Overview

overview

8

Static

static

1

TortoiseGi...it.msi

windows7-x64

8

TortoiseGi...it.msi

windows10-2004-x64

8

Analysis

  • max time kernel
    139s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20230220-en
  • resource tags

    arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
  • submitted
    12/04/2023, 19:27

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    TortoiseGit-2.14.0.0-64bit.msi

  • Size

    21.6MB

  • MD5

    ca36bf3998301057ab7f4f64a84085f5

  • SHA1

    66353468825a754f384f9c1bd3e34b37bd9071f7

  • SHA256

    df07f0f3d9888fd153d5d08f4a8ccb1ba4f2553316d78e101c1800bc42f9ad0c

  • SHA512

    87ad935e1329a0e6076b3a58e27e149b08adbc516328ecbe47707d41601af9b0277a8a591a5fee723d3d9e9778e123e6434f23d1a930b12d5f10519df6f23636

  • SSDEEP

    393216:348DJa1Zmo8Swa0evzN0eAUAyzziv7asm7sf7SG8aQASSV7e9Jdmq6sbNyPDN:348Vkmz4zN0KA1TgcqarSSV7e4bB

Score
8/10
persistence

Malware Config

Signatures

  • Blocklisted process makes network request 3 IoCs
  • Loads dropped DLL 9 IoCs
  • Modifies system executable filetype association 2 TTPs 2 IoCs
    persistence
  • Registers COM server for autorun 1 TTPs 64 IoCs
    persistence
  • Enumerates connected drives 3 TTPs 48 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 13 IoCs
  • Modifies data under HKEY_USERS 46 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Windows\system32\msiexec.exe
    msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\TortoiseGit-2.14.0.0-64bit.msi
    1⤵
    • Blocklisted process makes network request
    • Enumerates connected drives
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:1996
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Blocklisted process makes network request
    • Loads dropped DLL
    • Modifies system executable filetype association
    • Registers COM server for autorun
    • Enumerates connected drives
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Modifies data under HKEY_USERS
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2028
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding 53B2576E1CC9387DA546A0C133B781F3
      2⤵
      • Loads dropped DLL
      PID:1808
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:676
  • C:\Windows\system32\DrvInst.exe
    DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000003D4" "00000000000004A0"
    1⤵
    • Drops file in Windows directory
    • Modifies data under HKEY_USERS
    • Suspicious use of AdjustPrivilegeToken
    PID:1348

Network

        MITRE ATT&CK Enterprise v6

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Config.Msi\6d67cb.rbs
          Filesize

          112KB

          MD5

          58c48b00df947432ad1f5ec9ba8f735d

          SHA1

          87b0efb12d210a7cf409312b3b5d472f856801d0

          SHA256

          6789283ff58a88e0828673a7420a8c1fc92e60e1fa2444bd48d4e4d3a9bef55d

          SHA512

          cbf8191b0c29a79368de9abfafacf3c1fe37de326af8f837b480b5cb5153688b9cd107842be1546b50ba6c602b8c68fb7596dd494eda7aef9bf8ef08236ef6bb

          Download Submit

        • C:\Program Files (x86)\Common Files\TortoiseOverlays\icons\XPStyle\IgnoredIcon.ico
          Filesize

          31KB

          MD5

          cf15744ad19756eb089f48848a0b0514

          SHA1

          a68ddf3b4553b34e2b6cd6aa30e6242a6ea9ec60

          SHA256

          8e8c74fb8ed84184c0671df1d6a17f538a5926981e2d0f05603d87f7a3100f5b

          SHA512

          c5c87e8e0c85068a14b28ad269ef12561611df41205d0490c1e5dbbe167c4d538ab3941cddf4fb26ea28a8ab0d4d6fca1a8665b558b1cea6f55c34546bbe205d

          Download Submit

        • C:\Program Files\TortoiseGit\bin\TortoiseGitProc.exe
          Filesize

          13.0MB

          MD5

          0aeb946e4b63cf02c5b9298d54dd5119

          SHA1

          372c990319f325d7c9adcb58b859b4d6397f5f59

          SHA256

          d3293cbcf17127a6900372853fdc1c662856c7b0a7cc2b34927ceb6c716f6abd

          SHA512

          884a79295b6d79b7c297f8366e5727e96f9eeacd4268e3e221c3b76e3c39b8d9782f356fa9522e799e52d5ae9c85dcc6be9b12bfc14cc10f39966483eb24a39c

          Download Submit

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\538F535B7FBDE384E456CC9F5DA5FBAB
          Filesize

          1KB

          MD5

          6d469ed9256d08235b5e747d1e27dbf2

          SHA1

          d3dd483e2bbf4c05e8af10f5fa7626cfd3dc3092

          SHA256

          b676f2eddae8775cd36cb0f63cd1d4603961f49e6265ba013a2f0307b6d0b804

          SHA512

          04cbf2a5f740d030208136b0ee1db38299943c74efa55045f564268246a929018fcaf26aa02768bb20321aa3f70c4609c163c75a3929ef8da016de000566a74c

          Download Submit

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
          Filesize

          61KB

          MD5

          e71c8443ae0bc2e282c73faead0a6dd3

          SHA1

          0c110c1b01e68edfacaeae64781a37b1995fa94b

          SHA256

          95b0a5acc5bf70d3abdfd091d0c9f9063aa4fde65bd34dbf16786082e1992e72

          SHA512

          b38458c7fa2825afb72794f374827403d5946b1132e136a0ce075dfd351277cf7d957c88dc8a1e4adc3bcae1fa8010dae3831e268e910d517691de24326391a6

          Download Submit

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
          Filesize

          61KB

          MD5

          e71c8443ae0bc2e282c73faead0a6dd3

          SHA1

          0c110c1b01e68edfacaeae64781a37b1995fa94b

          SHA256

          95b0a5acc5bf70d3abdfd091d0c9f9063aa4fde65bd34dbf16786082e1992e72

          SHA512

          b38458c7fa2825afb72794f374827403d5946b1132e136a0ce075dfd351277cf7d957c88dc8a1e4adc3bcae1fa8010dae3831e268e910d517691de24326391a6

          Download Submit

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\538F535B7FBDE384E456CC9F5DA5FBAB
          Filesize

          194B

          MD5

          fbd2735cea3b67cb64f97cbaf38efd7e

          SHA1

          4daf358a83790cc72e0ce2647f1e928d409f52e1

          SHA256

          38bd9cffc078dcc0a48f08bc00934c6f90a54859eaa25624b46fe2fa083ea2a7

          SHA512

          d5799c2b4cc09bbb81bccd207446a4edaf4d31d947cff4327f91ccfeeec678ac33310c84cd7282eae4abef9366d9209f8e94fe29e1ee2f8f7331f4ed8ea26fb6

          Download Submit

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
          Filesize

          342B

          MD5

          22522ff311b3de6b701c4a4ae77b8498

          SHA1

          174f79258aa3278b76dc0e454edda974bce6b4e6

          SHA256

          d8ca2575b06e306811a4a168413e3cd0f868718f5ee9a8ceaea2985f4be22799

          SHA512

          06a5fd7ca4dfa925686a94ba785ae4d115b25b21485b45879e8028cd65e13e8abef51b497040498b20537b1fcd15873301ecbd8a2a11c50451abefce57cc1dc1

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\CabF01.tmp
          Filesize

          61KB

          MD5

          fc4666cbca561e864e7fdf883a9e6661

          SHA1

          2f8d6094c7a34bf12ea0bbf0d51ee9c5bb7939a5

          SHA256

          10f3deb6c452d749a7451b5d065f4c0449737e5ee8a44f4d15844b503141e65b

          SHA512

          c71f54b571e01f247f072be4bbebdf5d8410b67eb79a61e7e0d9853fe857ab9bd12f53e6af3394b935560178107291fc4be351b27deb388eba90ba949633d57d

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\Tar105B.tmp
          Filesize

          161KB

          MD5

          73b4b714b42fc9a6aaefd0ae59adb009

          SHA1

          efdaffd5b0ad21913d22001d91bf6c19ecb4ac41

          SHA256

          c0cf8cc04c34b5b80a2d86ad0eafb2dd71436f070c86b0321fba0201879625fd

          SHA512

          73af3c51b15f89237552b1718bef21fd80788fa416bab2cb2e7fb3a60d56249a716eda0d2dd68ab643752272640e7eaaaf57ce64bcb38373ddc3d035fb8d57cd

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\Tar11F7.tmp
          Filesize

          161KB

          MD5

          be2bec6e8c5653136d3e72fe53c98aa3

          SHA1

          a8182d6db17c14671c3d5766c72e58d87c0810de

          SHA256

          1919aab2a820642490169bdc4e88bd1189e22f83e7498bf8ebdfb62ec7d843fd

          SHA512

          0d1424ccdf0d53faf3f4e13d534e12f22388648aa4c23edbc503801e3c96b7f73c7999b760b5bef4b5e9dd923dffe21a21889b1ce836dd428420bf0f4f5327ff

          Download Submit

        • C:\Windows\Installer\6d67c9.msi
          Filesize

          21.6MB

          MD5

          ca36bf3998301057ab7f4f64a84085f5

          SHA1

          66353468825a754f384f9c1bd3e34b37bd9071f7

          SHA256

          df07f0f3d9888fd153d5d08f4a8ccb1ba4f2553316d78e101c1800bc42f9ad0c

          SHA512

          87ad935e1329a0e6076b3a58e27e149b08adbc516328ecbe47707d41601af9b0277a8a591a5fee723d3d9e9778e123e6434f23d1a930b12d5f10519df6f23636

          Download Submit

        • C:\Windows\Installer\MSI6BE6.tmp
          Filesize

          233KB

          MD5

          69ce0f47a489fc5ed1980b43bf0eb0e6

          SHA1

          3f6d8ceece019812d43a0de767fc7bd72f2ce241

          SHA256

          b29b65905905f7d9279737fad9ee4dbfb9375109ec03c0db2d96e11b031e9a70

          SHA512

          ade5af5a8ca4716eb651d7de0f9bfd9c2f155884a022312fa808439f56b55ac5375dda3b4cd2dcf9af105d99cdc991e74250246f7c600a13b80507859bf43bb7

          Download Submit

        • \Program Files\TortoiseGit\bin\TortoiseGitIDiff.exe
          Filesize

          440KB

          MD5

          b6eae80b20499aceb8909463d01ff965

          SHA1

          95a49bc34df516912c7e0f607280a27e945edbb7

          SHA256

          738df1e15728654cb627de1bd3125350aac7a9488dded86dcb3eb683756522e9

          SHA512

          12c10fba7d76531985de1236cd12d723511fbb340112446cd81eb22240e66e0e5b24369222b5f198477b11e9c066d16c2d517d968e2318a3ad4238116d8c6615

          Download Submit

        • \Program Files\TortoiseGit\bin\TortoiseGitMerge.exe
          Filesize

          2.0MB

          MD5

          3d4de9fe3ac403524f2c728e80f48a49

          SHA1

          b954379c3fbabb1bb12ccf5cf1d51ad5b8eb8a9e

          SHA256

          b28802fad12ac1b7b7644bb3122a7ea6a9eb95babd9d2f8cb25353ad331a1472

          SHA512

          5e7321476f6d164c206b6b30562f613f6e6a744ebe4e46f40d8fb61b5a393eba902ae7d152d205c2d40bd74adc4f5ace92ccfd42f1295bc8db0294de9b1fb708

          Download Submit

        • \Program Files\TortoiseGit\bin\TortoiseGitProc.exe
          Filesize

          13.0MB

          MD5

          0aeb946e4b63cf02c5b9298d54dd5119

          SHA1

          372c990319f325d7c9adcb58b859b4d6397f5f59

          SHA256

          d3293cbcf17127a6900372853fdc1c662856c7b0a7cc2b34927ceb6c716f6abd

          SHA512

          884a79295b6d79b7c297f8366e5727e96f9eeacd4268e3e221c3b76e3c39b8d9782f356fa9522e799e52d5ae9c85dcc6be9b12bfc14cc10f39966483eb24a39c

          Download Submit

        • \Program Files\TortoiseGit\bin\TortoiseGitProc.exe
          Filesize

          13.0MB

          MD5

          0aeb946e4b63cf02c5b9298d54dd5119

          SHA1

          372c990319f325d7c9adcb58b859b4d6397f5f59

          SHA256

          d3293cbcf17127a6900372853fdc1c662856c7b0a7cc2b34927ceb6c716f6abd

          SHA512

          884a79295b6d79b7c297f8366e5727e96f9eeacd4268e3e221c3b76e3c39b8d9782f356fa9522e799e52d5ae9c85dcc6be9b12bfc14cc10f39966483eb24a39c

          Download Submit

        • \Program Files\TortoiseGit\bin\TortoiseGitProc.exe
          Filesize

          13.0MB

          MD5

          0aeb946e4b63cf02c5b9298d54dd5119

          SHA1

          372c990319f325d7c9adcb58b859b4d6397f5f59

          SHA256

          d3293cbcf17127a6900372853fdc1c662856c7b0a7cc2b34927ceb6c716f6abd

          SHA512

          884a79295b6d79b7c297f8366e5727e96f9eeacd4268e3e221c3b76e3c39b8d9782f356fa9522e799e52d5ae9c85dcc6be9b12bfc14cc10f39966483eb24a39c

          Download Submit

        • \Program Files\TortoiseGit\bin\notepad2.exe
          Filesize

          1.6MB

          MD5

          54992ff20eaa7440ef551188f9c2450a

          SHA1

          f6692ea4beed97095164a7efade66e045d7e9030

          SHA256

          3c62e40eee156d25cc70c1b9d486b686e3450261f19df7413f82e817586d054c

          SHA512

          cc05a56995d1697b721a0d09c1f19b68412569fa5c10efa3d5d23b41b0bab506e126126b001778e6f933ed73ecd4e953361b0057ffe27cbafecfd0d2b5df96dc

          Download Submit

        • \Program Files\TortoiseGit\bin\pageant.exe
          Filesize

          868KB

          MD5

          bb6d0d0890b52efa09d6314e569b0ab8

          SHA1

          e920d39e2f3a3ef990dc930bba2369c28ab9fb06

          SHA256

          58d070cf471435a1c4d34085048c8306d986ae660da8bae27d863f10d0474d64

          SHA512

          c11d691877d4ffdbcc4504f5babd05b902ae5c3cba768630a727b5be23c77fb69321567c99f714ed627ed37d9131f82ae1d46d7d192730aa8dc84b63c39c00e8

          Download Submit

        • \Program Files\TortoiseGit\bin\puttygen.exe
          Filesize

          945KB

          MD5

          67a048ba1f1b257470b1d0559c4ddd1a

          SHA1

          26eddc9c661894827c6531811b675b6990c5834b

          SHA256

          2339389cd0ab813d97300b8bb2f5757f82a18e5e1bb112c698d87ce6fcce7277

          SHA512

          75a1412eee3448d8558a7104fa7ef009f7f625e30e0272cfbed4b4cd87a485b092ea2b563bb35f6ba3fc253e2891195df6bbbbb3e033d85360d43f39adf9dd6c

          Download Submit

        • \Windows\Installer\MSI6BE6.tmp
          Filesize

          233KB

          MD5

          69ce0f47a489fc5ed1980b43bf0eb0e6

          SHA1

          3f6d8ceece019812d43a0de767fc7bd72f2ce241

          SHA256

          b29b65905905f7d9279737fad9ee4dbfb9375109ec03c0db2d96e11b031e9a70

          SHA512

          ade5af5a8ca4716eb651d7de0f9bfd9c2f155884a022312fa808439f56b55ac5375dda3b4cd2dcf9af105d99cdc991e74250246f7c600a13b80507859bf43bb7

          Download Submit