Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

7

Static

static

3

Vencord.exe

windows7-x64

7

Vencord.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    139s
  • max time network
    137s
  • platform
    windows7_x64
  • resource
    win7-20240419-en
  • resource tags

    arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system
  • submitted
    08/05/2024, 23:39

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Vencord.exe

  • Size

    172KB

  • MD5

    77b96aa2d04a2a6d5150c045335715ee

  • SHA1

    f24a994ac4f0d82fe06b521cd5380483da41f2e5

  • SHA256

    edb0739d83f55658a9ccb25db70c525055d4951a211a322ac351e78db2768236

  • SHA512

    b10c5193824d50b2067136667b9f161cb0f8a7731197f8df06508c76673806dbff790f5d15b448ce2f4befe82d06b14c64b4cf1c60ad83db8197565a1e34ccc4

  • SSDEEP

    3072:vUeL2/0XLut44ZjWv815xxWTwGRBDaBRTbFNhc/W73cPXv2wJn9pZP:Me60but44Zx2VB4bJc/W73cPXv2wJn9D

Score
7/10
persistence

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Delays execution with timeout.exe 1 IoCs
    evasion
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\Vencord.exe
    "C:\Users\Admin\AppData\Local\Temp\Vencord.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2396
    • C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "scchost" /tr "C:\Users\Admin\AppData\Roaming\scchost.exe"
      2⤵
      • Creates scheduled task(s)
      PID:2164
    • C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /delete /f /tn "scchost"
      2⤵
        PID:1292
      • C:\Windows\system32\cmd.exe
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp2127.tmp.bat""
        2⤵
        • Deletes itself
        • Suspicious use of WriteProcessMemory
        PID:660
        • C:\Windows\system32\timeout.exe
          timeout 3
          3⤵
          • Delays execution with timeout.exe
          PID:2016
    • C:\Windows\system32\taskeng.exe
      taskeng.exe {364DD2E1-C565-407E-9E15-D6C0FE897639} S-1-5-21-481678230-3773327859-3495911762-1000:UIBNQNMA\Admin:Interactive:[1]
      1⤵
      • Suspicious use of WriteProcessMemory
      PID:2688
      • C:\Users\Admin\AppData\Roaming\scchost.exe
        C:\Users\Admin\AppData\Roaming\scchost.exe
        2⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        PID:2880
      • C:\Users\Admin\AppData\Roaming\scchost.exe
        C:\Users\Admin\AppData\Roaming\scchost.exe
        2⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        PID:2724

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\tmp2127.tmp.bat
      Filesize

      159B

      MD5

      28a382e0f1137c82ee8f3ffc13def28b

      SHA1

      5988052d01e1d67eae712edbfbdf250bed16a1ce

      SHA256

      120d1893ccc61a66c592808f13ab1601960e0e1473b142739d35ac6a37b8b7f3

      SHA512

      9f315b0dd4e331af76e40384f352a42dd98d523802bebddc12a02f4694a47431dd2006ad04459841feb2161aa7732b86bad2c7c0021fd4074b4014d6ee0cc6c3

      Download Submit

    • C:\Users\Admin\AppData\Roaming\scchost.exe
      Filesize

      172KB

      MD5

      77b96aa2d04a2a6d5150c045335715ee

      SHA1

      f24a994ac4f0d82fe06b521cd5380483da41f2e5

      SHA256

      edb0739d83f55658a9ccb25db70c525055d4951a211a322ac351e78db2768236

      SHA512

      b10c5193824d50b2067136667b9f161cb0f8a7731197f8df06508c76673806dbff790f5d15b448ce2f4befe82d06b14c64b4cf1c60ad83db8197565a1e34ccc4

      Download Submit

    • memory/2396-0-0x000007FEF55F3000-0x000007FEF55F4000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2396-1-0x0000000000F10000-0x0000000000F44000-memory.dmp

      Filesize

      208KB

      Download

    • memory/2396-2-0x0000000000250000-0x0000000000256000-memory.dmp

      Filesize

      24KB

      Download

    • memory/2396-3-0x000007FEF55F0000-0x000007FEF5FDC000-memory.dmp

      Filesize

      9.9MB

      Download

    • memory/2396-5-0x000007FEF55F3000-0x000007FEF55F4000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2396-6-0x000007FEF55F0000-0x000007FEF5FDC000-memory.dmp

      Filesize

      9.9MB

      Download

    • memory/2396-21-0x000007FEF55F0000-0x000007FEF5FDC000-memory.dmp

      Filesize

      9.9MB

      Download

    • memory/2724-12-0x0000000000990000-0x00000000009C4000-memory.dmp

      Filesize

      208KB

      Download

    • memory/2880-10-0x0000000000350000-0x0000000000384000-memory.dmp

      Filesize

      208KB

      Download