Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
148s -
max time network
153s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
-
submitted
12/05/2024, 20:14
General
-
Target
1ea428efc4ed247035bd60c3c89990862e59bfe06ff85293218856675f8c5650.exe
-
Size
1.1MB
-
MD5
ffbf739ca37b3b5b8ac99e862022f732
-
SHA1
c8fdf6104b78e8648f35b38fac06553b48a61f02
-
SHA256
1ea428efc4ed247035bd60c3c89990862e59bfe06ff85293218856675f8c5650
-
SHA512
e1a6bb925f6ce60257cd6449a0c97c5aabac42b5c82d8149a00764e2cee5d87ae3f636cea0fea0d872757868f72dfd0a4443b6d8e42266ff236c17c2c5fee6ee
-
SSDEEP
24576:CH0dl8myX9Bg42QoXFkrzkmmlSgRDko0lG4Z8r7Qfbkiu5QI:CcaClSFlG4ZM7QzMv
Malware Config
Signatures
-
Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
-
Deletes itself 1 IoCs
-
Executes dropped EXE 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies registry class 3 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: RenamesItself 1 IoCs
-
Suspicious use of SetWindowsHookEx 6 IoCs
-
Suspicious use of WriteProcessMemory 12 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\1ea428efc4ed247035bd60c3c89990862e59bfe06ff85293218856675f8c5650.exe"C:\Users\Admin\AppData\Local\Temp\1ea428efc4ed247035bd60c3c89990862e59bfe06ff85293218856675f8c5650.exe"1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"2⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"3⤵
- Deletes itself
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
-
-
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"2⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
753B
MD53cf4238174770d6572fa1f2b06a95d5d
SHA1208d822e4dcec2461d9542b65904ba8c03744450
SHA2565e0569c6c70205d2886e2e42f2027d5fb18f83fcd2e1ae90ae95cd6ca693e9dd
SHA5129e8bc0cd56d8a7572dc54eaed2c4f6f5326e6728ffa3f8adfd3d8eb74e94999681bb309db0aea89d5a004668bc49e5ff4c97f7146bc01e8db729e6679f899811
-
Filesize
1.1MB
MD5c1333e046773fde45404e4183c574525
SHA1f0fe84ff53542d141d6082b2885d99a67245c085
SHA25645e11298b7f48a9115bf15431e51204976565490311967d7df71998d285bc2e7
SHA512067bd5b2afa1c9d55e5cd48e2ac5603e243cad2d6a3ac5c92e4fae74e5021b676a2d5c649ef565802d165119a293be2adba3a79c2aaf7bb360832282714d99c3
-
Filesize
1.3MB