Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    148s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    23/08/2024, 22:34

General

  • Target

    e8f2709e60c2eddeb7b9bb7c24f4c8af21c91149ae73318e5a9917ceb9f3ebdb.exe

  • Size

    1.1MB

  • MD5

    87745f72b277da3d73e59060ab58a56a

  • SHA1

    ed249b08ecca92169511f946210307ab170226b1

  • SHA256

    e8f2709e60c2eddeb7b9bb7c24f4c8af21c91149ae73318e5a9917ceb9f3ebdb

  • SHA512

    c99e2f7907ad2f876a06adcfa2a5e27bbaf2e668586ee80269b714d2fd3f3e43cb5a28b521a6cd39457fb635f7d02250235111b56ebf3df5b877bffc65dd30dd

  • SSDEEP

    24576:aH0dl8myX9Bg42QoXFkrzkmplSgRDYo0lG4Z8r7Qfbkiu5QU:acallSllG4ZM7QzMT

Score
7/10

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry class 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\e8f2709e60c2eddeb7b9bb7c24f4c8af21c91149ae73318e5a9917ceb9f3ebdb.exe
    "C:\Users\Admin\AppData\Local\Temp\e8f2709e60c2eddeb7b9bb7c24f4c8af21c91149ae73318e5a9917ceb9f3ebdb.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: RenamesItself
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1608
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      2⤵
      • Checks computer location settings
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:1512
      • C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        3⤵
        • Deletes itself
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of SetWindowsHookEx
        PID:928
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      2⤵
      • Checks computer location settings
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:3296
      • C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:1676

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

    Filesize

    753B

    MD5

    48584fd7766a030c8d37b0d7a57ad6fd

    SHA1

    b5cf5856d9b1816a191301ff2051e467dc0589fc

    SHA256

    4fe422f4a15e912533211453c3c02b46167e3a9f20bfaa524b6938c18450667f

    SHA512

    2e3fcc10495adbf5e6183284a40c38185d466669f00cb95fefa48096e99a5d443dd91693370b005886d4c20984134bc316cac036642a247673b491b7d7bb6381

  • C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

    Filesize

    1.1MB

    MD5

    4f41ef584f6d9594a37e70aec33fd152

    SHA1

    9ed67f67385a01d71c0bdd2a7c126a63a27def50

    SHA256

    b906e5eee12a7d17d68f7bf2008d9dce3bdbc79eb19288d161e6c5c2467a1aa4

    SHA512

    49057bcf129d450d5ccaf9080d70882f2f99effbf799dc99058614f36386c7793701b68d7bcf49445266aeec4973191ea0964878c5a52697352658c0b31c8f18

  • memory/928-17-0x0000000000400000-0x000000000055F000-memory.dmp

    Filesize

    1.4MB

  • memory/1608-0-0x0000000000400000-0x000000000055F000-memory.dmp

    Filesize

    1.4MB

  • memory/1608-12-0x0000000000400000-0x000000000055F000-memory.dmp

    Filesize

    1.4MB

  • memory/1676-16-0x0000000000400000-0x000000000055F000-memory.dmp

    Filesize

    1.4MB