Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
142s -
max time network
138s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
-
submitted
29/08/2024, 17:17
General
-
Target
ee962e84b7fc94dffe70f523af1b4e18b537a1d66936d0fa80d3112d57e570c3.exe
-
Size
1.1MB
-
MD5
0eab3d1b3a7ab9cc829f12323dd4717e
-
SHA1
c3d0a6fce6809f85d2a45c670c27363f1f3e7f6c
-
SHA256
ee962e84b7fc94dffe70f523af1b4e18b537a1d66936d0fa80d3112d57e570c3
-
SHA512
2b1c7c76363f50ff3a1a4d2e956f79ac7eed522e8f5788e9aaf38015ee70335ff36ae80c74ae67cf8c0bf351e751b3a5de3555c64e513ca7e0c25df46467f709
-
SSDEEP
24576:CH0dl8myX9Bg42QoXFkrzkmmlSgRDko0lG4Z8r7Qfbkiu5QZ:CcaClSFlG4ZM7QzMK
Malware Config
Signatures
-
Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
-
Deletes itself 1 IoCs
-
Executes dropped EXE 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Modifies registry class 3 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: RenamesItself 1 IoCs
-
Suspicious use of SetWindowsHookEx 6 IoCs
-
Suspicious use of WriteProcessMemory 12 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\ee962e84b7fc94dffe70f523af1b4e18b537a1d66936d0fa80d3112d57e570c3.exe"C:\Users\Admin\AppData\Local\Temp\ee962e84b7fc94dffe70f523af1b4e18b537a1d66936d0fa80d3112d57e570c3.exe"1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
-
-
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"3⤵
- Deletes itself
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
753B
MD515613d0414840957e32a89a61a68ba0a
SHA110daae45315e97dfe1226541bf2e53cb7b187a10
SHA2561e6fbcb09368ff3bc5bed55830397ba99ce08be9eace5438289b826e370f1fa9
SHA51216457fb4d5fa3d015442b9d7ee26a51fa5f403d0d8810c78d0b5a0ecd12f86d5ea2d392952bb02b4b3a60586ed08e637849a82a5003570db2ab6f24afb54c4e6
-
Filesize
1.1MB
MD5afdbf4cc4a96e322bbf2e0150878c46b
SHA13fda34159bd80a3f636896e4a29c2f91aee72d5c
SHA2564a13b20aba4cf4f18961780a895d77134c73e2bbda711b8af3bd54f95aa0d383
SHA5126a5ee4b0e2dd87dfd7cb95958a49f65a538af2116806ba4d07572d37113c75bb9524dc894c8d3bc878054660991daa9ddb5738040b00978d6a0398a1ace3223a
-
Filesize
1.3MB