Analysis

  • max time kernel
    191s
  • max time network
    204s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230703-es
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20230703-es, locale:es-es, os:windows10-2004-x64, system, windows
  • submitted
    03/08/2023, 00:30

General

  • Target

    ContentComponents.msi

  • Size

    2.0MB

  • MD5

    1f876453b919daccdaea21f385fb1e28

  • SHA1

    76e82c01a564ca43f91790a063deca7f6aa28bdd

  • SHA256

    96fac7a175e67b7a1ba4e33932507d3990a60f8eda19756f0fa939ee0e2f27bc

  • SHA512

    ade298d51b8334d9ace7d8a8c6f27546c1b5de67e71d4bc5f58446792867d90ba2077bc440e6cfba2b6e934727515df932883894381b124881977577c48e985d

  • SSDEEP

    24576:xtrig59Qb7S9DR4AZqDH8TEDlID+RMyX99Gz3Ax5e6kWYIX1YTSqDN2+Qol6Ogz9:v2MN4jDcgB56y9i3E5e69RXGSXHe

Score
6/10

Malware Config

Signatures

  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 8 IoCs
  • Modifies data under HKEY_USERS 3 IoCs
  • Modifies registry class 22 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of WriteProcessMemory 2 IoCs

Processes

  • C:\Windows\system32\msiexec.exe
    msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\ContentComponents.msi
    1⤵
    • Enumerates connected drives
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:4996
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Enumerates connected drives
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Modifies data under HKEY_USERS
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2088
    • C:\Windows\system32\srtasks.exe
      C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:3148
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2996

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\Installer\e595d78.msi

    Filesize

    2.0MB

    MD5

    1f876453b919daccdaea21f385fb1e28

    SHA1

    76e82c01a564ca43f91790a063deca7f6aa28bdd

    SHA256

    96fac7a175e67b7a1ba4e33932507d3990a60f8eda19756f0fa939ee0e2f27bc

    SHA512

    ade298d51b8334d9ace7d8a8c6f27546c1b5de67e71d4bc5f58446792867d90ba2077bc440e6cfba2b6e934727515df932883894381b124881977577c48e985d

  • \??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

    Filesize

    23.0MB

    MD5

    4ce9dd2bf24f58cf8c593ebd7203ea50

    SHA1

    828c2cde9d1cb0c0a38d0a183ec29f992eadd079

    SHA256

    088a07a167c5695d096ca2be8c3f0bc0d258cbed5d370e2b18be53d70a8f876a

    SHA512

    107567954a6e165d2010c7c59d0cb5cad0f4f9a6d764ff8bed572c3bcd998d0afd4549fb3cb21ac9283711cb8b85eb167e737ee4961dceb3c45ae0a74c4674c0

  • \??\Volume{e5d54008-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{2f6cca6e-75ee-44bd-b741-fa5f7560f09d}_OnDiskSnapshotProp

    Filesize

    5KB

    MD5

    6b6fe0d6857ab3a5a6be6b61469063ff

    SHA1

    9e2cf99246394ec7408860fc33b5af74c80b93b9

    SHA256

    f37969c165368d4054bb2c7659a0a535dea088655404d78d927df2b3a4855295

    SHA512

    4b5312f0bf0666abb5b6080e920c92539d9aec10e8b42cd9e5715a0f28f479c94a8ad2bbf1182b047dff9456686a95257f9af14be813a700168a0760ec49135a