Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

7

OINSTALL.exe

windows7-x64

10

OINSTALL.exe

windows10-2004-x64

Analysis

  • max time kernel
    23s
  • max time network
    29s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230915-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
  • submitted
    06/10/2023, 08:11

Sharing

Copy URL
Twitter E-mail

Errors

Reason
Machine shutdown
Report Analysis Logs

General

  • Target

    OINSTALL.exe

  • Size

    11.8MB

  • MD5

    ed1210b3c515ccdc89c8c919ace0d5c7

  • SHA1

    98ad0c0de859178532ace50c5a3219f7326074f8

  • SHA256

    4da5c99755138be6f7f6080c93b8d9262120dfef363092edef5c11f90f9d06a0

  • SHA512

    c65f72871d819c3d9ed8c429dde870e20a284bb958cb376d7535f4e4749122d274121f836543626bdfd7f9fce227161310ef61034fc9b3f9a0a0788b7071f663

  • SSDEEP

    196608:MxvDEJlrJ/3FMC7ujFXIDelqWRlrZOn+F2lEORWONUzoUz1SmEB9CI4J1GvrzkdN:Ww/3FMRN6el9rInQsAkUz1HOkyki+oA

Score
10/10
upx

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

http://officecdn.microsoft.com/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32.cab

Signatures

  • Blocklisted process makes network request 1 IoCs
  • Executes dropped EXE 1 IoCs
  • UPX packed file 4 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies data under HKEY_USERS 15 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\OINSTALL.exe
    "C:\Users\Admin\AppData\Local\Temp\OINSTALL.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4848
    • C:\Windows\system32\cmd.exe
      "C:\Windows\Sysnative\cmd.exe" /c WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionPath="C:\Users\Admin\AppData\Local\Temp\OINSTALL.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3676
      • C:\Windows\System32\Wbem\WMIC.exe
        WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionPath="C:\Users\Admin\AppData\Local\Temp\OINSTALL.exe"
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:3964
    • C:\Windows\system32\reg.exe
      "C:\Windows\Sysnative\reg.exe" add "HKLM\SOFTWARE\Microsoft\Windows Script Host\Settings" /v Enabled /t REG_DWORD /d 1 /f
      2⤵
        PID:1812
      • C:\Windows\system32\cmd.exe
        "C:\Windows\Sysnative\cmd.exe" /c WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionPath="C:\Users\Admin\AppData\Local\Temp\files"
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:2012
        • C:\Windows\System32\Wbem\WMIC.exe
          WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionPath="C:\Users\Admin\AppData\Local\Temp\files"
          3⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:2404
      • C:\Windows\system32\cmd.exe
        "C:\Windows\Sysnative\cmd.exe" /D /c files.dat -y -pkmsauto
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:2348
        • C:\Users\Admin\AppData\Local\Temp\files\files.dat
          files.dat -y -pkmsauto
          3⤵
          • Executes dropped EXE
          PID:2296
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -command "& { (New-Object Net.WebClient).DownloadFile('http://officecdn.microsoft.com/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32.cab', 'C:\Users\Admin\AppData\Local\Temp\over353818\v32.cab') }"
        2⤵
        • Blocklisted process makes network request
        • Suspicious behavior: EnumeratesProcesses
        PID:2512
      • C:\Windows\SysWOW64\expand.exe
        "expand" v32.cab -F:VersionDescriptor.xml C:\Users\Admin\AppData\Local\Temp\over353818
        2⤵
        • Drops file in Windows directory
        PID:4008
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -command "& { Get-Content C:\Users\Admin\AppData\Local\Temp\over353818\VersionDescriptor.xml | Set-Content -Encoding ASCII v32.txt }
        2⤵
          PID:4464
      • C:\Windows\system32\LogonUI.exe
        "LogonUI.exe" /flags:0x4 /state0:0xa39a0855 /state1:0x41c64e6d
        1⤵
        • Modifies data under HKEY_USERS
        • Suspicious use of SetWindowsHookEx
        PID:4880

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_z3yvf50g.25a.ps1
        Filesize

        60B

        MD5

        d17fe0a3f47be24a6453e9ef58c94641

        SHA1

        6ab83620379fc69f80c0242105ddffd7d98d5d9d

        SHA256

        96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

        SHA512

        5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\files\files.dat
        Filesize

        765KB

        MD5

        bb5569b15d68c10b7ff2d96b45825120

        SHA1

        d6d2ed450aae4552f550f59bffe3dd42d8377835

        SHA256

        4e3b13b56bec0e41778e6506430282bbbd75ccaa600fd4b645ce37dd95b44c8e

        SHA512

        640a9ae2d40c272638485d37fad4ed83c9c215ce60a0bd3d50db9f033aa79d4c7fc276d018b05f0b1d8446f5e84a7350c857ee8097c05a472c26bfb446038957

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\files\files.dat
        Filesize

        765KB

        MD5

        bb5569b15d68c10b7ff2d96b45825120

        SHA1

        d6d2ed450aae4552f550f59bffe3dd42d8377835

        SHA256

        4e3b13b56bec0e41778e6506430282bbbd75ccaa600fd4b645ce37dd95b44c8e

        SHA512

        640a9ae2d40c272638485d37fad4ed83c9c215ce60a0bd3d50db9f033aa79d4c7fc276d018b05f0b1d8446f5e84a7350c857ee8097c05a472c26bfb446038957

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\over353818\v32.cab
        Filesize

        11KB

        MD5

        1001374b634bbc8566a5ea123cf64abf

        SHA1

        35d1e1a9eded5354581f08d3207dd69d8cdb24d9

        SHA256

        2d8c1045e4be1285c5b57790a6e6117e7d8e31f74c191193b7eec0b6a45ec2fe

        SHA512

        e1fc58952f68e42b86fd222ba7c3c0d3ecfc20f3e83a8b1bdb2551ba70c2bab831729e499beace8c25f87ddaece0fe05d07b9c6a928a8af7b0d79e5cdb3635e2

        Download Submit

      • memory/2512-19-0x0000000002680000-0x00000000026B6000-memory.dmp

        Filesize

        216KB

        Download

      • memory/2512-35-0x0000000005CB0000-0x0000000005CFC000-memory.dmp

        Filesize

        304KB

        Download

      • memory/2512-20-0x0000000004DC0000-0x00000000053E8000-memory.dmp

        Filesize

        6.2MB

        Download

      • memory/2512-21-0x0000000004CC0000-0x0000000004CE2000-memory.dmp

        Filesize

        136KB

        Download

      • memory/2512-22-0x00000000054F0000-0x0000000005556000-memory.dmp

        Filesize

        408KB

        Download

      • memory/2512-23-0x0000000005610000-0x0000000005676000-memory.dmp

        Filesize

        408KB

        Download

      • memory/2512-18-0x0000000002720000-0x0000000002730000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2512-33-0x0000000005780000-0x0000000005AD4000-memory.dmp

        Filesize

        3.3MB

        Download

      • memory/2512-34-0x0000000005C80000-0x0000000005C9E000-memory.dmp

        Filesize

        120KB

        Download

      • memory/2512-17-0x0000000072D90000-0x0000000073540000-memory.dmp

        Filesize

        7.7MB

        Download

      • memory/2512-43-0x0000000072D90000-0x0000000073540000-memory.dmp

        Filesize

        7.7MB

        Download

      • memory/2512-37-0x0000000002720000-0x0000000002730000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2512-38-0x00000000072B0000-0x000000000792A000-memory.dmp

        Filesize

        6.5MB

        Download

      • memory/2512-39-0x0000000006180000-0x000000000619A000-memory.dmp

        Filesize

        104KB

        Download

      • memory/4848-36-0x0000000000400000-0x0000000001A99000-memory.dmp

        Filesize

        22.6MB

        Download

      • memory/4848-0-0x0000000000400000-0x0000000001A99000-memory.dmp

        Filesize

        22.6MB

        Download

      • memory/4848-44-0x0000000000400000-0x0000000001A99000-memory.dmp

        Filesize

        22.6MB

        Download

      • memory/4848-50-0x0000000000400000-0x0000000001A99000-memory.dmp

        Filesize

        22.6MB

        Download