Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    157s
  • max time network
    163s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
  • submitted
    23/12/2023, 04:56

General

  • Target

    b8742f158f278f110137656560770f386466b918d2872a33f705dc5067c79ee1.exe

  • Size

    1.1MB

  • MD5

    b8a5583e033a5078b919cd82115ed3bb

  • SHA1

    7f9307aa4c0e99204ca594e5b07dc11c4446d3a5

  • SHA256

    b8742f158f278f110137656560770f386466b918d2872a33f705dc5067c79ee1

  • SHA512

    fb292aaf107894815dc5d2269a30d2de97aef7fcf297aa2050b641f1126f21c7fcfe1d9db5f9c6552edc6bf8ec2ffd03e8e98238ef32e98040cdea994be90241

  • SSDEEP

    24576:CH0dl8myX9Bg42QoXFkrzkmmlSgRDko0lG4Z8r7Qfbkiu5Qz:CcaClSFlG4ZM7QzM0

Score
7/10

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 9 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 9 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of SetWindowsHookEx 10 IoCs
  • Suspicious use of WriteProcessMemory 33 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b8742f158f278f110137656560770f386466b918d2872a33f705dc5067c79ee1.exe
    "C:\Users\Admin\AppData\Local\Temp\b8742f158f278f110137656560770f386466b918d2872a33f705dc5067c79ee1.exe"
    1⤵
    • Checks computer location settings
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: RenamesItself
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3340
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      2⤵
      • Checks computer location settings
      • Modifies registry class
      PID:4628
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      2⤵
      • Checks computer location settings
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:4920
      • C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:4056
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      2⤵
      • Checks computer location settings
      • Modifies registry class
      PID:4420
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      2⤵
      • Checks computer location settings
      • Modifies registry class
      PID:776
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      2⤵
      • Checks computer location settings
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:4780
      • C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        3⤵
        • Checks computer location settings
        • Deletes itself
        • Executes dropped EXE
        • Modifies registry class
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2192
        • C:\Windows\SysWOW64\WScript.exe
          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
          4⤵
          • Checks computer location settings
          • Modifies registry class
          • Suspicious use of WriteProcessMemory
          PID:1480
          • C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
            "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetWindowsHookEx
            PID:3996
        • C:\Windows\SysWOW64\WScript.exe
          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
          4⤵
          • Checks computer location settings
          • Modifies registry class
          • Suspicious use of WriteProcessMemory
          PID:3228
          • C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
            "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetWindowsHookEx
            PID:3700

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Config.ini

    Filesize

    92B

    MD5

    67b9b3e2ded7086f393ebbc36c5e7bca

    SHA1

    e6299d0450b9a92a18cc23b5704a2b475652c790

    SHA256

    44063c266686263f14cd2a83fee124fb3e61a9171a6aab69709464f49511011d

    SHA512

    826fbc9481f46b1ae3db828a665c55c349023caf563e6e8c17321f5f3af3e4c3914955db6f0eebfc6defe561315435d47310b4d0499ab9c2c85bb61264dedc09

  • C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

    Filesize

    753B

    MD5

    65ca1022405b04f52eb29a6097f80006

    SHA1

    2dd9e32a5b3f9a015de4ce648e8f5a1407d3ee65

    SHA256

    f47b488e1e7cc9fe469182d10b7b617af5ce3282ac08bdff5ca782f0bb82832c

    SHA512

    8681519920ceb3d776456cf45dba184b8254319a48b3a9bc8bef51ca0abf18f0e8dc080ad92023ea89593017ec6fbc321372d88b53d5d0af684331cae38710b2

  • C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

    Filesize

    696B

    MD5

    30eafc82ac9962314c98d54ef2588957

    SHA1

    3bf1e1f24264448ba2688366b10b083c808e1e7a

    SHA256

    fc93c94af2daa9c8b70b9f6104f613a1cf0ac39bf1856542a3dbb6f828d2bee6

    SHA512

    5cd90109e61e06fda91874fd3cd28d83b42b6e586446ce99cf69a611f0015f56010937fadca4accef57ab47b5bca54b4171479a9a989ab5b1a015d491f985fb5

  • C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

    Filesize

    1.1MB

    MD5

    30161f057bb781a559d721069a54b117

    SHA1

    e1d75badcf388cd15b5e004f8bc460086485375a

    SHA256

    2bc2291f993a32616702564a8784894109e7c7a0f802981f28c7fc0892f5eaf4

    SHA512

    90efb901a23fd542a8125c7899038d245e0057d0acfc37d45fa77d002ae6b948778f40bc89c637c7b61bf5a6440478fb6f65e28b065a8e16bb8a715ee915322b

  • C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

    Filesize

    1.1MB

    MD5

    a6f494ee87dd725c7bfd852399117f6e

    SHA1

    f2977982122ed82ac4806871e1ea6fa10304642e

    SHA256

    c48d6d77d130aa3fe4592e3b5ddfb103f938b92aac41afe579b2e559370d699f

    SHA512

    3382d2bd9cb20a913b28a3ae33db10537fdd0ba65dd3abe25d8e2744d137116dc2dce8b0905c1f1a7690ce5094bb13af4132d62e3b8419e9555cd497c8d43ed8

  • C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

    Filesize

    396KB

    MD5

    2e69e881320fa5313b677d8d5f21c5a5

    SHA1

    855348288c046b80aa7d3b6ddd4d5eec27c14a1d

    SHA256

    19845a4365af8b4d4aa1d1b314145debaaf4421c8275ceccdf1bc2346472e408

    SHA512

    e6a22e7e786863ebbf7e0989e171ebda0d4e1bd91efebcef22b4b8a1499b631b9b5f660573ff152f061022dae69575106351332b8a1987585bd1f567a2c10eca

  • C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

    Filesize

    108KB

    MD5

    9d991cdef63f774db01955496a740165

    SHA1

    df076e1cf03b89b04c87bb467975bb8beef8a3e9

    SHA256

    fd9b9140e5e7cabd8af450e597b04946a1e965c7b756b6330c192b57da4b5815

    SHA512

    fc4dba0092e742c56b135875f626e3902437e4906176e7af5517a2e5919b008a974fb788857f4324f3a8c580fc13017d939eafcd5f3d10f5c52bba51a6558fd8