Analysis
- max time kernel: 149s
- max time network: 150s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 21/05/2024, 11:18
Static task
- static1

Behavioral task behavioral1
- Sample: 7fb5c312fdbcb31ef86f8128f278e27b3f5a27989582963b73315d31e6679e12.exe
- Resource: win7-20240220-en

Behavioral task behavioral2
- Sample: 7fb5c312fdbcb31ef86f8128f278e27b3f5a27989582963b73315d31e6679e12.exe
- Resource: win10v2004-20240508-en
General
- Target: 7fb5c312fdbcb31ef86f8128f278e27b3f5a27989582963b73315d31e6679e12.exe
- Size: 1.1MB
- MD5: 4e32671a0711acaba3491dc6f6831abb
- SHA1: b54015af6fe3b41bdd990f1345b29dfc59542099
- SHA256: 7fb5c312fdbcb31ef86f8128f278e27b3f5a27989582963b73315d31e6679e12
- SHA512: a8d04478efdfde0dbd31aabfc2507c60b3040bf7848836676f493cc4ccaaeb6141e1b5be99e0ef4b50220bb0a6d7ca00c8edead191ed2480e88e7b6ad487c71d
- SSDEEP: 24576:aH0dl8myX9Bg42QoXFkrzkmplSgRDYo0lG4Z8r7Qfbkiu5Q8:acallSllG4ZM7QzML
Malware Config
Signatures

Checks computer location settings (2 TTPs, 5 IoCs)
Looks up country code configured in the registry, likely geofence.
- Key value queried: \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation (7fb5c312fdbcb31ef86f8128f278e27b3f5a27989582963b73315d31e6679e12.exe)
- Key value queried: \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation (WScript.exe)
- Key value queried: \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation (svchcst.exe)
- Key value queried: \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation (WScript.exe)
- Key value queried: \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation (WScript.exe)

Deletes itself (1 IoC)
- PID 3748, svchcst.exe

Executes dropped EXE (3 IoCs)
- PID 3748, svchcst.exe
- PID 2648, svchcst.exe
- PID 3896, svchcst.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Modifies registry class (5 IoCs)
- Key created: \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings (7fb5c312fdbcb31ef86f8128f278e27b3f5a27989582963b73315d31e6679e12.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ (WScript.exe)
- Key created: \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings (svchcst.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ (WScript.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ (WScript.exe)

Suspicious behavior: EnumeratesProcesses (64 IoCs)
- PID 60, 7fb5c312fdbcb31ef86f8128f278e27b3f5a27989582963b73315d31e6679e12.exe (2 entries)
- PID 3748, svchcst.exe (62 entries)

Suspicious behavior: RenamesItself (1 IoC)
- PID 60, 7fb5c312fdbcb31ef86f8128f278e27b3f5a27989582963b73315d31e6679e12.exe

Suspicious use of SetWindowsHookEx (8 IoCs)
- PID 60, 7fb5c312fdbcb31ef86f8128f278e27b3f5a27989582963b73315d31e6679e12.exe (2 entries)
- PID 3748, svchcst.exe (2 entries)
- PID 2648, svchcst.exe (2 entries)
- PID 3896, svchcst.exe (2 entries)

Suspicious use of WriteProcessMemory (18 IoCs)
Each write appears three times in the report; rows are given as source PID, source process and the report's procid_target:
- PID 60 wrote to memory of 4692: 7fb5c312fdbcb31ef86f8128f278e27b3f5a27989582963b73315d31e6679e12.exe, procid_target 83 (3 entries)
- PID 4692 wrote to memory of 3748: WScript.exe, procid_target 95 (3 entries)
- PID 3748 wrote to memory of 4940: svchcst.exe, procid_target 96 (3 entries)
- PID 3748 wrote to memory of 2444: svchcst.exe, procid_target 97 (3 entries)
- PID 4940 wrote to memory of 2648: WScript.exe, procid_target 100 (3 entries)
- PID 2444 wrote to memory of 3896: WScript.exe, procid_target 101 (3 entries)
Processes

Level 1: C:\Users\Admin\AppData\Local\Temp\7fb5c312fdbcb31ef86f8128f278e27b3f5a27989582963b73315d31e6679e12.exe (PID 60)
Command line: "C:\Users\Admin\AppData\Local\Temp\7fb5c312fdbcb31ef86f8128f278e27b3f5a27989582963b73315d31e6679e12.exe"
- Checks computer location settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory

  Level 2: C:\Windows\SysWOW64\WScript.exe (PID 4692)
  Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory

    Level 3: C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe (PID 3748)
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    - Checks computer location settings
    - Deletes itself
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

      Level 4: C:\Windows\SysWOW64\WScript.exe (PID 4940)
      Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      - Checks computer location settings
      - Modifies registry class
      - Suspicious use of WriteProcessMemory

        Level 5: C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe (PID 2648)
        Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        - Executes dropped EXE
        - Suspicious use of SetWindowsHookEx

      Level 4: C:\Windows\SysWOW64\WScript.exe (PID 2444)
      Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      - Checks computer location settings
      - Modifies registry class
      - Suspicious use of WriteProcessMemory

        Level 5: C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe (PID 3896)
        Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        - Executes dropped EXE
        - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads