Overview

overview

8

Static

static

1

TortoiseGi...it.msi

windows7-x64

8

TortoiseGi...it.msi

windows10-2004-x64

8

Analysis

  • max time kernel
    109s
  • max time network
    110s
  • platform
    windows7_x64
  • resource
    win7-20230220-en
  • resource tags

    arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
  • submitted
    13-04-2023 18:19

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    TortoiseGit-2.14.0.0-64bit.msi

  • Size

    21.6MB

  • MD5

    ca36bf3998301057ab7f4f64a84085f5

  • SHA1

    66353468825a754f384f9c1bd3e34b37bd9071f7

  • SHA256

    df07f0f3d9888fd153d5d08f4a8ccb1ba4f2553316d78e101c1800bc42f9ad0c

  • SHA512

    87ad935e1329a0e6076b3a58e27e149b08adbc516328ecbe47707d41601af9b0277a8a591a5fee723d3d9e9778e123e6434f23d1a930b12d5f10519df6f23636

  • SSDEEP

    393216:348DJa1Zmo8Swa0evzN0eAUAyzziv7asm7sf7SG8aQASSV7e9Jdmq6sbNyPDN:348Vkmz4zN0KA1TgcqarSSV7e4bB

Score
8/10
persistence

Malware Config

Signatures

  • Blocklisted process makes network request 3 IoCs
  • Loads dropped DLL 9 IoCs
  • Modifies system executable filetype association 2 TTPs 2 IoCs
    persistence
  • Registers COM server for autorun 1 TTPs 64 IoCs
    persistence
  • Enumerates connected drives 3 TTPs 48 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 13 IoCs
  • Modifies data under HKEY_USERS 46 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Windows\system32\msiexec.exe
    msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\TortoiseGit-2.14.0.0-64bit.msi
    1⤵
    • Blocklisted process makes network request
    • Enumerates connected drives
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:1092
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Blocklisted process makes network request
    • Loads dropped DLL
    • Modifies system executable filetype association
    • Registers COM server for autorun
    • Enumerates connected drives
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Modifies data under HKEY_USERS
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1724
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding 2285FCDCF1B7C473A4760FE99F850E33
      2⤵
      • Loads dropped DLL
      PID:1564
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:1584
  • C:\Windows\system32\DrvInst.exe
    DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "000000000000005C" "0000000000000590"
    1⤵
    • Drops file in Windows directory
    • Modifies data under HKEY_USERS
    • Suspicious use of AdjustPrivilegeToken
    PID:1692

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Config.Msi\6d6ae6.rbs
    Filesize

    112KB

    MD5

    3ec67686ea007d74d145abbf4ac35983

    SHA1

    af6eeb075bb0b7109b06a1726ce57106eea95bab

    SHA256

    9a456b88100e0874bc8f0759d218d1d74577b4cb542dfe3283dcc2508f85375f

    SHA512

    8d94172ec891d94d9d506dbadec6d4e9dbfee7bbc75f9dc074e835bf7fd99b2ec37623a581bdc4c46fdb5f2feac18629e9e3d2f41b86e71a341ec7b64a4d60ec

    Download Submit

  • C:\Program Files (x86)\Common Files\TortoiseOverlays\icons\XPStyle\IgnoredIcon.ico
    Filesize

    31KB

    MD5

    cf15744ad19756eb089f48848a0b0514

    SHA1

    a68ddf3b4553b34e2b6cd6aa30e6242a6ea9ec60

    SHA256

    8e8c74fb8ed84184c0671df1d6a17f538a5926981e2d0f05603d87f7a3100f5b

    SHA512

    c5c87e8e0c85068a14b28ad269ef12561611df41205d0490c1e5dbbe167c4d538ab3941cddf4fb26ea28a8ab0d4d6fca1a8665b558b1cea6f55c34546bbe205d

    Download Submit

  • C:\Program Files\TortoiseGit\bin\TortoiseGitProc.exe
    Filesize

    13.0MB

    MD5

    0aeb946e4b63cf02c5b9298d54dd5119

    SHA1

    372c990319f325d7c9adcb58b859b4d6397f5f59

    SHA256

    d3293cbcf17127a6900372853fdc1c662856c7b0a7cc2b34927ceb6c716f6abd

    SHA512

    884a79295b6d79b7c297f8366e5727e96f9eeacd4268e3e221c3b76e3c39b8d9782f356fa9522e799e52d5ae9c85dcc6be9b12bfc14cc10f39966483eb24a39c

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\538F535B7FBDE384E456CC9F5DA5FBAB
    Filesize

    1KB

    MD5

    6d469ed9256d08235b5e747d1e27dbf2

    SHA1

    d3dd483e2bbf4c05e8af10f5fa7626cfd3dc3092

    SHA256

    b676f2eddae8775cd36cb0f63cd1d4603961f49e6265ba013a2f0307b6d0b804

    SHA512

    04cbf2a5f740d030208136b0ee1db38299943c74efa55045f564268246a929018fcaf26aa02768bb20321aa3f70c4609c163c75a3929ef8da016de000566a74c

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
    Filesize

    61KB

    MD5

    e71c8443ae0bc2e282c73faead0a6dd3

    SHA1

    0c110c1b01e68edfacaeae64781a37b1995fa94b

    SHA256

    95b0a5acc5bf70d3abdfd091d0c9f9063aa4fde65bd34dbf16786082e1992e72

    SHA512

    b38458c7fa2825afb72794f374827403d5946b1132e136a0ce075dfd351277cf7d957c88dc8a1e4adc3bcae1fa8010dae3831e268e910d517691de24326391a6

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
    Filesize

    61KB

    MD5

    e71c8443ae0bc2e282c73faead0a6dd3

    SHA1

    0c110c1b01e68edfacaeae64781a37b1995fa94b

    SHA256

    95b0a5acc5bf70d3abdfd091d0c9f9063aa4fde65bd34dbf16786082e1992e72

    SHA512

    b38458c7fa2825afb72794f374827403d5946b1132e136a0ce075dfd351277cf7d957c88dc8a1e4adc3bcae1fa8010dae3831e268e910d517691de24326391a6

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\538F535B7FBDE384E456CC9F5DA5FBAB
    Filesize

    194B

    MD5

    067c039c47f14f640c36f5544362bdba

    SHA1

    536b797b99cd9228c4e04cd19bb8d9693925b6dc

    SHA256

    afb375766f668fdf3d732541f0d92583497bb78d112bd28514f2605fa1fbc510

    SHA512

    1772be75dbabe70dcfb9e864fc942cc59ea3ea890ae75fefe6faf015f0570202eedf749ad4d8c8974c228025ff92f1c1d9086a4d67888eaf2cab00f517e3e7a8

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    cd649a0521979836d05e60dffeb1a785

    SHA1

    1330a672b04cc40a32b453b27449f1f3da525cc1

    SHA256

    deb671cb958759d2624f8e52258f61537acd595f5132c242e32b681fe377fd9b

    SHA512

    27711508519c89714c52996990af3894a0ebef54ec6077ebb9a3b0e33bb6551b022718649bbe1b8f54fe47b09a08c5effeb3d5fee74cda9b9ab7cf958c21d8ee

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Cab18F0.tmp
    Filesize

    61KB

    MD5

    fc4666cbca561e864e7fdf883a9e6661

    SHA1

    2f8d6094c7a34bf12ea0bbf0d51ee9c5bb7939a5

    SHA256

    10f3deb6c452d749a7451b5d065f4c0449737e5ee8a44f4d15844b503141e65b

    SHA512

    c71f54b571e01f247f072be4bbebdf5d8410b67eb79a61e7e0d9853fe857ab9bd12f53e6af3394b935560178107291fc4be351b27deb388eba90ba949633d57d

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Tar19DD.tmp
    Filesize

    161KB

    MD5

    73b4b714b42fc9a6aaefd0ae59adb009

    SHA1

    efdaffd5b0ad21913d22001d91bf6c19ecb4ac41

    SHA256

    c0cf8cc04c34b5b80a2d86ad0eafb2dd71436f070c86b0321fba0201879625fd

    SHA512

    73af3c51b15f89237552b1718bef21fd80788fa416bab2cb2e7fb3a60d56249a716eda0d2dd68ab643752272640e7eaaaf57ce64bcb38373ddc3d035fb8d57cd

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Tar1F50.tmp
    Filesize

    161KB

    MD5

    be2bec6e8c5653136d3e72fe53c98aa3

    SHA1

    a8182d6db17c14671c3d5766c72e58d87c0810de

    SHA256

    1919aab2a820642490169bdc4e88bd1189e22f83e7498bf8ebdfb62ec7d843fd

    SHA512

    0d1424ccdf0d53faf3f4e13d534e12f22388648aa4c23edbc503801e3c96b7f73c7999b760b5bef4b5e9dd923dffe21a21889b1ce836dd428420bf0f4f5327ff

    Download Submit

  • C:\Windows\Installer\6d6ae4.msi
    Filesize

    21.6MB

    MD5

    ca36bf3998301057ab7f4f64a84085f5

    SHA1

    66353468825a754f384f9c1bd3e34b37bd9071f7

    SHA256

    df07f0f3d9888fd153d5d08f4a8ccb1ba4f2553316d78e101c1800bc42f9ad0c

    SHA512

    87ad935e1329a0e6076b3a58e27e149b08adbc516328ecbe47707d41601af9b0277a8a591a5fee723d3d9e9778e123e6434f23d1a930b12d5f10519df6f23636

    Download Submit

  • C:\Windows\Installer\MSI8031.tmp
    Filesize

    233KB

    MD5

    69ce0f47a489fc5ed1980b43bf0eb0e6

    SHA1

    3f6d8ceece019812d43a0de767fc7bd72f2ce241

    SHA256

    b29b65905905f7d9279737fad9ee4dbfb9375109ec03c0db2d96e11b031e9a70

    SHA512

    ade5af5a8ca4716eb651d7de0f9bfd9c2f155884a022312fa808439f56b55ac5375dda3b4cd2dcf9af105d99cdc991e74250246f7c600a13b80507859bf43bb7

    Download Submit

  • \Program Files\TortoiseGit\bin\TortoiseGitIDiff.exe
    Filesize

    440KB

    MD5

    b6eae80b20499aceb8909463d01ff965

    SHA1

    95a49bc34df516912c7e0f607280a27e945edbb7

    SHA256

    738df1e15728654cb627de1bd3125350aac7a9488dded86dcb3eb683756522e9

    SHA512

    12c10fba7d76531985de1236cd12d723511fbb340112446cd81eb22240e66e0e5b24369222b5f198477b11e9c066d16c2d517d968e2318a3ad4238116d8c6615

    Download Submit

  • \Program Files\TortoiseGit\bin\TortoiseGitMerge.exe
    Filesize

    2.0MB

    MD5

    3d4de9fe3ac403524f2c728e80f48a49

    SHA1

    b954379c3fbabb1bb12ccf5cf1d51ad5b8eb8a9e

    SHA256

    b28802fad12ac1b7b7644bb3122a7ea6a9eb95babd9d2f8cb25353ad331a1472

    SHA512

    5e7321476f6d164c206b6b30562f613f6e6a744ebe4e46f40d8fb61b5a393eba902ae7d152d205c2d40bd74adc4f5ace92ccfd42f1295bc8db0294de9b1fb708

    Download Submit

  • \Program Files\TortoiseGit\bin\TortoiseGitProc.exe
    Filesize

    13.0MB

    MD5

    0aeb946e4b63cf02c5b9298d54dd5119

    SHA1

    372c990319f325d7c9adcb58b859b4d6397f5f59

    SHA256

    d3293cbcf17127a6900372853fdc1c662856c7b0a7cc2b34927ceb6c716f6abd

    SHA512

    884a79295b6d79b7c297f8366e5727e96f9eeacd4268e3e221c3b76e3c39b8d9782f356fa9522e799e52d5ae9c85dcc6be9b12bfc14cc10f39966483eb24a39c

    Download Submit

  • \Program Files\TortoiseGit\bin\TortoiseGitProc.exe
    Filesize

    13.0MB

    MD5

    0aeb946e4b63cf02c5b9298d54dd5119

    SHA1

    372c990319f325d7c9adcb58b859b4d6397f5f59

    SHA256

    d3293cbcf17127a6900372853fdc1c662856c7b0a7cc2b34927ceb6c716f6abd

    SHA512

    884a79295b6d79b7c297f8366e5727e96f9eeacd4268e3e221c3b76e3c39b8d9782f356fa9522e799e52d5ae9c85dcc6be9b12bfc14cc10f39966483eb24a39c

    Download Submit

  • \Program Files\TortoiseGit\bin\TortoiseGitProc.exe
    Filesize

    13.0MB

    MD5

    0aeb946e4b63cf02c5b9298d54dd5119

    SHA1

    372c990319f325d7c9adcb58b859b4d6397f5f59

    SHA256

    d3293cbcf17127a6900372853fdc1c662856c7b0a7cc2b34927ceb6c716f6abd

    SHA512

    884a79295b6d79b7c297f8366e5727e96f9eeacd4268e3e221c3b76e3c39b8d9782f356fa9522e799e52d5ae9c85dcc6be9b12bfc14cc10f39966483eb24a39c

    Download Submit

  • \Program Files\TortoiseGit\bin\notepad2.exe
    Filesize

    1.6MB

    MD5

    54992ff20eaa7440ef551188f9c2450a

    SHA1

    f6692ea4beed97095164a7efade66e045d7e9030

    SHA256

    3c62e40eee156d25cc70c1b9d486b686e3450261f19df7413f82e817586d054c

    SHA512

    cc05a56995d1697b721a0d09c1f19b68412569fa5c10efa3d5d23b41b0bab506e126126b001778e6f933ed73ecd4e953361b0057ffe27cbafecfd0d2b5df96dc

    Download Submit

  • \Program Files\TortoiseGit\bin\pageant.exe
    Filesize

    868KB

    MD5

    bb6d0d0890b52efa09d6314e569b0ab8

    SHA1

    e920d39e2f3a3ef990dc930bba2369c28ab9fb06

    SHA256

    58d070cf471435a1c4d34085048c8306d986ae660da8bae27d863f10d0474d64

    SHA512

    c11d691877d4ffdbcc4504f5babd05b902ae5c3cba768630a727b5be23c77fb69321567c99f714ed627ed37d9131f82ae1d46d7d192730aa8dc84b63c39c00e8

    Download Submit

  • \Program Files\TortoiseGit\bin\puttygen.exe
    Filesize

    945KB

    MD5

    67a048ba1f1b257470b1d0559c4ddd1a

    SHA1

    26eddc9c661894827c6531811b675b6990c5834b

    SHA256

    2339389cd0ab813d97300b8bb2f5757f82a18e5e1bb112c698d87ce6fcce7277

    SHA512

    75a1412eee3448d8558a7104fa7ef009f7f625e30e0272cfbed4b4cd87a485b092ea2b563bb35f6ba3fc253e2891195df6bbbbb3e033d85360d43f39adf9dd6c

    Download Submit

  • \Windows\Installer\MSI8031.tmp
    Filesize

    233KB

    MD5

    69ce0f47a489fc5ed1980b43bf0eb0e6

    SHA1

    3f6d8ceece019812d43a0de767fc7bd72f2ce241

    SHA256

    b29b65905905f7d9279737fad9ee4dbfb9375109ec03c0db2d96e11b031e9a70

    SHA512

    ade5af5a8ca4716eb651d7de0f9bfd9c2f155884a022312fa808439f56b55ac5375dda3b4cd2dcf9af105d99cdc991e74250246f7c600a13b80507859bf43bb7

    Download Submit