Analysis
max time kernel: 119s
max time network: 124s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 15/05/2024, 18:18
Static task: static1
Behavioral task: behavioral1
  Sample: 6e27926f4803530380dc896a21ef51d6fe9e1783aef0a7005cce5b4c4329900d.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: 6e27926f4803530380dc896a21ef51d6fe9e1783aef0a7005cce5b4c4329900d.exe
  Resource: win10v2004-20240426-en
General
Target: 6e27926f4803530380dc896a21ef51d6fe9e1783aef0a7005cce5b4c4329900d.exe
Size: 1.1MB
MD5: fea8accdfb20e7974dc7f65cd644b809
SHA1: 16a251f7610784026d354d59f5e94b1ef8436aff
SHA256: 6e27926f4803530380dc896a21ef51d6fe9e1783aef0a7005cce5b4c4329900d
SHA512: 6d75e0b0989437a78471e05b2471cc42c3086f937aa30cfd8a524f241f7cfe3e662079aed80178d8c415bd07f378aca5e68a7fa351439d4910852f66ccb750ca
SSDEEP: 24576:aH0dl8myX9Bg42QoXFkrzkmplSgRDYo0lG4Z8r7Qfbkiu5QY:acallSllG4ZM7QzMf
Malware Config
Signatures
Deletes itself (1 IoCs)
  pid   Process
  2788  svchcst.exe

Executes dropped EXE (2 IoCs)
  pid   Process
  2788  svchcst.exe
  2992  svchcst.exe

Loads dropped DLL (4 IoCs)
  pid   Process
  3064  WScript.exe
  2516  WScript.exe
  3064  WScript.exe
  2516  WScript.exe

Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).

Suspicious behavior: EnumeratesProcesses (63 IoCs)
  pid   Process
  2888  6e27926f4803530380dc896a21ef51d6fe9e1783aef0a7005cce5b4c4329900d.exe  (2 entries)
  2788  svchcst.exe  (all remaining entries)

Suspicious behavior: RenamesItself (1 IoCs)
  pid   Process
  2888  6e27926f4803530380dc896a21ef51d6fe9e1783aef0a7005cce5b4c4329900d.exe

Suspicious use of SetWindowsHookEx (6 IoCs)
  pid   Process
  2888  6e27926f4803530380dc896a21ef51d6fe9e1783aef0a7005cce5b4c4329900d.exe  (2 entries)
  2788  svchcst.exe  (2 entries)
  2992  svchcst.exe  (2 entries)

Suspicious use of WriteProcessMemory (16 IoCs)
  description                        pid   Process                                                                 procid_target
  PID 2888 wrote to memory of 2516   2888  6e27926f4803530380dc896a21ef51d6fe9e1783aef0a7005cce5b4c4329900d.exe  29  (4 entries)
  PID 2888 wrote to memory of 3064   2888  6e27926f4803530380dc896a21ef51d6fe9e1783aef0a7005cce5b4c4329900d.exe  28  (4 entries)
  PID 3064 wrote to memory of 2788   3064  WScript.exe                                                             31  (4 entries)
  PID 2516 wrote to memory of 2992   2516  WScript.exe                                                             32  (4 entries)
Processes
C:\Users\Admin\AppData\Local\Temp\6e27926f4803530380dc896a21ef51d6fe9e1783aef0a7005cce5b4c4329900d.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\6e27926f4803530380dc896a21ef51d6fe9e1783aef0a7005cce5b4c4329900d.exe"
  PID: 2888
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: RenamesItself
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\WScript.exe
    command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
    PID: 3064
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
      command line: "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
      PID: 2788
      - Deletes itself
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of SetWindowsHookEx

  C:\Windows\SysWOW64\WScript.exe
    command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
    PID: 2516
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
      command line: "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
      PID: 2992
      - Executes dropped EXE
      - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 753B
  MD5: 4174cd325ac93bb52824a0ee96ea5105
  SHA1: a81da775db4e693a793b9c42e7881e8338eb4c3e
  SHA256: a96f0202d155ef17f240b0018cc7f31fac7a9c7379a3a929bf1bdda09153855b
  SHA512: 2d3329f585ec8e08a0f1c229d27b0eee6a24113823aeadf3897d380847046d3c2494118a48eaecd7f2c67db95a9f2513dcbcb3d199be4bdf91977c9a74162902

Filesize: 1.1MB
  MD5: 88173b03b9b592f5fc5ee1bb22df7699
  SHA1: 5f3061b4f45a6d32f652ff48ebddcea22077d4cb
  SHA256: 7e4f4811e16caef4e68b2d8b7a2889f9bd980cef4f3341ccc9d6a487b5c549f2
  SHA512: bf73370b1701401b3943eaed1265a0a2311764f327ade474c84353eff2dac224540d21aa4f36d02b73d6ae1eb1bb685dac6f81df4c9beb2d64c292829c8a12ec