Analysis
- max time kernel: 318s
- max time network: 506s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 15/09/2022, 05:38
Static task: static1
Behavioral task: behavioral1 (Sample: VengefulLeather.msi; Resource: win7-20220901-en)
Behavioral task: behavioral2 (Sample: VengefulLeather.msi; Resource: win10v2004-20220812-en)
General
- Target: VengefulLeather.msi
- Size: 267.0MB
- MD5: e487592d43f5ca2045a3ac4e635cd5e1
- SHA1: 06523feddb2be5089e154bdfe570e1cef2ad00d3
- SHA256: a43fe5ebc7bb94b76b3031efb7f4e6cb3932066683ea55a214e6ae3e00b2822e
- SHA512: 5c08d9063c79cbf7efcdb83642a19b8dc4a8d905ca5279d19e8a1065d75e725789fc53fbd26480ea583eb374779d5256e2ca644419463b81d7fa3b3af7617405
- SSDEEP: 196608:OZCjrKC82BT3tT4j9mcMMkxbgWw6Zi5sS:OkjT82Bztkj4cMMWgi
Malware Config
Signatures
- Loads dropped DLL (4 IoCs)
  pid | Process
  4476 | MsiExec.exe
  4476 | MsiExec.exe
  4476 | MsiExec.exe
  4476 | MsiExec.exe

- Enumerates connected drives (3 TTPs, 48 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  description | ioc | Process
  File opened (read-only) | \??\L: | msiexec.exe
  File opened (read-only) | \??\M: | msiexec.exe
  File opened (read-only) | \??\N: | msiexec.exe
  File opened (read-only) | \??\T: | msiexec.exe
  File opened (read-only) | \??\Y: | msiexec.exe
  File opened (read-only) | \??\E: | msiexec.exe
  File opened (read-only) | \??\F: | msiexec.exe
  File opened (read-only) | \??\J: | msiexec.exe
  File opened (read-only) | \??\R: | msiexec.exe
  File opened (read-only) | \??\Q: | msiexec.exe
  File opened (read-only) | \??\S: | msiexec.exe
  File opened (read-only) | \??\V: | msiexec.exe
  File opened (read-only) | \??\H: | msiexec.exe
  File opened (read-only) | \??\L: | msiexec.exe
  File opened (read-only) | \??\N: | msiexec.exe
  File opened (read-only) | \??\Z: | msiexec.exe
  File opened (read-only) | \??\I: | msiexec.exe
  File opened (read-only) | \??\Z: | msiexec.exe
  File opened (read-only) | \??\B: | msiexec.exe
  File opened (read-only) | \??\V: | msiexec.exe
  File opened (read-only) | \??\W: | msiexec.exe
  File opened (read-only) | \??\G: | msiexec.exe
  File opened (read-only) | \??\X: | msiexec.exe
  File opened (read-only) | \??\A: | msiexec.exe
  File opened (read-only) | \??\I: | msiexec.exe
  File opened (read-only) | \??\K: | msiexec.exe
  File opened (read-only) | \??\X: | msiexec.exe
  File opened (read-only) | \??\Y: | msiexec.exe
  File opened (read-only) | \??\B: | msiexec.exe
  File opened (read-only) | \??\F: | msiexec.exe
  File opened (read-only) | \??\P: | msiexec.exe
  File opened (read-only) | \??\M: | msiexec.exe
  File opened (read-only) | \??\T: | msiexec.exe
  File opened (read-only) | \??\E: | msiexec.exe
  File opened (read-only) | \??\H: | msiexec.exe
  File opened (read-only) | \??\K: | msiexec.exe
  File opened (read-only) | \??\R: | msiexec.exe
  File opened (read-only) | \??\U: | msiexec.exe
  File opened (read-only) | \??\G: | msiexec.exe
  File opened (read-only) | \??\J: | msiexec.exe
  File opened (read-only) | \??\O: | msiexec.exe
  File opened (read-only) | \??\A: | msiexec.exe
  File opened (read-only) | \??\S: | msiexec.exe
  File opened (read-only) | \??\Q: | msiexec.exe
  File opened (read-only) | \??\P: | msiexec.exe
  File opened (read-only) | \??\U: | msiexec.exe
  File opened (read-only) | \??\W: | msiexec.exe
  File opened (read-only) | \??\O: | msiexec.exe

- Drops file in Windows directory (10 IoCs)
  description | ioc | Process
  File opened for modification | C:\Windows\Installer\e5682c1.msi | msiexec.exe
  File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log | msiexec.exe
  File opened for modification | C:\Windows\Installer\MSI935C.tmp | msiexec.exe
  File created | C:\Windows\Installer\inprogressinstallinfo.ipi | msiexec.exe
  File created | C:\Windows\Installer\SourceHash{F7227026-634A-41FF-A42B-E7297A5AD438} | msiexec.exe
  File opened for modification | C:\Windows\Installer\MSI9AC0.tmp | msiexec.exe
  File created | C:\Windows\Installer\e5682c1.msi | msiexec.exe
  File opened for modification | C:\Windows\Installer\MSI9010.tmp | msiexec.exe
  File opened for modification | C:\Windows\Installer\ | msiexec.exe
  File opened for modification | C:\Windows\Installer\MSI9B5D.tmp | msiexec.exe

- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid | Process
  4608 | msiexec.exe
  4608 | msiexec.exe

- Suspicious use of AdjustPrivilegeToken (46 IoCs)
  description | pid | Process
  Token: SeShutdownPrivilege | 1708 | msiexec.exe
  Token: SeIncreaseQuotaPrivilege | 1708 | msiexec.exe
  Token: SeSecurityPrivilege | 4608 | msiexec.exe
  Token: SeCreateTokenPrivilege | 1708 | msiexec.exe
  Token: SeAssignPrimaryTokenPrivilege | 1708 | msiexec.exe
  Token: SeLockMemoryPrivilege | 1708 | msiexec.exe
  Token: SeIncreaseQuotaPrivilege | 1708 | msiexec.exe
  Token: SeMachineAccountPrivilege | 1708 | msiexec.exe
  Token: SeTcbPrivilege | 1708 | msiexec.exe
  Token: SeSecurityPrivilege | 1708 | msiexec.exe
  Token: SeTakeOwnershipPrivilege | 1708 | msiexec.exe
  Token: SeLoadDriverPrivilege | 1708 | msiexec.exe
  Token: SeSystemProfilePrivilege | 1708 | msiexec.exe
  Token: SeSystemtimePrivilege | 1708 | msiexec.exe
  Token: SeProfSingleProcessPrivilege | 1708 | msiexec.exe
  Token: SeIncBasePriorityPrivilege | 1708 | msiexec.exe
  Token: SeCreatePagefilePrivilege | 1708 | msiexec.exe
  Token: SeCreatePermanentPrivilege | 1708 | msiexec.exe
  Token: SeBackupPrivilege | 1708 | msiexec.exe
  Token: SeRestorePrivilege | 1708 | msiexec.exe
  Token: SeShutdownPrivilege | 1708 | msiexec.exe
  Token: SeDebugPrivilege | 1708 | msiexec.exe
  Token: SeAuditPrivilege | 1708 | msiexec.exe
  Token: SeSystemEnvironmentPrivilege | 1708 | msiexec.exe
  Token: SeChangeNotifyPrivilege | 1708 | msiexec.exe
  Token: SeRemoteShutdownPrivilege | 1708 | msiexec.exe
  Token: SeUndockPrivilege | 1708 | msiexec.exe
  Token: SeSyncAgentPrivilege | 1708 | msiexec.exe
  Token: SeEnableDelegationPrivilege | 1708 | msiexec.exe
  Token: SeManageVolumePrivilege | 1708 | msiexec.exe
  Token: SeImpersonatePrivilege | 1708 | msiexec.exe
  Token: SeCreateGlobalPrivilege | 1708 | msiexec.exe
  Token: SeRestorePrivilege | 4608 | msiexec.exe
  Token: SeTakeOwnershipPrivilege | 4608 | msiexec.exe
  Token: SeRestorePrivilege | 4608 | msiexec.exe
  Token: SeTakeOwnershipPrivilege | 4608 | msiexec.exe
  Token: SeRestorePrivilege | 4608 | msiexec.exe
  Token: SeTakeOwnershipPrivilege | 4608 | msiexec.exe
  Token: SeRestorePrivilege | 4608 | msiexec.exe
  Token: SeTakeOwnershipPrivilege | 4608 | msiexec.exe
  Token: SeRestorePrivilege | 4608 | msiexec.exe
  Token: SeTakeOwnershipPrivilege | 4608 | msiexec.exe
  Token: SeRestorePrivilege | 4608 | msiexec.exe
  Token: SeTakeOwnershipPrivilege | 4608 | msiexec.exe
  Token: SeRestorePrivilege | 4608 | msiexec.exe
  Token: SeTakeOwnershipPrivilege | 4608 | msiexec.exe

- Suspicious use of FindShellTrayWindow (2 IoCs)
  pid | Process
  1708 | msiexec.exe
  1708 | msiexec.exe

- Suspicious use of SetWindowsHookEx (1 IoC)
  pid | Process
  4476 | MsiExec.exe

- Suspicious use of WriteProcessMemory (3 IoCs)
  description | pid | Process | procid_target
  PID 4608 wrote to memory of 4476 | 4608 | msiexec.exe | 81
  PID 4608 wrote to memory of 4476 | 4608 | msiexec.exe | 81
  PID 4608 wrote to memory of 4476 | 4608 | msiexec.exe | 81
Processes
- C:\Windows\system32\msiexec.exe (PID 1708)
  Command line: msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\VengefulLeather.msi
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow

- C:\Windows\system32\msiexec.exe (PID 4608)
  Command line: C:\Windows\system32\msiexec.exe /V
  - Enumerates connected drives
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  - C:\Windows\syswow64\MsiExec.exe (PID 4476, child of 4608)
    Command line: C:\Windows\syswow64\MsiExec.exe -Embedding E730B0A308EF63AE506671D8299C15AE
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 91KB
  MD5: 9f1e5d66c2889018daef4aef604eebc4
  SHA1: b80294261c8a1635e16e14f55a3d76889ff2c857
  SHA256: 02a81aea451cdfa2cd6668e3b814c4e50c6025e36b70ab972a8cc68aba5b3222
  SHA512: 8f8cbba79d2b6541e8b603a4a395cb938d77c358563bd745449bfee107ee64b88254a79ca5dd72fa05798a75c1464e7cca52556829f258009a3d33c9c3c5d39b
- Filesize: 264.6MB
  MD5: afddffa061874d57c30657ca8bfecba5
  SHA1: c6f6b3a00a704ed1ddeaf1cc3277f92872b308cc
  SHA256: 72276ed4421e592116f1720b01464e43306fbc3a9d97b7a43fe201237258234b
  SHA512: 40417d574d44a3cfd59b20e07ff3b86ba0eb0e57d54355202cd5e86dda7217e9d8113e2648701ec6d15d41dcaff030748d0cfa4e9442bea96d63a6168ffdc203