Analysis
max time kernel: 149s
max time network: 154s
platform: windows10-2004_x64
resource: win10v2004-20240709-en
resource tags: arch:x64 arch:x86 image:win10v2004-20240709-en locale:en-us os:windows10-2004-x64 system
submitted: 19/07/2024, 06:55
Static task: static1
Behavioral task: behavioral1
  Sample: 093c6ab2d64eea9932b94b6fdd03903a6e5d45de83760619beb53fe556fca5e2.exe
  Resource: win7-20240708-en
Behavioral task: behavioral2
  Sample: 093c6ab2d64eea9932b94b6fdd03903a6e5d45de83760619beb53fe556fca5e2.exe
  Resource: win10v2004-20240709-en
General
Target: 093c6ab2d64eea9932b94b6fdd03903a6e5d45de83760619beb53fe556fca5e2.exe
Size: 1.1MB
MD5: 416665dc85736f7667e544e0aa830fda
SHA1: c602e02564cc3c6283aac2838ab40201b69f20d5
SHA256: 093c6ab2d64eea9932b94b6fdd03903a6e5d45de83760619beb53fe556fca5e2
SHA512: 737bf453a1446c183642d16c87c50f3b1af9b0d93bb6aafca30525c0c4bcbb04739945e54eb7452cde0a1f7c5f211634623ab0a8521d384bf25d95316c47584b
SSDEEP: 24576:aH0dl8myX9Bg42QoXFkrzkmplSgRDYo0lG4Z8r7Qfbkiu5QQ:acallSllG4ZM7QzM3
Malware Config
Signatures

Checks computer location settings (2 TTPs, 5 IoCs)
Looks up country code configured in the registry, likely geofence.
  description       | ioc                                                                                                   | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation | 093c6ab2d64eea9932b94b6fdd03903a6e5d45de83760619beb53fe556fca5e2.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation | WScript.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation | svchcst.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation | WScript.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation | WScript.exe

Deletes itself (1 IoC)
  pid | Process
  644 | svchcst.exe

Executes dropped EXE (3 IoCs)
  pid  | Process
  644  | svchcst.exe
  2352 | svchcst.exe
  2420 | svchcst.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Modifies registry class (5 IoCs)
  description | ioc                                                                                                  | Process
  Key created | \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000_Classes\Local Settings                 | 093c6ab2d64eea9932b94b6fdd03903a6e5d45de83760619beb53fe556fca5e2.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | WScript.exe
  Key created | \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000_Classes\Local Settings                 | svchcst.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | WScript.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | WScript.exe

Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid  | Process
  3992 | 093c6ab2d64eea9932b94b6fdd03903a6e5d45de83760619beb53fe556fca5e2.exe (4 identical entries)
  644  | svchcst.exe (remaining 60 identical entries)

Suspicious behavior: RenamesItself (1 IoC)
  pid  | Process
  3992 | 093c6ab2d64eea9932b94b6fdd03903a6e5d45de83760619beb53fe556fca5e2.exe

Suspicious use of SetWindowsHookEx (8 IoCs)
  pid  | Process
  3992 | 093c6ab2d64eea9932b94b6fdd03903a6e5d45de83760619beb53fe556fca5e2.exe (2 identical entries)
  644  | svchcst.exe (2 identical entries)
  2352 | svchcst.exe (2 identical entries)
  2420 | svchcst.exe (2 identical entries)

Suspicious use of WriteProcessMemory (21 IoCs; each row below appears 3 times in the report)
  description                       | pid  | Process                                                                  | procid_target
  PID 3992 wrote to memory of 2968  | 3992 | 093c6ab2d64eea9932b94b6fdd03903a6e5d45de83760619beb53fe556fca5e2.exe | 88
  PID 3992 wrote to memory of 1460  | 3992 | 093c6ab2d64eea9932b94b6fdd03903a6e5d45de83760619beb53fe556fca5e2.exe | 87
  PID 1460 wrote to memory of 644   | 1460 | WScript.exe                                                              | 94
  PID 644 wrote to memory of 1352   | 644  | svchcst.exe                                                              | 95
  PID 644 wrote to memory of 1456   | 644  | svchcst.exe                                                              | 96
  PID 1352 wrote to memory of 2352  | 1352 | WScript.exe                                                              | 99
  PID 1456 wrote to memory of 2420  | 1456 | WScript.exe                                                              | 100
Processes
[1] C:\Users\Admin\AppData\Local\Temp\093c6ab2d64eea9932b94b6fdd03903a6e5d45de83760619beb53fe556fca5e2.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\093c6ab2d64eea9932b94b6fdd03903a6e5d45de83760619beb53fe556fca5e2.exe"
    PID: 3992
    - Checks computer location settings
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: RenamesItself
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    [2] C:\Windows\SysWOW64\WScript.exe
        command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        PID: 1460
        - Checks computer location settings
        - Modifies registry class
        - Suspicious use of WriteProcessMemory
        [3] C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
            command line: "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
            PID: 644
            - Checks computer location settings
            - Deletes itself
            - Executes dropped EXE
            - Modifies registry class
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of SetWindowsHookEx
            - Suspicious use of WriteProcessMemory
            [4] C:\Windows\SysWOW64\WScript.exe
                command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
                PID: 1352
                - Checks computer location settings
                - Modifies registry class
                - Suspicious use of WriteProcessMemory
                [5] C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
                    command line: "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
                    PID: 2352
                    - Executes dropped EXE
                    - Suspicious use of SetWindowsHookEx
            [4] C:\Windows\SysWOW64\WScript.exe
                command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
                PID: 1456
                - Checks computer location settings
                - Modifies registry class
                - Suspicious use of WriteProcessMemory
                [5] C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
                    command line: "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
                    PID: 2420
                    - Executes dropped EXE
                    - Suspicious use of SetWindowsHookEx
    [2] C:\Windows\SysWOW64\WScript.exe
        command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        PID: 2968
Network
MITRE ATT&CK Enterprise v15
Downloads