Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    128s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    23/04/2024, 22:18

General

  • Target

    c013cd06032da64dd47a420d0715d2b4aae285d75d577902ea778c1885123b60.exe

  • Size

    1.1MB

  • MD5

    4acd69ee204daeb9d798de8a184fbb0e

  • SHA1

    36f010700608ff701d76db6ce338e2d9158bd5bb

  • SHA256

    c013cd06032da64dd47a420d0715d2b4aae285d75d577902ea778c1885123b60

  • SHA512

    654265153c4aef0a6bc42a9796af41627fc22a99ad457479f8d81db25e534e99da0f63435bc77d670b09dbe01d61f4e5d703922b6ff19a57e00679e54505da3d

  • SSDEEP

    24576:aH0dl8myX9BBT2QoXFkrzkmmlSgRDko0lG4Z8r7Qfbkiu5Qd:aCaClSFlG4ZM7QzM2

Score
7/10

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 63 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\c013cd06032da64dd47a420d0715d2b4aae285d75d577902ea778c1885123b60.exe
    "C:\Users\Admin\AppData\Local\Temp\c013cd06032da64dd47a420d0715d2b4aae285d75d577902ea778c1885123b60.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: RenamesItself
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1624
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      2⤵
      PID:3052
      • C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        3⤵
        PID:2864
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      2⤵
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:2920
      • C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        3⤵
        • Deletes itself
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of SetWindowsHookEx
        PID:2472
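The process tree above shows the same chain twice: the sample in AppData\Local\Temp launches WScript.exe with a .vbs under AppData\Roaming, and the script host then starts an executable dropped in that same Roaming directory. The following Python is an added example, not part of the Triage report, that turns that chain into a detection check over process-creation events. The events are constructed from the PIDs, images and command lines listed in this report; the parent PID of the root sample (0) is an assumption, since the report does not list it.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    """One process-creation record: PID, parent PID, image path, command line."""
    pid: int
    ppid: int
    image: str
    cmdline: str


SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\c013cd06032da64dd47a420d0715d2b4aae285d75d577902ea778c1885123b60.exe"
VBS = r"C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
DROPPED = r"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
WSCRIPT = r"C:\Windows\SysWOW64\WScript.exe"

# Constructed from the process tree in this report. The root's parent PID (0)
# is an assumption; the report does not show it.
EVENTS = [
    ProcEvent(1624, 0, SAMPLE, f'"{SAMPLE}"'),
    ProcEvent(3052, 1624, WSCRIPT, f'"C:\\Windows\\System32\\WScript.exe" "{VBS}"'),
    ProcEvent(2864, 3052, DROPPED, f'"{DROPPED}"'),
    ProcEvent(2920, 1624, WSCRIPT, f'"C:\\Windows\\System32\\WScript.exe" "{VBS}"'),
    ProcEvent(2472, 2920, DROPPED, f'"{DROPPED}"'),
]

# Windows script hosts (either bitness: System32 or SysWOW64 both end this way).
SCRIPT_HOSTS = ("\\wscript.exe", "\\cscript.exe")
# Quoted script argument handed to the host. Unquoted script paths are not
# matched by this simple pattern; extend it if your telemetry has them.
SCRIPT_RE = re.compile(r'"([^"]+\.(?:vbs|vbe|js|jse|wsf))"', re.IGNORECASE)
ROAMING = "\\appdata\\roaming\\"


def is_roaming(path: str) -> bool:
    """True when the path sits under a user's AppData\\Roaming tree."""
    return ROAMING in path.lower()


def find_wscript_drop_chains(events):
    """Return launcher -> script host -> dropped EXE chains.

    A hit needs: a child EXE whose parent is wscript/cscript, the host
    running a script stored under AppData\\Roaming, and the child image
    also living under AppData\\Roaming (the dropped-and-executed pattern
    seen in this report).
    """
    by_pid = {e.pid: e for e in events}
    chains = []
    for child in events:
        host = by_pid.get(child.ppid)
        if host is None or not host.image.lower().endswith(SCRIPT_HOSTS):
            continue
        m = SCRIPT_RE.search(host.cmdline)
        if not m:
            continue
        script = m.group(1)
        if not (is_roaming(script)
                and is_roaming(child.image)
                and child.image.lower().endswith(".exe")):
            continue
        launcher = by_pid.get(host.ppid)  # whatever started the script host
        chains.append({
            "launcher": launcher.image if launcher else None,
            "script": script,
            "dropped_exe": child.image,
            "pids": (launcher.pid if launcher else None, host.pid, child.pid),
        })
    return chains


if __name__ == "__main__":
    for chain in find_wscript_drop_chains(EVENTS):
        print(chain["pids"], chain["script"], "->", chain["dropped_exe"])
```

Run on the constructed events it reports both branches of the tree (PIDs 1624/3052/2864 and 1624/2920/2472). The Roaming-path condition is the part that keeps this from firing on every WScript.exe launch; a script in the user's Desktop that starts Program Files software is left alone, which is what the second test below checks.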

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs
    Filesize
    753B
    MD5
    13f20ee00bff95601cd03d066ebea9f0
    SHA1
    619dfd028a7dd84c1363cab93417d7bf481315cd
    SHA256
    0d64337186891e1cbb0454631ac0f42c2a17159fa28c7f0790167a7fb58eca86
    SHA512
    d459981cc43ea8f36a04a5747791571731a8c1a127a5ce00b9b9732b3d91798124a025bc9c89b536f6c7fdff71ba7367364434472be6999623dded20dccc96d7

  • C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    Filesize
    1.1MB
    MD5
    ab2bee433cb9ac8b1acf4bf2745f1b8f
    SHA1
    846491aa237d676d626a53999b9741e112406cca
    SHA256
    6ff738c121e2af3b335d78edfb2584ae047a392dc90191fdabac3af597040831
    SHA512
    fe81c82c953214899f1c3c3ef89e52d9a5b27d59ade6b7466239b301436b376b9cf93b8f129ee4f2330a22ea344f8af50b9bb03424f2e98bcb60173407b5ebab

  • memory/1624-0-0x0000000000400000-0x000000000055F000-memory.dmp
    Filesize
    1.4MB

  • memory/1624-11-0x0000000000400000-0x000000000055F000-memory.dmp
    Filesize
    1.4MB

  • memory/2472-18-0x0000000000400000-0x000000000055F000-memory.dmp
    Filesize
    1.4MB

  • memory/2920-15-0x0000000003C30000-0x0000000003D8F000-memory.dmp
    Filesize
    1.4MB