Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

8

Static

static

0f21d1be27...92.msi

windows7-x64

8

0f21d1be27...92.msi

windows10-2004-x64

8

Analysis

  • max time kernel
    79s
  • max time network
    143s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    29/09/2022, 12:36

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    0f21d1be273c71a066d1a66189bf0082394de92c830cfaa7bbbe4370e1cb9592.msi

  • Size

    107.1MB

  • MD5

    608b4ff0db79baf5ca8bbaf57ec7af31

  • SHA1

    c0c35f1d18172a5cbebb92387fd505f6509a095a

  • SHA256

    0f21d1be273c71a066d1a66189bf0082394de92c830cfaa7bbbe4370e1cb9592

  • SHA512

    49b6013ed5697ff95f3dbd43d55822cbe77ae633ffc0579d92a351103ee41b8f04883bb226391ea7357637b5cd4464d40f320265184d13327bc965f12ad8c549

  • SSDEEP

    3145728:6FEp1cAjJNOCsXvY27nm0LT419R/pt8OBp4e0/QN:n7FfknLdTC9R/piq0

Score
8/10

Malware Config

Signatures

  • Blocklisted process makes network request 3 IoCs
  • Loads dropped DLL 2 IoCs
  • Enumerates connected drives 3 TTPs 48 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 9 IoCs
  • Checks SCSI registry key(s) 3 TTPs 5 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 58 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Windows\system32\msiexec.exe
    msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\0f21d1be273c71a066d1a66189bf0082394de92c830cfaa7bbbe4370e1cb9592.msi
    1⤵
    • Blocklisted process makes network request
    • Enumerates connected drives
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:1800
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Enumerates connected drives
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4932
    • C:\Windows\system32\srtasks.exe
      C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:1424
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding E63C1A4F56230012BD4A33E0B0C19D54
      2⤵
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:2284
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\pss60FF.ps1" -propFile "C:\Users\Admin\AppData\Local\Temp\msi60DD.txt" -scriptFile "C:\Users\Admin\AppData\Local\Temp\scr60ED.ps1" -scriptArgsFile "C:\Users\Admin\AppData\Local\Temp\scr60EE.txt" -propSep " :<->: " -testPrefix "_testValue."
        3⤵
        • Blocklisted process makes network request
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3380
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Checks SCSI registry key(s)
    • Suspicious use of AdjustPrivilegeToken
    PID:4732

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\357F04AD41BCF5FE18FCB69F60C6680F_BF078D10C8803A26975CCE57E07C78A2
    Filesize

    1KB

    MD5

    c755915996db22bfd7d24ddee962bb20

    SHA1

    c8b0bdf83005e653fb0fccc4ff30ae75a1ba5b2e

    SHA256

    b2d762b026844472d8b2f1d89d56a93808fc6fc9aec8de6ce36fcce0b62017c2

    SHA512

    9c525b6ce36fcf5adaaa7c31a5fc13f7d098fbcc1097df96a186669f5e646c5f88e0da981035850861baa5c8d84f03c31401867b2b15ab7c750a7271e8eb4058

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\9CB4373A4252DE8D2212929836304EC5_1AB74AA2E3A56E1B8AD8D3FEC287554E
    Filesize

    1KB

    MD5

    2a30cb176c557808bb64665f58821746

    SHA1

    f75cf1d2fe25e9bb3da559d35e8646a9ebd62cef

    SHA256

    8d48d59acb766f576f1b582cfec5df11b9e1d85c18e5281caafeebeb712e6cc7

    SHA512

    5f5e91b37ccd6b3a4b781c1143bc73b81d022a2406112ac8f1573f0e0c9e86d848429564df80433d69f1989c25993116f12020b265d8278a8aa54b77acacf62b

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\357F04AD41BCF5FE18FCB69F60C6680F_BF078D10C8803A26975CCE57E07C78A2
    Filesize

    544B

    MD5

    dd4efc083e16961d4c71971ac7da94b1

    SHA1

    94640d2f28784a076a30d6be2b26cf9490b184e6

    SHA256

    4dfe3e814e4fccdd9f2a23ab1b0d16f48b5ef1eb37b3d1807a84039acaa35d22

    SHA512

    3b23107700ab96ccb6cdac2ad05edf1baf4782160c4a0eae85f72df790998b0a4433f0e4d34e7b58ac1a6025bcb35e184fd5b2abe60f60d0f44d6e15e05d7c42

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\9CB4373A4252DE8D2212929836304EC5_1AB74AA2E3A56E1B8AD8D3FEC287554E
    Filesize

    536B

    MD5

    57ec9b4fa434457645d75e99cae7e6a5

    SHA1

    d272f2f0ffaab504ca3ce3047460cafafa69563c

    SHA256

    6460e77276a92647ebdddc479ca88f22af8d6abedaf5de7593a63599dde1deb3

    SHA512

    29312e88e23f78df25c9ae20bfc00d7c64151e23991f2e6aeb453cbd0a9495a4dc52baa8f16f3f7992990564b6a89d3fb9cbeedfd13338a150a6ef11fe8ce36b

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\pss60FF.ps1
    Filesize

    5KB

    MD5

    8f69da7a9f4b3c2d0f423583b262ed49

    SHA1

    b6d2ceb18fe78d279f76f412e4660bff5f6a88c7

    SHA256

    dc6b6e1812f41c80ee67a72ebcb7a999488c866d805354936fb7506667005b43

    SHA512

    71782d54137e87ec8d4311adf83b9b269aadfcba55b753ce8562d0fe74cc95f00118b01f3139b8ff0a142156d6461bececfc38380e9acd0c117b2fff0e846edf

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\scr60ED.ps1
    Filesize

    916B

    MD5

    9cc0e053f9cb7fe7316ab4ac0f54b860

    SHA1

    27567b88e0d64fe00d7824e1d1f3a5f985b44f80

    SHA256

    11ef5da36a51f1546992b9c1ba34a5075cb22d468c81308c040dbc4fa2046f58

    SHA512

    59940809a75d083794da8d76e4ed74832198822c70d40c8f6544e75614ea68ca719087943d5c93e1ab61eeb628087ea87b776ca6590d97149edc2b7c26dbf9fc

    Download Submit

  • C:\Windows\Installer\MSI3846.tmp
    Filesize

    268KB

    MD5

    b862a8faa3bdfd0dc181010c58460340

    SHA1

    855626e83f2f2364ce663ef280e2479d10963d0f

    SHA256

    4b588e4342713920a31acbd249e55e0287cfb562860164506ac047fc70617ef1

    SHA512

    b6350e82edd993f16d899f6664acee913a8355c621e418568d30c3dc7689b399bb7b565173929f2827e3acb2377ddf35a22d50d714556b31d19d9c48313d7f8f

    Download Submit

  • C:\Windows\Installer\MSI3846.tmp
    Filesize

    268KB

    MD5

    b862a8faa3bdfd0dc181010c58460340

    SHA1

    855626e83f2f2364ce663ef280e2479d10963d0f

    SHA256

    4b588e4342713920a31acbd249e55e0287cfb562860164506ac047fc70617ef1

    SHA512

    b6350e82edd993f16d899f6664acee913a8355c621e418568d30c3dc7689b399bb7b565173929f2827e3acb2377ddf35a22d50d714556b31d19d9c48313d7f8f

    Download Submit

  • C:\Windows\Installer\MSI6091.tmp
    Filesize

    670KB

    MD5

    846afe3ed676561d5f2cb293177f6c03

    SHA1

    bd31e948dca976ab54f8a01b87cbd6920659dc92

    SHA256

    d3f27a9fb0862de63db0e05de28a02c7913139c10440e0b9bff25c76a90806ed

    SHA512

    e5c10552930223fc818f5e973de482e0d9664defa3771be208be05dd944bef2ae279285a14ac0278ff4cc9d7384e4811e46434018dde314d6150855d9238457e

    Download Submit

  • C:\Windows\Installer\MSI6091.tmp
    Filesize

    670KB

    MD5

    846afe3ed676561d5f2cb293177f6c03

    SHA1

    bd31e948dca976ab54f8a01b87cbd6920659dc92

    SHA256

    d3f27a9fb0862de63db0e05de28a02c7913139c10440e0b9bff25c76a90806ed

    SHA512

    e5c10552930223fc818f5e973de482e0d9664defa3771be208be05dd944bef2ae279285a14ac0278ff4cc9d7384e4811e46434018dde314d6150855d9238457e

    Download Submit

  • \??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2
    Filesize

    23.0MB

    MD5

    05f29fb1aa576fad28694f25dc36f4bd

    SHA1

    15ce4446dfbfb33b095a67e03176336c655e3928

    SHA256

    0abcfbad0a0457651434a95b696be92aa16e098d4b70a5e3ddff483f1ee7b349

    SHA512

    7fed819d207774c86b6c5567f82bdad80713503e1327fd6210171e875157c418275dc4193f309968362338d17462d754177c669627c5fe3fb947315dea32ba7e

    Download Submit

  • \??\Volume{2fb4ccdc-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{ce83cae3-21df-4009-a371-04575bb0ab1f}_OnDiskSnapshotProp
    Filesize

    5KB

    MD5

    4362b397e2119e3059531759dad04c3d

    SHA1

    47e9c818d9dd7613bc1e8d21b321ee0eabe87195

    SHA256

    c3f2db39ad99f13032e60d3df7f68af9925bbea043aefa37d2d22fccb774070d

    SHA512

    b999eca14ac95d90bb0a31af71ceedef857defa2fa3d9cd388badce77b9bbf918943fa88679e176fd6248a072eb3ae12a51ac02145cb7ea6c19192ec43fcf545

    Download Submit

  • memory/3380-149-0x0000000005D00000-0x0000000005D66000-memory.dmp

    Filesize

    408KB

    Download

  • memory/3380-147-0x0000000005380000-0x00000000053A2000-memory.dmp

    Filesize

    136KB

    Download

  • memory/3380-148-0x0000000005BA0000-0x0000000005C06000-memory.dmp

    Filesize

    408KB

    Download

  • memory/3380-150-0x00000000063A0000-0x00000000063BE000-memory.dmp

    Filesize

    120KB

    Download

  • memory/3380-146-0x0000000005400000-0x0000000005A28000-memory.dmp

    Filesize

    6.2MB

    Download

  • memory/3380-152-0x0000000007390000-0x0000000007426000-memory.dmp

    Filesize

    600KB

    Download

  • memory/3380-153-0x00000000068D0000-0x00000000068EA000-memory.dmp

    Filesize

    104KB

    Download

  • memory/3380-154-0x0000000006930000-0x0000000006952000-memory.dmp

    Filesize

    136KB

    Download

  • memory/3380-155-0x0000000007A30000-0x0000000007FD4000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/3380-156-0x0000000008660000-0x0000000008CDA000-memory.dmp

    Filesize

    6.5MB

    Download

  • memory/3380-145-0x0000000004D90000-0x0000000004DC6000-memory.dmp

    Filesize

    216KB

    Download