Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

8

Static

static

1

e109076882...JC.msi

windows7-x64

e109076882...JC.msi

windows10-2004-x64

8

Analysis

  • max time kernel
    137s
  • max time network
    154s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230915-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
  • submitted
    10/10/2023, 20:57

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    e10907688283346891b3a0232545ec3b7cf926c402f5456a6fa1cd849e7e9092_JC.msi

  • Size

    1.2MB

  • MD5

    91ab2c89608fc49633b2474493eea552

  • SHA1

    57149066ebee5648344587be63eb467d3d765e14

  • SHA256

    e10907688283346891b3a0232545ec3b7cf926c402f5456a6fa1cd849e7e9092

  • SHA512

    e67db51fabc2e9ab3601ad48be4cadf48c799cc3164e86b805e118170dd89e4a0bac03dc9690528e3e606dad123526e29abe7e366865fb2e9c3ec3e953c2e90c

  • SSDEEP

    24576:dg+xLNIYVNMvZCFlp8zBQSc0ZoCEqKlqS0Ygll5RRYM/ZXAAZ:dg6IY4W8zBQSc0ZnRKr8RRYGZXAA

Score
8/10
persistence

Malware Config

Signatures

  • Blocklisted process makes network request 1 IoCs
  • Drops startup file 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 4 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Windows directory 12 IoCs
  • Modifies data under HKEY_USERS 15 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 53 IoCs
  • Suspicious use of FindShellTrayWindow 5 IoCs
  • Suspicious use of SendNotifyMessage 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Windows\system32\msiexec.exe
    msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\e10907688283346891b3a0232545ec3b7cf926c402f5456a6fa1cd849e7e9092_JC.msi
    1⤵
    • Enumerates connected drives
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:4208
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Enumerates connected drives
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1888
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding BF5A96D97B19BEFA796DE9B12637D4A0
      2⤵
      • Loads dropped DLL
      PID:1652
    • C:\Windows\Installer\MSI8CA0.tmp
      "C:\Windows\Installer\MSI8CA0.tmp" /DontWait /HideWindow "C:\Users\Admin\AppData\Roaming\MicrosoftOfficeW2H9p1T70CVTWPBNWcCjKm9T65bZMmSbsdOjQkkMDMURYAjDxhu5sCEvgGujXa72®rtlkxs\MicrosoftOfficeW2H9p1T70CVTWPBNWcCjKm9T65bZMmSbsdOjQkkMDMURYAjDxhu5sCEvgGujXa72®rtlkxs\fDdpuNcG.cmd"
      2⤵
      • Executes dropped EXE
      PID:1180
  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\MicrosoftOfficeW2H9p1T70CVTWPBNWcCjKm9T65bZMmSbsdOjQkkMDMURYAjDxhu5sCEvgGujXa72®rtlkxs\MicrosoftOfficeW2H9p1T70CVTWPBNWcCjKm9T65bZMmSbsdOjQkkMDMURYAjDxhu5sCEvgGujXa72®rtlkxs\fDdpuNcG.cmd" "
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2176
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      PowerShell -NoProfile -windowstyle hidden -ExecutionPolicy Bypass -nop -NoExit -Command -
      2⤵
      • Blocklisted process makes network request
      • Drops startup file
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:5112
      • C:\Windows\system32\shutdown.exe
        "C:\Windows\system32\shutdown.exe" -r -f -t 10 -c "Windows Updated Successfully"
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:2184
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo %fuGR5S?TqAPRkx% "
      2⤵
        PID:1936
    • C:\Windows\system32\LogonUI.exe
      "LogonUI.exe" /flags:0x4 /state0:0xa39b3855 /state1:0x41c64e6d
      1⤵
      • Modifies data under HKEY_USERS
      • Suspicious use of SetWindowsHookEx
      PID:992

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Config.Msi\e5809c2.rbs
      Filesize

      3KB

      MD5

      349d63b56ebdb652c0544a5d4de63f78

      SHA1

      3292719323501c89b92f15ff5c9be144ecd54354

      SHA256

      f5a0136f9907902bca98662633965ea5627caa796fe280b22c4c8d0cdca8c4da

      SHA512

      f6cb303f65056fd5e872e7f461dd636ba2118511dccdb3268e95875f6395849df6b261797867c91d665571ad1355e9e17ac4a5ebe53b4835ef7287557732b7ae

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_3wis1opy.xfc.ps1
      Filesize

      60B

      MD5

      d17fe0a3f47be24a6453e9ef58c94641

      SHA1

      6ab83620379fc69f80c0242105ddffd7d98d5d9d

      SHA256

      96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

      SHA512

      5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

      Download Submit

    • C:\Users\Admin\AppData\Roaming\MicrosoftOfficeW2H9p1T70CVTWPBNWcCjKm9T65bZMmSbsdOjQkkMDMURYAjDxhu5sCEvgGujXa72®rtlkxs\MicrosoftOfficeW2H9p1T70CVTWPBNWcCjKm9T65bZMmSbsdOjQkkMDMURYAjDxhu5sCEvgGujXa72®rtlkxs\fDdpuNcG.cmd
      Filesize

      30KB

      MD5

      5e94ca7417e9100775e8fa6c0f6cfb6a

      SHA1

      43680c9ba06b820eace8b04f5f99df0cc0524a41

      SHA256

      885ce089e82cee4e52a00f065268d33435a6f6a97a9c0a3e93f98e3e11cccfce

      SHA512

      f3252662116f8a675ab9c36e0b3327a9ced68568b6ad9308f48317359ff74578ac3da70d4b80240bf92d466b5cb4304c225211ccd2db159dacc8f3939c221007

      Download Submit

    • C:\Users\Admin\Documents\AMD64_\MyDoctF99CF7C®\BdeUnlockWizardCFacility3d02©.exe
      Filesize

      21KB

      MD5

      cc09bb7fdefc5763ccb3cf7dae2d76cf

      SHA1

      8610d07f27a961066134d728c82eb8e5f22e7e8f

      SHA256

      f8f00900edba2f64bf136dd0b6c83caf07c72f24f3d49c78b7ea24757fdbc6d0

      SHA512

      0c518487aa5bad357bd19ad09c6cfe0b8bb522d74a916d36cf01f1bd194b59cd8457784b199dc953570ad7ef8ce67464d066bda51e31b055c9d4d5ca060d45c5

      Download Submit

    • C:\Users\Admin\Documents\AMD64_\MyDoctF99CF7C®\D078DFF18C2.zip
      Filesize

      10.9MB

      MD5

      e78c0fd9d5c689d61c691fbfb517ed96

      SHA1

      1e1a04bf53cad5d618ac13cbeee6799d7421da4c

      SHA256

      2ab006744dd9bd94662fb16dd769a1d91a0204afde1d38e8af4d852338f7eeb3

      SHA512

      e3f5cd34e125b3283faab822da06b4c02e106ee56bbd6092d452b7bed5dbae89c710ac27a2b253c0dd4a03934a824445b27efd1261121fa82e70d0d1b4c20c63

      Download Submit

    • C:\Windows\Installer\MSI6B87.tmp
      Filesize

      436KB

      MD5

      5788efa607d26332d6d7f5e6a1f6bd6f

      SHA1

      e7749843cc3e89bc81649087de4ad44c93d48bc6

      SHA256

      9fc2608c9e5ef5a88dd91c82660fa297144ba6bbf4602140d638de7233a4625d

      SHA512

      ce472ca4f956da4160cfd9b9051455974e24dd8b23a0b7b197afd1f7552e37980809e523bedc0d4c2f4c9cb6ef300b221e6404e6e6a1b789b67756550ddd2104

      Download Submit

    • C:\Windows\Installer\MSI6B87.tmp
      Filesize

      436KB

      MD5

      5788efa607d26332d6d7f5e6a1f6bd6f

      SHA1

      e7749843cc3e89bc81649087de4ad44c93d48bc6

      SHA256

      9fc2608c9e5ef5a88dd91c82660fa297144ba6bbf4602140d638de7233a4625d

      SHA512

      ce472ca4f956da4160cfd9b9051455974e24dd8b23a0b7b197afd1f7552e37980809e523bedc0d4c2f4c9cb6ef300b221e6404e6e6a1b789b67756550ddd2104

      Download Submit

    • C:\Windows\Installer\MSI7D4B.tmp
      Filesize

      436KB

      MD5

      5788efa607d26332d6d7f5e6a1f6bd6f

      SHA1

      e7749843cc3e89bc81649087de4ad44c93d48bc6

      SHA256

      9fc2608c9e5ef5a88dd91c82660fa297144ba6bbf4602140d638de7233a4625d

      SHA512

      ce472ca4f956da4160cfd9b9051455974e24dd8b23a0b7b197afd1f7552e37980809e523bedc0d4c2f4c9cb6ef300b221e6404e6e6a1b789b67756550ddd2104

      Download Submit

    • C:\Windows\Installer\MSI7D4B.tmp
      Filesize

      436KB

      MD5

      5788efa607d26332d6d7f5e6a1f6bd6f

      SHA1

      e7749843cc3e89bc81649087de4ad44c93d48bc6

      SHA256

      9fc2608c9e5ef5a88dd91c82660fa297144ba6bbf4602140d638de7233a4625d

      SHA512

      ce472ca4f956da4160cfd9b9051455974e24dd8b23a0b7b197afd1f7552e37980809e523bedc0d4c2f4c9cb6ef300b221e6404e6e6a1b789b67756550ddd2104

      Download Submit

    • C:\Windows\Installer\MSI7D4B.tmp
      Filesize

      436KB

      MD5

      5788efa607d26332d6d7f5e6a1f6bd6f

      SHA1

      e7749843cc3e89bc81649087de4ad44c93d48bc6

      SHA256

      9fc2608c9e5ef5a88dd91c82660fa297144ba6bbf4602140d638de7233a4625d

      SHA512

      ce472ca4f956da4160cfd9b9051455974e24dd8b23a0b7b197afd1f7552e37980809e523bedc0d4c2f4c9cb6ef300b221e6404e6e6a1b789b67756550ddd2104

      Download Submit

    • C:\Windows\Installer\MSI7EE2.tmp
      Filesize

      436KB

      MD5

      5788efa607d26332d6d7f5e6a1f6bd6f

      SHA1

      e7749843cc3e89bc81649087de4ad44c93d48bc6

      SHA256

      9fc2608c9e5ef5a88dd91c82660fa297144ba6bbf4602140d638de7233a4625d

      SHA512

      ce472ca4f956da4160cfd9b9051455974e24dd8b23a0b7b197afd1f7552e37980809e523bedc0d4c2f4c9cb6ef300b221e6404e6e6a1b789b67756550ddd2104

      Download Submit

    • C:\Windows\Installer\MSI7EE2.tmp
      Filesize

      436KB

      MD5

      5788efa607d26332d6d7f5e6a1f6bd6f

      SHA1

      e7749843cc3e89bc81649087de4ad44c93d48bc6

      SHA256

      9fc2608c9e5ef5a88dd91c82660fa297144ba6bbf4602140d638de7233a4625d

      SHA512

      ce472ca4f956da4160cfd9b9051455974e24dd8b23a0b7b197afd1f7552e37980809e523bedc0d4c2f4c9cb6ef300b221e6404e6e6a1b789b67756550ddd2104

      Download Submit

    • C:\Windows\Installer\MSI8CA0.tmp
      Filesize

      389KB

      MD5

      377c83c6f0f37653ff911dc06e6c4274

      SHA1

      ce1e53b5bf0a220346ab7379b93c4341c24fdd8a

      SHA256

      c290a133b60220479acf0469781de847eb7e4a6b0c92de45ee9223be5e0ca769

      SHA512

      47bed026ef3d3e1a88a8cec3e0e2904029ec6f2e0ed9bb8d8836564fa713e882cf9bbf0d1e1dc7887072804578edd6af21b047d579f85f27bba733a20125fdd8

      Download Submit

    • C:\Windows\Installer\MSI8CA0.tmp
      Filesize

      389KB

      MD5

      377c83c6f0f37653ff911dc06e6c4274

      SHA1

      ce1e53b5bf0a220346ab7379b93c4341c24fdd8a

      SHA256

      c290a133b60220479acf0469781de847eb7e4a6b0c92de45ee9223be5e0ca769

      SHA512

      47bed026ef3d3e1a88a8cec3e0e2904029ec6f2e0ed9bb8d8836564fa713e882cf9bbf0d1e1dc7887072804578edd6af21b047d579f85f27bba733a20125fdd8

      Download Submit

    • C:\Windows\Installer\MSIDC6.tmp
      Filesize

      436KB

      MD5

      5788efa607d26332d6d7f5e6a1f6bd6f

      SHA1

      e7749843cc3e89bc81649087de4ad44c93d48bc6

      SHA256

      9fc2608c9e5ef5a88dd91c82660fa297144ba6bbf4602140d638de7233a4625d

      SHA512

      ce472ca4f956da4160cfd9b9051455974e24dd8b23a0b7b197afd1f7552e37980809e523bedc0d4c2f4c9cb6ef300b221e6404e6e6a1b789b67756550ddd2104

      Download Submit

    • C:\Windows\Installer\MSIDC6.tmp
      Filesize

      436KB

      MD5

      5788efa607d26332d6d7f5e6a1f6bd6f

      SHA1

      e7749843cc3e89bc81649087de4ad44c93d48bc6

      SHA256

      9fc2608c9e5ef5a88dd91c82660fa297144ba6bbf4602140d638de7233a4625d

      SHA512

      ce472ca4f956da4160cfd9b9051455974e24dd8b23a0b7b197afd1f7552e37980809e523bedc0d4c2f4c9cb6ef300b221e6404e6e6a1b789b67756550ddd2104

      Download Submit

    • memory/5112-50-0x000002AEAF500000-0x000002AEAF510000-memory.dmp

      Filesize

      64KB

      Download

    • memory/5112-49-0x000002AEAF500000-0x000002AEAF510000-memory.dmp

      Filesize

      64KB

      Download

    • memory/5112-51-0x000002AEB01C0000-0x000002AEB0204000-memory.dmp

      Filesize

      272KB

      Download

    • memory/5112-52-0x000002AEB0210000-0x000002AEB0286000-memory.dmp

      Filesize

      472KB

      Download

    • memory/5112-53-0x00007FFE74700000-0x00007FFE751C1000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/5112-54-0x000002AEAF500000-0x000002AEAF510000-memory.dmp

      Filesize

      64KB

      Download

    • memory/5112-48-0x00007FFE74700000-0x00007FFE751C1000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/5112-47-0x000002AE97100000-0x000002AE97122000-memory.dmp

      Filesize

      136KB

      Download

    • memory/5112-102-0x00007FFE74700000-0x00007FFE751C1000-memory.dmp

      Filesize

      10.8MB

      Download