Analysis
- max time kernel: 149s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20240802-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 06/09/2024, 20:29
Static task
- static1
Behavioral task
- behavioral1
  - Sample: ad14753bd99ca2c16558a7ecd91b5291cbf48e5b23b2b50596d24e7ad8d63cd8.exe
  - Resource: win7-20240729-en
- behavioral2
  - Sample: ad14753bd99ca2c16558a7ecd91b5291cbf48e5b23b2b50596d24e7ad8d63cd8.exe
  - Resource: win10v2004-20240802-en
General
- Target: ad14753bd99ca2c16558a7ecd91b5291cbf48e5b23b2b50596d24e7ad8d63cd8.exe
- Size: 1.1MB
- MD5: 8b7749318d787392fa03aef03729187c
- SHA1: 1d92d7d5df694e1a9c1cdeb014d409d71cd2adf2
- SHA256: ad14753bd99ca2c16558a7ecd91b5291cbf48e5b23b2b50596d24e7ad8d63cd8
- SHA512: dccdf4f52be724590b62cc0e28569c4b1f40cea76930da62c3d103a2d5036807984e7ac8010461bf5aed4b7f1876d07e3b835e43f15e7fa69184de57b5bb8c55
- SSDEEP: 24576:aH0dl8myX9Bg42QoXFkrzkmplSgRDYo0lG4Z8r7Qfbkiu5Qf:acallSllG4ZM7QzMo
Malware Config
Signatures
- Checks computer location settings (2 TTPs, 3 IoCs)
  Looks up the country code configured in the registry, likely a geofence.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation | ad14753bd99ca2c16558a7ecd91b5291cbf48e5b23b2b50596d24e7ad8d63cd8.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation | WScript.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation | WScript.exe
- Deletes itself (1 IoC)
  pid | Process
  3004 | svchcst.exe
- Executes dropped EXE (2 IoCs)
  pid | Process
  1476 | svchcst.exe
  3004 | svchcst.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTP, 5 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ad14753bd99ca2c16558a7ecd91b5291cbf48e5b23b2b50596d24e7ad8d63cd8.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | WScript.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | WScript.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | svchcst.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | svchcst.exe
- Modifies registry class (3 IoCs)
  description | ioc | Process
  Key created | \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings | ad14753bd99ca2c16558a7ecd91b5291cbf48e5b23b2b50596d24e7ad8d63cd8.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | WScript.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | WScript.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid | Process | occurrences
  2824 | ad14753bd99ca2c16558a7ecd91b5291cbf48e5b23b2b50596d24e7ad8d63cd8.exe | 4
  3004 | svchcst.exe | 60
- Suspicious behavior: RenamesItself (1 IoC)
  pid | Process
  2824 | ad14753bd99ca2c16558a7ecd91b5291cbf48e5b23b2b50596d24e7ad8d63cd8.exe
- Suspicious use of SetWindowsHookEx (6 IoCs)
  pid | Process | occurrences
  2824 | ad14753bd99ca2c16558a7ecd91b5291cbf48e5b23b2b50596d24e7ad8d63cd8.exe | 2
  1476 | svchcst.exe | 2
  3004 | svchcst.exe | 2
- Suspicious use of WriteProcessMemory (12 IoCs; each parent/child pair is recorded three times)
  description | pid | Process | procid_target
  PID 2824 wrote to memory of 704 | 2824 | ad14753bd99ca2c16558a7ecd91b5291cbf48e5b23b2b50596d24e7ad8d63cd8.exe | 86
  PID 2824 wrote to memory of 880 | 2824 | ad14753bd99ca2c16558a7ecd91b5291cbf48e5b23b2b50596d24e7ad8d63cd8.exe | 87
  PID 704 wrote to memory of 3004 | 704 | WScript.exe | 95
  PID 880 wrote to memory of 1476 | 880 | WScript.exe | 94
Processes
- [1] C:\Users\Admin\AppData\Local\Temp\ad14753bd99ca2c16558a7ecd91b5291cbf48e5b23b2b50596d24e7ad8d63cd8.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\ad14753bd99ca2c16558a7ecd91b5291cbf48e5b23b2b50596d24e7ad8d63cd8.exe"
  PID: 2824
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: RenamesItself
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - [2] C:\Windows\SysWOW64\WScript.exe
    Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
    PID: 704
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    - [3] C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
      Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
      PID: 3004
      - Deletes itself
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of SetWindowsHookEx
  - [2] C:\Windows\SysWOW64\WScript.exe
    Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
    PID: 880
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    - [3] C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
      Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
      PID: 1476
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 753B
  MD5: c164161b5a2646282093528d7c8d1b98
  SHA1: fe659db4388c556dd9a193fdfe7e4388f79f30a7
  SHA256: bd5db84fdcc2a9cf9ba03048c8268be7756a8cd6d82d07150f465d7afcd72a16
  SHA512: f21330c51ee75f306668d8cbd214493392ed2d9f10e83344dfcb7514417982166fdd6f726ca615da174493a5573722a781097225b6b089d199e7cfa976843d57
- Filesize: 1.1MB
  MD5: 632f3533b483a419318d7ef1f9372faa
  SHA1: a77907f91504d110e92115da4876fc39e40bca90
  SHA256: f591a728c0c813964d9b011aa43ebd941b4904e283086cea646b48e94e95289d
  SHA512: 182a329c1ae8fbe88ace37a4a3631ecfc29471664074adcd6987d4544681d6da37fbdc676950bb0dd6f8aed3bf697eaf7a2cabd90441efafff8a24fb8c7030f5