Analysis

  • max time kernel
    135s
  • max time network
    140s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    08/08/2024, 20:43

General

  • Target

    1a5b6683f12d98cd3375b1621e409ba83489b939c32a7c3d4c7b88e8a47632b8.exe

  • Size

    1.1MB

  • MD5

    a0355b8e3ef2cad724fc6ced7e45ab2a

  • SHA1

    abdf578bfde36f4efe62c4b79bc415701de18483

  • SHA256

    1a5b6683f12d98cd3375b1621e409ba83489b939c32a7c3d4c7b88e8a47632b8

  • SHA512

    c78dde76cc660b5ed4c05a0a53cfe08676438aa7d051322e4c14c45a05d69c0fdad93c703dea664b95815e6953fdd283e0e870d417f436dc1539304d27ca44e3

  • SSDEEP

    24576:aH0dl8myX9Bg42QoXFkrzkmplSgRDYo0lG4Z8r7Qfbkiu5QH:acallSllG4ZM7QzMg

Score
7/10

Malware Config

Signatures

  • Checks computer location settings (2 TTPs, 8 IoCs)

    Looks up the country code configured in the registry, likely a geofence check.

  • Deletes itself (1 IoC)
  • Executes dropped EXE (4 IoCs)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery (1 TTP, 10 IoCs)

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry class (8 IoCs)
  • Suspicious behavior: EnumeratesProcesses (64 IoCs)
  • Suspicious behavior: RenamesItself (1 IoC)
  • Suspicious use of SetWindowsHookEx (10 IoCs)
  • Suspicious use of WriteProcessMemory (27 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\1a5b6683f12d98cd3375b1621e409ba83489b939c32a7c3d4c7b88e8a47632b8.exe
    "C:\Users\Admin\AppData\Local\Temp\1a5b6683f12d98cd3375b1621e409ba83489b939c32a7c3d4c7b88e8a47632b8.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: RenamesItself
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:5068
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      2⤵
      • Checks computer location settings
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:2588
      • C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        3⤵
        • Checks computer location settings
        • Deletes itself
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Modifies registry class
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:4084
        • C:\Windows\SysWOW64\WScript.exe
          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
          4⤵
          • Checks computer location settings
          • System Location Discovery: System Language Discovery
          • Modifies registry class
          • Suspicious use of WriteProcessMemory
          PID:4544
          • C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
            "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
            5⤵
            • Checks computer location settings
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            • Modifies registry class
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:3532
            • C:\Windows\SysWOW64\WScript.exe
              "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
              6⤵
              • Checks computer location settings
              • System Location Discovery: System Language Discovery
              • Modifies registry class
              • Suspicious use of WriteProcessMemory
              PID:4548
              • C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
                "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
                7⤵
                • Executes dropped EXE
                • System Location Discovery: System Language Discovery
                • Suspicious use of SetWindowsHookEx
                PID:3576
            • C:\Windows\SysWOW64\WScript.exe
              "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
              6⤵
              • Checks computer location settings
              • System Location Discovery: System Language Discovery
              • Modifies registry class
              • Suspicious use of WriteProcessMemory
              PID:736
              • C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
                "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
                7⤵
                • Executes dropped EXE
                • System Location Discovery: System Language Discovery
                • Suspicious use of SetWindowsHookEx
                PID:4916
        • C:\Windows\SysWOW64\WScript.exe
          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
          4⤵
          • Checks computer location settings
          • System Location Discovery: System Language Discovery
          • Modifies registry class
          PID:3120

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Config.ini

    Filesize

    92B

    MD5

    67b9b3e2ded7086f393ebbc36c5e7bca

    SHA1

    e6299d0450b9a92a18cc23b5704a2b475652c790

    SHA256

    44063c266686263f14cd2a83fee124fb3e61a9171a6aab69709464f49511011d

    SHA512

    826fbc9481f46b1ae3db828a665c55c349023caf563e6e8c17321f5f3af3e4c3914955db6f0eebfc6defe561315435d47310b4d0499ab9c2c85bb61264dedc09

  • C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

    Filesize

    696B

    MD5

    93bffb400f506fbd69421b6075802c65

    SHA1

    b9d8c4ea6a8fd739f6cf167e1f58412525f15784

    SHA256

    2e455d4d9ba6db3056e273b33c3cc67d60d76c4a750b98b2d4d0e2bcc6aa57b1

    SHA512

    e00a5d4ad19c488dc18e50150fcd50505133666e333f12f9e0cb3a894162951e4195886798de3531561ff99b4a3fbca6fb351f1ff0bcd0e1ac20cd685962ec23

  • C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

    Filesize

    753B

    MD5

    a2062675385b4e657fcd794947c827f6

    SHA1

    f411b0140c62d3ae2104dee6c6f1def153ab7028

    SHA256

    b2e6ceb42761f1419a6b3345b7edd7f35cc80c5d02186c894fb37b7d1f8376ff

    SHA512

    9a19aed10ffea749d0f96c4e4a285260893bbb88c50da79d5f157d39de770618f56dadb0d8d71ca3c6d5aa71d1ddc5fb9f40460c6f4d0b375fa11596e76608a5

  • C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

    Filesize

    696B

    MD5

    427acf0d31e4c051a5ecca486df18aaa

    SHA1

    66ed2e8e5533846366375ce855fb7b5d574d97fc

    SHA256

    397aa2536df328968f7006d3c5a2d0e7e53ab1e6d2deae8bb5bc7a242b4ba012

    SHA512

    aa2fe9a10550076d478762ed2043437460bfa1d81c3e6b793127d1235f8a6e75dc6002aad415f8086387faf7dc75a83f1790662cdfa58aa66596c640ed35b778

  • C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

    Filesize

    1.1MB

    MD5

    3cfd020cfc5f37a3ecdb8839d7badad8

    SHA1

    2465c818e799788f7d0f59373b8ec33399edcb33

    SHA256

    2b5ff6e0b6706fdc79abd25b46eb1e05a31ff5cce2f644a0eac0d52543d780fb

    SHA512

    c8dd565ea9717c8a512bdb5f657274859c4738f7b3be84f60439251b3a0ef9ec5317ef85b5178d33f0ffbc0008ee30b13c622e70c673a8a8942a6aa2b9da168d

  • C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

    Filesize

    1.1MB

    MD5

    c195dd2134ced54d04f96d70695bc5ce

    SHA1

    7409ad246bae8c4345ef9cd8303372fb49ab5355

    SHA256

    cc08d8ec418f4ed5648f0c739746d0dfccb9c8ae94281f5e6f20e318a85cfe7f

    SHA512

    01363920eaed44c2dbc870b09b136282c5f8d57e4132b29e9e07d81c0cdcdff83071ae44880fda523f51920c08629e2a0eb4bcc0c743912f61fd94011e358443

  • C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

    Filesize

    1.1MB

    MD5

    9f0997a2fc22ad267bef67c26d3ecd07

    SHA1

    0c940c1652facc572353b6f73755dea28781db6e

    SHA256

    6b36ebfec1f60cd2cccf3c5b510f08a8638faf906ef04678ba9d1df8b75e319a

    SHA512

    361a7ef0b622ecaec2834f7c437b93af2877237aa3393b0f7ea9f1316ae5b09b5d6188b697c0dc85ffdf25c20f804780a147c086e5c188853830844f4701a881

  • memory/3532-26-0x0000000000400000-0x000000000055F000-memory.dmp

    Filesize

    1.4MB

  • memory/3532-36-0x0000000000400000-0x000000000055F000-memory.dmp

    Filesize

    1.4MB

  • memory/3576-40-0x0000000000400000-0x000000000055F000-memory.dmp

    Filesize

    1.4MB

  • memory/3576-42-0x0000000000400000-0x000000000055F000-memory.dmp

    Filesize

    1.4MB

  • memory/4084-23-0x0000000000400000-0x000000000055F000-memory.dmp

    Filesize

    1.4MB

  • memory/4916-41-0x0000000000400000-0x000000000055F000-memory.dmp

    Filesize

    1.4MB

  • memory/4916-43-0x0000000000400000-0x000000000055F000-memory.dmp

    Filesize

    1.4MB

  • memory/5068-0-0x0000000000400000-0x000000000055F000-memory.dmp

    Filesize

    1.4MB

  • memory/5068-10-0x0000000000400000-0x000000000055F000-memory.dmp

    Filesize

    1.4MB