Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
140s -
max time network
139s -
platform
windows10-2004_x64 -
resource
win10v2004-20240910-en -
resource tags
-
submitted
30/09/2024, 05:10
General
-
Target
1cae720dc4b8901f0be74be1583319caa992cb030f39f0eb88a1ec382bbdf48c.exe
-
Size
1.1MB
-
MD5
6519c7aa42263db95e7346ebbdebb274
-
SHA1
0bff4170d4eb65a947a6cf6eafe9bb7db2dde89c
-
SHA256
1cae720dc4b8901f0be74be1583319caa992cb030f39f0eb88a1ec382bbdf48c
-
SHA512
09a1ba84d51d238acdf75f0f3453ed7c6d87ce87900a40a6cea2dd122e636dc146d4eb9f9fdb390b0b09bac66d4c8704a86edeb82df1c7c22562b196f7b8d0d6
-
SSDEEP
24576:CH0dl8myX9Bg42QoXFkrzkmmlSgRDko0lG4Z8r7Qfbkiu5Q1:CcaClSFlG4ZM7QzM+
Malware Config
Signatures
-
Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
-
Deletes itself 1 IoCs
-
Executes dropped EXE 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Modifies registry class 3 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: RenamesItself 1 IoCs
-
Suspicious use of SetWindowsHookEx 6 IoCs
-
Suspicious use of WriteProcessMemory 12 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\1cae720dc4b8901f0be74be1583319caa992cb030f39f0eb88a1ec382bbdf48c.exe"C:\Users\Admin\AppData\Local\Temp\1cae720dc4b8901f0be74be1583319caa992cb030f39f0eb88a1ec382bbdf48c.exe"1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
-
-
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"3⤵
- Deletes itself
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
753B
MD5534f4201cddb62ce45d79810519d3ad8
SHA1d88076f677e3c3baae2b6546f9b24f38f1e4f7be
SHA2568fac8e1981e12160526b6e87cd020993dcbd5b1134e43169b13f483e1fdc1f7b
SHA512eac5ad53497f3f402b12807edb8b9b3f07136bbd400dbe5fa22dedbdefeac347b00c0ab5e52956325e9075b7d22fc2cdd819ef01697caea598066b1ad4088de6
-
Filesize
1.1MB
MD57a0d53bff961e8d0e23793b13aa0d18a
SHA163552de8fb88cd51309af8cd1853b316e8a2e173
SHA25628f0d505fcdd66300915eeb7c26ad7f8b6117c4d26df4cdf136e87a3539ef921
SHA512d74c0aa45569239e68de766122212c97737ebbe466238dbec0038e9c128a2183cab3dc4c43218c748cf3d15d41edf4b09c2c7441c805a1f126b136ecbed6de80
-
Filesize
1.3MB