Analysis
  max time kernel:  125s
  max time network: 127s
  platform:         windows10-2004_x64
  resource:         win10v2004-20240802-en
  resource tags:    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  submitted:        08/08/2024, 22:59
Static task
  static1

Behavioral task
  behavioral1
  Sample:   182b76ddd18c00cb3ab5a0d7432fba31712eecb2a89279bce38114bdb7a48b1c.exe
  Resource: win7-20240704-en

Behavioral task
  behavioral2
  Sample:   182b76ddd18c00cb3ab5a0d7432fba31712eecb2a89279bce38114bdb7a48b1c.exe
  Resource: win10v2004-20240802-en
General
  Target: 182b76ddd18c00cb3ab5a0d7432fba31712eecb2a89279bce38114bdb7a48b1c.exe
  Size:   1.1MB
  MD5:    bddedb07f37c6c5c91af3fd90ec033eb
  SHA1:   0c9da9da680ecc74d0641b1993850d254394b040
  SHA256: 182b76ddd18c00cb3ab5a0d7432fba31712eecb2a89279bce38114bdb7a48b1c
  SHA512: 815a22c97f3d1425207da54ec837fa7b8f61d9aa1e4eae571309bf0d2fa6b8e529f1cb38e4913247a2ed82ec860d65c38658b206bf235e842f701ae04d523eb3
  SSDEEP: 24576:aH0dl8myX9Bg42QoXFkrzkmplSgRDYo0lG4Z8r7Qfbkiu5Q8:acallSllG4ZM7QzMr
Malware Config
Signatures
- Checks computer location settings (2 TTPs, 5 IoCs)
  Looks up country code configured in the registry, likely geofence.
  description        ioc                                                                                                   Process
  Key value queried  \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation  WScript.exe
  Key value queried  \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation  svchcst.exe
  Key value queried  \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation  WScript.exe
  Key value queried  \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation  WScript.exe
  Key value queried  \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation  182b76ddd18c00cb3ab5a0d7432fba31712eecb2a89279bce38114bdb7a48b1c.exe
- Deletes itself (1 IoC)
  pid   Process
  4828  svchcst.exe

- Executes dropped EXE (3 IoCs)
  pid   Process
  4828  svchcst.exe
  4468  svchcst.exe
  4112  svchcst.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTP, 8 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc                                                        Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  WScript.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  WScript.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  svchcst.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  WScript.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  WScript.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  svchcst.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  svchcst.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  182b76ddd18c00cb3ab5a0d7432fba31712eecb2a89279bce38114bdb7a48b1c.exe
- Modifies registry class (5 IoCs)
  description  ioc                                                                                                Process
  Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\  WScript.exe
  Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\  WScript.exe
  Key created  \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings                   182b76ddd18c00cb3ab5a0d7432fba31712eecb2a89279bce38114bdb7a48b1c.exe
  Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\  WScript.exe
  Key created  \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings                   svchcst.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid   Process                                                                   occurrences
  4948  182b76ddd18c00cb3ab5a0d7432fba31712eecb2a89279bce38114bdb7a48b1c.exe     4
  4828  svchcst.exe                                                               60
- Suspicious behavior: RenamesItself (1 IoC)
  pid   Process
  4948  182b76ddd18c00cb3ab5a0d7432fba31712eecb2a89279bce38114bdb7a48b1c.exe

- Suspicious use of SetWindowsHookEx (8 IoCs)
  pid   Process                                                                   occurrences
  4948  182b76ddd18c00cb3ab5a0d7432fba31712eecb2a89279bce38114bdb7a48b1c.exe     2
  4828  svchcst.exe                                                               2
  4468  svchcst.exe                                                               2
  4112  svchcst.exe                                                               2
- Suspicious use of WriteProcessMemory (21 IoCs)
  description                          pid   Process                                                                   procid_target
  PID 4948 wrote to memory of 3904     4948  182b76ddd18c00cb3ab5a0d7432fba31712eecb2a89279bce38114bdb7a48b1c.exe     93
  PID 4948 wrote to memory of 3904     4948  182b76ddd18c00cb3ab5a0d7432fba31712eecb2a89279bce38114bdb7a48b1c.exe     93
  PID 4948 wrote to memory of 3904     4948  182b76ddd18c00cb3ab5a0d7432fba31712eecb2a89279bce38114bdb7a48b1c.exe     93
  PID 4948 wrote to memory of 660      4948  182b76ddd18c00cb3ab5a0d7432fba31712eecb2a89279bce38114bdb7a48b1c.exe     94
  PID 4948 wrote to memory of 660      4948  182b76ddd18c00cb3ab5a0d7432fba31712eecb2a89279bce38114bdb7a48b1c.exe     94
  PID 4948 wrote to memory of 660      4948  182b76ddd18c00cb3ab5a0d7432fba31712eecb2a89279bce38114bdb7a48b1c.exe     94
  PID 3904 wrote to memory of 4828     3904  WScript.exe                                                               97
  PID 3904 wrote to memory of 4828     3904  WScript.exe                                                               97
  PID 3904 wrote to memory of 4828     3904  WScript.exe                                                               97
  PID 4828 wrote to memory of 1648     4828  svchcst.exe                                                               98
  PID 4828 wrote to memory of 1648     4828  svchcst.exe                                                               98
  PID 4828 wrote to memory of 1648     4828  svchcst.exe                                                               98
  PID 4828 wrote to memory of 1480     4828  svchcst.exe                                                               99
  PID 4828 wrote to memory of 1480     4828  svchcst.exe                                                               99
  PID 4828 wrote to memory of 1480     4828  svchcst.exe                                                               99
  PID 1480 wrote to memory of 4112     1480  WScript.exe                                                               101
  PID 1480 wrote to memory of 4112     1480  WScript.exe                                                               101
  PID 1480 wrote to memory of 4112     1480  WScript.exe                                                               101
  PID 1648 wrote to memory of 4468     1648  WScript.exe                                                               100
  PID 1648 wrote to memory of 4468     1648  WScript.exe                                                               100
  PID 1648 wrote to memory of 4468     1648  WScript.exe                                                               100
Processes

1. C:\Users\Admin\AppData\Local\Temp\182b76ddd18c00cb3ab5a0d7432fba31712eecb2a89279bce38114bdb7a48b1c.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\182b76ddd18c00cb3ab5a0d7432fba31712eecb2a89279bce38114bdb7a48b1c.exe"
   PID: 4948
   - Checks computer location settings
   - System Location Discovery: System Language Discovery
   - Modifies registry class
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious behavior: RenamesItself
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\SysWOW64\WScript.exe
      Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      PID: 3904
      - Checks computer location settings
      - System Location Discovery: System Language Discovery
      - Modifies registry class
      - Suspicious use of WriteProcessMemory

      3. C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
         Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
         PID: 4828
         - Checks computer location settings
         - Deletes itself
         - Executes dropped EXE
         - System Location Discovery: System Language Discovery
         - Modifies registry class
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of SetWindowsHookEx
         - Suspicious use of WriteProcessMemory

         4. C:\Windows\SysWOW64\WScript.exe
            Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
            PID: 1648
            - Checks computer location settings
            - System Location Discovery: System Language Discovery
            - Modifies registry class
            - Suspicious use of WriteProcessMemory

            5. C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
               Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
               PID: 4468
               - Executes dropped EXE
               - System Location Discovery: System Language Discovery
               - Suspicious use of SetWindowsHookEx

         4. C:\Windows\SysWOW64\WScript.exe
            Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
            PID: 1480
            - Checks computer location settings
            - System Location Discovery: System Language Discovery
            - Modifies registry class
            - Suspicious use of WriteProcessMemory

            5. C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
               Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
               PID: 4112
               - Executes dropped EXE
               - System Location Discovery: System Language Discovery
               - Suspicious use of SetWindowsHookEx

   2. C:\Windows\SysWOW64\WScript.exe
      Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      PID: 660
      - System Location Discovery: System Language Discovery

1. C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
   Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=3996,i,1729213506309163284,12809566808978835441,262144 --variations-seed-version --mojo-platform-channel-handle=3856 /prefetch:8
   PID: 2288
Network
MITRE ATT&CK Enterprise v15
Downloads

- Filesize: 92B
  MD5:    67b9b3e2ded7086f393ebbc36c5e7bca
  SHA1:   e6299d0450b9a92a18cc23b5704a2b475652c790
  SHA256: 44063c266686263f14cd2a83fee124fb3e61a9171a6aab69709464f49511011d
  SHA512: 826fbc9481f46b1ae3db828a665c55c349023caf563e6e8c17321f5f3af3e4c3914955db6f0eebfc6defe561315435d47310b4d0499ab9c2c85bb61264dedc09

- Filesize: 753B
  MD5:    0704f1e1a9281e2eb1815628da27ba05
  SHA1:   7e9e9c8390f5a57f8a2745c111d3b1ecaa73cf72
  SHA256: 2e15a444175881175fc4d5e21fd24eaf2c2c559df9e71afeff5626ee75ed6a7b
  SHA512: 1d76ed310f66fb457b0e23882b61fee6be55fc381485f2772b6e5d1e08282475545af9d62f53ba41be8016af1fb879116cf49cdc3779fa9abd0929bd7894259b

- Filesize: 696B
  MD5:    5ef4272f4d6f345fc8cc1b2f059c81b4
  SHA1:   78bcb559f775d70e10396e1d6d7b95c28d2645d1
  SHA256: 19f8d5209b4a5789cdfd5b67cb0b9f6c3546c62912bcb1ef1c69a15602beb652
  SHA512: 002693255c600456d965b5a7e36f780deec4d80cd9fe56f7f974b8762e2b140002a1dabf4b059d6163c9cc00a0e1e9da71899e13347fb4bb2985bbc7058469cb

- Filesize: 1.1MB
  MD5:    0949e1db3ac5364609e3c4635430a028
  SHA1:   33acb003118ee293d1a29f50b4bfc61a670333a4
  SHA256: 8db2b68c744745c45059f0a409fb5d0373c8f912d8dd33db6178504cb0d27726
  SHA512: 644f931144526a859a8361991ef05e798e72931b8b2621c640649a7213a8f9e7127202f665a9b6ae7d09e4482e786b83b95224b283c3651db54cd638c2b2489b

- Filesize: 1.1MB
  MD5:    cf72bb547d8957d1570264706fed042e
  SHA1:   f617662c1b423bdbebb564b2366471a03685d198
  SHA256: 37752b550920c50f4fa27e350f63e2aa2c3209abf880b20cd95c8cd43e4af674
  SHA512: ac7364a573dc0257a02a5b51f1574aefbb55520b912bcf9002059a1a293ee39aefd7e178c50c174000bdf6df2e2ebae4eb597bb9317a0dee297ce728991f0cbc