Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    136s
  • max time network
    139s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    11/09/2024, 07:04

General

  • Target

    94b6212bad83555bc84744166d25aaad98fbbbb8d759e96d1be2f08149850d86.exe

  • Size

    1.1MB

  • MD5

    9cb2e24f881a465caa69b86f8e0c77b1

  • SHA1

    afe16b2327a4cd552d5969da5758193c377c5a16

  • SHA256

    94b6212bad83555bc84744166d25aaad98fbbbb8d759e96d1be2f08149850d86

  • SHA512

    f4fd3263b48f7447f9026e1cb22b6d4f836741405dd5e3be1c5ddcaa9c6733ef2433595617038e8a47db50b9b7a57be50ced41f6fe8badb45217a5c6fd8c44c2

  • SSDEEP

    24576:aH0dl8myX9Bg42QoXFkrzkmplSgRDYo0lG4Z8r7Qfbkiu5Q6:acallSllG4ZM7QzM5

Score
7/10

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry class 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\94b6212bad83555bc84744166d25aaad98fbbbb8d759e96d1be2f08149850d86.exe
    "C:\Users\Admin\AppData\Local\Temp\94b6212bad83555bc84744166d25aaad98fbbbb8d759e96d1be2f08149850d86.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: RenamesItself
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3360
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      2⤵
      • Checks computer location settings
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:2884
      • C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        3⤵
        • Deletes itself
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of SetWindowsHookEx
        PID:2596
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      2⤵
      • Checks computer location settings
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:3544
      • C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:3012
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4216,i,15336851255456239337,16379811035920490645,262144 --variations-seed-version --mojo-platform-channel-handle=4604 /prefetch:8
    1⤵
      PID:4080

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

      Filesize

      753B

      MD5

      2db248f04fbbbbb2b2f4832fde2d38b4

      SHA1

      1ca15ce47b395627bba5189f9249193c6802cfef

      SHA256

      73648b1363f07d09ea723f40ed4c5a5e8c52ccafddbc27a631f6707e16bf32db

      SHA512

      aae35b13f9c3e67f9c0da2ffa0a7ab0cfd94085e6181192a8fe56a3f35845e76ef287ad8dd1658266d9a79621e66295d5b75bda57a0a5fc306585f1b95b9d50d

    • C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

      Filesize

      1.1MB

      MD5

      ec8158a0b538aff34a4ff4da880d8a7a

      SHA1

      4a5f51cbb5cf0849e53456aa0af3983eda286b3d

      SHA256

      32373ba804da6e88b438683d4242f68d1f79dad06624ee09e77c03c3b7bf5604

      SHA512

      c9a870966c0f9b7d1884d584ed7a7d1e32bdb267496d53a073715e69446973d137e20edcf8d4aefa58aa741bf4e70ea4b13543098d6e194be90cddb4ee373405

    • memory/2596-15-0x0000000000400000-0x000000000055F000-memory.dmp

      Filesize

      1.4MB

    • memory/2596-19-0x0000000000400000-0x000000000055F000-memory.dmp

      Filesize

      1.4MB

    • memory/3012-17-0x0000000000400000-0x000000000055F000-memory.dmp

      Filesize

      1.4MB

    • memory/3012-18-0x0000000000400000-0x000000000055F000-memory.dmp

      Filesize

      1.4MB

    • memory/3360-0-0x0000000000400000-0x000000000055F000-memory.dmp

      Filesize

      1.4MB

    • memory/3360-12-0x0000000000400000-0x000000000055F000-memory.dmp

      Filesize

      1.4MB