
Analysis

  • max time kernel
    147s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240419-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240419-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    28/04/2024, 04:14

General

  • Target

    3cd73b4b96452c98a8c64a318c48c623586300c24c982be205dffb2a950f46a4.exe

  • Size

    1.1MB

  • MD5

    886fb349bd176d1c19ea9634985fe839

  • SHA1

    f58323b6a60c2d165e3494240c3627b75240900f

  • SHA256

    3cd73b4b96452c98a8c64a318c48c623586300c24c982be205dffb2a950f46a4

  • SHA512

    026bedc0cd0ad1e916cff963b36a77d3f478c27125dcec69db89814b5bfbed667a5c8030d3232e0e1a9c82c45d00c2f556f5e233f257d39927077af1e1188ce5

  • SSDEEP

    24576:CH0dl8myX9Bg42QoXFkrzkmmlSgRDko0lG4Z8r7Qfbkiu5Q/:CcaClSFlG4ZM7QzMY

Score
7/10

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 8 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 8 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of SetWindowsHookEx 10 IoCs
  • Suspicious use of WriteProcessMemory 27 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\3cd73b4b96452c98a8c64a318c48c623586300c24c982be205dffb2a950f46a4.exe
    "C:\Users\Admin\AppData\Local\Temp\3cd73b4b96452c98a8c64a318c48c623586300c24c982be205dffb2a950f46a4.exe"
    1⤵
    • Checks computer location settings
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: RenamesItself
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1852
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      2⤵
      • Checks computer location settings
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:4328
      • C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        3⤵
        • Checks computer location settings
        • Deletes itself
        • Executes dropped EXE
        • Modifies registry class
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:3060
        • C:\Windows\SysWOW64\WScript.exe
          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
          4⤵
          • Checks computer location settings
          • Modifies registry class
          PID:4892
        • C:\Windows\SysWOW64\WScript.exe
          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
          4⤵
          • Checks computer location settings
          • Modifies registry class
          • Suspicious use of WriteProcessMemory
          PID:760
          • C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
            "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
            5⤵
            • Checks computer location settings
            • Executes dropped EXE
            • Modifies registry class
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:1944
            • C:\Windows\SysWOW64\WScript.exe
              "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
              6⤵
              • Checks computer location settings
              • Modifies registry class
              • Suspicious use of WriteProcessMemory
              PID:4768
              • C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
                "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
                7⤵
                • Executes dropped EXE
                • Suspicious use of SetWindowsHookEx
                PID:3372
            • C:\Windows\SysWOW64\WScript.exe
              "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
              6⤵
              • Checks computer location settings
              • Modifies registry class
              • Suspicious use of WriteProcessMemory
              PID:2368
              • C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
                "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
                7⤵
                • Executes dropped EXE
                • Suspicious use of SetWindowsHookEx
                PID:5004

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Config.ini

    Filesize

    92B

    MD5

    67b9b3e2ded7086f393ebbc36c5e7bca

    SHA1

    e6299d0450b9a92a18cc23b5704a2b475652c790

    SHA256

    44063c266686263f14cd2a83fee124fb3e61a9171a6aab69709464f49511011d

    SHA512

    826fbc9481f46b1ae3db828a665c55c349023caf563e6e8c17321f5f3af3e4c3914955db6f0eebfc6defe561315435d47310b4d0499ab9c2c85bb61264dedc09

  • C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

    Filesize

    696B

    MD5

    bdff210bf33c9ed5f2b10773c8c98ff5

    SHA1

    fc4fbaca4c7f23506dc792dec89e640050ad62e9

    SHA256

    900ab6b8ac0df4e138335d9d8e283495f569bf9fa1f401a6f8122661104f8cf8

    SHA512

    45849b735796586ea2518bd4aec42377db54b2de01025df65e52d8d1561d7e26702051c945ac7257857e00d7ab9d2d7fbf87f178e1e606905e095b22d95e5b32

  • C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

    Filesize

    753B

    MD5

    64ad0131e0f02b61dc85ca2e6c677107

    SHA1

    14884ecbfc38c3f623fd1a0cb3a29aef0db1394a

    SHA256

    adb58aa95b354df179de125cae5931f6296eda2f2b3b37b67ad00c0be14fd05e

    SHA512

    045aca179a77d03380d3fe0e04661b95864cb0cdea5e020ca142f89be5432fd1ee6463b317a4f9e329578454441ce05876903fe5fca4a1abc4c3d431d0480a2f

  • C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

    Filesize

    696B

    MD5

    3fe126921f6537cf36cd507b1649ffbb

    SHA1

    445c8796d072bb5829f0af8421e3eb7da34add70

    SHA256

    b4af7c7ab452f12e0ea38532d00cfa19cf99247ef169e5e698acd882e72750a6

    SHA512

    5d8527210f01cc30bda93521cdbd9828d03f2af3e2810996ad8c60cf62a35e415c0e54a34e00847ae30bf2718e8c431b65ed4f509c11986a8eb54ed6ed64ac94

  • C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

    Filesize

    1.1MB

    MD5

    1cc6f89f340afae6848a740d3c477514

    SHA1

    4841c62973e09b855756a1ab1ee526793f0388be

    SHA256

    3a04595b90c4ab059f79b783316cf9eb1125788a5782a8b1a256d2085e157b68

    SHA512

    a831f0731800b91e273f875656716f3e72f2ca3a4f2bf14b313be0a681a30012a46853586b2332cf3c9e96707bd311dd3567013aa51884270893bc8aac8e2a36

  • C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

    Filesize

    1.1MB

    MD5

    757810ef593d7e02ceb79595bfef26ba

    SHA1

    fdc3ee13d0da83244dca24c7c4505b117d974edb

    SHA256

    fc7c3c05b966bbe60d69982f1aff2fd648c79421b44a89f1d3197d17af6faa3f

    SHA512

    09109122ed5e6646b9687447648c9bd05ec8312d781113654467a4bec014ef6317cea8bff6c2a27f54101c3818cbea5d36be8795ad9f2d723e02bdcd037dbf7a

  • C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

    Filesize

    1.1MB

    MD5

    325994a25ebbb422c0fc3a153786bd76

    SHA1

    2f6897c549065d34c33326cbc008cdce279fe057

    SHA256

    30a2edd1fbce73913c9212b4c7a0ac0238abf31f04d4c4753176e63286ba5ca4

    SHA512

    e5e5a37c26e49cd192aa6042c5b9f063234594f2c82999a067b25e45fba607b6de24c252d118d732e034017df590e0e1bf0d0d8334858bc6fc5c29531b75942c

  • memory/1852-8-0x0000000000400000-0x0000000000551000-memory.dmp

    Filesize

    1.3MB