Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    147s
  • max time network
    154s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    24/06/2024, 19:43

General

  • Target

    72293ce3989634eab4731c0323f6a387f7207c971e2eb418b164b8a99c63c755.exe

  • Size

    1.1MB

  • MD5

    ec54458396f86ab193496530067c9f4d

  • SHA1

    cde2f1466cb3f5917d2d2e65f6ce29c60e008374

  • SHA256

    72293ce3989634eab4731c0323f6a387f7207c971e2eb418b164b8a99c63c755

  • SHA512

    c2a6264510ff5bf9cbbcf4a8e568227ce0de474a93fa82861c9df07a0904f53e4f4ab44c9cc066d4049b4d676157bdcc8616cf5abee163dd8dbe8d74764af701

  • SSDEEP

    24576:CH0dl8myX9Bg42QoXFkrzkmmlSgRDko0lG4Z8r7Qfbkiu5QS:CcaClSFlG4ZM7QzMx

Score
7/10

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 5 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 5 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of SetWindowsHookEx 8 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\72293ce3989634eab4731c0323f6a387f7207c971e2eb418b164b8a99c63c755.exe
    "C:\Users\Admin\AppData\Local\Temp\72293ce3989634eab4731c0323f6a387f7207c971e2eb418b164b8a99c63c755.exe"
    1⤵
    • Checks computer location settings
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: RenamesItself
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:224
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      2⤵
      • Checks computer location settings
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:4056
      • C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        3⤵
        • Checks computer location settings
        • Deletes itself
        • Executes dropped EXE
        • Modifies registry class
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:3888
        • C:\Windows\SysWOW64\WScript.exe
          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
          4⤵
          • Checks computer location settings
          • Modifies registry class
          • Suspicious use of WriteProcessMemory
          PID:1152
          • C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
            "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetWindowsHookEx
            PID:2628
        • C:\Windows\SysWOW64\WScript.exe
          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
          4⤵
          • Checks computer location settings
          • Modifies registry class
          • Suspicious use of WriteProcessMemory
          PID:4516
          • C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
            "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetWindowsHookEx
            PID:3616

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Config.ini

    Filesize

    92B

    MD5

    67b9b3e2ded7086f393ebbc36c5e7bca

    SHA1

    e6299d0450b9a92a18cc23b5704a2b475652c790

    SHA256

    44063c266686263f14cd2a83fee124fb3e61a9171a6aab69709464f49511011d

    SHA512

    826fbc9481f46b1ae3db828a665c55c349023caf563e6e8c17321f5f3af3e4c3914955db6f0eebfc6defe561315435d47310b4d0499ab9c2c85bb61264dedc09

  • C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

    Filesize

    753B

    MD5

    0467537c0f6539f5f60050ac80e72a1a

    SHA1

    8a8c713017ba7b05e658e44808874e0cd94fa73e

    SHA256

    5e0ad29df9755c41b4ad7fb38eb687ce1ba2025c478220da86a13b980e1d96a3

    SHA512

    3129d107b140f6656f4ede8fed4927c42564093e8f4aac9b6c6d80afc98a0a72b327ca13df34fef68d58cec2517ffdd773a2cd5c30fdf62524868328a3c17b68

  • C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

    Filesize

    696B

    MD5

    d7e57302723e6adcd36bc753c7cb3d1b

    SHA1

    24f5af99f2988b5fa7383dae1f53347b597956a3

    SHA256

    abf7ef48d31eaabd0227b0a91a44e8b53e9fbadff16ef2d9c2b131776898977e

    SHA512

    0aee51cab495d2df1e1957f85cbfa1a8ca95fad5fa669d2f0918a0e4be4d090c868582935136684d872695bdd075523ad1386639690e9d7016201b6985a9c8a6

  • C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

    Filesize

    1.1MB

    MD5

    ff021ef96257d51c30c7d93f60c7f120

    SHA1

    1e30fb578966b18d58a3f3f91abfd5c267e22844

    SHA256

    b268de77baaad7c2857c702ad2a4504c4db1f42da4b5860613a6e9f98d39cab4

    SHA512

    6174b1b1b4c38dc0920e1748687e1f5273b666016de585a31e2013ebc23c1b52cd6fb68079a43ea5b2e3ecef46f819e8f0ce4a2b787ef3ca417e2b103eabec1b

  • C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

    Filesize

    1.1MB

    MD5

    ac4ec5f4cdcb2abc8e03808dce256dc2

    SHA1

    c5ddd07033d5dd6f34f982c240425c8153bfd5c1

    SHA256

    17561507a2b554c98268c4ed7b0217de98fe99d0b5db04a0df91b57a3f743030

    SHA512

    136275cb7ad9d4989b9240321fc2b82c4492b594b389dfb2053ad155c0ba19e35a694c06bec15e8e7ea1bc04a159543ea26c034867593661ef2f88db0e3a9e5f

  • memory/224-8-0x0000000000400000-0x0000000000551000-memory.dmp

    Filesize

    1.3MB