Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    134s
  • max time network
    145s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    29/08/2024, 00:08

General

  • Target

    e27dac42621d2d54d2924491dd23f93152e042df9f66bd17e03bea7820f8d28b.exe

  • Size

    1.1MB

  • MD5

    817ded36ac83df717fca28eb5389a9e1

  • SHA1

    acca237258df7f7442ff3d9e759913ea83edbaa0

  • SHA256

    e27dac42621d2d54d2924491dd23f93152e042df9f66bd17e03bea7820f8d28b

  • SHA512

    2ddbd81c633d9d6fb24a75ea0c32a74eec5c4049ddb29c2c032b2b1392e4a7917a5afc672811bd7702803c44fa68c971e57ca3ab4538bc71ebb90e148e3fe252

  • SSDEEP

    24576:CH0dl8myX9Bg42QoXFkrzkmmlSgRDko0lG4Z8r7Qfbkiu5Qr:CcaClSFlG4ZM7QzMs

Score
7/10

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry class 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\e27dac42621d2d54d2924491dd23f93152e042df9f66bd17e03bea7820f8d28b.exe
    "C:\Users\Admin\AppData\Local\Temp\e27dac42621d2d54d2924491dd23f93152e042df9f66bd17e03bea7820f8d28b.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: RenamesItself
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1684
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      2⤵
      • Checks computer location settings
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:4352
      • C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:3064
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      2⤵
      • Checks computer location settings
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:3576
      • C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        3⤵
        • Deletes itself
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of SetWindowsHookEx
        PID:4784

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

    Filesize

    753B

    MD5

    4de8808b265f28a10c0730201a9fc60a

    SHA1

    01cc97676387be73d60c2ec81d5f04020e2c7da5

    SHA256

    c8b7287f6c65be8ce70cbb2ca5a047dd8553e12377135d2e588ca9866ccb1f41

    SHA512

    e81e15d754a774d203daab288093562c04bee0fa425e8617944e705bd65b6a32ddc3da21a4bb32b424e38af9770124d8d26504eb5c6f5db8aaf2a7a342756a68

  • C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

    Filesize

    1.1MB

    MD5

    6d7b44c632d42ea636759814d39daf30

    SHA1

    026bf516a0ed62ae2ad30509ed6e00bdf608fd5f

    SHA256

    f5fef07c8327b92a3f1fd1cb6bd2e760c882aaff343ea06cb42c0539441f2f40

    SHA512

    1f384a4dba4144d14682948ac89dc458f49a95ad8908ae705d1266c0c4f45e90c5b059f257108b030f5a0faa712e6cf1346249b2999cb0142308357808e8a8ab

  • memory/1684-10-0x0000000000400000-0x0000000000551000-memory.dmp

    Filesize

    1.3MB