddd02f2037c016b53322786_JC.exe
- Size: 1.9MB
- MD5: 3fd3a5baf7672d10cc88b3bf9f7c9c34
- SHA1: 2200831ca36c593ac1ab41d12a73ee879185b196
- SHA256: 3c21b05bcaa6c46f2ace60ecfad5966ba7079fea0ddd02f2037c016b53322786
- SHA512: fabc2b8c84d6ecaaad118f7ad3178ce789b005b103d96f4489f28e25f03bf27433d9a89b022ff04e65a960b04fc552eaa3794db646bb8ced851859d7cd6a186b
- SSDEEP: 24576:p7mDJX49Dz+Hj77A0nygsz1bOR7bIK9PtoX9H8LRCef9g9j3:p/9Dz+HLtnMIR7/tdHi
Malware Config
(none extracted)
Signatures
- Uses the VBS compiler for execution (1 TTP)
- Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
- Suspicious use of SetThreadContext (1 IoC)
  description: set thread context of; pid: 1988; Process: 3c21b05bcaa6c46f2ace60ecfad5966ba7079fea0ddd02f2037c016b53322786_JC.exe; procid_target: 2040 (target PID 29)
- Suspicious behavior: EnumeratesProcesses (20 IoCs)
  pid: 2040; Process: vbc.exe (the same entry is repeated 20 times in the report)
- Suspicious use of WriteProcessMemory (6 IoCs)
  description: wrote to memory of; pid: 1988; Process: 3c21b05bcaa6c46f2ace60ecfad5966ba7079fea0ddd02f2037c016b53322786_JC.exe; procid_target: 2040 (target PID 29) (the same entry is repeated 6 times in the report)
Processes
1. C:\Users\Admin\AppData\Local\Temp\3c21b05bcaa6c46f2ace60ecfad5966ba7079fea0ddd02f2037c016b53322786_JC.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\3c21b05bcaa6c46f2ace60ecfad5966ba7079fea0ddd02f2037c016b53322786_JC.exe"
   PID: 1988
   - Suspicious use of SetThreadContext
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe (child of PID 1988)
      Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
      PID: 2040
      - Suspicious behavior: EnumeratesProcesses