Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

7

Static

static

3

bce94981e9...81.exe

windows7-x64

7

bce94981e9...81.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    113s
  • max time network
    124s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    09/09/2024, 01:21

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    bce94981e91d899f670e4aa9b06e51f1bbff4960751481b373c119c8373ed481.exe

  • Size

    4.0MB

  • MD5

    55a2312d6062e5bac6c5f62a0ee42fa2

  • SHA1

    2271954571874366b20b329f202735959361a01c

  • SHA256

    bce94981e91d899f670e4aa9b06e51f1bbff4960751481b373c119c8373ed481

  • SHA512

    f9ec8f21b68dcec5e9c8916e87a1395a84efbcac8aae67b0c8c171391ac301ea330d47fa352fdcf60db78a979e9e6c380a6ae9a526772878b5a46fc16d0c2ced

  • SSDEEP

    98304:ylxy6buzFyyqatrjLQsf10YsOR+iI5XEcP8e:cxmR4atrYsNdx3I5Xse

Score
7/10
discovery

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Drops file in Program Files directory 2 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies registry class 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\bce94981e91d899f670e4aa9b06e51f1bbff4960751481b373c119c8373ed481.exe
    "C:\Users\Admin\AppData\Local\Temp\bce94981e91d899f670e4aa9b06e51f1bbff4960751481b373c119c8373ed481.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:3704
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\ProviderWebSavesNet\KzpapvVcbVWl7x3kYPCfes0ojKXptfYw4GAjwTs.vbe"
      2⤵
      • Checks computer location settings
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3780
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\ProviderWebSavesNet\4m3MAufDe8UYuW2ydRhKZQEREfiJBHvyHq5AIcSjywzlT6BxOyJV1br81hHR.bat" "
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:4964
        • C:\ProviderWebSavesNet\hostcrt.exe
          "C:\ProviderWebSavesNet/hostcrt.exe"
          4⤵
          • Checks computer location settings
          • Executes dropped EXE
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • Modifies registry class
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:3124
          • C:\Windows\System32\cmd.exe
            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ZMRpkecEeL.bat"
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:2640
            • C:\Windows\system32\chcp.com
              chcp 65001
              6⤵
                PID:2544
              • C:\Windows\system32\w32tm.exe
                w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                6⤵
                  PID:1508
                • C:\Users\Default User\RuntimeBroker.exe
                  "C:\Users\Default User\RuntimeBroker.exe"
                  6⤵
                  • Executes dropped EXE
                  • Suspicious use of AdjustPrivilegeToken
                  PID:4236

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\ProviderWebSavesNet\4m3MAufDe8UYuW2ydRhKZQEREfiJBHvyHq5AIcSjywzlT6BxOyJV1br81hHR.bat
        Filesize

        82B

        MD5

        22b3050e40cced02d2a2149a4ff4c740

        SHA1

        bbf5353903fecf327fefed64ea5682aa62ae6d3b

        SHA256

        279a77eff83aead5bc84ae074b51e9d31b582822e581ad09b96901c52c8fad5c

        SHA512

        3d2ca66d370e10bc13dbcc84145cc11bd524853ffc9e493be7ac26a0dcfb7253dd76def55ca3de2b4c493be412287f49da9aa074cd3cc13c072e2d7f0ddac59c

        Download Submit

      • C:\ProviderWebSavesNet\KzpapvVcbVWl7x3kYPCfes0ojKXptfYw4GAjwTs.vbe
        Filesize

        257B

        MD5

        2da89fb4c9e3dbdb93495a409f2c4174

        SHA1

        d22186a88e8ebe609dad2ec8f0bb39df314114c7

        SHA256

        4e65e9df887312cfbf2cafc4a309eca1dc4204f2f87b9a6ed20d37eb94f15c9a

        SHA512

        5aa9f1d004c92c4b6ff7428cc24aaaeb5f04e668657904dd123dd1ca129c6b81c37d5efa7aa746aec52db56417da8038001ebf229ef5e2e61e12423b3b45b6b1

        Download Submit

      • C:\ProviderWebSavesNet\hostcrt.exe
        Filesize

        3.7MB

        MD5

        88340879f7b502b0eee8f6147cdc70eb

        SHA1

        1510660a130fdcb57e2dcad37c16cf1a966126d8

        SHA256

        bcefedada15b81b6470d80824651dac64d52a568b459b6c1ade8d0dcddcf2f05

        SHA512

        d3518eb922315743bf16624e256a6bcc4b930723786cf34ccb40afb901c2ede1a19c0acdb21ee4c5bbda6541a2b229c16a8ad66e861230e46634f30b8d3db3ed

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\ZMRpkecEeL.bat
        Filesize

        215B

        MD5

        363d4547902d8f5d3f822d9d9e5debc9

        SHA1

        59edec73174b756c81cbbed13bb43e58112257ad

        SHA256

        ae8123e8c4f40e22187ca701963508592ed5997b1e5acb64e359a8cb5d9f6e67

        SHA512

        a70e51c22e8708cd74e09ae891db7d1633f0671418712267b0e9b235a373c643ade824362dc3309a1c3f53c4ee8f4b2706a3d78c92e3c452d5e4f5502b08bd4c

        Download Submit

      • memory/3124-36-0x000000001BD70000-0x000000001BD82000-memory.dmp

        Filesize

        72KB

        Download

      • memory/3124-42-0x000000001D180000-0x000000001D196000-memory.dmp

        Filesize

        88KB

        Download

      • memory/3124-17-0x0000000001970000-0x000000000197E000-memory.dmp

        Filesize

        56KB

        Download

      • memory/3124-19-0x00000000019A0000-0x00000000019BC000-memory.dmp

        Filesize

        112KB

        Download

      • memory/3124-20-0x000000001BD00000-0x000000001BD50000-memory.dmp

        Filesize

        320KB

        Download

      • memory/3124-22-0x0000000001980000-0x0000000001990000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3124-24-0x00000000033E0000-0x00000000033F8000-memory.dmp

        Filesize

        96KB

        Download

      • memory/3124-26-0x0000000001990000-0x00000000019A0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3124-28-0x00000000019D0000-0x00000000019E0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3124-30-0x00000000033C0000-0x00000000033CE000-memory.dmp

        Filesize

        56KB

        Download

      • memory/3124-32-0x00000000033D0000-0x00000000033DC000-memory.dmp

        Filesize

        48KB

        Download

      • memory/3124-34-0x0000000003400000-0x000000000340E000-memory.dmp

        Filesize

        56KB

        Download

      • memory/3124-13-0x0000000000D70000-0x000000000112A000-memory.dmp

        Filesize

        3.7MB

        Download

      • memory/3124-38-0x0000000003410000-0x000000000341C000-memory.dmp

        Filesize

        48KB

        Download

      • memory/3124-40-0x000000001BD50000-0x000000001BD60000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3124-15-0x0000000001D80000-0x0000000001DA6000-memory.dmp

        Filesize

        152KB

        Download

      • memory/3124-44-0x000000001D1A0000-0x000000001D1B2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/3124-45-0x000000001D6F0000-0x000000001DC18000-memory.dmp

        Filesize

        5.2MB

        Download

      • memory/3124-47-0x000000001BD60000-0x000000001BD6E000-memory.dmp

        Filesize

        56KB

        Download

      • memory/3124-49-0x000000001BD90000-0x000000001BD9C000-memory.dmp

        Filesize

        48KB

        Download

      • memory/3124-51-0x000000001BDA0000-0x000000001BDAC000-memory.dmp

        Filesize

        48KB

        Download

      • memory/3124-53-0x000000001BDB0000-0x000000001BDC0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3124-55-0x000000001D1C0000-0x000000001D1D0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3124-57-0x000000001D230000-0x000000001D28A000-memory.dmp

        Filesize

        360KB

        Download

      • memory/3124-59-0x000000001D1D0000-0x000000001D1DE000-memory.dmp

        Filesize

        56KB

        Download

      • memory/3124-61-0x000000001D1E0000-0x000000001D1F0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3124-63-0x000000001D1F0000-0x000000001D1FE000-memory.dmp

        Filesize

        56KB

        Download

      • memory/3124-65-0x000000001D490000-0x000000001D4A8000-memory.dmp

        Filesize

        96KB

        Download

      • memory/3124-67-0x000000001D200000-0x000000001D20C000-memory.dmp

        Filesize

        48KB

        Download

      • memory/3124-69-0x000000001D500000-0x000000001D54E000-memory.dmp

        Filesize

        312KB

        Download

      • memory/3124-12-0x00007FFDAE473000-0x00007FFDAE475000-memory.dmp

        Filesize

        8KB

        Download