Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

8

Static

static

3bd813b5ee...5c.msi

windows7-x64

8

3bd813b5ee...5c.msi

windows10-2004-x64

8

Analysis

  • max time kernel
    151s
  • max time network
    166s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    29/09/2022, 12:37

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    3bd813b5eef1dcf7c07c0c11985f134f507be766c0e60e7d5f9129b6356a415c.msi

  • Size

    108.2MB

  • MD5

    092cb4f416ab6b65bd04798070a73310

  • SHA1

    58e6de1202d2ec4991a94636fc9dd86099363e34

  • SHA256

    3bd813b5eef1dcf7c07c0c11985f134f507be766c0e60e7d5f9129b6356a415c

  • SHA512

    b608105fa87aef1cad2bbb1231511a5af6c94f74924258174d1127f5fce9b6937905ff79a777cc1cb55fe4093c5993f53bcf2fc6a1118fd44aa50756f7ea0d4b

  • SSDEEP

    3145728:VFEp1cAjJNOCsXvY27nm0LT419R/pt8OBp4e0/QNou:K7FfknLdTC9R/piq0

Score
8/10

Malware Config

Signatures

  • Blocklisted process makes network request 5 IoCs
  • Loads dropped DLL 2 IoCs
  • Enumerates connected drives 3 TTPs 48 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 9 IoCs
  • Checks SCSI registry key(s) 3 TTPs 5 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 58 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Windows\system32\msiexec.exe
    msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\3bd813b5eef1dcf7c07c0c11985f134f507be766c0e60e7d5f9129b6356a415c.msi
    1⤵
    • Blocklisted process makes network request
    • Enumerates connected drives
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:2484
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Enumerates connected drives
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4484
    • C:\Windows\system32\srtasks.exe
      C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:3424
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding B24331B647E7C79712446004A03884E9
      2⤵
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:4476
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\pssE0C9.ps1" -propFile "C:\Users\Admin\AppData\Local\Temp\msiE0C6.txt" -scriptFile "C:\Users\Admin\AppData\Local\Temp\scrE0C7.ps1" -scriptArgsFile "C:\Users\Admin\AppData\Local\Temp\scrE0C8.txt" -propSep " :<->: " -testPrefix "_testValue."
        3⤵
        • Blocklisted process makes network request
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4844
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Checks SCSI registry key(s)
    • Suspicious use of AdjustPrivilegeToken
    PID:2644

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\30069012ED3CF5DB92F9F4FC78D55E2D_16AA5B9B040CB195ADDB70661F18F3C5
    Filesize

    1KB

    MD5

    840032549ad516d6724e04f6886e3d9f

    SHA1

    26131af5698f74c0009e292436c75598701be23e

    SHA256

    357e9e282a7c0831f9e6d6cb93b3952c69c2f9cffd1fcb98378f5818336afd7e

    SHA512

    192a71bac1872248ed0084b959cc2b4ed292d14806306e00b3713fdf4a39245a2680e04819b3e281fabfb0747792b54afbcb2b7d2028987d3033141bd0c6b4da

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B03113490075047F519A3F760F0FF379_8ABAEC9182C56FA0B29963ED675C25A2
    Filesize

    2KB

    MD5

    a1fb7344c08fc10de56362e86efd50f2

    SHA1

    9d1acb607a4d660a21e4f2259eaebdab6bed335c

    SHA256

    9a484214016a7c8d9cd357921644ab6acb70b1df719b8c10c2a720c6a2224885

    SHA512

    8bc5dff17feecb3f674e60fe1989bc2a222c0c1cf27c06c77c16d49925ccf02402c1c2021126233a15b1789c9671e400bf45a8158064705370f0bfe91dbc7fb1

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\30069012ED3CF5DB92F9F4FC78D55E2D_16AA5B9B040CB195ADDB70661F18F3C5
    Filesize

    412B

    MD5

    5f4870b733961615252e6bf8fefa31d1

    SHA1

    c46e4537177a8492f4d1020b2a953149db6aec71

    SHA256

    fdc8df0485d3cbcde88b7ba1d47d793d157fc7b048faa523b0c306f284cd1f3d

    SHA512

    0c251f530b7b672f376f08f65b8b22824c8d3ed689d3f472f9a433abbc601dd6093cb12bb422dc35a4b6d5a185bd34fdb6193df420def445aa01bdf1d66d6ba7

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B03113490075047F519A3F760F0FF379_8ABAEC9182C56FA0B29963ED675C25A2
    Filesize

    428B

    MD5

    1fb5c6afee946d51b42de5d935542d1f

    SHA1

    a6d80b50bceffa5877da4ec6a8baf6c24ac3cbca

    SHA256

    a381e17b3a6c5d7cd8cba9e2a7e9e6ce10f3863ad08c881ec154510763561ff2

    SHA512

    7506f3338b2890a0a31a3e7518a99cdbc58e4eea9e78ae0951ce9882aee83cfcc1636bd5bb0ac7963d388efaabfdc96b9bb695db8a8e6b9d8176a051c559dfc6

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\pssE0C9.ps1
    Filesize

    5KB

    MD5

    8f69da7a9f4b3c2d0f423583b262ed49

    SHA1

    b6d2ceb18fe78d279f76f412e4660bff5f6a88c7

    SHA256

    dc6b6e1812f41c80ee67a72ebcb7a999488c866d805354936fb7506667005b43

    SHA512

    71782d54137e87ec8d4311adf83b9b269aadfcba55b753ce8562d0fe74cc95f00118b01f3139b8ff0a142156d6461bececfc38380e9acd0c117b2fff0e846edf

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\scrE0C7.ps1
    Filesize

    938B

    MD5

    150fcd3b26ad73ca622f31a76539e203

    SHA1

    baae826e08e91e8ea8a8490b1da288dad5059216

    SHA256

    2800f26315cb87bb348ba6c80965ac991199e11b14011136d90dbeaea754f606

    SHA512

    02e66adac47773c49a5ede1ab5c74bb96722bbc48015bdfd3334ba0a1324ed7de7d5b911508dbcd6d69749d27a83e90ce980fb7dc59eba27de0cf368ca209859

    Download Submit

  • C:\Windows\Installer\MSIBBD9.tmp
    Filesize

    268KB

    MD5

    b862a8faa3bdfd0dc181010c58460340

    SHA1

    855626e83f2f2364ce663ef280e2479d10963d0f

    SHA256

    4b588e4342713920a31acbd249e55e0287cfb562860164506ac047fc70617ef1

    SHA512

    b6350e82edd993f16d899f6664acee913a8355c621e418568d30c3dc7689b399bb7b565173929f2827e3acb2377ddf35a22d50d714556b31d19d9c48313d7f8f

    Download Submit

  • C:\Windows\Installer\MSIBBD9.tmp
    Filesize

    268KB

    MD5

    b862a8faa3bdfd0dc181010c58460340

    SHA1

    855626e83f2f2364ce663ef280e2479d10963d0f

    SHA256

    4b588e4342713920a31acbd249e55e0287cfb562860164506ac047fc70617ef1

    SHA512

    b6350e82edd993f16d899f6664acee913a8355c621e418568d30c3dc7689b399bb7b565173929f2827e3acb2377ddf35a22d50d714556b31d19d9c48313d7f8f

    Download Submit

  • C:\Windows\Installer\MSIE0A9.tmp
    Filesize

    670KB

    MD5

    846afe3ed676561d5f2cb293177f6c03

    SHA1

    bd31e948dca976ab54f8a01b87cbd6920659dc92

    SHA256

    d3f27a9fb0862de63db0e05de28a02c7913139c10440e0b9bff25c76a90806ed

    SHA512

    e5c10552930223fc818f5e973de482e0d9664defa3771be208be05dd944bef2ae279285a14ac0278ff4cc9d7384e4811e46434018dde314d6150855d9238457e

    Download Submit

  • C:\Windows\Installer\MSIE0A9.tmp
    Filesize

    670KB

    MD5

    846afe3ed676561d5f2cb293177f6c03

    SHA1

    bd31e948dca976ab54f8a01b87cbd6920659dc92

    SHA256

    d3f27a9fb0862de63db0e05de28a02c7913139c10440e0b9bff25c76a90806ed

    SHA512

    e5c10552930223fc818f5e973de482e0d9664defa3771be208be05dd944bef2ae279285a14ac0278ff4cc9d7384e4811e46434018dde314d6150855d9238457e

    Download Submit

  • \??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2
    Filesize

    23.0MB

    MD5

    249c4b58f8f9bb7027f8ac0dd3095f0b

    SHA1

    93a124944de1d17b9bde6775d57de81f7e4bf823

    SHA256

    fd164ef2de46912b13a5a1719dd1a1c3c0acd26827782eca6abaa2ecd9984a70

    SHA512

    721cb0b4ab6fa97e2161d637e0ad900e82f0fbb900ea3317ca06a5623471608619449efdc99ad74fa6a46777c17c693c4464b565453d1a8f9813da0a03cc6c59

    Download Submit

  • \??\Volume{5d2b4a7c-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{9ae47a96-9a56-46ed-b0aa-3d192e40ca7d}_OnDiskSnapshotProp
    Filesize

    5KB

    MD5

    979f0b6934a5d877385bcf4118893190

    SHA1

    6db4564b9eaf213dbbc982fe3dea31e6614c6d62

    SHA256

    5411bf9b983634f0c5d91a58a6d0bd4e3d93856469a192b6fbfd1c5cc5396fab

    SHA512

    87475a08a1df33dfba5ddec781d1b4dde7299721d4c8b4166019c1ab86db51b8af1dc03669ad7deafcec2eba53b861af8ffb75e518c4469e7c68a96ec1077564

    Download Submit

  • memory/4844-147-0x0000000005770000-0x0000000005792000-memory.dmp

    Filesize

    136KB

    Download

  • memory/4844-148-0x0000000006100000-0x0000000006166000-memory.dmp

    Filesize

    408KB

    Download

  • memory/4844-149-0x0000000006090000-0x00000000060F6000-memory.dmp

    Filesize

    408KB

    Download

  • memory/4844-150-0x00000000067B0000-0x00000000067CE000-memory.dmp

    Filesize

    120KB

    Download

  • memory/4844-146-0x00000000059C0000-0x0000000005FE8000-memory.dmp

    Filesize

    6.2MB

    Download

  • memory/4844-152-0x00000000079A0000-0x0000000007A36000-memory.dmp

    Filesize

    600KB

    Download

  • memory/4844-153-0x0000000006CD0000-0x0000000006CEA000-memory.dmp

    Filesize

    104KB

    Download

  • memory/4844-154-0x0000000006D20000-0x0000000006D42000-memory.dmp

    Filesize

    136KB

    Download

  • memory/4844-155-0x0000000008040000-0x00000000085E4000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/4844-156-0x0000000008C70000-0x00000000092EA000-memory.dmp

    Filesize

    6.5MB

    Download

  • memory/4844-145-0x0000000003190000-0x00000000031C6000-memory.dmp

    Filesize

    216KB

    Download