Analysis
max time kernel: 113s
max time network: 124s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 09/09/2024, 01:21
Static task: static1
Behavioral task: behavioral1
  Sample: bce94981e91d899f670e4aa9b06e51f1bbff4960751481b373c119c8373ed481.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: bce94981e91d899f670e4aa9b06e51f1bbff4960751481b373c119c8373ed481.exe
  Resource: win10v2004-20240802-en
General
Target: bce94981e91d899f670e4aa9b06e51f1bbff4960751481b373c119c8373ed481.exe
Size: 4.0MB
MD5: 55a2312d6062e5bac6c5f62a0ee42fa2
SHA1: 2271954571874366b20b329f202735959361a01c
SHA256: bce94981e91d899f670e4aa9b06e51f1bbff4960751481b373c119c8373ed481
SHA512: f9ec8f21b68dcec5e9c8916e87a1395a84efbcac8aae67b0c8c171391ac301ea330d47fa352fdcf60db78a979e9e6c380a6ae9a526772878b5a46fc16d0c2ced
SSDEEP: 98304:ylxy6buzFyyqatrjLQsf10YsOR+iI5XEcP8e:cxmR4atrYsNdx3I5Xse
Malware Config
Signatures
Checks computer location settings (2 TTPs, 3 IoCs)
Looks up country code configured in the registry, likely geofence.
  description        ioc                                                                                         Process
  Key value queried  \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation  WScript.exe
  Key value queried  \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation  hostcrt.exe
  Key value queried  \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation  bce94981e91d899f670e4aa9b06e51f1bbff4960751481b373c119c8373ed481.exe

Executes dropped EXE (2 IoCs)
  pid   Process
  3124  hostcrt.exe
  4236  RuntimeBroker.exe

Drops file in Program Files directory (2 IoCs)
  description   ioc                                                         Process
  File created  C:\Program Files (x86)\Windows Media Player\uk-UA\upfc.exe          hostcrt.exe
  File created  C:\Program Files (x86)\Windows Media Player\uk-UA\ea1d8f6d871115    hostcrt.exe

Drops file in Windows directory (2 IoCs)
  description   ioc                                 Process
  File created  C:\Windows\CbsTemp\explorer.exe     hostcrt.exe
  File created  C:\Windows\CbsTemp\7a0fd90576e088   hostcrt.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc                                                          Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  bce94981e91d899f670e4aa9b06e51f1bbff4960751481b373c119c8373ed481.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  WScript.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cmd.exe

Modifies registry class (2 IoCs)
  description  ioc                                                                                  Process
  Key created  \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\Local Settings  bce94981e91d899f670e4aa9b06e51f1bbff4960751481b373c119c8373ed481.exe
  Key created  \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\Local Settings  hostcrt.exe

Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid   Process
  3124  hostcrt.exe  (all 64 entries are this same pid/process)

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description               pid   Process
  Token: SeDebugPrivilege   3124  hostcrt.exe
  Token: SeDebugPrivilege   4236  RuntimeBroker.exe

Suspicious use of WriteProcessMemory (16 IoCs)
  description                     pid   Process                                                                   procid_target
  PID 3704 wrote to memory of 3780  3704  bce94981e91d899f670e4aa9b06e51f1bbff4960751481b373c119c8373ed481.exe  85
  PID 3704 wrote to memory of 3780  3704  bce94981e91d899f670e4aa9b06e51f1bbff4960751481b373c119c8373ed481.exe  85
  PID 3704 wrote to memory of 3780  3704  bce94981e91d899f670e4aa9b06e51f1bbff4960751481b373c119c8373ed481.exe  85
  PID 3780 wrote to memory of 4964  3780  WScript.exe                                                               92
  PID 3780 wrote to memory of 4964  3780  WScript.exe                                                               92
  PID 3780 wrote to memory of 4964  3780  WScript.exe                                                               92
  PID 4964 wrote to memory of 3124  4964  cmd.exe                                                                   94
  PID 4964 wrote to memory of 3124  4964  cmd.exe                                                                   94
  PID 3124 wrote to memory of 2640  3124  hostcrt.exe                                                               96
  PID 3124 wrote to memory of 2640  3124  hostcrt.exe                                                               96
  PID 2640 wrote to memory of 2544  2640  cmd.exe                                                                   99
  PID 2640 wrote to memory of 2544  2640  cmd.exe                                                                   99
  PID 2640 wrote to memory of 1508  2640  cmd.exe                                                                   100
  PID 2640 wrote to memory of 1508  2640  cmd.exe                                                                   100
  PID 2640 wrote to memory of 4236  2640  cmd.exe                                                                   101
  PID 2640 wrote to memory of 4236  2640  cmd.exe                                                                   101
Processes
[1] C:\Users\Admin\AppData\Local\Temp\bce94981e91d899f670e4aa9b06e51f1bbff4960751481b373c119c8373ed481.exe
    command: "C:\Users\Admin\AppData\Local\Temp\bce94981e91d899f670e4aa9b06e51f1bbff4960751481b373c119c8373ed481.exe"
    PID: 3704
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
  [2] C:\Windows\SysWOW64\WScript.exe
      command: "C:\Windows\System32\WScript.exe" "C:\ProviderWebSavesNet\KzpapvVcbVWl7x3kYPCfes0ojKXptfYw4GAjwTs.vbe"
      PID: 3780
      - Checks computer location settings
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\SysWOW64\cmd.exe
        command: C:\Windows\system32\cmd.exe /c ""C:\ProviderWebSavesNet\4m3MAufDe8UYuW2ydRhKZQEREfiJBHvyHq5AIcSjywzlT6BxOyJV1br81hHR.bat" "
        PID: 4964
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory
      [4] C:\ProviderWebSavesNet\hostcrt.exe
          command: "C:\ProviderWebSavesNet/hostcrt.exe"
          PID: 3124
          - Checks computer location settings
          - Executes dropped EXE
          - Drops file in Program Files directory
          - Drops file in Windows directory
          - Modifies registry class
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of WriteProcessMemory
        [5] C:\Windows\System32\cmd.exe
            command: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ZMRpkecEeL.bat"
            PID: 2640
            - Suspicious use of WriteProcessMemory
          [6] C:\Windows\system32\chcp.com
              command: chcp 65001
              PID: 2544
          [6] C:\Windows\system32\w32tm.exe
              command: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
              PID: 1508
          [6] C:\Users\Default User\RuntimeBroker.exe
              command: "C:\Users\Default User\RuntimeBroker.exe"
              PID: 4236
              - Executes dropped EXE
              - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 82B
MD5: 22b3050e40cced02d2a2149a4ff4c740
SHA1: bbf5353903fecf327fefed64ea5682aa62ae6d3b
SHA256: 279a77eff83aead5bc84ae074b51e9d31b582822e581ad09b96901c52c8fad5c
SHA512: 3d2ca66d370e10bc13dbcc84145cc11bd524853ffc9e493be7ac26a0dcfb7253dd76def55ca3de2b4c493be412287f49da9aa074cd3cc13c072e2d7f0ddac59c

Filesize: 257B
MD5: 2da89fb4c9e3dbdb93495a409f2c4174
SHA1: d22186a88e8ebe609dad2ec8f0bb39df314114c7
SHA256: 4e65e9df887312cfbf2cafc4a309eca1dc4204f2f87b9a6ed20d37eb94f15c9a
SHA512: 5aa9f1d004c92c4b6ff7428cc24aaaeb5f04e668657904dd123dd1ca129c6b81c37d5efa7aa746aec52db56417da8038001ebf229ef5e2e61e12423b3b45b6b1

Filesize: 3.7MB
MD5: 88340879f7b502b0eee8f6147cdc70eb
SHA1: 1510660a130fdcb57e2dcad37c16cf1a966126d8
SHA256: bcefedada15b81b6470d80824651dac64d52a568b459b6c1ade8d0dcddcf2f05
SHA512: d3518eb922315743bf16624e256a6bcc4b930723786cf34ccb40afb901c2ede1a19c0acdb21ee4c5bbda6541a2b229c16a8ad66e861230e46634f30b8d3db3ed

Filesize: 215B
MD5: 363d4547902d8f5d3f822d9d9e5debc9
SHA1: 59edec73174b756c81cbbed13bb43e58112257ad
SHA256: ae8123e8c4f40e22187ca701963508592ed5997b1e5acb64e359a8cb5d9f6e67
SHA512: a70e51c22e8708cd74e09ae891db7d1633f0671418712267b0e9b235a373c643ade824362dc3309a1c3f53c4ee8f4b2706a3d78c92e3c452d5e4f5502b08bd4c