Analysis
- max time kernel: 139s
- max time network: 137s
- platform: windows7_x64
- resource: win7-20240419-en
- resource tags: arch:x64, arch:x86, image:win7-20240419-en, locale:en-us, os:windows7-x64, system
- submitted: 08/05/2024, 23:39
Static task: static1

Behavioral task: behavioral1
- Sample: Vencord.exe
- Resource: win7-20240419-en

Behavioral task: behavioral2
- Sample: Vencord.exe
- Resource: win10v2004-20240508-en
General
- Target: Vencord.exe
- Size: 172KB
- MD5: 77b96aa2d04a2a6d5150c045335715ee
- SHA1: f24a994ac4f0d82fe06b521cd5380483da41f2e5
- SHA256: edb0739d83f55658a9ccb25db70c525055d4951a211a322ac351e78db2768236
- SHA512: b10c5193824d50b2067136667b9f161cb0f8a7731197f8df06508c76673806dbff790f5d15b448ce2f4befe82d06b14c64b4cf1c60ad83db8197565a1e34ccc4
- SSDEEP: 3072:vUeL2/0XLut44ZjWv815xxWTwGRBDaBRTbFNhc/W73cPXv2wJn9pZP:Me60but44Zx2VB4bJc/W73cPXv2wJn9D
Malware Config
Signatures
- Deletes itself (1 IoC)
  pid 660, process cmd.exe
- Executes dropped EXE (2 IoCs)
  pid 2880, process scchost.exe
  pid 2724, process scchost.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\scchost = "C:\\Users\\Admin\\AppData\\Roaming\\scchost.exe"
  process: Vencord.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid 2164, process schtasks.exe
- Delays execution with timeout.exe (1 IoC)
  pid 2016, process timeout.exe
- Suspicious use of AdjustPrivilegeToken (4 IoCs)
  description              pid   process
  Token: SeDebugPrivilege  2396  Vencord.exe  (reported twice)
  Token: SeDebugPrivilege  2880  scchost.exe
  Token: SeDebugPrivilege  2724  scchost.exe
- Suspicious use of WriteProcessMemory (18 IoCs; each row is reported three times)
  description                        pid   process      procid_target
  PID 2396 wrote to memory of 2164   2396  Vencord.exe  28
  PID 2688 wrote to memory of 2880   2688  taskeng.exe  31
  PID 2688 wrote to memory of 2724   2688  taskeng.exe  35
  PID 2396 wrote to memory of 1292   2396  Vencord.exe  36
  PID 2396 wrote to memory of 660    2396  Vencord.exe  38
  PID 660 wrote to memory of 2016    660   cmd.exe      40
- Uses Task Scheduler COM API (1 TTP)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes (indentation shows parent/child depth)

C:\Users\Admin\AppData\Local\Temp\Vencord.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\Vencord.exe"
  PID: 2396
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\System32\schtasks.exe
    command line: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "scchost" /tr "C:\Users\Admin\AppData\Roaming\scchost.exe"
    PID: 2164
    - Creates scheduled task(s)

  C:\Windows\System32\schtasks.exe
    command line: "C:\Windows\System32\schtasks.exe" /delete /f /tn "scchost"
    PID: 1292

  C:\Windows\system32\cmd.exe
    command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp2127.tmp.bat""
    PID: 660
    - Deletes itself
    - Suspicious use of WriteProcessMemory

    C:\Windows\system32\timeout.exe
      command line: timeout 3
      PID: 2016
      - Delays execution with timeout.exe

C:\Windows\system32\taskeng.exe
  command line: taskeng.exe {364DD2E1-C565-407E-9E15-D6C0FE897639} S-1-5-21-481678230-3773327859-3495911762-1000:UIBNQNMA\Admin:Interactive:[1]
  PID: 2688
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Roaming\scchost.exe
    command line: C:\Users\Admin\AppData\Roaming\scchost.exe
    PID: 2880
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken

  C:\Users\Admin\AppData\Roaming\scchost.exe
    command line: C:\Users\Admin\AppData\Roaming\scchost.exe
    PID: 2724
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 159B
  MD5: 28a382e0f1137c82ee8f3ffc13def28b
  SHA1: 5988052d01e1d67eae712edbfbdf250bed16a1ce
  SHA256: 120d1893ccc61a66c592808f13ab1601960e0e1473b142739d35ac6a37b8b7f3
  SHA512: 9f315b0dd4e331af76e40384f352a42dd98d523802bebddc12a02f4694a47431dd2006ad04459841feb2161aa7732b86bad2c7c0021fd4074b4014d6ee0cc6c3
- Filesize: 172KB
  MD5: 77b96aa2d04a2a6d5150c045335715ee
  SHA1: f24a994ac4f0d82fe06b521cd5380483da41f2e5
  SHA256: edb0739d83f55658a9ccb25db70c525055d4951a211a322ac351e78db2768236
  SHA512: b10c5193824d50b2067136667b9f161cb0f8a7731197f8df06508c76673806dbff790f5d15b448ce2f4befe82d06b14c64b4cf1c60ad83db8197565a1e34ccc4