
Resubmissions

  • 30/06/2023, 08:09: 230630-j2ll3agf35 (score 7/10)
  • 30/06/2023, 08:03: 230630-jxpg6age93 (score 10/10)

Analysis

  • max time kernel
    299s
  • max time network
    302s
  • platform
    windows7_x64
  • resource
    win7-20230621-en
  • resource tags

    arch:x64, arch:x86, image:win7-20230621-en, locale:en-us, os:windows7-x64, system
  • submitted
    30/06/2023, 08:09

General

  • Target

    新建文件夹 (2)/f49acfb27630f8962eb2fe80da75b3e09f4b3d69c8d3c316687200a1c8aa1f4f.msi
    (新建文件夹 (2) is Chinese for "New folder (2)", the default name Windows Explorer gives a newly created folder on a Chinese-locale system; the path is kept verbatim because it is part of the indicator)

  • Size

    2.4MB

  • MD5

    64039f083c96cab5ea0de62f789886ce

  • SHA1

    ffb89927ad892b7d6e3d6a88ec24a9d6a161dee2

  • SHA256

    f49acfb27630f8962eb2fe80da75b3e09f4b3d69c8d3c316687200a1c8aa1f4f

  • SHA512

    8eee7c46b8a031858acabe871616e92e95d2e3b4be5b8eae425bc412dc51470c578c6991ba2f3d290a1b96a556853454ea0bb69336e54b9b7aa28354af998fae

  • SSDEEP

    49152:3BiErnG0fwkAjwzYUrngrwjCBt4CFFDO84D2nng01WQhNzvS65R8ct:XnGvMzYUrhjCBZPO84DH01WQXzvP5xt

Score
7/10


Signatures

  • ACProtect 1.3x - 1.4x DLL software 2 IoCs

    Detects file using ACProtect software.

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • UPX packed file 2 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • VMProtect packed file 3 IoCs

    Detects executables packed with VMProtect commercial packer.

  • Enumerates connected drives 3 TTPs 48 IoCs

    Attempts to read the root path of hard drives other than the default C: drive. In this run the hits are attributed to the two msiexec.exe instances, which check available volumes as a normal part of an install, so on its own this signature is weak evidence of anything beyond the installer running.

  • Drops file in Program Files directory 2 IoCs
  • Drops file in Windows directory 9 IoCs
  • Modifies data under HKEY_USERS 43 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots. On Windows 7, Windows Installer requests a System Restore point before a per-machine install, which is what starts vssvc.exe and the DrvInst.exe VolumeSnapshot activity in the process list below; treat this signature as installer background noise unless the dropped payload itself is seen calling the API.
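The UPX and VMProtect signatures above are packer identifications. A cheap offline triage check a practitioner can run on the dropped 4.exe before it ever reaches a sandbox is a section-name heuristic over the PE header. The Python below is an added example, not tria.ge's rule and not code from the sample; it assumes the packers' default section names (UPX0/UPX1/UPX2 and .vmp0/.vmp1/.vmp2) and, because no binary from the report is embedded here, it builds a constructed header-only PE to exercise itself.

```python
import struct

# Default section names written by the two packers flagged in the report.
# Heuristic only: both packers can be told to rename sections, and "modified UPX"
# builds often do, so a miss here is not a clean bill of health.
PACKER_SECTIONS = {
    "UPX": {"UPX0", "UPX1", "UPX2"},
    "VMProtect": {".vmp0", ".vmp1", ".vmp2"},
}


def pe_section_names(data: bytes) -> list[str]:
    """Parse only the PE headers and return the section names in table order."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    # IMAGE_FILE_HEADER: Machine(2) NumberOfSections(2) TimeDateStamp(4)
    # PointerToSymbolTable(4) NumberOfSymbols(4) SizeOfOptionalHeader(2) Characteristics(2)
    (n_sections,) = struct.unpack_from("<H", data, coff + 2)
    (opt_size,) = struct.unpack_from("<H", data, coff + 16)
    table = coff + 20 + opt_size
    names = []
    for i in range(n_sections):
        # IMAGE_SECTION_HEADER is 40 bytes; the 8-byte Name field comes first.
        entry = data[table + 40 * i: table + 40 * i + 8]
        if len(entry) < 8:
            raise ValueError("truncated section table")
        names.append(entry.split(b"\0", 1)[0].decode("latin-1"))
    return names


def detect_packers(data: bytes) -> set[str]:
    """Return the packers whose marker sections appear in the image."""
    names = set(pe_section_names(data))
    return {packer for packer, markers in PACKER_SECTIONS.items() if names & markers}


def build_test_pe(section_names: list[str]) -> bytes:
    """Constructed header-only PE32 image for offline testing; it is not loadable."""
    e_lfanew = 0x40
    dos_header = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    opt_size = 0xE0  # sizeof(IMAGE_OPTIONAL_HEADER32)
    file_header = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, opt_size, 0x0102)
    optional_header = struct.pack("<H", 0x10B) + b"\0" * (opt_size - 2)
    section_table = b"".join(
        name.encode("latin-1").ljust(8, b"\0") + b"\0" * 32 for name in section_names
    )
    return dos_header + b"PE\0\0" + file_header + optional_header + section_table


if __name__ == "__main__":
    import sys

    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            print(path, sorted(detect_packers(fh.read())) or "no known packer sections")
```

Run it as `python packer_check.py 4.exe`. A positive result is a cheap reason to prioritise the file for dynamic analysis; a negative result means nothing, because renamed sections defeat it. The ACProtect signature on this page is not covered by this heuristic.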

Processes

  • C:\Windows\system32\msiexec.exe
    msiexec.exe /I "C:\Users\Admin\AppData\Local\Temp\新建文件夹 (2)\f49acfb27630f8962eb2fe80da75b3e09f4b3d69c8d3c316687200a1c8aa1f4f.msi"
    1⤵
    • Enumerates connected drives
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:1128
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Enumerates connected drives
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1404
    • C:\Program Files (x86)\默认公司名称\Firefox\4.exe
      "C:\Program Files (x86)\默认公司名称\Firefox\4.exe" /Commit
      (默认公司名称 is Chinese for "Default Company Name"; the path is kept verbatim because it is part of the indicator)
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of SetWindowsHookEx
      PID:1276
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:580
  • C:\Windows\system32\DrvInst.exe
    DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "0000000000000328" "0000000000000564"
    1⤵
    • Drops file in Windows directory
    • Modifies data under HKEY_USERS
    • Suspicious use of AdjustPrivilegeToken
    PID:1156
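Added detection logic, not part of the original report, run over constructed Sysmon-style events modelled on the process tree above. It flags a child of the Windows Installer service instance (msiexec.exe /V) whose image msiexec itself wrote and which then loads a DLL from a user-writable public directory, which is the chain msiexec (1404) -> 4.exe (1276) -> zl.dll suggests. The Event fields, the USER_WRITABLE list and the benign control process CAHelper.exe are this example's assumptions; the report does not say which process wrote zl.dll, so that file_create record in the sample data is invented.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    """One Sysmon-style telemetry record (constructed; field names are this example's own)."""
    kind: str                  # "process_create" | "file_create" | "image_load"
    pid: int                   # acting process; for process_create, the new process
    image: str                 # acting process image path
    cmdline: str = ""
    parent_image: str = ""
    parent_cmdline: str = ""
    target: str = ""           # file written (file_create) or module loaded (image_load)


# Directories every local user can write to. %TEMP% is deliberately left out:
# many installers extract and load helper DLLs there and it would drown the rule.
USER_WRITABLE = ("c:\\users\\public\\", "c:\\programdata\\")


def is_msiexec_service(image: str, cmdline: str) -> bool:
    """The Windows Installer service instance is launched as 'msiexec.exe /V'."""
    return image.lower().endswith("\\msiexec.exe") and "/v" in cmdline.lower().split()


def installer_child_findings(events) -> list[dict]:
    """Correlate file writes, process creations and image loads into findings."""
    events = list(events)
    dropped_by_msiexec = {
        e.target.lower() for e in events
        if e.kind == "file_create" and e.image.lower().endswith("\\msiexec.exe")
    }
    loads: dict[int, list[str]] = {}
    for e in events:
        if e.kind == "image_load":
            loads.setdefault(e.pid, []).append(e.target)

    findings = []
    for e in events:
        if e.kind != "process_create" or not is_msiexec_service(e.parent_image, e.parent_cmdline):
            continue
        reasons = []
        if e.image.lower() in dropped_by_msiexec:
            reasons.append("image was written by msiexec.exe in this session")
        for dll in loads.get(e.pid, []):
            low = dll.lower()
            if low.startswith(USER_WRITABLE) and low.endswith(".dll"):
                reasons.append(f"loaded DLL from user-writable path: {dll}")
        if reasons:
            # Custom actions legitimately run from Program Files, so the written-by-msiexec
            # reason alone is low; a DLL pulled from a public directory lifts it to high.
            severity = "high" if any(r.startswith("loaded DLL") for r in reasons) else "low"
            findings.append({"pid": e.pid, "image": e.image, "severity": severity, "reasons": reasons})
    return findings


MSIEXEC = r"C:\Windows\system32\msiexec.exe"
PAYLOAD = r"C:\Program Files (x86)\默认公司名称\Firefox\4.exe"

# Constructed telemetry: PIDs and paths taken from the report, everything else invented.
SAMPLE_EVENTS = [
    Event("process_create", 1404, MSIEXEC, MSIEXEC + " /V",
          r"C:\Windows\system32\services.exe", r"C:\Windows\system32\services.exe"),
    Event("file_create", 1404, MSIEXEC, target=PAYLOAD),
    Event("file_create", 1404, MSIEXEC, target=r"C:\Users\Public\Pictures\zl.dll"),  # writer unknown in the report
    Event("process_create", 1276, PAYLOAD, f'"{PAYLOAD}" /Commit', MSIEXEC, MSIEXEC + " /V"),
    Event("image_load", 1276, PAYLOAD, target=r"C:\Users\Public\Pictures\zl.dll"),
    # Benign control: a custom action that only loads system DLLs and was not dropped by msiexec.
    Event("process_create", 2000, r"C:\Program Files\Contoso\CAHelper.exe",
          r'"C:\Program Files\Contoso\CAHelper.exe" /Commit', MSIEXEC, MSIEXEC + " /V"),
    Event("image_load", 2000, r"C:\Program Files\Contoso\CAHelper.exe",
          target=r"C:\Windows\System32\version.dll"),
]


if __name__ == "__main__":
    for finding in installer_child_findings(SAMPLE_EVENTS):
        print(finding)
```

Only PID 1276 is reported, rated high; the control custom action produces no finding at all. Feeding real Sysmon event IDs 1, 11 and 7 into Event is a field-mapping exercise, the correlation logic does not change.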

Downloads

  • C:\Program Files (x86)\默认公司名称\Firefox\4.exe

    Filesize

    2.1MB

    MD5

    4ac3d60c4850e37a9b39976c1553df05

    SHA1

    45e5a0e35be7034e38543fc1a0c3f9ca3808fa5c

    SHA256

    c53eac22482ec00bebb3c006d442c7b48a448f9d0cc16a743af9a88de1a1da6c

    SHA512

    7b1e7044deab0f485e1968000df3409d003c38728ab6c07026b5818ed3f0550c32afa0149903e6696e306284b2680426ca8e38540292b35f60d3a8827d789753

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\RPQI3YTS\5A94SPCZ.htm

    Filesize

    377KB

    MD5

    4774e0999e7b5d0539f1577c1f628a91

    SHA1

    88c0ae3139a4ac1c19b96297249f370d2627a245

    SHA256

    65c65121c3deba8f282609f513ae2b8b2ca0c6f9c793c4eee9832510dff53de1

    SHA512

    a16e35326639cb29299a5a06257a779b21145f39afa0e6528a625ec0f18048a67e1d8962258d55d19d7daf2e232c6d8945ef9dba862614410af9dd8c47c2470b

  • \Users\Public\Pictures\zl.dll

    Filesize

    41KB

    MD5

    d0a62532cecac152bc553474d5899a94

    SHA1

    fbb691817dfbae7518648c82304e42288b8354e3

    SHA256

    242911c8ec9f435569637d5490219a181eb0438c98f8357227d6424e97485f49

    SHA512

    9e2150873aa2ce7fa360a5dda0e490f497b716282e827d89e85d50e166a73bd54bbedfa54b5fdb22b31dcfa297b564f922d2cbb152fe490ac336dd2e0fc3ea51

  • memory/1276-73-0x0000000000400000-0x0000000000873000-memory.dmp

    Filesize

    4.4MB

  • memory/1276-80-0x0000000010000000-0x0000000010021000-memory.dmp

    Filesize

    132KB

  • memory/1276-90-0x0000000000400000-0x0000000000873000-memory.dmp

    Filesize

    4.4MB

  • memory/1276-91-0x0000000010000000-0x0000000010021000-memory.dmp

    Filesize

    132KB

    (0x00400000 is the default image base of an EXE and 0x10000000 the default base of a DLL. The two 4.4MB dumps cover the 4.exe image, 2.1MB on disk but 0x473000 bytes once mapped, consistent with a packed executable that unpacks into its own sections; the two 132KB regions at 0x10000000 are consistent with the dropped zl.dll loaded into PID 1276, the only DLL the report lists as both dropped and loaded.)