Resubmissions

30/06/2023, 08:09

230630-j2ll3agf35 7

30/06/2023, 08:03

230630-jxpg6age93 10

Analysis

  • max time kernel
    300s
  • max time network
    303s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230621-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20230621-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    30/06/2023, 08:09

General

  • Target

    新建文件夹 (2)/f49acfb27630f8962eb2fe80da75b3e09f4b3d69c8d3c316687200a1c8aa1f4f.msi

  • Size

    2.4MB

  • MD5

    64039f083c96cab5ea0de62f789886ce

  • SHA1

    ffb89927ad892b7d6e3d6a88ec24a9d6a161dee2

  • SHA256

    f49acfb27630f8962eb2fe80da75b3e09f4b3d69c8d3c316687200a1c8aa1f4f

  • SHA512

    8eee7c46b8a031858acabe871616e92e95d2e3b4be5b8eae425bc412dc51470c578c6991ba2f3d290a1b96a556853454ea0bb69336e54b9b7aa28354af998fae

  • SSDEEP

    49152:3BiErnG0fwkAjwzYUrngrwjCBt4CFFDO84D2nng01WQhNzvS65R8ct:XnGvMzYUrhjCBZPO84DH01WQXzvP5xt

Score
7/10

Malware Config

Signatures

  • ACProtect 1.3x - 1.4x DLL software 1 IoCs

    Detects file using ACProtect software.

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • UPX packed file 1 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • VMProtect packed file 5 IoCs

    Detects executables packed with VMProtect commercial packer.

  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 2 IoCs
  • Drops file in Windows directory 8 IoCs
  • Checks SCSI registry key(s) 3 TTPs 5 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 5 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Windows\system32\msiexec.exe
    msiexec.exe /I "C:\Users\Admin\AppData\Local\Temp\新建文件夹 (2)\f49acfb27630f8962eb2fe80da75b3e09f4b3d69c8d3c316687200a1c8aa1f4f.msi"
    1⤵
    • Enumerates connected drives
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:4488
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Enumerates connected drives
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1540
    • C:\Windows\system32\srtasks.exe
      C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
      2⤵
        PID:2808
      • C:\Program Files (x86)\默认公司名称\Firefox\4.exe
        "C:\Program Files (x86)\默认公司名称\Firefox\4.exe" /Commit
        2⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of SetWindowsHookEx
        PID:1716
    • C:\Windows\system32\vssvc.exe
      C:\Windows\system32\vssvc.exe
      1⤵
      • Checks SCSI registry key(s)
      • Suspicious use of AdjustPrivilegeToken
      PID:1460

    Network

    MITRE ATT&CK Enterprise v6

    Downloads

    • C:\Program Files (x86)\默认公司名称\Firefox\4.exe

      Filesize

      2.1MB

      MD5

      4ac3d60c4850e37a9b39976c1553df05

      SHA1

      45e5a0e35be7034e38543fc1a0c3f9ca3808fa5c

      SHA256

      c53eac22482ec00bebb3c006d442c7b48a448f9d0cc16a743af9a88de1a1da6c

      SHA512

      7b1e7044deab0f485e1968000df3409d003c38728ab6c07026b5818ed3f0550c32afa0149903e6696e306284b2680426ca8e38540292b35f60d3a8827d789753

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\2K9QMOPD\8Q0ICXP2.htm

      Filesize

      377KB

      MD5

      7f188c456856eb42385eb47b3682a6eb

      SHA1

      d05335d2542a2099f088cb548209f9c4ece3e52a

      SHA256

      b5cbd3f085ca7c6ccddb1e6b648885a2f24bd414eaab582a56568142dbf5f1fd

      SHA512

      29e430d1f4bec7cb560e5b6fe53610581f1b8a2a6d2f8d75423f4ba6725ff3686d5cb5441373d991314aa0edad456537b537698636f1e575adc1d8692df1d03e

    • C:\Users\Public\Pictures\ms.dll

      Filesize

      41KB

      MD5

      d0a62532cecac152bc553474d5899a94

      SHA1

      fbb691817dfbae7518648c82304e42288b8354e3

      SHA256

      242911c8ec9f435569637d5490219a181eb0438c98f8357227d6424e97485f49

      SHA512

      9e2150873aa2ce7fa360a5dda0e490f497b716282e827d89e85d50e166a73bd54bbedfa54b5fdb22b31dcfa297b564f922d2cbb152fe490ac336dd2e0fc3ea51

    • \??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

      Filesize

      23.0MB

      MD5

      f6cdfa05ae50642f49b9c9f0f3ab745f

      SHA1

      c2c1b115f6f9f556dcba9f2b75e23783b3f1832a

      SHA256

      ae650ded4efb0151d2c38169f0b7ed515e9e07bf8415d9acfa406affa54809f8

      SHA512

      e8618bed7235ad97def0eb606972bad933f09c6f3af59c6f0272e99419cd303d5deef8ba39a3898f8c2f3d209887604671c770cfbb70ec2295ba283291c66671

    • \??\Volume{7f35703c-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{ed52cdd9-b887-4b6e-8540-71880bda00f3}_OnDiskSnapshotProp

      Filesize

      5KB

      MD5

      c9d04c7a97d36a8b0c11ef1a81437df0

      SHA1

      d2fb34cb36a5828404badf019e1537df0d93c9ab

      SHA256

      e68bb93c34955b8bf7f23aea3ae0e3018cfbb417dcd1d53ffad418218229ff20

      SHA512

      357bc4b4e8826cb2e8b6d37d0ddc47be061c8500053b7699b5e211276b6fe88ad5a8174a6f87c9837dda7fb9fc8c963a3738d2704fa69a0ffb4cff976793994e

    • memory/1716-152-0x0000000000400000-0x0000000000873000-memory.dmp

      Filesize

      4.4MB

    • memory/1716-155-0x0000000000400000-0x0000000000873000-memory.dmp

      Filesize

      4.4MB

    • memory/1716-161-0x0000000010000000-0x0000000010021000-memory.dmp

      Filesize

      132KB

    • memory/1716-171-0x0000000000400000-0x0000000000873000-memory.dmp

      Filesize

      4.4MB

    • memory/1716-173-0x0000000010000000-0x0000000010021000-memory.dmp

      Filesize

      132KB