Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

7

Static

static

3

Vencord.exe

windows7-x64

7

Vencord.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    138s
  • max time network
    137s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    08/05/2024, 23:39

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Vencord.exe

  • Size

    172KB

  • MD5

    77b96aa2d04a2a6d5150c045335715ee

  • SHA1

    f24a994ac4f0d82fe06b521cd5380483da41f2e5

  • SHA256

    edb0739d83f55658a9ccb25db70c525055d4951a211a322ac351e78db2768236

  • SHA512

    b10c5193824d50b2067136667b9f161cb0f8a7731197f8df06508c76673806dbff790f5d15b448ce2f4befe82d06b14c64b4cf1c60ad83db8197565a1e34ccc4

  • SSDEEP

    3072:vUeL2/0XLut44ZjWv815xxWTwGRBDaBRTbFNhc/W73cPXv2wJn9pZP:Me60but44Zx2VB4bJc/W73cPXv2wJn9D

Score
7/10
persistence

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Delays execution with timeout.exe 1 IoCs
    evasion
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\Vencord.exe
    "C:\Users\Admin\AppData\Local\Temp\Vencord.exe"
    1⤵
    • Checks computer location settings
    • Adds Run key to start application
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3496
    • C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "scchost" /tr "C:\Users\Admin\AppData\Roaming\scchost.exe"
      2⤵
      • Creates scheduled task(s)
      PID:3204
    • C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /delete /f /tn "scchost"
      2⤵
        PID:116
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp836F.tmp.bat""
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:4176
        • C:\Windows\system32\timeout.exe
          timeout 3
          3⤵
          • Delays execution with timeout.exe
          PID:4288
    • C:\Users\Admin\AppData\Roaming\scchost.exe
      C:\Users\Admin\AppData\Roaming\scchost.exe
      1⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:3260
    • C:\Users\Admin\AppData\Roaming\scchost.exe
      C:\Users\Admin\AppData\Roaming\scchost.exe
      1⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:1036

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\scchost.exe.log
      Filesize

      654B

      MD5

      2ff39f6c7249774be85fd60a8f9a245e

      SHA1

      684ff36b31aedc1e587c8496c02722c6698c1c4e

      SHA256

      e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced

      SHA512

      1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\tmp836F.tmp.bat
      Filesize

      159B

      MD5

      9746635d1a0b3b60a278a0bee7574cee

      SHA1

      58b046e2f87570473a963f19044c4dc860e37f3e

      SHA256

      abaf611ff5821e6bdc57557bc9152c48876a45ad93f97829e5162870cc4388e5

      SHA512

      2a5c032834d2a1d6e04cba1221f98aeac19d8707901ada3bad9802e09cab19a91b3218483c3d74b7308b9bd1cab4adc604678bb89f9392d6cf29dd99c6c704c0

      Download Submit

    • C:\Users\Admin\AppData\Roaming\scchost.exe
      Filesize

      172KB

      MD5

      77b96aa2d04a2a6d5150c045335715ee

      SHA1

      f24a994ac4f0d82fe06b521cd5380483da41f2e5

      SHA256

      edb0739d83f55658a9ccb25db70c525055d4951a211a322ac351e78db2768236

      SHA512

      b10c5193824d50b2067136667b9f161cb0f8a7731197f8df06508c76673806dbff790f5d15b448ce2f4befe82d06b14c64b4cf1c60ad83db8197565a1e34ccc4

      Download Submit

    • memory/3260-12-0x00007FFA85650000-0x00007FFA86111000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/3260-9-0x00007FFA85650000-0x00007FFA86111000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/3260-10-0x00007FFA85650000-0x00007FFA86111000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/3496-5-0x00007FFA85653000-0x00007FFA85655000-memory.dmp

      Filesize

      8KB

      Download

    • memory/3496-6-0x00007FFA85650000-0x00007FFA86111000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/3496-3-0x00007FFA85650000-0x00007FFA86111000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/3496-0-0x00007FFA85653000-0x00007FFA85655000-memory.dmp

      Filesize

      8KB

      Download

    • memory/3496-2-0x0000000001200000-0x0000000001206000-memory.dmp

      Filesize

      24KB

      Download

    • memory/3496-18-0x00007FFA85650000-0x00007FFA86111000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/3496-1-0x0000000000A20000-0x0000000000A54000-memory.dmp

      Filesize

      208KB

      Download