Analysis
max time kernel: 122s
max time network: 123s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 22/05/2024, 18:28
Static task: static1
Behavioral task: behavioral1
  Sample: e48526a7b92ee772012049ea8067cfad431d95ced281aa7f19af7e6d5fd0a080.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: e48526a7b92ee772012049ea8067cfad431d95ced281aa7f19af7e6d5fd0a080.exe
  Resource: win10v2004-20240426-en
General
Target: e48526a7b92ee772012049ea8067cfad431d95ced281aa7f19af7e6d5fd0a080.exe
Size: 1.1MB
MD5: 346b006ed1c6db3975fc0d51fc93da79
SHA1: 1094ff38618e1b1491e1ad1d0b0fb6b0fdfdf1de
SHA256: e48526a7b92ee772012049ea8067cfad431d95ced281aa7f19af7e6d5fd0a080
SHA512: c3e799ba81ff91c3ea562fd909902fd17cd414288aa1ee7e4182d66c594ab326589e22e583577c6d3d03816e0ee014910e4b7651e48c6a289f45cd3b7dc63e8f
SSDEEP: 24576:CH0dl8myX9Bg42QoXFkrzkmmlSgRDko0lG4Z8r7Qfbkiu5QV:CcaClSFlG4ZM7QzMe
Malware Config
Signatures
- Deletes itself (1 IoC)
  pid 2932  svchcst.exe
- Executes dropped EXE (2 IoCs)
  pid 2932  svchcst.exe
  pid 3060  svchcst.exe
- Loads dropped DLL (4 IoCs)
  pid 2532  WScript.exe (logged 2 times)
  pid 2400  WScript.exe (logged 2 times)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious behavior: EnumeratesProcesses (63 IoCs)
  pid 2128  e48526a7b92ee772012049ea8067cfad431d95ced281aa7f19af7e6d5fd0a080.exe (logged 2 times)
  pid 2932  svchcst.exe (logged for the remaining 61 entries)
- Suspicious behavior: RenamesItself (1 IoC)
  pid 2128  e48526a7b92ee772012049ea8067cfad431d95ced281aa7f19af7e6d5fd0a080.exe
- Suspicious use of SetWindowsHookEx (6 IoCs)
  pid 2128  e48526a7b92ee772012049ea8067cfad431d95ced281aa7f19af7e6d5fd0a080.exe (logged 2 times)
  pid 2932  svchcst.exe (logged 2 times)
  pid 3060  svchcst.exe (logged 2 times)
- Suspicious use of WriteProcessMemory (16 IoCs; each relation below is logged 4 times)
  PID 2128 (e48526a7b92ee772012049ea8067cfad431d95ced281aa7f19af7e6d5fd0a080.exe) wrote to memory of 2532, procid_target 28
  PID 2128 (e48526a7b92ee772012049ea8067cfad431d95ced281aa7f19af7e6d5fd0a080.exe) wrote to memory of 2400, procid_target 29
  PID 2532 (WScript.exe) wrote to memory of 2932, procid_target 31
  PID 2400 (WScript.exe) wrote to memory of 3060, procid_target 32
Processes
(depth 1) C:\Users\Admin\AppData\Local\Temp\e48526a7b92ee772012049ea8067cfad431d95ced281aa7f19af7e6d5fd0a080.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\e48526a7b92ee772012049ea8067cfad431d95ced281aa7f19af7e6d5fd0a080.exe"
  PID: 2128
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: RenamesItself
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  (depth 2) C:\Windows\SysWOW64\WScript.exe
    command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
    PID: 2532
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    (depth 3) C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
      command line: "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
      PID: 2932
      - Deletes itself
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of SetWindowsHookEx
  (depth 2) C:\Windows\SysWOW64\WScript.exe
    command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
    PID: 2400
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    (depth 3) C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
      command line: "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
      PID: 3060
      - Executes dropped EXE
      - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 753B
  MD5: 67576ab661ce768d4f5611a4e2d67248
  SHA1: d8f4b8e58a745e027dbbc723600a6dfea5941bd1
  SHA256: 2ce7fa120e58814ea0d35c29d93abbe1ee7712167418b034db0994209f90ba2e
  SHA512: d7b55e7a392f2404afe73ba7930363775ce976cf047f7a37faa657b6f1c65006bba0dd9645c34056850206b3184a483430bb357634bc7a4d9adf44461a5bf77e
- Filesize: 1.1MB
  MD5: f8d9467e59935ad6176a4ad5fbb5c626
  SHA1: 28851889d212409fd9987f1e997ef2ae6c2b63d4
  SHA256: 22857d291296c49577be86a3f51cb2c2e2785b543b43e022b63f5ddb48767b42
  SHA512: febd2dde87e3b1ace2fa67ecef03f4a28e2b96cf03b0e86695fbbf3089771bdac5c073762a114b8797248eb093f149a2a433df905385452355ebea5d48e78150