Analysis

  • max time kernel
    135s
  • max time network
    128s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    29/08/2024, 04:08

General

  • Target

    8a08e9fab5333a5ab546d582afd41fd2229f571d3caf454c6c0a03f7eb9e5704.exe

  • Size

    1.1MB

  • MD5

    2a512b481d90e0062bb8d0bc1984bb97

  • SHA1

    05732e7340d6dfe9ae849461c421c3b77cab4a3e

  • SHA256

    8a08e9fab5333a5ab546d582afd41fd2229f571d3caf454c6c0a03f7eb9e5704

  • SHA512

    861dd67a9f0e49be56dd20ac171eea4bc2db51496fc4effcc1615eecb679c9941541e6dce6eb87217bef7350458f6d0d9d9525321e2efbba743e07b030f279ef

  • SSDEEP

    24576:aH0dl8myX9Bg42QoXFkrzkmplSgRDYo0lG4Z8r7Qfbkiu5QM:acallSllG4ZM7QzM7

Score
7/10

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up the country code configured in the registry, likely a geofence check.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.

  • Modifies registry class 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\8a08e9fab5333a5ab546d582afd41fd2229f571d3caf454c6c0a03f7eb9e5704.exe
    "C:\Users\Admin\AppData\Local\Temp\8a08e9fab5333a5ab546d582afd41fd2229f571d3caf454c6c0a03f7eb9e5704.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: RenamesItself
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4948
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      2⤵
      • Checks computer location settings
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:3372
      • C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:1848
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      2⤵
      • Checks computer location settings
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:3344
      • C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        3⤵
        • Deletes itself
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of SetWindowsHookEx
        PID:4884
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=1996,i,5469445176230119590,7931734017267321834,262144 --variations-seed-version --mojo-platform-channel-handle=3756 /prefetch:8
    1⤵
      PID:4976

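The process tree above is the detection-worthy part of this report: the submitted sample launches WScript.exe (twice) on a .vbs it wrote under %APPDATA%\Microsoft, and each script host then runs svchcst.exe from that same directory, a name one character away from svchost.exe. The following is an added example, not Triage code: a small Python rule that flags that chain in process-creation events. The event records are constructed to mirror the page's pids, images and command lines plus two benign decoys; the field names (pid, ppid, image, cmdline) and the watch-list of system binary names are assumptions, not a Triage export format.

```python
"""Flag a script host running an EXE dropped beside its script, as in this report's process tree."""
import re

SAMPLE = "8a08e9fab5333a5ab546d582afd41fd2229f571d3caf454c6c0a03f7eb9e5704.exe"
TEMP_DIR = r"C:\Users\Admin\AppData\Local\Temp"
WSCRIPT_CMD = (r'"C:\Windows\System32\WScript.exe" '
               r'"C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"')
DROPPED = r"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"

# Constructed events modelled on the report's tree; ppid 1000 stands in for an unknown launcher.
EVENTS = [
    {"pid": 4948, "ppid": 1000, "image": TEMP_DIR + "\\" + SAMPLE,
     "cmdline": '"' + TEMP_DIR + "\\" + SAMPLE + '"'},
    {"pid": 3372, "ppid": 4948, "image": r"C:\Windows\SysWOW64\WScript.exe", "cmdline": WSCRIPT_CMD},
    {"pid": 1848, "ppid": 3372, "image": DROPPED, "cmdline": '"' + DROPPED + '"'},
    {"pid": 3344, "ppid": 4948, "image": r"C:\Windows\SysWOW64\WScript.exe", "cmdline": WSCRIPT_CMD},
    {"pid": 4884, "ppid": 3344, "image": DROPPED, "cmdline": '"' + DROPPED + '"'},
    # decoys: a browser utility process, and a logon script that spawns a system binary
    {"pid": 4976, "ppid": 1000, "image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "cmdline": "msedge.exe --type=utility"},
    {"pid": 5000, "ppid": 1000, "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'"C:\Windows\System32\wscript.exe" C:\Scripts\logon.vbs'},
    {"pid": 5100, "ppid": 5000, "image": r"C:\Windows\System32\notepad.exe", "cmdline": "notepad.exe"},
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
SCRIPT_EXTS = ("vbs", "vbe", "jse", "js", "wsf")
USER_WRITABLE = re.compile(r"\\users\\[^\\]+\\appdata\\(?:roaming|local)\\", re.I)
SCRIPT_ARG = re.compile(r'"?([A-Za-z]:\\[^"]+?\.(?:' + "|".join(SCRIPT_EXTS) + r'))"?', re.I)
# assumed watch-list of names a dropped binary might imitate; extend for your estate
SYSTEM_BINARIES = ("svchost.exe", "csrss.exe", "lsass.exe", "wininit.exe", "services.exe", "explorer.exe")


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def dirname(path):
    return path.rsplit("\\", 1)[0].lower()


def levenshtein(a, b):
    """Plain edit distance; inputs are short filenames so the O(len(a)*len(b)) table is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike(name, known=SYSTEM_BINARIES, max_dist=2):
    """Return the legitimate name that `name` is within max_dist edits of, else None."""
    name = name.lower()
    for k in known:
        if name != k and levenshtein(name, k) <= max_dist:
            return k
    return None


def find_script_drop_chains(events):
    """One finding per EXE started from a user-writable directory by a script host
    whose script argument also lives in a user-writable directory."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for child in events:
        host = by_pid.get(child["ppid"])
        if host is None or basename(host["image"]) not in SCRIPT_HOSTS:
            continue
        m = SCRIPT_ARG.search(host["cmdline"])
        if not m or not USER_WRITABLE.search(m.group(1)):
            continue
        if not child["image"].lower().endswith(".exe") or not USER_WRITABLE.search(child["image"]):
            continue
        findings.append({
            "exe_pid": child["pid"],
            "exe": child["image"],
            "script": m.group(1),
            "host_pid": host["pid"],
            # image under SysWOW64 while the command line names System32: the 32-bit caller was
            # redirected by WOW64, which matches the report's arch:x86 tag on an x64 image
            "wow64_host": "\\syswow64\\" in host["image"].lower(),
            "same_dir": dirname(child["image"]) == dirname(m.group(1)),
            "lookalike_of": lookalike(basename(child["image"])),
            "origin": by_pid.get(host["ppid"], {}).get("image"),
        })
    return findings


if __name__ == "__main__":
    for f in find_script_drop_chains(EVENTS):
        print(f)
```

The rule keys on the relationship between the script path and the child image rather than on the hash of svchcst.exe, so it survives the rebuild implied by the Downloads section (the dropped EXE is the same 1.1MB as the sample but carries a different hash). The edit-distance check is a heuristic: keep `max_dist` small, or names like `svchost.exe` itself will start matching unrelated entries in a longer watch-list.
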
Network

MITRE ATT&CK Enterprise v15

Downloads

    • C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

      Filesize

      753B

      MD5

      6162452c04578107708bdaa4632213fc

      SHA1

      3187bd92101f0aa851d01bd1ea7f546011f52d91

      SHA256

      63461b9f0405c2243888d5e42ac093497bb200805b7491601f295e26e832aed4

      SHA512

      12012e06aed2e96c1a120f193bf865c8412f3d3400622afab447d5371f699c3c37b36c4201265ffff5c6b6ba8ac294b0cc2c6a73ea585dad0f238820ca93b70c

    • C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

      Filesize

      1.1MB

      MD5

      d24ce5a5e991d671664bc7d87fadce20

      SHA1

      1f66e82d22e1300e86954a1bfb34ba417981d98c

      SHA256

      b0fea46ed9dd08254f1b1ae663f7e0bb43ef0af69c749a17c2b72e8e66c2b8d1

      SHA512

      0444024693827d3576aaf97e4290004a8c00c151de7e76ec8f85f9e033156ae5af017e43f2bc9eb725c11f37bd175a432c384028372874d9f983bad57a8ac3e8

    • memory/1848-15-0x0000000000400000-0x000000000055F000-memory.dmp

      Filesize

      1.4MB

    • memory/1848-16-0x0000000000400000-0x000000000055F000-memory.dmp

      Filesize

      1.4MB

    • memory/4884-17-0x0000000000400000-0x000000000055F000-memory.dmp

      Filesize

      1.4MB

    • memory/4948-0-0x0000000000400000-0x000000000055F000-memory.dmp

      Filesize

      1.4MB

    • memory/4948-11-0x0000000000400000-0x000000000055F000-memory.dmp

      Filesize

      1.4MB