Analysis

  • max time kernel
    28s
  • max time network
    17s
  • platform
    windows10-1703_x64
  • resource
    win10-20231215-en
  • resource tags
    arch:x64, arch:x86, image:win10-20231215-en, locale:en-us, os:windows10-1703-x64, system
  • submitted
    14/02/2024, 02:24

General

  • Target

    sconnect-host-v2.14.0.0.exe

  • Size

    237KB

  • MD5

    2201bb83483e2df2185d227867bac104

  • SHA1

    edd060a1cb3fb4481ec6f3d302ac561e049a0303

  • SHA256

    9d0fa8c4b316efbdb4786984cbc3e847f0f3ba2cebe539c7619b504584410fab

  • SHA512

    7d9ef83ad5a71c106e0b6a9da82d89cd134d891dec00075e4d449c9e739c12475e3b27dd91372cd7a0427b6c53175c971444557cb0857960de154d659531d7e8

  • SSDEEP

    6144:DzZZcQEk0V72smCn5k6OGEjIeAmRDQO1Y7PQ:DzZSNkNsmmKG5mRDr1Y7I

Score
4/10

Malware Config

Signatures

  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Loads dropped DLL 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Kills process with taskkill 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\sconnect-host-v2.14.0.0.exe
    "C:\Users\Admin\AppData\Local\Temp\sconnect-host-v2.14.0.0.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:520
    • C:\Windows\SysWOW64\taskkill.exe
      "taskkill" /F /IM sconnect.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:5040
    • C:\Windows\SysWOW64\taskkill.exe
      "taskkill" /F /IM sconnect.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:4552
    • C:\Windows\SysWOW64\taskkill.exe
      "taskkill" /F /IM sconnect.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:4168

Network

MITRE ATT&CK Enterprise v15

Downloads

  • \Users\Admin\AppData\Local\Temp\nsk79B5.tmp\FindProcDLL.dll

    Filesize

    3KB

    MD5

    b4faf654de4284a89eaf7d073e4e1e63

    SHA1

    8efcfd1ca648e942cbffd27af429784b7fcf514b

    SHA256

    c0948b2ec36a69f82c08935fac4b212238b6792694f009b93b4bdb478c4f26e3

    SHA512

    eef31e332be859cf2a64c928bf3b96442f36fe51f1a372c5628264a0d4b2fc7b3e670323c8fb5ffa72db995b8924da2555198e7de7b4f549d9e0f9e6dbb6b388

  • \Users\Admin\AppData\Local\Temp\nsk79B5.tmp\nsExec.dll

    Filesize

    6KB

    MD5

    55317a22d09c800966cc2f45b82aa5a3

    SHA1

    d2517addd8f970e1e42c3f0773a54247b041f208

    SHA256

    7a920776397d079c2d4525e85bb32d47c2ca938d4bd01eaf4473d2ad89f09322

    SHA512

    80498b2d4707d8bdcf03b25fba5e0f8f0296c36a0053ad0448e8732a77c7567225f59fc20cbd7049b00269ef02fe9c1c706cd1d1b5a741bf364e31e6f936166b