
Analysis

  • max time kernel: 143s
  • max time network: 182s
  • platform: windows10-2004_x64
  • resource: win10v2004-20221111-en
  • resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
  • submitted: 22/11/2022, 02:22

General

  • Target: first_penetration_hymen_after_school_torn_vagina_photo.msi
  • Size: 493.7MB
  • MD5: f30e0a07ab31aa82a9014d8626aa69a4
  • SHA1: 01da449c5ad5ff2ee9809a6ca45ef768805df7c0
  • SHA256: 72b098b0759c48d9a26366813435366cc4cb1d3017fe5952c3c5443d7372ec00
  • SHA512: bc8d013135d65a79160a99c28fadce46279f216520ec2662afafd3d686d50e99d6e4ac5d95cbd33e438e11cb18116379dc8c2931f08abae67b7b6c2917acf5d4
  • SSDEEP: 24576:ckqW3m8d0IWpxnKrxLWg3sz88e7fh498+txBxotbD7+eoYBsQ0kaJFub7e:lvm89pHrh49ZtaJPzB29FQ7e
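The target is a Windows Installer package, which is an OLE compound file whose tables and blobs are stored as streams with names packed into a private 6-bit alphabet. The static question this report raises is which embedded binary the custom action server later loads; DLL (Type 1) and EXE (Type 2) custom actions take their code from the Binary table, and each Binary row's blob is stored as its own "Binary.<Name>" stream. The script below is an added example for this report, not tria.ge code and not taken from the sample: it decodes MSI stream names and lists (or dumps) the Binary payload streams. `list_binary_streams` needs the third-party `olefile` package and a real .msi on disk; the encoder exists only to build test vectors without one. It does not parse the CustomAction rows themselves, which would need the string pool and column definitions.

```python
"""Decode Windows Installer OLE stream names and list Binary-table payloads.

Added example for this report; not tria.ge code, not from the sample.
Only list_binary_streams touches a real file (needs `pip install olefile`).
"""
from pathlib import Path
from typing import Optional

# '0'-'9' -> 0..9, 'A'-'Z' -> 10..35, 'a'-'z' -> 36..61, '.' -> 62, '_' -> 63
MSI_ALPHABET = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz._"
TABLE_PREFIX = "\u4840"  # first code unit of every table stream; rendered as "!"


def decode_stream_name(raw: str) -> str:
    """OLE directory-entry name -> MSI logical name ("!Binary", "Binary.foo", ...)."""
    out = []
    for ch in raw:
        code = ord(ch)
        if 0x3800 <= code < 0x4800:        # two alphabet characters packed into one unit
            code -= 0x3800
            out.append(MSI_ALPHABET[code & 0x3F])
            out.append(MSI_ALPHABET[(code >> 6) & 0x3F])
        elif 0x4800 <= code < 0x4840:      # one alphabet character
            out.append(MSI_ALPHABET[code - 0x4800])
        elif code == 0x4840:               # table-stream marker
            out.append("!")
        else:                              # anything else is stored verbatim
            out.append(ch)
    return "".join(out)


def encode_stream_name(name: str, is_table: bool = False) -> str:
    """Inverse of decode_stream_name; used here to build test vectors without a real MSI."""
    out = [TABLE_PREFIX] if is_table else []
    i = 0
    while i < len(name):
        a = MSI_ALPHABET.find(name[i])
        if a < 0:                          # not in the alphabet: stored as-is
            out.append(name[i])
            i += 1
            continue
        b = MSI_ALPHABET.find(name[i + 1]) if i + 1 < len(name) else -1
        if b >= 0:                         # pack a pair into one code unit
            out.append(chr(0x3800 + a + (b << 6)))
            i += 2
        else:                              # lone trailing character
            out.append(chr(0x4800 + a))
            i += 1
    return "".join(out)


def classify(decoded: str) -> str:
    """Table data, Binary-table payload, summary information, or other."""
    if decoded.startswith("!"):
        return "table"
    if decoded.startswith("Binary."):      # each Binary row's blob is its own stream
        return "binary-payload"
    if decoded.startswith("\x05"):         # \x05SummaryInformation
        return "summary"
    return "other"


def list_binary_streams(msi_path: str, dump_dir: Optional[str] = None) -> list:
    """Return (decoded name, size) for every Binary payload; optionally dump each to dump_dir."""
    import olefile  # third-party; pip install olefile
    ole = olefile.OleFileIO(msi_path)
    try:
        found = []
        for parts in ole.listdir(streams=True, storages=False):
            decoded = decode_stream_name(parts[-1])
            if classify(decoded) != "binary-payload":
                continue
            entry = "/".join(parts)
            found.append((decoded, ole.get_size(entry)))
            if dump_dir:
                Path(dump_dir).mkdir(parents=True, exist_ok=True)
                safe = "".join(c if c.isalnum() or c in "._" else "_" for c in decoded)
                Path(dump_dir, safe).write_bytes(ole.openstream(entry).read())
        return found
    finally:
        ole.close()


if __name__ == "__main__":
    import sys
    # usage: python msi_binary_streams.py package.msi [dump_dir]
    for name, size in list_binary_streams(sys.argv[1], sys.argv[2] if len(sys.argv) > 2 else None):
        print(f"{size:>12}  {name}")
```

Run it against the submitted package to see how much of the 493.7MB sits in a Binary payload versus the file cabinet; a Binary stream whose size is close to the MSI4C8A.tmp captures listed under Downloads would be the module the custom action server loaded.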

Score
8/10

Malware Config

Signatures

  • Blocklisted process makes network request (1 IoC)
  • Loads dropped DLL (2 IoCs)
  • Enumerates connected drives (3 TTPs, 48 IoCs)
    Attempts to read the root path of hard drives other than the default C: drive.
  • Drops file in Windows directory (4 IoCs)
  • Suspicious behavior: EnumeratesProcesses (3 IoCs)
  • Suspicious use of AdjustPrivilegeToken (36 IoCs)
  • Suspicious use of FindShellTrayWindow (2 IoCs)
  • Suspicious use of WriteProcessMemory (3 IoCs)

Processes

  • C:\Windows\system32\msiexec.exe (PID 1084)
    msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\first_penetration_hymen_after_school_torn_vagina_photo.msi
    • Blocklisted process makes network request
    • Enumerates connected drives
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
  • C:\Windows\system32\msiexec.exe (PID 2088)
    C:\Windows\system32\msiexec.exe /V
    • Enumerates connected drives
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    • C:\Windows\syswow64\MsiExec.exe (PID 4536, child of 2088)
      C:\Windows\syswow64\MsiExec.exe -Embedding 99349762F7E9FACAF5F105430BE05411
      • Loads dropped DLL

  How to read the tree: PID 1084 is the Windows Installer client, started with the package from the user's Temp directory; PID 2088 (msiexec /V) is the Windows Installer service, which stages package content under C:\Windows\Installer (the MSI4C8A.tmp captures under Downloads); PID 4536 is a 32-bit custom action server, which the service launches with the -Embedding switch, so "Loads dropped DLL" on it means a DLL custom action from the package ran inside that process. Every memory region listed under Downloads belongs to PID 4536.
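The tree above is the shape a detection should key on: an install switch pointing at a user-writable path, a 32-bit custom action server under the installer service, and that server loading a module from C:\Windows\Installer\MSI*.tmp, which is where Windows Installer extracts Binary-table code before running a DLL or EXE custom action. The script below is an added example, not tria.ge code, that runs three such rules over a list of process-creation and image-load events. The events are constructed from the report's process tree; the parent PIDs of the two top-level processes, the benign control install, and the image-load event for PID 4536 are assumptions (the report says only "Loads dropped DLL" for that process and lists MSI4C8A.tmp among the dropped files). The event dicts are a minimal Sysmon-like shape, not any product's schema.

```python
"""Rules for the msiexec process pattern in the report above.

Added example, not tria.ge code. EVENTS below are constructed: PIDs, images
and command lines come from the report; ppid 1234/676, the "benign" install
(PID 3000) and the image_load event are assumed.
"""
import re

# install switch (/i, /package, -i ...) followed by a package path, quoted or not
INSTALL_RE = re.compile(r'(?i)(?:^|\s)[/-](?:i|package)\s+"?([^"]+?\.msi)"?(?:\s|$)')
# package staged somewhere the user can write (Temp, Downloads, Desktop)
USER_WRITABLE_RE = re.compile(r"(?i)^[a-z]:\\users\\[^\\]+\\(appdata\\local\\temp|downloads|desktop)\\")
# Binary-table payloads are extracted here before a DLL/EXE custom action runs
EXTRACTED_CA_RE = re.compile(r"(?i)^[a-z]:\\windows\\installer\\msi[0-9a-f]+\.tmp$")

EVENTS = [
    {"type": "process_create", "pid": 1084, "ppid": 1234, "image": r"C:\Windows\system32\msiexec.exe",
     "cmdline": r"msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\first_penetration_hymen_after_school_torn_vagina_photo.msi"},
    {"type": "process_create", "pid": 2088, "ppid": 676, "image": r"C:\Windows\system32\msiexec.exe",
     "cmdline": r"C:\Windows\system32\msiexec.exe /V"},
    {"type": "process_create", "pid": 4536, "ppid": 2088, "image": r"C:\Windows\syswow64\MsiExec.exe",
     "cmdline": r"C:\Windows\syswow64\MsiExec.exe -Embedding 99349762F7E9FACAF5F105430BE05411"},
    # assumed: the module PID 4536 loaded; the report only says "Loads dropped DLL"
    {"type": "image_load", "pid": 4536, "image": r"C:\Windows\Installer\MSI4C8A.tmp"},
    # assumed benign control: a package installed from Program Files should not fire
    {"type": "process_create", "pid": 3000, "ppid": 1234, "image": r"C:\Windows\system32\msiexec.exe",
     "cmdline": r'msiexec.exe /i "C:\Program Files\Vendor\setup.msi"'},
]


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return (rule, pid, detail) tuples for every event that matches a rule."""
    procs = {e["pid"]: e for e in events if e["type"] == "process_create"}
    findings = []

    def is_wow64_ca_server(p):
        # 32-bit custom action server: syswow64\MsiExec.exe -Embedding <id>, parent is msiexec /V
        parent = procs.get(p.get("ppid"))
        return (basename(p["image"]) == "msiexec.exe"
                and "\\syswow64\\" in p["image"].lower()
                and "-embedding" in p["cmdline"].lower()
                and parent is not None
                and basename(parent["image"]) == "msiexec.exe"
                and re.search(r"(?i)\s/v(?:\s|$)", parent["cmdline"]) is not None)

    for p in procs.values():
        if basename(p["image"]) == "msiexec.exe":
            m = INSTALL_RE.search(p["cmdline"])
            if m and USER_WRITABLE_RE.match(m.group(1)):
                findings.append(("msi_install_from_user_path", p["pid"], m.group(1)))
        if is_wow64_ca_server(p):
            findings.append(("wow64_custom_action_server", p["pid"], p["cmdline"]))

    # image loads by a flagged custom action server from the Installer staging directory
    ca_servers = {pid for rule, pid, _ in findings if rule == "wow64_custom_action_server"}
    for e in events:
        if e["type"] == "image_load" and e["pid"] in ca_servers and EXTRACTED_CA_RE.match(e["image"]):
            findings.append(("custom_action_loads_extracted_module", e["pid"], e["image"]))
    return findings


if __name__ == "__main__":
    for rule, pid, detail in detect(EVENTS):
        print(f"{rule:38} pid={pid}  {detail}")
```

The first rule on its own is noisy in environments where users legitimately run downloaded installers; the second and third narrow it to packages that carry 32-bit custom action code, which is the combination this sample shows.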

Network

MITRE ATT&CK Enterprise v6


Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\42B9A473B4DAF01285A36B4D3C7B1662_178C086B699FD6C56B804AF3EF759CB5
    Filesize: 471B
    MD5: c7c4a68a3def2eda1ee9aa48befeb70a
    SHA1: 36cb1c17307a605aabb2888bfb55f79c4347b465
    SHA256: d7e1102849309b7d9c1a0ea0166d4a1dc7c1b89c35552c029cae3ad30b586c7b
    SHA512: 79195177250c27980e4b0e46306d23db4e57fb5ef70330b0c39a1bd31aeb0a88d900a3bd22b1522f926609c3fad1c60750a99e127eead1ea355f97f5dcad3447
  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\66AE3BFDF94A732B262342AD2154B86E_2A1F4CCD74E7AC1EAF9433BC50ADF937
    Filesize: 471B
    MD5: 7698d17f076d12b2708d519093eb4022
    SHA1: 59d7998e4ee036ce314f4025c7cabeee3dbe61b3
    SHA256: 029c6431c993f07f0183ea5b0acef6c5f6e0fc0eaa8ba913d1e30b762e80ad71
    SHA512: 4ab92144d75870d4cd1f2442999d3dd7e7b31a1ce0159c10de92d994e0f1d6a0c4119034c79076ba3b8740d3e4735a3b25ad5f5ee7ab8e4b47d64b046284e83e
  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\42B9A473B4DAF01285A36B4D3C7B1662_178C086B699FD6C56B804AF3EF759CB5
    Filesize: 434B
    MD5: 397ef3ae54d87f69028ebbc23be9ad53
    SHA1: cfd28dbdd7adf6c4398e2698f19c1051c2750cda
    SHA256: 630df38cba944e798af7bb3e6c91bc812b71a5d0466287812661927fa98a27da
    SHA512: 20ebf978e716b6b44eb5dc9b1c5ecc62e1ef230064e3a26b647424e3ab9d88bf6ccb87df30f471466fe6dd4dc473fcc38e1eb4d8920c7898e324d09a9cf5d680
  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\66AE3BFDF94A732B262342AD2154B86E_2A1F4CCD74E7AC1EAF9433BC50ADF937
    Filesize: 434B
    MD5: 2ddd1520210152cb7002ea5720bbc61e
    SHA1: 5a3d1671e2f4cf60008eb4fccd8549db4e944cc8
    SHA256: f06bca35375abf10669ea3213b0f5272d9b6c4eac5f34e70e10d17de471d074c
    SHA512: 6a9fea8a7317d8e2f40db3bc956ff90d060d1459f51408f4842d05b94db04995fba1520c164c3d7b2fcc4077fbfe37992d6f66d3c1b4c3007cd7d3222856bac8

    The four CryptnetUrlCache entries (two Content/MetaData pairs) are written by CryptoAPI when it fetches a certificate chain or revocation object over the network. They live in the user's LocalLow profile, so they most likely come from the user-context installer client (PID 1084, the process flagged for the network request); they are a by-product of certificate validation, not content extracted from the package.

  • C:\Windows\Installer\MSI4C8A.tmp
    Filesize: 464.8MB
    MD5: 72d04ad0ed94e0fb383b9e624c0a56f7
    SHA1: 1d5ec32e37da628a994698df147ce91b574cd21e
    SHA256: e73d4e3381875518faf237528e5ee17aede897959e6f083b115c8ae810d23277
    SHA512: 29ecfcd1bb165b8acb66efd80ca35b6d96d944c21e9c9dc359d51526342b479ec6c48db692167e807ef1f56c16beab97a0e982d88b68fc7f7bdda52b82a911ff
  • C:\Windows\Installer\MSI4C8A.tmp
    Filesize: 469.1MB
    MD5: 60184db98c6b0d281b9893f04fa9759c
    SHA1: 203ffb671a11585a89e37cde82a20fb0b52a6bad
    SHA256: 3c6466d591375796ba88f762c73b455dad99fdb7a319f61ccb95209ba2f40723
    SHA512: 25e8e4a2f0ff2f32b6a6479ba48b1fc57f070608b0fd2031b6e264da63c3d4934e930fefff37345f6c4d47266e5446826d2ba14516e824f2296eaf7f0237681d
  • C:\Windows\Installer\MSI4C8A.tmp
    Filesize: 493.2MB
    MD5: 1d10eb16b41654fe606528cd6e6f9c39
    SHA1: 80ac2eb7c27b8517f71b6843e51574aaa6e04ad9
    SHA256: 310384a81efdf5b7a3267caa6c20ec1e473a24eab85ff541c1574c10ce11fd0c
    SHA512: fa7470fb364096217372059c75df5308a96381d6aa5ec71f96e7b2effc9b55d2f42e13514db17eed1577da5bcb09cb3c3d4c0f4368760ebd21a06a92ed159423

    The same path is listed three times with increasing size and different hashes, consistent with the sandbox capturing the file while the installer service was still writing it. Only the last capture should be treated as the complete artifact; at 493.2MB it is also the closest to the 493.7MB submitted package.

  • memory/4536-140-0x00000000215A0000-0x00000000216A2000-memory.dmp
    Filesize: 1.0MB
  • memory/4536-141-0x0000000002870000-0x0000000003870000-memory.dmp
    Filesize: 16.0MB
  • memory/4536-142-0x00000000215A0000-0x00000000216A2000-memory.dmp
    Filesize: 1.0MB
  • memory/4536-143-0x0000000002870000-0x0000000003870000-memory.dmp
    Filesize: 16.0MB
  • memory/4536-145-0x0000000002A30000-0x0000000002AE6000-memory.dmp
    Filesize: 728KB
  • memory/4536-148-0x0000000002870000-0x000000000295D000-memory.dmp
    Filesize: 948KB
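Turning this block into usable indicators means more than copying hashes: the same path can appear several times (MSI4C8A.tmp above has three captures with three different hash sets), and the memory entries carry only a size. The script below is an added example, not tria.ge code, that parses the Downloads block in the plain-text form shown on this page into records, converts the sizes, flags paths whose captures disagree, and collects a hash set for a blocklist. SAMPLE is an excerpt copied from the report above with SHA1/SHA512 left out for brevity; the parser accepts both the "Key: value" layout and the layout with the key on one line and the value on the next.

```python
"""Parse a tria.ge "Downloads" block into records and derive indicators.

Added example, not tria.ge code. SAMPLE is an excerpt of the report above
(SHA1/SHA512 omitted for brevity); sizes are tria.ge's rounded values.
"""
import re
from collections import defaultdict

SAMPLE = r"""
  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\42B9A473B4DAF01285A36B4D3C7B1662_178C086B699FD6C56B804AF3EF759CB5
    Filesize: 471B
    MD5: c7c4a68a3def2eda1ee9aa48befeb70a
    SHA256: d7e1102849309b7d9c1a0ea0166d4a1dc7c1b89c35552c029cae3ad30b586c7b
  • C:\Windows\Installer\MSI4C8A.tmp
    Filesize: 464.8MB
    MD5: 72d04ad0ed94e0fb383b9e624c0a56f7
    SHA256: e73d4e3381875518faf237528e5ee17aede897959e6f083b115c8ae810d23277
  • C:\Windows\Installer\MSI4C8A.tmp
    Filesize: 469.1MB
    MD5: 60184db98c6b0d281b9893f04fa9759c
    SHA256: 3c6466d591375796ba88f762c73b455dad99fdb7a319f61ccb95209ba2f40723
  • C:\Windows\Installer\MSI4C8A.tmp
    Filesize: 493.2MB
    MD5: 1d10eb16b41654fe606528cd6e6f9c39
    SHA256: 310384a81efdf5b7a3267caa6c20ec1e473a24eab85ff541c1574c10ce11fd0c
  • memory/4536-145-0x0000000002A30000-0x0000000002AE6000-memory.dmp
    Filesize: 728KB
"""

UNITS = {"B": 1, "KB": 1024, "MB": 1024 ** 2, "GB": 1024 ** 3}
# "Filesize: 471B" (value on the same line) or bare "Filesize" (value on the next line)
FIELD_RE = re.compile(r"^(Filesize|MD5|SHA1|SHA256|SHA512)(?::\s*(\S+))?$")


def size_to_bytes(text: str) -> int:
    """'471B' -> 471, '1.0MB' -> 1048576. tria.ge rounds to one decimal, so KB/MB values are approximate."""
    m = re.fullmatch(r"([0-9]+(?:\.[0-9]+)?)\s*(B|KB|MB|GB)", text.strip())
    if not m:
        raise ValueError(f"unrecognised size: {text!r}")
    return int(round(float(m.group(1)) * UNITS[m.group(2)]))


def parse_downloads(text: str) -> list:
    """One dict per bullet: path, any of Filesize/MD5/SHA1/SHA256/SHA512, bytes, is_memory_dump."""
    records, current, pending = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("•"):              # a new artifact starts
            current = {"path": line[1:].strip()}
            records.append(current)
            pending = None
            continue
        if current is None:                   # text before the first bullet
            continue
        m = FIELD_RE.match(line)
        if m and m.group(2):                  # "Key: value"
            current[m.group(1)] = m.group(2)
        elif m:                               # "Key", value follows on the next line
            pending = m.group(1)
        elif pending:
            current[pending] = line
            pending = None
    for rec in records:
        if "Filesize" in rec:
            rec["bytes"] = size_to_bytes(rec["Filesize"])
        rec["is_memory_dump"] = rec["path"].startswith("memory/")
    return records


def multi_capture_paths(records) -> dict:
    """Paths captured more than once with differing SHA256, i.e. the file changed between captures."""
    seen = defaultdict(set)
    for rec in records:
        if "SHA256" in rec:
            seen[rec["path"]].add(rec["SHA256"].lower())
    return {path: len(hashes) for path, hashes in seen.items() if len(hashes) > 1}


def hash_set(records, algo: str = "SHA256") -> set:
    """All hashes of one algorithm, lower-cased, for a blocklist or retro-hunt."""
    return {rec[algo].lower() for rec in records if algo in rec}


def largest_capture(records, path: str):
    """The biggest capture of a path; for a file caught mid-write this is the most complete one."""
    candidates = [r for r in records if r["path"] == path and "bytes" in r]
    return max(candidates, key=lambda r: r["bytes"]) if candidates else None


if __name__ == "__main__":
    recs = parse_downloads(SAMPLE)
    print(f"{len(recs)} artifacts, {len(hash_set(recs))} distinct SHA256")
    for path, n in multi_capture_paths(recs).items():
        best = largest_capture(recs, path)
        print(f"{path}: {n} captures, largest {best['Filesize']} sha256={best['SHA256']}")
```

When feeding the result into a blocklist, keep all three MSI4C8A.tmp hashes but record that only the largest capture is the complete file; the partial captures are still useful as exact-match indicators for the same sandbox run, not for the artifact as it exists on a victim host.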