Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    32s
  • max time network
    19s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags

    arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
  • submitted
    25/07/2024, 19:52

General

  • Target

    0697584ad6c4f6f96e77c089068687a7d8de51acb9a99ff56ca69afe62bf7347.exe

  • Size

    1.1MB

  • MD5

    2776c677ab8e79801a0d55a16dffb755

  • SHA1

    0b5aa9e75ca8ffccf7d2d4aa883ae54f17aa793b

  • SHA256

    0697584ad6c4f6f96e77c089068687a7d8de51acb9a99ff56ca69afe62bf7347

  • SHA512

    8e15a49488fba8f3c12f7186c4d85e52a3daa4a31e9294b6fa0cfb553114660c4a98a27798d3899501596de61d7befa9e4cec97910a348c228ffd381cf53d689

  • SSDEEP

    24576:CH0dl8myX9Bg42QoXFkrzkmmlSgRDko0lG4Z8r7Qfbkiu5Qf:CcaClSFlG4ZM7QzMI

Score
7/10

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Executes dropped EXE 6 IoCs
  • Loads dropped DLL 9 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 13 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of SetWindowsHookEx 14 IoCs
  • Suspicious use of WriteProcessMemory 48 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0697584ad6c4f6f96e77c089068687a7d8de51acb9a99ff56ca69afe62bf7347.exe
    "C:\Users\Admin\AppData\Local\Temp\0697584ad6c4f6f96e77c089068687a7d8de51acb9a99ff56ca69afe62bf7347.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: RenamesItself
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2224
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      2⤵
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2712
      • C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        3⤵
        • Deletes itself
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2800
        • C:\Windows\SysWOW64\WScript.exe
          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
          4⤵
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2652
          • C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
            "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
            5⤵
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:2344
            • C:\Windows\SysWOW64\WScript.exe
              "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
              6⤵
              • Loads dropped DLL
              • System Location Discovery: System Language Discovery
              • Suspicious use of WriteProcessMemory
              PID:2964
              • C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
                "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
                7⤵
                • Executes dropped EXE
                • System Location Discovery: System Language Discovery
                • Suspicious use of SetWindowsHookEx
                • Suspicious use of WriteProcessMemory
                PID:2960
                • C:\Windows\SysWOW64\WScript.exe
                  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
                  8⤵
                  • Loads dropped DLL
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of WriteProcessMemory
                  PID:2248
                  • C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
                    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
                    9⤵
                    • Executes dropped EXE
                    • System Location Discovery: System Language Discovery
                    • Suspicious use of SetWindowsHookEx
                    • Suspicious use of WriteProcessMemory
                    PID:1688
                    • C:\Windows\SysWOW64\WScript.exe
                      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
                      10⤵
                      • Loads dropped DLL
                      • System Location Discovery: System Language Discovery
                      • Suspicious use of WriteProcessMemory
                      PID:2008
                      • C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
                        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
                        11⤵
                        • Executes dropped EXE
                        • System Location Discovery: System Language Discovery
                        • Suspicious use of SetWindowsHookEx
                        PID:2520
                  • C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
                    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
                    9⤵
                    • Executes dropped EXE
                    • System Location Discovery: System Language Discovery
                    • Suspicious use of SetWindowsHookEx
                    PID:1060
        • C:\Windows\SysWOW64\WScript.exe
          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2692

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Config.ini

    Filesize

    92B

    MD5

    67b9b3e2ded7086f393ebbc36c5e7bca

    SHA1

    e6299d0450b9a92a18cc23b5704a2b475652c790

    SHA256

    44063c266686263f14cd2a83fee124fb3e61a9171a6aab69709464f49511011d

    SHA512

    826fbc9481f46b1ae3db828a665c55c349023caf563e6e8c17321f5f3af3e4c3914955db6f0eebfc6defe561315435d47310b4d0499ab9c2c85bb61264dedc09

  • C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

    Filesize

    753B

    MD5

    fd385852946bf4105186e88d22994075

    SHA1

    4e9b4da2f6a2c0db97c34b57322d718dc49695fc

    SHA256

    ad11487e0da169a8c63f7b87b8b22a4e87f42af971b5d2e03c2f1f81dfad249d

    SHA512

    452867bad71bf4f5057f5a5dd06505fdaf720be88e385f8bd2785436bfd2123a7d849fb5a10c4f25558c37272ca2e3820f9abe139ea05701ce2b2fe93524a104

  • C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

    Filesize

    696B

    MD5

    774844b08b364b32d1209ef0d962d2fd

    SHA1

    967a30d076aa269a5cef321d36ac1f5c1eb180cb

    SHA256

    c9beda5ae7965cd968f1e6b1e11f17b1b443b8fc6dddb9ad0fe830aafe35ae3a

    SHA512

    2bab1d82f2cf484029722e64dd75516645e3f2dc6028153b65479757a3d33bbe883a1ac97771f1a9dfff1927cbfc58b5460f0c21a3ce01a4eae32b205772c4ec

  • C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

    Filesize

    696B

    MD5

    ad7007ed9542468662553e405df66821

    SHA1

    757c5ee287a113d689f2d370176fcf9c9e1223a3

    SHA256

    12967e637928b853b708430671e1b72f6ca847a2af2680f8f15da98efb31161e

    SHA512

    812220b05239ebb0e14f3cd738e58274deb60624eacc360d2b3be6c5010dc418f2587f5f6736a1d80a3a5f52ae9887a492e8934e64af66c89b45a9b47d3069c9

  • C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

    Filesize

    696B

    MD5

    7a01dad1af2b3e0327e1d352436bbcd7

    SHA1

    10612930777b11e8edeb9bd33c74a6a2404c9d6b

    SHA256

    185fe22d4d1af7aee3fd8cf94dcfe20c5daf320764d2c96c2ad5f2cff4cd1655

    SHA512

    1fee128690213b1ffd6c1f95d9894f52c2b0374ca99b16795028fab6b364298c1d678c3f92775c410c0fe7a1a71a33d3db5635e5bb6c71449feb60c9f5316616

  • C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

    Filesize

    696B

    MD5

    1af246ca0660faf0fa7da4b4c9c61316

    SHA1

    c050b0bd311f2e5240cd7e9df583e41b133e9521

    SHA256

    2b84bcefb62d7564e2e7d1be8105a26f798b4c73cca142c054da02262f61ede8

    SHA512

    3fadf6605620aea1f9c9e94d62193fc416af6d5272bc675d399ea1ea96a070b4de69cab61736cea89c744ce3b203f0790d617789d25811a6ca535fc9f6159793

  • C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

    Filesize

    1.1MB

    MD5

    10446ede5c5453f9b654ea3e34045426

    SHA1

    28d00f0dc679bd7041e090975be7173699ea8300

    SHA256

    880664d94df92dc818961aab93989d3b61e54f373a7828dfc28bd3fbe947431f

    SHA512

    e726a3a61968bcd450e88ef77b9b8719200ce617b42316401c0d047c78d629b3c04e01c7bae2c9b8c9d62f7102fdedc63a9c58103c035a2223218f24d26a0b8f

  • C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

    Filesize

    1.1MB

    MD5

    f9e8976b0f859edf24a7adff1fc7d284

    SHA1

    99a0e82342867c32c721a72f928d5b9fedd4b3f6

    SHA256

    640e207c278d6a619d8d91c2efa0401256518298587f85d7c03e57f8ff87ce4f

    SHA512

    bd02671cf4a9d8ab6696f003e8b8eefa3d4a76a0d724bfaa17a1ba4d33c9136086636a024f9943bda530e8c6c8f32537cf1d605347dbb3f13e5dcda400a4fa19

  • C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

    Filesize

    1.1MB

    MD5

    fc4d1291c634aeb080a714fb6b34a648

    SHA1

    a3ea1a68450c8610f6616441f43d5512dd246126

    SHA256

    e317dcfe0be99a920ad2f575248c75e06806ed6a578d1e62ff00b92020a1a701

    SHA512

    9cbbfbbe3974846480bc7aac67197fe843539b839c103f1cff127fa7ed7b11fededde4314d6e9ba52472e681bfec85e2555c33b00d24084dfa77f76673efaf15

  • memory/2224-8-0x0000000000400000-0x0000000000551000-memory.dmp

    Filesize

    1.3MB