Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
145s -
max time network
143s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
-
submitted
22/08/2024, 21:35
General
-
Target
5dd51fdf1f58462390fe601b07e2d499fcad629818715423304b229155957134.exe
-
Size
1.1MB
-
MD5
ce7a8e897f2a56326daad9fca0ae9224
-
SHA1
15f642d93a416833d810b7b67bf803e5b4623b9e
-
SHA256
5dd51fdf1f58462390fe601b07e2d499fcad629818715423304b229155957134
-
SHA512
a5f3816484e05f598b1ae23b9e0bae4a47c05eed8b80777d67b105d486c0cdfd9175a0c81587098550f2789360f02b3fd18cc770f0a8144af2de04ebb7ce8fd7
-
SSDEEP
24576:aH0dl8myX9Bg42QoXFkrzkmplSgRDYo0lG4Z8r7Qfbkiu5QN:acallSllG4ZM7QzM2
Malware Config
Signatures
-
Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
-
Deletes itself 1 IoCs
-
Executes dropped EXE 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Modifies registry class 3 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: RenamesItself 1 IoCs
-
Suspicious use of SetWindowsHookEx 6 IoCs
-
Suspicious use of WriteProcessMemory 12 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\5dd51fdf1f58462390fe601b07e2d499fcad629818715423304b229155957134.exe"C:\Users\Admin\AppData\Local\Temp\5dd51fdf1f58462390fe601b07e2d499fcad629818715423304b229155957134.exe"1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
-
-
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"3⤵
- Deletes itself
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
753B
MD552961133c2e5304f757ee3c8a7aeca46
SHA14d984a53aa4228b647304260ff0664b75bf68151
SHA256b5258b2632665aa7c3f57cde356a0f76e7b7a2f21032ec4534a80264b626e6b1
SHA5129a76a9ce46baf5cfe8f9acdf672b860ea332bd204e8469ad5f4b308487727bb177f7fbb749f183e8b288cca081a11e55eb7ceda54965ca09c1f12ed33c2950f0
-
Filesize
1.1MB
MD5a364bbc534bd9a16fd1f7c838d58fa2e
SHA17ffd4e86dd3946fc618e27131d876b0c17bbf28d
SHA256011b676abcdd50645172dc11c72841ce28740f4aac0ea9a9730daaeb541dee9d
SHA512bfd922d798d522a4a8e6a2a4df6b7120693fd91bec32c0d32a901610a943a7b2e9e0a15ce319f9e1771a2ffea0ca1b167d7c83c08f655347e8c7711e86f58b03
-
Filesize
1.4MB
-
Filesize
1.4MB
-
Filesize
1.4MB
-
Filesize
1.4MB