Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

9

Static

static

1

Multa_0125...in.msi

windows7-x64

9

Multa_0125...in.msi

windows10-2004-x64

9

Analysis

  • max time kernel
    105s
  • max time network
    147s
  • platform
    windows7_x64
  • resource
    win7-20230220-en
  • resource tags

    arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
  • submitted
    01/05/2023, 19:50

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Multa_012544502.msi.bin.msi

  • Size

    6.4MB

  • MD5

    34b4652577806731f50e489999b5b800

  • SHA1

    2ea6202b8ceb7b839964ebc2f8db1d7ccad6d3a7

  • SHA256

    8774ab405a35ab53a2254ca8f52250ad7f98d9c65c7dcd45632de15e5c447b49

  • SHA512

    399dbec0062ef57f2bc5223bb5a55ad47a7bdecd25b8cceca4054bab6aa1f42aa278e4b630ac373e53313825b429888f1f7af6d2755d1999b75a83f119e61781

  • SSDEEP

    98304:x+hZETGO7pWl9qZgBkMCMo6f93ncyk7jqNpG1K/hTOz/xFYptMHA:x+bed7pZM26Vsyks5u/xs

Score
9/10
evasionpersistencethemidatrojan

Malware Config

Signatures

  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
    evasion
  • Blocklisted process makes network request 6 IoCs
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 7 IoCs
  • Themida packer 18 IoCs

    Detects Themida, an advanced Windows software protection system.

    themida
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Enumerates connected drives 3 TTPs 48 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Looks up external IP address via web service 3 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Drops file in Windows directory 9 IoCs
  • Script User-Agent 1 IoCs

    Uses user-agent string associated with script host/environment.

  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 7 IoCs
  • Suspicious use of AdjustPrivilegeToken 46 IoCs
  • Suspicious use of FindShellTrayWindow 4 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Windows\system32\msiexec.exe
    msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\Multa_012544502.msi.bin.msi
    1⤵
    • Enumerates connected drives
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:1676
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Enumerates connected drives
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1684
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding 51D07185B1C429A9180371C1F438C75E
      2⤵
      • Blocklisted process makes network request
      • Loads dropped DLL
      • Adds Run key to start application
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:1764
      • C:\Users\Admin\AppData\Local\M4VDdL46H\HrT.x.exe
        "C:\Users\Admin\AppData\Local\M4VDdL46H\HrT.x.exe" "C:\Users\Admin\AppData\Local\M4VDdL46H\HrT.x.ahk"
        3⤵
        • Identifies VirtualBox via ACPI registry values (likely anti-VM)
        • Checks BIOS information in registry
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • Suspicious behavior: AddClipboardFormatListener
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:976
  • C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE" -Embedding
    1⤵
      PID:1988

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Config.Msi\6c983e.rbs
      Filesize

      1KB

      MD5

      0a12eeae8117cbaee7f83d9186b15f78

      SHA1

      5df27f945f3cde7e4ab220712c60da75bea7faba

      SHA256

      0d165aef79514ef445d15a8ff9c03e072cacccd6f296ca15235cf0dae69ba673

      SHA512

      5a40bd00af632380281fbb2fb1da5edd033ccacf12950bbb1b930b4d4a2fa6c24c309c6310ebad7382c3bb6902fd191bda6012e0084ed2070c95ec543eff02e1

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
      Filesize

      62KB

      MD5

      3ac860860707baaf32469fa7cc7c0192

      SHA1

      c33c2acdaba0e6fa41fd2f00f186804722477639

      SHA256

      d015145d551ecd14916270efad773bbc9fd57fad2228d2c24559f696c961d904

      SHA512

      d62ad2408c969a95550fb87efda50f988770ba5e39972041bf85924275baf156b8bec309ecc6409e5acdd37ec175dea40eff921ab58933b5b5b5d35a6147567c

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      304B

      MD5

      0cf322f934bef9559d39a8ea19e9ed1c

      SHA1

      2e6c246501ab6280c3d86c52c1825aacc8c9d283

      SHA256

      987cd1129f4058b182d04699391015c3078952791cc530330f465e348d235d7e

      SHA512

      8923c038402d552776bcfb9b46b4982ac01f5cbdba288da2892eab09583aafbbd8e243d1cb19cd40ba819a27b4ab09f88e7c4b7de4852dff365d96b29edcdb0d

      Download Submit

    • C:\Users\Admin\AppData\Local\M4VDdL46H\HrT.x.ahk
      Filesize

      202B

      MD5

      74067f2cb49ff17b2b393a4a6ba1b1e5

      SHA1

      5be7656c71bbb4450df4e5c5a1d02ad2a6e2ce48

      SHA256

      0ce75ec5575b544f6e9130182e58fea81ff573c9262c28fe125c91877f3cec3a

      SHA512

      7c7ee8c1471a693faa83973d7bfc68b248dd97875169f94eb275aedefe0e026ab3ae93a996181018bcc155e7f3e183b5b15463c7e0901bec0585627ac2bd0b3a

      Download Submit

    • C:\Users\Admin\AppData\Local\M4VDdL46H\HrT.x.exe
      Filesize

      889KB

      MD5

      03c469798bf1827d989f09f346ce95f7

      SHA1

      05e491bc1b8fbfbfdca24b565f2464137f30691e

      SHA256

      de87c8713fac002b0b0a0f9b02c4e3ebcccf65282a22f5ab5912a9da00f35c2a

      SHA512

      d95aed75dd7b2470d4e5052b4b494ad9efbb9eee42c63cf0b38f1d0275ff7b1bb8ee4cbc69d1bb219dbbf33ad3b01cea97f87fa8fe69be7f943aa4417a603238

      Download Submit

    • C:\Users\Admin\AppData\Local\M4VDdL46H\HrT.x.exe
      Filesize

      889KB

      MD5

      03c469798bf1827d989f09f346ce95f7

      SHA1

      05e491bc1b8fbfbfdca24b565f2464137f30691e

      SHA256

      de87c8713fac002b0b0a0f9b02c4e3ebcccf65282a22f5ab5912a9da00f35c2a

      SHA512

      d95aed75dd7b2470d4e5052b4b494ad9efbb9eee42c63cf0b38f1d0275ff7b1bb8ee4cbc69d1bb219dbbf33ad3b01cea97f87fa8fe69be7f943aa4417a603238

      Download Submit

    • C:\Users\Admin\AppData\Local\M4VDdL46H\TEBXHEJAON.OXo
      Filesize

      13.6MB

      MD5

      f89ac2e29ffd616ed6abb0d1ae5d8cc9

      SHA1

      7a326a05e116ac575f40ee18bffd00854780a2d8

      SHA256

      004186b6246c2a2f021c9c4c7d5da2fea29eae23e6a2068fe8ab666ced9b3867

      SHA512

      c7160a5fcdd36847ed646a5ca7b22d7d7d162de220a73b806277cdf66ca872193d8f870d7fd0e987375e91b15f104733efe33f562b48d00ff2750be94dcf3697

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\Cab6C7.tmp
      Filesize

      61KB

      MD5

      fc4666cbca561e864e7fdf883a9e6661

      SHA1

      2f8d6094c7a34bf12ea0bbf0d51ee9c5bb7939a5

      SHA256

      10f3deb6c452d749a7451b5d065f4c0449737e5ee8a44f4d15844b503141e65b

      SHA512

      c71f54b571e01f247f072be4bbebdf5d8410b67eb79a61e7e0d9853fe857ab9bd12f53e6af3394b935560178107291fc4be351b27deb388eba90ba949633d57d

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\Tar900.tmp
      Filesize

      164KB

      MD5

      4ff65ad929cd9a367680e0e5b1c08166

      SHA1

      c0af0d4396bd1f15c45f39d3b849ba444233b3a2

      SHA256

      c8733c93cc5aaf5ca206d06af22ee8dbdec764fb5085019a6a9181feb9dfdee6

      SHA512

      f530dc0d024a5a3b8903ffaaa41b608a5ccdd6da4ba1949f2c2e55a9fca475fec5c8d2119b5763cabe7ef1c3788fb9dcac621869db51d65b1d83cfe404fb4c27

      Download Submit

    • C:\Windows\Installer\MSI9954.tmp
      Filesize

      376KB

      MD5

      e12c5bcc254c953b1a46d1434804f4d2

      SHA1

      99f67acf34af1294f3c6e5eb521c862e1c772397

      SHA256

      5316cfae8b4d28ab7cbc5cab60e27b0c0f5a3210a921a4b0560769c5021c911b

      SHA512

      9a61aa00b651fc616cd09d28f4a6b872889a026c61d818595a82c58fdff187e3ad57916c2b8690d1e7016d73a05435e13a85758917cfb89029b34c4a1685aa0b

      Download Submit

    • C:\Windows\Installer\MSI9F6D.tmp
      Filesize

      376KB

      MD5

      e12c5bcc254c953b1a46d1434804f4d2

      SHA1

      99f67acf34af1294f3c6e5eb521c862e1c772397

      SHA256

      5316cfae8b4d28ab7cbc5cab60e27b0c0f5a3210a921a4b0560769c5021c911b

      SHA512

      9a61aa00b651fc616cd09d28f4a6b872889a026c61d818595a82c58fdff187e3ad57916c2b8690d1e7016d73a05435e13a85758917cfb89029b34c4a1685aa0b

      Download Submit

    • C:\Windows\Installer\MSIA038.tmp
      Filesize

      376KB

      MD5

      e12c5bcc254c953b1a46d1434804f4d2

      SHA1

      99f67acf34af1294f3c6e5eb521c862e1c772397

      SHA256

      5316cfae8b4d28ab7cbc5cab60e27b0c0f5a3210a921a4b0560769c5021c911b

      SHA512

      9a61aa00b651fc616cd09d28f4a6b872889a026c61d818595a82c58fdff187e3ad57916c2b8690d1e7016d73a05435e13a85758917cfb89029b34c4a1685aa0b

      Download Submit

    • C:\Windows\Installer\MSIA038.tmp
      Filesize

      376KB

      MD5

      e12c5bcc254c953b1a46d1434804f4d2

      SHA1

      99f67acf34af1294f3c6e5eb521c862e1c772397

      SHA256

      5316cfae8b4d28ab7cbc5cab60e27b0c0f5a3210a921a4b0560769c5021c911b

      SHA512

      9a61aa00b651fc616cd09d28f4a6b872889a026c61d818595a82c58fdff187e3ad57916c2b8690d1e7016d73a05435e13a85758917cfb89029b34c4a1685aa0b

      Download Submit

    • C:\Windows\Installer\MSIC354.tmp
      Filesize

      5.8MB

      MD5

      a5094c4e30ad9cb9774ecf8d5ad880bb

      SHA1

      e866b5f356a60696a93a35aec1d4ef6b99b8da49

      SHA256

      55773203d973222565c520b50cd2dd83c1be0067e70dd6369ec9dc0c9e903286

      SHA512

      be1908623f82ee0a54e7fa9057f38ec8dd60cebeaddd30f0a382cdd4162294ed80d51656a1ef3923e79852755ba5cdc6b274d305547aac2eb9178dd41194c205

      Download Submit

    • \Users\Admin\AppData\Local\M4VDdL46H\HrT.x.exe
      Filesize

      889KB

      MD5

      03c469798bf1827d989f09f346ce95f7

      SHA1

      05e491bc1b8fbfbfdca24b565f2464137f30691e

      SHA256

      de87c8713fac002b0b0a0f9b02c4e3ebcccf65282a22f5ab5912a9da00f35c2a

      SHA512

      d95aed75dd7b2470d4e5052b4b494ad9efbb9eee42c63cf0b38f1d0275ff7b1bb8ee4cbc69d1bb219dbbf33ad3b01cea97f87fa8fe69be7f943aa4417a603238

      Download Submit

    • \Users\Admin\AppData\Local\M4VDdL46H\TEBXHEJAON.OXo
      Filesize

      13.6MB

      MD5

      f89ac2e29ffd616ed6abb0d1ae5d8cc9

      SHA1

      7a326a05e116ac575f40ee18bffd00854780a2d8

      SHA256

      004186b6246c2a2f021c9c4c7d5da2fea29eae23e6a2068fe8ab666ced9b3867

      SHA512

      c7160a5fcdd36847ed646a5ca7b22d7d7d162de220a73b806277cdf66ca872193d8f870d7fd0e987375e91b15f104733efe33f562b48d00ff2750be94dcf3697

      Download Submit

    • \Users\Admin\AppData\Local\Temp\365ea5b.dll
      Filesize

      8KB

      MD5

      d8f4ab8284f0fda871d6834e24bc6f37

      SHA1

      641948e44a1dcfd0ef68910768eb4b1ea6b49d10

      SHA256

      c09d0790e550694350b94ca6b077c54f983c135fab8990df5a75462804150912

      SHA512

      f65a916041846718306567d33273c3d0f41e0b26589cf6db46ec6c788ba0d87a708c94979d3bd0609142badca9e7129690b92169a07dcf7cd8c66698827d2fa0

      Download Submit

    • \Windows\Installer\MSI9954.tmp
      Filesize

      376KB

      MD5

      e12c5bcc254c953b1a46d1434804f4d2

      SHA1

      99f67acf34af1294f3c6e5eb521c862e1c772397

      SHA256

      5316cfae8b4d28ab7cbc5cab60e27b0c0f5a3210a921a4b0560769c5021c911b

      SHA512

      9a61aa00b651fc616cd09d28f4a6b872889a026c61d818595a82c58fdff187e3ad57916c2b8690d1e7016d73a05435e13a85758917cfb89029b34c4a1685aa0b

      Download Submit

    • \Windows\Installer\MSI9F6D.tmp
      Filesize

      376KB

      MD5

      e12c5bcc254c953b1a46d1434804f4d2

      SHA1

      99f67acf34af1294f3c6e5eb521c862e1c772397

      SHA256

      5316cfae8b4d28ab7cbc5cab60e27b0c0f5a3210a921a4b0560769c5021c911b

      SHA512

      9a61aa00b651fc616cd09d28f4a6b872889a026c61d818595a82c58fdff187e3ad57916c2b8690d1e7016d73a05435e13a85758917cfb89029b34c4a1685aa0b

      Download Submit

    • \Windows\Installer\MSIA038.tmp
      Filesize

      376KB

      MD5

      e12c5bcc254c953b1a46d1434804f4d2

      SHA1

      99f67acf34af1294f3c6e5eb521c862e1c772397

      SHA256

      5316cfae8b4d28ab7cbc5cab60e27b0c0f5a3210a921a4b0560769c5021c911b

      SHA512

      9a61aa00b651fc616cd09d28f4a6b872889a026c61d818595a82c58fdff187e3ad57916c2b8690d1e7016d73a05435e13a85758917cfb89029b34c4a1685aa0b

      Download Submit

    • \Windows\Installer\MSIC354.tmp
      Filesize

      5.8MB

      MD5

      a5094c4e30ad9cb9774ecf8d5ad880bb

      SHA1

      e866b5f356a60696a93a35aec1d4ef6b99b8da49

      SHA256

      55773203d973222565c520b50cd2dd83c1be0067e70dd6369ec9dc0c9e903286

      SHA512

      be1908623f82ee0a54e7fa9057f38ec8dd60cebeaddd30f0a382cdd4162294ed80d51656a1ef3923e79852755ba5cdc6b274d305547aac2eb9178dd41194c205

      Download Submit

    • memory/976-204-0x0000000003060000-0x000000000540D000-memory.dmp

      Filesize

      35.7MB

      Download

    • memory/976-209-0x0000000061E00000-0x0000000061EC1000-memory.dmp

      Filesize

      772KB

      Download

    • memory/976-382-0x0000000003060000-0x000000000540D000-memory.dmp

      Filesize

      35.7MB

      Download

    • memory/976-356-0x0000000003060000-0x000000000540D000-memory.dmp

      Filesize

      35.7MB

      Download

    • memory/976-255-0x0000000003060000-0x000000000540D000-memory.dmp

      Filesize

      35.7MB

      Download

    • memory/976-247-0x0000000003060000-0x000000000540D000-memory.dmp

      Filesize

      35.7MB

      Download

    • memory/976-233-0x0000000003060000-0x000000000540D000-memory.dmp

      Filesize

      35.7MB

      Download

    • memory/976-232-0x0000000000150000-0x0000000000151000-memory.dmp

      Filesize

      4KB

      Download

    • memory/976-231-0x0000000003060000-0x000000000540D000-memory.dmp

      Filesize

      35.7MB

      Download

    • memory/976-207-0x0000000003060000-0x000000000540D000-memory.dmp

      Filesize

      35.7MB

      Download

    • memory/976-206-0x0000000003060000-0x000000000540D000-memory.dmp

      Filesize

      35.7MB

      Download

    • memory/976-205-0x0000000003060000-0x000000000540D000-memory.dmp

      Filesize

      35.7MB

      Download

    • memory/976-203-0x0000000003060000-0x000000000540D000-memory.dmp

      Filesize

      35.7MB

      Download

    • memory/976-202-0x0000000003060000-0x000000000540D000-memory.dmp

      Filesize

      35.7MB

      Download

    • memory/976-201-0x0000000003060000-0x000000000540D000-memory.dmp

      Filesize

      35.7MB

      Download

    • memory/976-200-0x0000000003060000-0x000000000540D000-memory.dmp

      Filesize

      35.7MB

      Download

    • memory/976-199-0x0000000003060000-0x000000000540D000-memory.dmp

      Filesize

      35.7MB

      Download

    • memory/976-198-0x0000000003060000-0x000000000540D000-memory.dmp

      Filesize

      35.7MB

      Download

    • memory/1764-88-0x0000000000310000-0x0000000000311000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1764-71-0x00000000001E0000-0x00000000001E1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1764-76-0x0000000000280000-0x0000000000281000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1764-78-0x00000000002A0000-0x00000000002A1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1764-79-0x00000000002A0000-0x00000000002A1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1764-82-0x00000000002B0000-0x00000000002B1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1764-73-0x00000000001E0000-0x00000000001E1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1764-181-0x0000000000330000-0x0000000000331000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1764-81-0x00000000002B0000-0x00000000002B1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1764-84-0x0000000000300000-0x0000000000301000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1764-75-0x0000000000280000-0x0000000000281000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1764-85-0x0000000000300000-0x0000000000301000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1764-74-0x0000000000280000-0x0000000000281000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1764-87-0x0000000000310000-0x0000000000311000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1764-94-0x0000000000330000-0x0000000000331000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1764-72-0x00000000001E0000-0x00000000001E1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1764-92-0x0000000002420000-0x000000000312B000-memory.dmp

      Filesize

      13.0MB

      Download

    • memory/1764-91-0x0000000000320000-0x0000000000321000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1764-89-0x0000000000320000-0x0000000000321000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1764-90-0x0000000000320000-0x0000000000321000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1988-256-0x000000005FFF0000-0x0000000060000000-memory.dmp

      Filesize

      64KB

      Download