Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    93s
  • max time network
    156s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240709-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
  • submitted
    10/07/2024, 21:05

General

  • Target

    a9a34032817f4e60f69eb605bd872d0e2380e4a86a1cc05bd2a7d4fb57f36626.exe

  • Size

    1.1MB

  • MD5

    29b0df87da22fc91e048535e4cd39734

  • SHA1

    530e44aecc469182b45f40d8adcd7f85f032e9c5

  • SHA256

    a9a34032817f4e60f69eb605bd872d0e2380e4a86a1cc05bd2a7d4fb57f36626

  • SHA512

    246aff82b288cd6364be440ba60accd453d54d03b3994668ec054080d87e4d2b822cae82d939aebd463f94a3d71754ed69ec02ddba7a16db5655dba1347d476c

  • SSDEEP

    24576:CH0dl8myX9Bg42QoXFkrzkmmlSgRDko0lG4Z8r7Qfbkiu5QJ:CcaClSFlG4ZM7QzMK

Score
7/10

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a9a34032817f4e60f69eb605bd872d0e2380e4a86a1cc05bd2a7d4fb57f36626.exe
    "C:\Users\Admin\AppData\Local\Temp\a9a34032817f4e60f69eb605bd872d0e2380e4a86a1cc05bd2a7d4fb57f36626.exe"
    1⤵
    • Checks computer location settings
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: RenamesItself
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1140
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      2⤵
      • Checks computer location settings
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:2384
      • C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:3128
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      2⤵
      • Checks computer location settings
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:468
      • C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        3⤵
        • Deletes itself
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of SetWindowsHookEx
        PID:4100

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

    Filesize

    753B

    MD5

    f5ffcc41261110b4593a4d2f16629e4d

    SHA1

    e4b9385bd7a37fd38dc8beffaecad09b0f9a7bcf

    SHA256

    755b3ef9f4ccce56d1c817ca5093b1b143f5d1c0c3fc6bc25310b767c5a1ca23

    SHA512

    8743e71c89c869a9eda17b343f39ce0f477911a0992e2090a84a850c9a1b891c8dbe8c202c8b93035878399cd3cb3864c78497f9c25d521e3a42a26dd71702e2

  • C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

    Filesize

    1.1MB

    MD5

    b8c37e5f09eac75fb9bfc6e7bcc3633a

    SHA1

    499aa7f2f461f6aee7b726c2a30fe8014e9682ae

    SHA256

    ff466ac382b894f943b4af867a1d6027176a239457b87fa97c997b8c16f3aecd

    SHA512

    2d31b0990488e43677bbec542ac069f5b3f5ee3194b183061b847912f7dbf4c1b54750babb2cc8e8bb31abb4fee5d4785ecddbf85af50c589eff19987827f845

  • memory/1140-10-0x0000000000400000-0x0000000000551000-memory.dmp

    Filesize

    1.3MB