Analysis
- max time kernel: 300s
- max time network: 303s
- platform: windows10-2004_x64
- resource: win10v2004-20230621-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230621-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 30/06/2023, 08:09
Behavioral task: behavioral1
- Sample: 新建文件夹 (2)/f49acfb27630f8962eb2fe80da75b3e09f4b3d69c8d3c316687200a1c8aa1f4f.msi
- Resource: win7-20230621-en
General
- Target: 新建文件夹 (2)/f49acfb27630f8962eb2fe80da75b3e09f4b3d69c8d3c316687200a1c8aa1f4f.msi
- Size: 2.4MB
- MD5: 64039f083c96cab5ea0de62f789886ce
- SHA1: ffb89927ad892b7d6e3d6a88ec24a9d6a161dee2
- SHA256: f49acfb27630f8962eb2fe80da75b3e09f4b3d69c8d3c316687200a1c8aa1f4f
- SHA512: 8eee7c46b8a031858acabe871616e92e95d2e3b4be5b8eae425bc412dc51470c578c6991ba2f3d290a1b96a556853454ea0bb69336e54b9b7aa28354af998fae
- SSDEEP: 49152:3BiErnG0fwkAjwzYUrngrwjCBt4CFFDO84D2nng01WQhNzvS65R8ct:XnGvMzYUrhjCBZPO84DH01WQXzvP5xt
Malware Config
Signatures
- ACProtect 1.3x - 1.4x DLL software (1 IoC)
  Detects file using ACProtect software.
  resource: behavioral2/files/0x0007000000023149-158.dat, yara_rule: acprotect
- Executes dropped EXE (1 IoC)
  pid 1716, process 4.exe
- Loads dropped DLL (1 IoC)
  pid 1716, process 4.exe
- resource: behavioral2/files/0x0007000000023149-158.dat, yara_rule: upx
- resource: behavioral2/files/0x00060000000232ba-150.dat, yara_rule: vmprotect
  resource: behavioral2/files/0x00060000000232ba-151.dat, yara_rule: vmprotect
  resource: behavioral2/memory/1716-152-0x0000000000400000-0x0000000000873000-memory.dmp, yara_rule: vmprotect
  resource: behavioral2/memory/1716-155-0x0000000000400000-0x0000000000873000-memory.dmp, yara_rule: vmprotect
  resource: behavioral2/memory/1716-171-0x0000000000400000-0x0000000000873000-memory.dmp, yara_rule: vmprotect
- Enumerates connected drives (3 TTPs, 46 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  All entries: description "File opened (read-only)", process msiexec.exe; ioc in reported order:
  \??\G:, \??\R:, \??\Z:, \??\K:, \??\M:, \??\Q:, \??\J:, \??\U:, \??\J:, \??\R:,
  \??\S:, \??\W:, \??\E:, \??\P:, \??\H:, \??\L:, \??\Q:, \??\A:, \??\H:, \??\O:,
  \??\S:, \??\X:, \??\B:, \??\P:, \??\X:, \??\B:, \??\I:, \??\L:, \??\T:, \??\W:,
  \??\A:, \??\G:, \??\Z:, \??\Y:, \??\Y:, \??\N:, \??\U:, \??\V:, \??\N:, \??\T:,
  \??\V:, \??\M:, \??\O:, \??\E:, \??\I:, \??\K:
- Drops file in Program Files directory (2 IoCs)
  File created C:\Program Files (x86)\默认公司名称\Firefox\1.exe (msiexec.exe)
  File created C:\Program Files (x86)\默认公司名称\Firefox\4.exe (msiexec.exe)
- Drops file in Windows directory (8 IoCs)
  File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log (msiexec.exe)
  File opened for modification C:\Windows\Installer\ (msiexec.exe)
  File created C:\Windows\Installer\inprogressinstallinfo.ipi (msiexec.exe)
  File created C:\Windows\Installer\SourceHash{86E75AD9-70FC-48CE-A92B-0217573E20DF} (msiexec.exe)
  File opened for modification C:\Windows\Installer\MSI4602.tmp (msiexec.exe)
  File created C:\Windows\Installer\e5744db.msi (msiexec.exe)
  File created C:\Windows\Installer\e5744d9.msi (msiexec.exe)
  File opened for modification C:\Windows\Installer\e5744d9.msi (msiexec.exe)
- Checks SCSI registry key(s) (3 TTPs, 5 IoCs)
  SCSI information is often read in order to detect sandboxing environments.
  Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters (vssvc.exe)
  Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr (vssvc.exe)
  Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 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 (vssvc.exe)
  Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 (vssvc.exe)
  Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters (vssvc.exe)
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid 1540, process msiexec.exe
  pid 1540, process msiexec.exe
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Tokens enabled by pid 4488 (msiexec.exe), in reported order:
  SeShutdownPrivilege, SeIncreaseQuotaPrivilege, [pid 1540 msiexec.exe: SeSecurityPrivilege],
  SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege, SeIncreaseQuotaPrivilege,
  SeMachineAccountPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege,
  SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege,
  SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeBackupPrivilege,
  SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege,
  SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeSyncAgentPrivilege,
  SeEnableDelegationPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
  Tokens enabled by pid 1460 (vssvc.exe):
  SeBackupPrivilege, SeRestorePrivilege, SeAuditPrivilege
  Tokens enabled by pid 1540 (msiexec.exe), in reported order:
  SeBackupPrivilege, SeRestorePrivilege, then SeRestorePrivilege/SeTakeOwnershipPrivilege alternating
  (SeRestorePrivilege 14 times, SeTakeOwnershipPrivilege 13 times, ending on SeRestorePrivilege)
- Suspicious use of FindShellTrayWindow (2 IoCs)
  pid 4488, process msiexec.exe
  pid 4488, process msiexec.exe
- Suspicious use of SetWindowsHookEx (2 IoCs)
  pid 1716, process 4.exe
  pid 1716, process 4.exe
- Suspicious use of WriteProcessMemory (5 IoCs)
  PID 1540 (msiexec.exe) wrote to memory of 2808, procid_target 102
  PID 1540 (msiexec.exe) wrote to memory of 2808, procid_target 102
  PID 1540 (msiexec.exe) wrote to memory of 1716, procid_target 104
  PID 1540 (msiexec.exe) wrote to memory of 1716, procid_target 104
  PID 1540 (msiexec.exe) wrote to memory of 1716, procid_target 104
- Uses Volume Shadow Copy service COM API
  The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
- C:\Windows\system32\msiexec.exe (PID 4488)
  Command line: msiexec.exe /I "C:\Users\Admin\AppData\Local\Temp\新建文件夹 (2)\f49acfb27630f8962eb2fe80da75b3e09f4b3d69c8d3c316687200a1c8aa1f4f.msi"
  Signatures: Enumerates connected drives; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow
- C:\Windows\system32\msiexec.exe (PID 1540)
  Command line: C:\Windows\system32\msiexec.exe /V
  Signatures: Enumerates connected drives; Drops file in Program Files directory; Drops file in Windows directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Windows\system32\srtasks.exe (PID 2808, child of 1540)
    Command line: C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  - C:\Program Files (x86)\默认公司名称\Firefox\4.exe (PID 1716, child of 1540)
    Command line: "C:\Program Files (x86)\默认公司名称\Firefox\4.exe" /Commit
    Signatures: Executes dropped EXE; Loads dropped DLL; Suspicious use of SetWindowsHookEx
- C:\Windows\system32\vssvc.exe (PID 1460)
  Command line: C:\Windows\system32\vssvc.exe
  Signatures: Checks SCSI registry key(s); Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 2.1MB
  MD5: 4ac3d60c4850e37a9b39976c1553df05
  SHA1: 45e5a0e35be7034e38543fc1a0c3f9ca3808fa5c
  SHA256: c53eac22482ec00bebb3c006d442c7b48a448f9d0cc16a743af9a88de1a1da6c
  SHA512: 7b1e7044deab0f485e1968000df3409d003c38728ab6c07026b5818ed3f0550c32afa0149903e6696e306284b2680426ca8e38540292b35f60d3a8827d789753
- Filesize: 2.1MB
  MD5: 4ac3d60c4850e37a9b39976c1553df05
  SHA1: 45e5a0e35be7034e38543fc1a0c3f9ca3808fa5c
  SHA256: c53eac22482ec00bebb3c006d442c7b48a448f9d0cc16a743af9a88de1a1da6c
  SHA512: 7b1e7044deab0f485e1968000df3409d003c38728ab6c07026b5818ed3f0550c32afa0149903e6696e306284b2680426ca8e38540292b35f60d3a8827d789753
- Filesize: 377KB
  MD5: 7f188c456856eb42385eb47b3682a6eb
  SHA1: d05335d2542a2099f088cb548209f9c4ece3e52a
  SHA256: b5cbd3f085ca7c6ccddb1e6b648885a2f24bd414eaab582a56568142dbf5f1fd
  SHA512: 29e430d1f4bec7cb560e5b6fe53610581f1b8a2a6d2f8d75423f4ba6725ff3686d5cb5441373d991314aa0edad456537b537698636f1e575adc1d8692df1d03e
- Filesize: 41KB
  MD5: d0a62532cecac152bc553474d5899a94
  SHA1: fbb691817dfbae7518648c82304e42288b8354e3
  SHA256: 242911c8ec9f435569637d5490219a181eb0438c98f8357227d6424e97485f49
  SHA512: 9e2150873aa2ce7fa360a5dda0e490f497b716282e827d89e85d50e166a73bd54bbedfa54b5fdb22b31dcfa297b564f922d2cbb152fe490ac336dd2e0fc3ea51
- Filesize: 23.0MB
  MD5: f6cdfa05ae50642f49b9c9f0f3ab745f
  SHA1: c2c1b115f6f9f556dcba9f2b75e23783b3f1832a
  SHA256: ae650ded4efb0151d2c38169f0b7ed515e9e07bf8415d9acfa406affa54809f8
  SHA512: e8618bed7235ad97def0eb606972bad933f09c6f3af59c6f0272e99419cd303d5deef8ba39a3898f8c2f3d209887604671c770cfbb70ec2295ba283291c66671
- \??\Volume{7f35703c-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{ed52cdd9-b887-4b6e-8540-71880bda00f3}_OnDiskSnapshotProp
  Filesize: 5KB
  MD5: c9d04c7a97d36a8b0c11ef1a81437df0
  SHA1: d2fb34cb36a5828404badf019e1537df0d93c9ab
  SHA256: e68bb93c34955b8bf7f23aea3ae0e3018cfbb417dcd1d53ffad418218229ff20
  SHA512: 357bc4b4e8826cb2e8b6d37d0ddc47be061c8500053b7699b5e211276b6fe88ad5a8174a6f87c9837dda7fb9fc8c963a3738d2704fa69a0ffb4cff976793994e