Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

7

Static

static

1

JJSploit_7...US.msi

windows7-x64

7

JJSploit_7...US.msi

windows10-2004-x64

6

Analysis

  • max time kernel
    46s
  • max time network
    50s
  • platform
    windows7_x64
  • resource
    win7-20230712-en
  • resource tags

    arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
  • submitted
    19/08/2023, 20:48

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    JJSploit_7.2.1_x86_en-US.msi

  • Size

    5.8MB

  • MD5

    4b884c18f4682189708c771c13ad573e

  • SHA1

    a74f992bc18c1936671cb38f1a94ce872ee4c687

  • SHA256

    e0b2d388d35046a5ce669e753adb96b8d6de670d352ae34fc41eaf79303a3d45

  • SHA512

    bc466b11352b4671caad01acb763d763e40a9e9d20eaf3e0f5b7e8d9b5ef939049570ee18e0e08301fc9cb65b9b83997cf9c884c3a0c47ac91fb1baabe980574

  • SSDEEP

    98304:Gr5BsITy5d5aaJweCkT8JdpF9aDK1ZcWmZYDpNTENWYbZkON/t1ZolL6r:EOITEaaJv+Jd9aDKUWJinDZol

Score
7/10

Malware Config

Signatures

  • Loads dropped DLL 1 IoCs
  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 23 IoCs
  • Drops file in Windows directory 12 IoCs
  • Modifies data under HKEY_USERS 46 IoCs
  • Modifies registry class 35 IoCs
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs

Processes

  • C:\Windows\system32\msiexec.exe
    msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\JJSploit_7.2.1_x86_en-US.msi
    1⤵
    • Enumerates connected drives
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:2284
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Enumerates connected drives
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Modifies data under HKEY_USERS
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2848
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding 858EA47424D0B156A832A70F27F1D4C4 C
      2⤵
      • Loads dropped DLL
      PID:2844
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -NoProfile -windowstyle hidden try { [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 } catch {}; Invoke-WebRequest -Uri "https://go.microsoft.com/fwlink/p/?LinkId=2124703" -OutFile "$env:TEMP\MicrosoftEdgeWebview2Setup.exe" ; Start-Process -FilePath "$env:TEMP\MicrosoftEdgeWebview2Setup.exe" -ArgumentList ('/silent', '/install') -Wait
      2⤵
      • Drops file in Program Files directory
      • Suspicious behavior: EnumeratesProcesses
      PID:1792
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
      PID:312
    • C:\Windows\system32\DrvInst.exe
      DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000005E4" "0000000000000328"
      1⤵
      • Drops file in Windows directory
      • Modifies data under HKEY_USERS
      PID:1488
    • C:\Windows\system32\LogonUI.exe
      "LogonUI.exe" /flags:0x0
      1⤵
        PID:768
      • C:\Windows\system32\LogonUI.exe
        "LogonUI.exe" /flags:0x1
        1⤵
          PID:616

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Program Files (x86)\JJSploit\JJSploit.exe
          Filesize

          9.9MB

          MD5

          325420af7bbb170cc7c94e3cab26c169

          SHA1

          dce685934565878c8fb925a45b1a8ac30dbd482c

          SHA256

          72be69123b64e13408d5c6ff629eea2bb3a8860e522380afa3ba079ff9d179c7

          SHA512

          0a53bf1cf7dd0ad2f95faf9f5ce3867e7a59de3ccdee6b5342d640911c29a918ca8f4e0231fc0e5fa346439b4231ec8973bc7c7d65dccef8b178d52f86296c1e

          Download Submit

        • C:\ProgramData\Microsoft\Windows\Start Menu\Programs\JJSploit\JJSploit.lnk
          Filesize

          2KB

          MD5

          a0a1ea9dd68e2778923305584c7ca8ca

          SHA1

          51b7a72d4cad9f9fff1fdd50e55192a29f66280b

          SHA256

          884ebc5ddb12470e53344a7f9ad3cb70f0952d1b7de9a21059d35a854f48b0c6

          SHA512

          87aadf811936e2d4daaf979ecf04a857d338b2f01fedcb0f4700cf6f2622f58c3a965c0bfb7bbb316b1a8d1cfa0bbf66103b4c85f8cfb2911df83371b3f2f5bf

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\MSI9369.tmp
          Filesize

          113KB

          MD5

          4fdd16752561cf585fed1506914d73e0

          SHA1

          f00023b9ae3c8ce5b7bb92f25011eaebe6f9d424

          SHA256

          aecd2d2fe766f6d439acc2bbf1346930ecc535012cf5ad7b3273d2875237b7e7

          SHA512

          3695e7eb1e35ec959243a91ab5b4454eb59aeef0f2699aa5de8e03de8fbb89f756a89130526da5c08815408cb700284a17936522ad2cad594c3e6e9d18a3f600

          Download Submit

        • C:\Windows\Installer\f76eb1a.msi
          Filesize

          5.8MB

          MD5

          4b884c18f4682189708c771c13ad573e

          SHA1

          a74f992bc18c1936671cb38f1a94ce872ee4c687

          SHA256

          e0b2d388d35046a5ce669e753adb96b8d6de670d352ae34fc41eaf79303a3d45

          SHA512

          bc466b11352b4671caad01acb763d763e40a9e9d20eaf3e0f5b7e8d9b5ef939049570ee18e0e08301fc9cb65b9b83997cf9c884c3a0c47ac91fb1baabe980574

          Download Submit

        • \Users\Admin\AppData\Local\Temp\MSI9369.tmp
          Filesize

          113KB

          MD5

          4fdd16752561cf585fed1506914d73e0

          SHA1

          f00023b9ae3c8ce5b7bb92f25011eaebe6f9d424

          SHA256

          aecd2d2fe766f6d439acc2bbf1346930ecc535012cf5ad7b3273d2875237b7e7

          SHA512

          3695e7eb1e35ec959243a91ab5b4454eb59aeef0f2699aa5de8e03de8fbb89f756a89130526da5c08815408cb700284a17936522ad2cad594c3e6e9d18a3f600

          Download Submit

        • memory/616-158-0x0000000002760000-0x0000000002761000-memory.dmp

          Filesize

          4KB

          Download

        • memory/768-157-0x0000000002A40000-0x0000000002A41000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1792-115-0x000007FEF5960000-0x000007FEF62FD000-memory.dmp

          Filesize

          9.6MB

          Download

        • memory/1792-114-0x0000000002590000-0x0000000002610000-memory.dmp

          Filesize

          512KB

          Download

        • memory/1792-116-0x0000000002590000-0x0000000002610000-memory.dmp

          Filesize

          512KB

          Download

        • memory/1792-117-0x0000000002590000-0x0000000002610000-memory.dmp

          Filesize

          512KB

          Download

        • memory/1792-118-0x0000000002590000-0x0000000002610000-memory.dmp

          Filesize

          512KB

          Download

        • memory/1792-120-0x000007FEF5960000-0x000007FEF62FD000-memory.dmp

          Filesize

          9.6MB

          Download

        • memory/1792-113-0x000007FEF5960000-0x000007FEF62FD000-memory.dmp

          Filesize

          9.6MB

          Download

        • memory/1792-112-0x0000000002330000-0x0000000002338000-memory.dmp

          Filesize

          32KB

          Download

        • memory/1792-111-0x000000001B190000-0x000000001B472000-memory.dmp

          Filesize

          2.9MB

          Download