Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
max time kernel: 142s
max time network: 138s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 29/08/2024, 17:17
Static task: static1
Behavioral task: behavioral1
  Sample: ee962e84b7fc94dffe70f523af1b4e18b537a1d66936d0fa80d3112d57e570c3.exe
  Resource: win7-20240708-en
Behavioral task: behavioral2
  Sample: ee962e84b7fc94dffe70f523af1b4e18b537a1d66936d0fa80d3112d57e570c3.exe
  Resource: win10v2004-20240802-en
General
Target: ee962e84b7fc94dffe70f523af1b4e18b537a1d66936d0fa80d3112d57e570c3.exe
Size: 1.1MB
MD5: 0eab3d1b3a7ab9cc829f12323dd4717e
SHA1: c3d0a6fce6809f85d2a45c670c27363f1f3e7f6c
SHA256: ee962e84b7fc94dffe70f523af1b4e18b537a1d66936d0fa80d3112d57e570c3
SHA512: 2b1c7c76363f50ff3a1a4d2e956f79ac7eed522e8f5788e9aaf38015ee70335ff36ae80c74ae67cf8c0bf351e751b3a5de3555c64e513ca7e0c25df46467f709
SSDEEP: 24576:CH0dl8myX9Bg42QoXFkrzkmmlSgRDko0lG4Z8r7Qfbkiu5QZ:CcaClSFlG4ZM7QzMK
Malware Config
Signatures

Checks computer location settings (2 TTPs, 3 IoCs)
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation | ee962e84b7fc94dffe70f523af1b4e18b537a1d66936d0fa80d3112d57e570c3.exe
Key value queried | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation | WScript.exe
Key value queried | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation | WScript.exe

Deletes itself (1 IoCs)
pid | Process
64 | svchcst.exe

Executes dropped EXE (2 IoCs)
pid | Process
64 | svchcst.exe
2524 | svchcst.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTPs, 5 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ee962e84b7fc94dffe70f523af1b4e18b537a1d66936d0fa80d3112d57e570c3.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | WScript.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | WScript.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | svchcst.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | svchcst.exe
Modifies registry class (3 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | WScript.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | WScript.exe
Key created | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Local Settings | ee962e84b7fc94dffe70f523af1b4e18b537a1d66936d0fa80d3112d57e570c3.exe

Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid | Process
2676 | ee962e84b7fc94dffe70f523af1b4e18b537a1d66936d0fa80d3112d57e570c3.exe (listed 4 times)
64 | svchcst.exe (listed 60 times)

Suspicious behavior: RenamesItself (1 IoCs)
pid | Process
2676 | ee962e84b7fc94dffe70f523af1b4e18b537a1d66936d0fa80d3112d57e570c3.exe

Suspicious use of SetWindowsHookEx (6 IoCs)
pid | Process
2676 | ee962e84b7fc94dffe70f523af1b4e18b537a1d66936d0fa80d3112d57e570c3.exe
2676 | ee962e84b7fc94dffe70f523af1b4e18b537a1d66936d0fa80d3112d57e570c3.exe
64 | svchcst.exe
2524 | svchcst.exe
64 | svchcst.exe
2524 | svchcst.exe

Suspicious use of WriteProcessMemory (12 IoCs)
description | pid | Process | procid_target
PID 2676 wrote to memory of 2924 | 2676 | ee962e84b7fc94dffe70f523af1b4e18b537a1d66936d0fa80d3112d57e570c3.exe | 88
PID 2676 wrote to memory of 2924 | 2676 | ee962e84b7fc94dffe70f523af1b4e18b537a1d66936d0fa80d3112d57e570c3.exe | 88
PID 2676 wrote to memory of 2924 | 2676 | ee962e84b7fc94dffe70f523af1b4e18b537a1d66936d0fa80d3112d57e570c3.exe | 88
PID 2676 wrote to memory of 2124 | 2676 | ee962e84b7fc94dffe70f523af1b4e18b537a1d66936d0fa80d3112d57e570c3.exe | 87
PID 2676 wrote to memory of 2124 | 2676 | ee962e84b7fc94dffe70f523af1b4e18b537a1d66936d0fa80d3112d57e570c3.exe | 87
PID 2676 wrote to memory of 2124 | 2676 | ee962e84b7fc94dffe70f523af1b4e18b537a1d66936d0fa80d3112d57e570c3.exe | 87
PID 2924 wrote to memory of 64 | 2924 | WScript.exe | 95
PID 2924 wrote to memory of 64 | 2924 | WScript.exe | 95
PID 2924 wrote to memory of 64 | 2924 | WScript.exe | 95
PID 2124 wrote to memory of 2524 | 2124 | WScript.exe | 94
PID 2124 wrote to memory of 2524 | 2124 | WScript.exe | 94
PID 2124 wrote to memory of 2524 | 2124 | WScript.exe | 94
Processes

Level 1: C:\Users\Admin\AppData\Local\Temp\ee962e84b7fc94dffe70f523af1b4e18b537a1d66936d0fa80d3112d57e570c3.exe (PID 2676)
  Command line: "C:\Users\Admin\AppData\Local\Temp\ee962e84b7fc94dffe70f523af1b4e18b537a1d66936d0fa80d3112d57e570c3.exe"
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: RenamesItself
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  Level 2: C:\Windows\SysWOW64\WScript.exe (PID 2124)
    Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory

    Level 3: C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe (PID 2524)
      Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of SetWindowsHookEx

  Level 2: C:\Windows\SysWOW64\WScript.exe (PID 2924)
    Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory

    Level 3: C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe (PID 64)
      Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
      - Deletes itself
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads

File 1
Filesize: 753B
MD5: 15613d0414840957e32a89a61a68ba0a
SHA1: 10daae45315e97dfe1226541bf2e53cb7b187a10
SHA256: 1e6fbcb09368ff3bc5bed55830397ba99ce08be9eace5438289b826e370f1fa9
SHA512: 16457fb4d5fa3d015442b9d7ee26a51fa5f403d0d8810c78d0b5a0ecd12f86d5ea2d392952bb02b4b3a60586ed08e637849a82a5003570db2ab6f24afb54c4e6

File 2
Filesize: 1.1MB
MD5: afdbf4cc4a96e322bbf2e0150878c46b
SHA1: 3fda34159bd80a3f636896e4a29c2f91aee72d5c
SHA256: 4a13b20aba4cf4f18961780a895d77134c73e2bbda711b8af3bd54f95aa0d383
SHA512: 6a5ee4b0e2dd87dfd7cb95958a49f65a538af2116806ba4d07572d37113c75bb9524dc894c8d3bc878054660991daa9ddb5738040b00978d6a0398a1ace3223a