Analysis

  • max time kernel
    92s
  • max time network
    95s
  • platform
    windows10-1703_x64
  • resource
    win10-20230621-en
  • resource tags

    arch:x64, arch:x86, image:win10-20230621-en, locale:en-us, os:windows10-1703-x64, system
  • submitted
    27/06/2023, 22:23

General

  • Target

    PrimaryInteropAssembly.exe

  • Size

    6.3MB

  • MD5

    2ebeb31f8ee253419906ca1c20fc807f

  • SHA1

    82acccd5a1e3944b7d6da84ece03070a51e89def

  • SHA256

    7b3b21b2fc2cfa707ad58c5a3e57fcfd16914ebdb9d634dcc711785843d5cc19

  • SHA512

    19f98284b4471155b4b75581d59b8bc8fa3c8fcf18e4dfe3d3d963c05e2aff7ac5d2f6f175c9a6858fa224cae9f795b675d667f0492fbbbe7e8d576156aae6d8

  • SSDEEP

    196608:PmGMoxY8gmavHF2+8moxPSuaChYeZreeqdTU553:Pm/FPz8moxPlaCLreJdm3

Score
8/10

Malware Config

Signatures

  • Blocklisted process makes network request 1 IoCs
  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Windows directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks SCSI registry key(s) 3 TTPs 64 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Modifies data under HKEY_USERS 2 IoCs
  • Modifies registry class 2 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 47 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of WriteProcessMemory 2 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\PrimaryInteropAssembly.exe
    "C:\Users\Admin\AppData\Local\Temp\PrimaryInteropAssembly.exe"
    1⤵
    • Modifies registry class
    • Suspicious behavior: GetForegroundWindowSpam
    PID:4688
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
    PID:4564
    • C:\Windows\System32\msiexec.exe
      "C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\Desktop\New folder\o2007pia.msi"
      1⤵
      • Blocklisted process makes network request
      • Enumerates connected drives
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      PID:4588
    • C:\Windows\system32\msiexec.exe
      C:\Windows\system32\msiexec.exe /V
      1⤵
      • Enumerates connected drives
      • Drops file in Windows directory
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3856
      • C:\Windows\system32\srtasks.exe
        C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
        2⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:4072
    • C:\Windows\system32\vssvc.exe
      C:\Windows\system32\vssvc.exe
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:1464
    • C:\Windows\system32\svchost.exe
      C:\Windows\system32\svchost.exe -k netsvcs -s DsmSvc
      1⤵
      • Checks SCSI registry key(s)
      • Modifies data under HKEY_USERS
      PID:3508

    Network

    MITRE ATT&CK Enterprise v6

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\OWP56B0.tmp\eula.txt

      Filesize

      13KB

      MD5

      e042ebfc2fdb4a0fe0bc4a2f230cc17d

      SHA1

      906e5c63ee8eb5684ec86ac4f59332ee4ad6b63d

      SHA256

      b867cf1adabdd77c442a11cd158d2c01aa8dd333556db19cb1f496d22783f2ef

      SHA512

      9a6038c9e27d169864af7657f250c6798bbec787dbd68bc20974b1caa901aced15fa8e134d09bc1265d8cc7863dafcb95a0c2b9f859e0197afe6cdf74a500830

    • C:\Users\Admin\Desktop\New folder\o2007pia.msi

      Filesize

      6.8MB

      MD5

      34de40c44905a0dd566cd070fd71afb6

      SHA1

      92751db9eab2b1152e8bf41cd694bb55ef33ece1

      SHA256

      e9d6035fad03e7d3fef501e7600ec468f09a43a3af911d6d4333ed5f82328a04

      SHA512

      21184b8e22601298c36bf594424cbdd8f81724ca44b073379ef442d09bd7bcc6562a4438bfbbe250f11162765284a8debe53bd656862438c6bce5d3bacbe7447

    • \??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

      Filesize

      25.0MB

      MD5

      9fcb75d87ed3845e7e087baf92c58aae

      SHA1

      b688b5a3b0c8843272bf7dd296d00f39548cb0ee

      SHA256

      190a1bf3f0af29fc87570b1d71909b213fe4fba6bc65168380ff24500108902b

      SHA512

      67a8c806c0ce370c2f73868a7bfde77a7839af309631dc0f0a762ded7419c0da1cec860a5058d27578ad56610b43160336b5ba729b163de96ce1bc26ff829fd1

    • \??\Volume{4080e03d-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{56399ecd-b991-40c3-96a3-5c1df2307d97}_OnDiskSnapshotProp

      Filesize

      5KB

      MD5

      53261813557daae45650b15635a74334

      SHA1

      c4c25eaf19f00870662ba52c163159305b88e30b

      SHA256

      e2d89d1d11346b753f88be29f4c1b71bceb8b8c72b1bc2e74febf28fab78fd33

      SHA512

      adcce4133fc8375086ef00f9d687fec0b2eee641dddadee71b677edc5555fcb13eade1b4e2fbb29c051f4e304446e90c6f12d7d65979993539eb587c7eb64cd8