Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

7

Static

static

3

1c3132b3eb...f3.exe

windows7-x64

7

1c3132b3eb...f3.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    147s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    01/07/2024, 11:22

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    1c3132b3eb69fcca043e7f5081aa2fafdb18d5c90a723626fe2c723b038640f3.exe

  • Size

    1.1MB

  • MD5

    0871852791f40a442b0284ea5123f3f4

  • SHA1

    4c694eefc156a7ce9b30d267588265bc5dea3b65

  • SHA256

    1c3132b3eb69fcca043e7f5081aa2fafdb18d5c90a723626fe2c723b038640f3

  • SHA512

    094eef7df3de266768b4b3cb0dcc2b691e66902fe35a60443e105f119d0676ab5cfe94ad622e8fa58e3356a7e4f05a313f4edea8a39a80065c03333b39cac13f

  • SSDEEP

    24576:CH0dl8myX9Bg42QoXFkrzkmmlSgRDko0lG4Z8r7Qfbkiu5Qo:CcaClSFlG4ZM7QzM/

Score
7/10

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 7 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 7 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of SetWindowsHookEx 10 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\1c3132b3eb69fcca043e7f5081aa2fafdb18d5c90a723626fe2c723b038640f3.exe
    "C:\Users\Admin\AppData\Local\Temp\1c3132b3eb69fcca043e7f5081aa2fafdb18d5c90a723626fe2c723b038640f3.exe"
    1⤵
    • Checks computer location settings
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: RenamesItself
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3980
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      2⤵
      • Checks computer location settings
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:5012
      • C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        3⤵
        • Checks computer location settings
        • Deletes itself
        • Executes dropped EXE
        • Modifies registry class
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:5004
        • C:\Windows\SysWOW64\WScript.exe
          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
          4⤵
          • Checks computer location settings
          • Modifies registry class
          • Suspicious use of WriteProcessMemory
          PID:4644
          • C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
            "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
            5⤵
            • Checks computer location settings
            • Executes dropped EXE
            • Modifies registry class
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:2092
            • C:\Windows\SysWOW64\WScript.exe
              "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
              6⤵
              • Checks computer location settings
              • Modifies registry class
              • Suspicious use of WriteProcessMemory
              PID:4336
              • C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
                "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
                7⤵
                • Executes dropped EXE
                • Suspicious use of SetWindowsHookEx
                PID:2260
            • C:\Windows\SysWOW64\WScript.exe
              "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
              6⤵
              • Checks computer location settings
              • Modifies registry class
              • Suspicious use of WriteProcessMemory
              PID:3776
              • C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
                "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
                7⤵
                • Executes dropped EXE
                • Suspicious use of SetWindowsHookEx
                PID:3132

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Config.ini
    Filesize

    92B

    MD5

    67b9b3e2ded7086f393ebbc36c5e7bca

    SHA1

    e6299d0450b9a92a18cc23b5704a2b475652c790

    SHA256

    44063c266686263f14cd2a83fee124fb3e61a9171a6aab69709464f49511011d

    SHA512

    826fbc9481f46b1ae3db828a665c55c349023caf563e6e8c17321f5f3af3e4c3914955db6f0eebfc6defe561315435d47310b4d0499ab9c2c85bb61264dedc09

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs
    Filesize

    753B

    MD5

    f0298669b4e84042ba9a9d84e18fd656

    SHA1

    990b1ac94bb3bc1e41faba72a76741c37d278d1c

    SHA256

    d28a5da14e25590eaa65ba139cd2df0eb5d255dd1de3786876c0f6674975bed8

    SHA512

    1a870571a66cc3191419b00c5e2289be1ba2c5db0d06688230f043cb8a2d9d6fc71c263c958de70d6a6814673fb644e1e7eb2e4ca1ffc6af1d64f3534cc9dbb2

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs
    Filesize

    696B

    MD5

    ae75c3a96c26ddc15e3c678434b18374

    SHA1

    7abb4cd173f5c8565c891bc5305922439e880fed

    SHA256

    1b84f073d7c021672b1951a420b183f570b94f4d7c14c86698b22bbd353bf965

    SHA512

    e817ab91d4d73840a290ff2e999a5136328b315afa16ec831b6ddabea08cf07d8dd61b332cbeded13bde712e7c87538228ff8d163c0f659da84134f04e5a3b7e

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs
    Filesize

    696B

    MD5

    c1f667683c1809dc2fa81d863ea10a4e

    SHA1

    dc9fdbeca32f2afbcfdc5363769ebb594fc93e44

    SHA256

    a0afd04975f7f5cf26533640020a9533d4dcf1b152143e69196f93bd5b49fa1e

    SHA512

    e4c894530934444cb97392b0180e5b6040b84ab5c639412c6b9e5355a13152412da8d881403832c2f3c601624465b16242ebd8710f6e6a4666a27e15ce759b2f

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    Filesize

    1.1MB

    MD5

    8565e011109fe0a84e5bca5e3e909594

    SHA1

    019201ec15ac890478fd203d1cb1658d26052e4d

    SHA256

    c766eb8fede4ee098e0ca2b8eaec3e6a900ea9dec8a4435d9b5f761c58feb271

    SHA512

    f404ee878cb7c37b1adedd109e12c3985766016d585eea68bb785fedc7b4a4d64086e5bc496dcdaa86541240eb0b373103853e5a09377adbe805f0d4cea77c35

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    Filesize

    1.1MB

    MD5

    1ab0fbb2b01e23b78118b36228805ae9

    SHA1

    37f382438cedd5587c95dddae92654471d0b11e2

    SHA256

    5a32b19305275f74d7903c8461669ee178984192c8205460129e20e7f6877c99

    SHA512

    c3f17665abeb2a18829c4c61888f2b93753ac284e48540d8009ab2f0cc938204bc52b12661af465dece3f1d9be2f5a14da3d5ae4a21407005631eaa685d72730

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    Filesize

    1.1MB

    MD5

    0ed3834bf2b54c24712029cbcf724939

    SHA1

    82103cc9a11686279055126e90ee6faa40ad10c0

    SHA256

    2d2f9be1edf61e9623f34e29763825e81c7f540ddb5bb2ed3a28de2b28f807f4

    SHA512

    7cfb07db2bb93d2b923f5f8f287dcecfb954f314e90787ec8d9fe426624be3d9c3e05575081f6d2c9c43ed619cf407bb886dde272ee2cc5fa8f705bf0e157fba

    Download Submit

  • memory/3980-8-0x0000000000400000-0x0000000000551000-memory.dmp

    Filesize

    1.3MB

    Download