Analysis
- max time kernel: 28s
- max time network: 17s
- platform: windows10-1703_x64
- resource: win10-20231215-en
- resource tags: arch:x64, arch:x86, image:win10-20231215-en, locale:en-us, os:windows10-1703-x64, system
- submitted: 14/02/2024, 02:24
Static task: static1
Behavioral task: behavioral1
Sample: sconnect-host-v2.14.0.0.exe
Resource: win10-20231215-en
General
- Target: sconnect-host-v2.14.0.0.exe
- Size: 237KB
- MD5: 2201bb83483e2df2185d227867bac104
- SHA1: edd060a1cb3fb4481ec6f3d302ac561e049a0303
- SHA256: 9d0fa8c4b316efbdb4786984cbc3e847f0f3ba2cebe539c7619b504584410fab
- SHA512: 7d9ef83ad5a71c106e0b6a9da82d89cd134d891dec00075e4d449c9e739c12475e3b27dd91372cd7a0427b6c53175c971444557cb0857960de154d659531d7e8
- SSDEEP: 6144:DzZZcQEk0V72smCn5k6OGEjIeAmRDQO1Y7PQ:DzZSNkNsmmKG5mRDr1Y7I
Malware Config
Signatures
- Checks installed software on the system (1 TTPs)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Loads dropped DLL (5 IoCs)
  pid | Process
  520 | sconnect-host-v2.14.0.0.exe
  520 | sconnect-host-v2.14.0.0.exe
  520 | sconnect-host-v2.14.0.0.exe
  520 | sconnect-host-v2.14.0.0.exe
  520 | sconnect-host-v2.14.0.0.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Kills process with taskkill (3 IoCs)
  pid  | Process
  5040 | taskkill.exe
  4552 | taskkill.exe
  4168 | taskkill.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid | Process
  520 | sconnect-host-v2.14.0.0.exe
  520 | sconnect-host-v2.14.0.0.exe
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  description             | pid  | Process
  Token: SeDebugPrivilege | 5040 | taskkill.exe
  Token: SeDebugPrivilege | 4552 | taskkill.exe
  Token: SeDebugPrivilege | 4168 | taskkill.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  description                      | pid | Process                     | procid_target
  PID 520 wrote to memory of 5040  | 520 | sconnect-host-v2.14.0.0.exe | 74
  PID 520 wrote to memory of 5040  | 520 | sconnect-host-v2.14.0.0.exe | 74
  PID 520 wrote to memory of 5040  | 520 | sconnect-host-v2.14.0.0.exe | 74
  PID 520 wrote to memory of 4552  | 520 | sconnect-host-v2.14.0.0.exe | 77
  PID 520 wrote to memory of 4552  | 520 | sconnect-host-v2.14.0.0.exe | 77
  PID 520 wrote to memory of 4552  | 520 | sconnect-host-v2.14.0.0.exe | 77
  PID 520 wrote to memory of 4168  | 520 | sconnect-host-v2.14.0.0.exe | 79
  PID 520 wrote to memory of 4168  | 520 | sconnect-host-v2.14.0.0.exe | 79
  PID 520 wrote to memory of 4168  | 520 | sconnect-host-v2.14.0.0.exe | 79
Processes
- C:\Users\Admin\AppData\Local\Temp\sconnect-host-v2.14.0.0.exe (level 1, PID 520)
  Command line: "C:\Users\Admin\AppData\Local\Temp\sconnect-host-v2.14.0.0.exe"
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\taskkill.exe (level 2, PID 5040)
    Command line: "taskkill" /F /IM sconnect.exe
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\taskkill.exe (level 2, PID 4552)
    Command line: "taskkill" /F /IM sconnect.exe
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\taskkill.exe (level 2, PID 4168)
    Command line: "taskkill" /F /IM sconnect.exe
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 3KB
  MD5: b4faf654de4284a89eaf7d073e4e1e63
  SHA1: 8efcfd1ca648e942cbffd27af429784b7fcf514b
  SHA256: c0948b2ec36a69f82c08935fac4b212238b6792694f009b93b4bdb478c4f26e3
  SHA512: eef31e332be859cf2a64c928bf3b96442f36fe51f1a372c5628264a0d4b2fc7b3e670323c8fb5ffa72db995b8924da2555198e7de7b4f549d9e0f9e6dbb6b388
- Filesize: 6KB
  MD5: 55317a22d09c800966cc2f45b82aa5a3
  SHA1: d2517addd8f970e1e42c3f0773a54247b041f208
  SHA256: 7a920776397d079c2d4525e85bb32d47c2ca938d4bd01eaf4473d2ad89f09322
  SHA512: 80498b2d4707d8bdcf03b25fba5e0f8f0296c36a0053ad0448e8732a77c7567225f59fc20cbd7049b00269ef02fe9c1c706cd1d1b5a741bf364e31e6f936166b