Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

8

Static

static

Setup_File...21.exe

windows7_x64

8

Setup_File...21.exe

windows10_x64

1

Analysis

  • max time kernel
    129s
  • max time network
    135s
  • platform
    windows7_x64
  • resource
    win7v20210410
  • submitted
    06/07/2021, 19:08

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Setup_File_Magic_2021.exe

  • Size

    1.2MB

  • MD5

    8f2c8356efa99b8b91b11741f6834602

  • SHA1

    c2a4bb8ef0c785e14e624f0a27045803c9aeb03b

  • SHA256

    99842928d56ef4c03fa17ec47538b1527d25d4b4644e157628475426cdb7acde

  • SHA512

    333bca23e0fe61d2b35bfb383bfaf9aa6582e58b18365c395eeaa90b00482ad13ebf09039e6f9c9dc9e82e13bb4d16991a23a5b477b24f7359403dec808ed421

Score
8/10
discovery

Malware Config

Signatures

  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 53 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Drops file in Program Files directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies Internet Explorer settings 1 TTPs 43 IoCs
    adwarespyware
  • Modifies system certificate store 2 TTPs 6 IoCs
    evasionspywaretrojan
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 11 IoCs
  • Suspicious use of WriteProcessMemory 34 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Setup_File_Magic_2021.exe
    "C:\Users\Admin\AppData\Local\Temp\Setup_File_Magic_2021.exe"
    1⤵
    • Loads dropped DLL
    • Modifies Internet Explorer settings
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2004
    • C:\Users\Admin\AppData\Local\Temp\{B6ED5377-2F07-49E1-8B2B-C2825CF33391}\FileMagic-S-1.9.8.19.exe
      "C:\Users\Admin\AppData\Local\Temp\{B6ED5377-2F07-49E1-8B2B-C2825CF33391}\FileMagic-S-1.9.8.19.exe" /verysilent /norestart /LANG en-us
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:1664
      • C:\Users\Admin\AppData\Local\Temp\is-N50HJ.tmp\FileMagic-S-1.9.8.19.tmp
        "C:\Users\Admin\AppData\Local\Temp\is-N50HJ.tmp\FileMagic-S-1.9.8.19.tmp" /SL5="$20182,60285589,131584,C:\Users\Admin\AppData\Local\Temp\{B6ED5377-2F07-49E1-8B2B-C2825CF33391}\FileMagic-S-1.9.8.19.exe" /verysilent /norestart /LANG en-us
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Drops file in Program Files directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of WriteProcessMemory
        PID:1160
        • C:\Program Files\Internet Explorer\iexplore.exe
          "C:\Program Files\Internet Explorer\iexplore.exe" http://www.solvusoft.com/en-us/file-magic/install/?utm_source=file-magic&utm_campaign=version_1.9.8.19_06042019&utm_medium=file-magic-standalone
          4⤵
          • Modifies Internet Explorer settings
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:1624
          • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
            "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1624 CREDAT:275457 /prefetch:2
            5⤵
            • Modifies Internet Explorer settings
            • Suspicious use of SetWindowsHookEx
            PID:844
        • C:\Program Files\File Magic\FileMagic.exe
          "C:\Program Files\File Magic\FileMagic.exe" /restartWithNoAdminRights lang=en-us
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Modifies system certificate store
          • Suspicious use of WriteProcessMemory
          PID:1816
          • C:\Windows\SysWOW64\explorer.exe
            "C:\Windows\System32\explorer.exe" C:\Program Files\File Magic\FileMagic.exe
            5⤵
              PID:2616
    • C:\Windows\explorer.exe
      C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
      1⤵
      • Suspicious use of WriteProcessMemory
      PID:2676
      • C:\Program Files\File Magic\FileMagic.exe
        "C:\Program Files\File Magic\FileMagic.exe"
        2⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        PID:2732

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/1160-76-0x00000000001D0000-0x00000000001D1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1664-68-0x0000000000400000-0x000000000042A000-memory.dmp

      Filesize

      168KB

      Download

    • memory/1816-89-0x0000000000530000-0x000000000056E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/1816-129-0x0000000000AA0000-0x0000000000AA6000-memory.dmp

      Filesize

      24KB

      Download

    • memory/1816-127-0x0000000004830000-0x0000000004831000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1816-142-0x0000000005F10000-0x0000000005F11000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1816-143-0x0000000004AC0000-0x0000000004AC3000-memory.dmp

      Filesize

      12KB

      Download

    • memory/1816-106-0x0000000000660000-0x0000000000661000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1816-100-0x0000000006050000-0x0000000006051000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1816-145-0x0000000004EC0000-0x0000000004EC1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1816-90-0x00000000022D0000-0x00000000022D1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1816-133-0x0000000006E20000-0x0000000006E21000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1816-86-0x0000000000DB0000-0x0000000000DB1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1816-94-0x0000000005060000-0x0000000005061000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2004-60-0x00000000765F1000-0x00000000765F3000-memory.dmp

      Filesize

      8KB

      Download

    • memory/2616-148-0x00000000725A1000-0x00000000725A3000-memory.dmp

      Filesize

      8KB

      Download

    • memory/2676-149-0x000007FEFC411000-0x000007FEFC413000-memory.dmp

      Filesize

      8KB

      Download

    • memory/2732-157-0x0000000005CE0000-0x0000000005CE1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2732-152-0x0000000000190000-0x0000000000191000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2732-160-0x00000000054D0000-0x00000000054D1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2732-161-0x0000000000690000-0x0000000000691000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2732-163-0x0000000004A10000-0x0000000004A11000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2732-164-0x0000000005370000-0x0000000005371000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2732-167-0x0000000006C30000-0x0000000006C31000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2732-168-0x0000000004A50000-0x0000000004A51000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2732-172-0x00000000072F0000-0x00000000072F1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2732-174-0x000000000F970000-0x000000000F971000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2732-175-0x0000000016B50000-0x0000000016B51000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2732-177-0x0000000004A15000-0x0000000004A26000-memory.dmp

      Filesize

      68KB

      Download

    • memory/2732-176-0x0000000007010000-0x0000000007019000-memory.dmp

      Filesize

      36KB

      Download