Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    141s
  • max time network
    158s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    13/06/2024, 04:50

General

  • Target

    812cbf49eddeddf09f1459b4661024a4a5c20e900bf968ad46e0260909969973.exe

  • Size

    1.1MB

  • MD5

    ecdd03327b5b7772de069c9eead50239

  • SHA1

    0cc5066d15a5314caeea56b8aa8c3203df9e1983

  • SHA256

    812cbf49eddeddf09f1459b4661024a4a5c20e900bf968ad46e0260909969973

  • SHA512

    ea498f1ae0050404237add5c063e40b9883562c5fe143765ca603558e718c08ae07129f6c52fd2e3fea23c3b3ee94d6cee4a15ad63341f2153f35e2803b0b6fd

  • SSDEEP

    24576:aH0dl8myX9Bg42QoXFkrzkmplSgRDYo0lG4Z8r7Qfbkiu5QO:acallSllG4ZM7QzMV

Score
7/10

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 4 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 4 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of SetWindowsHookEx 8 IoCs
  • Suspicious use of WriteProcessMemory 33 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\812cbf49eddeddf09f1459b4661024a4a5c20e900bf968ad46e0260909969973.exe
    "C:\Users\Admin\AppData\Local\Temp\812cbf49eddeddf09f1459b4661024a4a5c20e900bf968ad46e0260909969973.exe"
    1⤵
    • Checks computer location settings
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: RenamesItself
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1616
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      2⤵
        PID:1200
      • C:\Windows\SysWOW64\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        2⤵
          PID:4812
        • C:\Windows\SysWOW64\WScript.exe
          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
          2⤵
            PID:696
          • C:\Windows\SysWOW64\WScript.exe
            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
            2⤵
            • Checks computer location settings
            • Modifies registry class
            • Suspicious use of WriteProcessMemory
            PID:2904
            • C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
              "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
              3⤵
              • Executes dropped EXE
              • Suspicious use of SetWindowsHookEx
              PID:1660
          • C:\Windows\SysWOW64\WScript.exe
            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
            2⤵
              PID:4124
            • C:\Windows\SysWOW64\WScript.exe
              "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
              2⤵
              • Checks computer location settings
              • Modifies registry class
              • Suspicious use of WriteProcessMemory
              PID:3404
              • C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
                "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
                3⤵
                • Executes dropped EXE
                • Suspicious use of SetWindowsHookEx
                PID:3112
            • C:\Windows\SysWOW64\WScript.exe
              "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
              2⤵
                PID:4540
              • C:\Windows\SysWOW64\WScript.exe
                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
                2⤵
                • Checks computer location settings
                • Modifies registry class
                • Suspicious use of WriteProcessMemory
                PID:2120
                • C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
                  "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
                  3⤵
                  • Deletes itself
                  • Executes dropped EXE
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of SetWindowsHookEx
                  PID:5028
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4120 --field-trial-handle=2280,i,4114443225282860369,4764091921472631035,262144 --variations-seed-version /prefetch:8
              1⤵
                PID:1616

              Network

              MITRE ATT&CK Enterprise v15

              Replay Monitor

              Loading Replay Monitor...

              Downloads

              • C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

                Filesize

                753B

                MD5

                dd67b0be652da6b1dee82dfa31f66a7b

                SHA1

                30c86db709d87ab52a330ab3c60c1d597d15842d

                SHA256

                1702100805c8c1bcf4f1be2f7db9c5eb80b867f31b3ad4f6310bbf1ed5aef0c1

                SHA512

                c22421cd5727264784d8e36380327d5ae9d85f6927c3f35e3cf2e18377e54ff05e554518f2d5fc33ffacd57c0315760f701e6f8f7f252eb98e37fbcab423472a

              • C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

                Filesize

                1.1MB

                MD5

                79400e7a5dc1c2e9381c30d40ec1e710

                SHA1

                9d9649cd14e96a9231beaf39f093e1adf3960ac5

                SHA256

                099cf4388f0a8d919414c5990c3d0bbdaf1d070eeb3c800b7c0615c66684e589

                SHA512

                299e940406a1757ec2d465b7b9ccb1cec386fbd3d3347826aded706529eaf487f52a3e0360527f1e9ac50965f4c2b84c7e32190e3609c86964dd74595f7f43c6

              • memory/1616-0-0x0000000000400000-0x000000000055F000-memory.dmp

                Filesize

                1.4MB

              • memory/1616-23-0x0000000000400000-0x000000000055F000-memory.dmp

                Filesize

                1.4MB

              • memory/1660-30-0x0000000000400000-0x000000000055F000-memory.dmp

                Filesize

                1.4MB

              • memory/3112-29-0x0000000000400000-0x000000000055F000-memory.dmp

                Filesize

                1.4MB

              • memory/5028-27-0x0000000000400000-0x000000000055F000-memory.dmp

                Filesize

                1.4MB

              • memory/5028-31-0x0000000000400000-0x000000000055F000-memory.dmp

                Filesize

                1.4MB