Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    148s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    22/05/2024, 21:18

General

  • Target

    c40fc7e3df8e47497d5e3b3c54a9586cf09e9ffec5bf80c2613ec4ba4aee4bfa.exe

  • Size

    1.1MB

  • MD5

    78b52e14fbfe7ef408182a904f1ce54f

  • SHA1

    b0ffdc6c381796b7f614c2219cab062d6d6d06bc

  • SHA256

    c40fc7e3df8e47497d5e3b3c54a9586cf09e9ffec5bf80c2613ec4ba4aee4bfa

  • SHA512

    7920bee63a78a6e17e3330e78549617936d09f84d8d0901c253553e2a9d5c04fa01a2e008689802e63d8b0f907f487ca1431ee54585667a0a0175e931a216e84

  • SSDEEP

    24576:CH0dl8myX9Bg42QoXFkrzkmmlSgRDko0lG4Z8r7Qfbkiu5QS:CcaClSFlG4ZM7QzMh

Score
7/10

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\c40fc7e3df8e47497d5e3b3c54a9586cf09e9ffec5bf80c2613ec4ba4aee4bfa.exe
    "C:\Users\Admin\AppData\Local\Temp\c40fc7e3df8e47497d5e3b3c54a9586cf09e9ffec5bf80c2613ec4ba4aee4bfa.exe"
    1⤵
    • Checks computer location settings
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: RenamesItself
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4580
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      2⤵
      • Checks computer location settings
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:1992
      • C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        3⤵
        • Deletes itself
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of SetWindowsHookEx
        PID:4552
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      2⤵
      • Checks computer location settings
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:1856
      • C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:2476

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

    Filesize

    753B

    MD5

    adb696708c926ff9bbf48b75438c7d53

    SHA1

    969b207cf39151904e761786492e66d3c4771370

    SHA256

    725f9166d97352722a48918a31d8cbf6d51d78d39d30bdbd07a962cd16dfe039

    SHA512

    5833ff27153270aae0078b09c063f87b261ed5f3f8b3bb5bed71b2738f3960b91f072e58cb15c7793b1855077f3cc9055c440fa3cb04181a90262333aff04428

  • C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

    Filesize

    1.1MB

    MD5

    03fb7256a2242d4293d8749d7f121721

    SHA1

    b5b3a78f2be9c570c1aeb9078ad135190dec70f9

    SHA256

    15cd338b48030f0ae82978ff832d9b40a0d06e105b300e81b9a8eac93f956e47

    SHA512

    f5e374ba10876864e1591a5efef6c2a9bf47113cc1dfcbde724b9c046d75b73d522b5aca30220e667b3fa97032b4470b221de451fa17a02606cfa8c946502b7e

  • memory/4580-10-0x0000000000400000-0x0000000000551000-memory.dmp

    Filesize

    1.3MB