Analysis
- max time kernel: 148s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20240802-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 23/08/2024, 22:34

Static task: static1

Behavioral task: behavioral1
- Sample: e8f2709e60c2eddeb7b9bb7c24f4c8af21c91149ae73318e5a9917ceb9f3ebdb.exe
- Resource: win7-20240729-en

Behavioral task: behavioral2
- Sample: e8f2709e60c2eddeb7b9bb7c24f4c8af21c91149ae73318e5a9917ceb9f3ebdb.exe
- Resource: win10v2004-20240802-en
General
- Target: e8f2709e60c2eddeb7b9bb7c24f4c8af21c91149ae73318e5a9917ceb9f3ebdb.exe
- Size: 1.1MB
- MD5: 87745f72b277da3d73e59060ab58a56a
- SHA1: ed249b08ecca92169511f946210307ab170226b1
- SHA256: e8f2709e60c2eddeb7b9bb7c24f4c8af21c91149ae73318e5a9917ceb9f3ebdb
- SHA512: c99e2f7907ad2f876a06adcfa2a5e27bbaf2e668586ee80269b714d2fd3f3e43cb5a28b521a6cd39457fb635f7d02250235111b56ebf3df5b877bffc65dd30dd
- SSDEEP: 24576:aH0dl8myX9Bg42QoXFkrzkmplSgRDYo0lG4Z8r7Qfbkiu5QU:acallSllG4ZM7QzMT
Malware Config

Signatures

Checks computer location settings (2 TTPs, 3 IoCs)
Looks up country code configured in the registry, likely geofence.
- Key value queried: \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation (process: e8f2709e60c2eddeb7b9bb7c24f4c8af21c91149ae73318e5a9917ceb9f3ebdb.exe)
- Key value queried: \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation (process: WScript.exe)
- Key value queried: \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation (process: WScript.exe)
Deletes itself (1 IoC)
- PID 928: svchcst.exe

Executes dropped EXE (2 IoCs)
- PID 928: svchcst.exe
- PID 1676: svchcst.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTP, 5 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: e8f2709e60c2eddeb7b9bb7c24f4c8af21c91149ae73318e5a9917ceb9f3ebdb.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: WScript.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: WScript.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: svchcst.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: svchcst.exe)
Modifies registry class (3 IoCs)
- Key created: \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings (process: e8f2709e60c2eddeb7b9bb7c24f4c8af21c91149ae73318e5a9917ceb9f3ebdb.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ (process: WScript.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ (process: WScript.exe)
Suspicious behavior: EnumeratesProcesses (64 IoCs)
- PID 1608: e8f2709e60c2eddeb7b9bb7c24f4c8af21c91149ae73318e5a9917ceb9f3ebdb.exe (4 entries)
- PID 928: svchcst.exe (remaining 60 entries)
Suspicious behavior: RenamesItself (1 IoC)
- PID 1608: e8f2709e60c2eddeb7b9bb7c24f4c8af21c91149ae73318e5a9917ceb9f3ebdb.exe

Suspicious use of SetWindowsHookEx (6 IoCs)
- PID 1608: e8f2709e60c2eddeb7b9bb7c24f4c8af21c91149ae73318e5a9917ceb9f3ebdb.exe (2 entries)
- PID 928: svchcst.exe (2 entries)
- PID 1676: svchcst.exe (2 entries)

Suspicious use of WriteProcessMemory (12 IoCs)
- PID 1608 (e8f2709e60c2eddeb7b9bb7c24f4c8af21c91149ae73318e5a9917ceb9f3ebdb.exe) wrote to memory of PID 1512, procid_target 86 (3 entries)
- PID 1608 (e8f2709e60c2eddeb7b9bb7c24f4c8af21c91149ae73318e5a9917ceb9f3ebdb.exe) wrote to memory of PID 3296, procid_target 87 (3 entries)
- PID 1512 (WScript.exe) wrote to memory of PID 928, procid_target 94 (3 entries)
- PID 3296 (WScript.exe) wrote to memory of PID 1676, procid_target 95 (3 entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\e8f2709e60c2eddeb7b9bb7c24f4c8af21c91149ae73318e5a9917ceb9f3ebdb.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\e8f2709e60c2eddeb7b9bb7c24f4c8af21c91149ae73318e5a9917ceb9f3ebdb.exe"
  PID: 1608 (depth 1)
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: RenamesItself
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\WScript.exe
    Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
    PID: 1512 (depth 2)
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
      Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
      PID: 928 (depth 3)
      - Deletes itself
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of SetWindowsHookEx
  - C:\Windows\SysWOW64\WScript.exe
    Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
    PID: 3296 (depth 2)
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
      Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
      PID: 1676 (depth 3)
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 753B
  MD5: 48584fd7766a030c8d37b0d7a57ad6fd
  SHA1: b5cf5856d9b1816a191301ff2051e467dc0589fc
  SHA256: 4fe422f4a15e912533211453c3c02b46167e3a9f20bfaa524b6938c18450667f
  SHA512: 2e3fcc10495adbf5e6183284a40c38185d466669f00cb95fefa48096e99a5d443dd91693370b005886d4c20984134bc316cac036642a247673b491b7d7bb6381
- Filesize: 1.1MB
  MD5: 4f41ef584f6d9594a37e70aec33fd152
  SHA1: 9ed67f67385a01d71c0bdd2a7c126a63a27def50
  SHA256: b906e5eee12a7d17d68f7bf2008d9dce3bdbc79eb19288d161e6c5c2467a1aa4
  SHA512: 49057bcf129d450d5ccaf9080d70882f2f99effbf799dc99058614f36386c7793701b68d7bcf49445266aeec4973191ea0964878c5a52697352658c0b31c8f18