Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

7

Static

static

1

d6a0ec474c...2e.msi

windows7-x64

7

d6a0ec474c...2e.msi

windows10-2004-x64

7

Analysis

  • max time kernel
    122s
  • max time network
    132s
  • platform
    windows7_x64
  • resource
    win7-20231025-en
  • resource tags

    arch:x64arch:x86image:win7-20231025-enlocale:en-usos:windows7-x64system
  • submitted
    19/11/2023, 21:13

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    d6a0ec474c1a9be4762a34e045e12327301b0b1c70b25a0475572b138dfbee2e.msi

  • Size

    309KB

  • MD5

    c9d54906e576c720fda1e23871435615

  • SHA1

    b5ecb6f22678599320b29c67e3517981ee991634

  • SHA256

    d6a0ec474c1a9be4762a34e045e12327301b0b1c70b25a0475572b138dfbee2e

  • SHA512

    cf6a1d155429f48cdb8f5aaf23b086c5ac48588ada49184941b00fe9a7fad8f3f1413c48c74dc9ee39fcced57a1becfe7a02abd2ce09f48e5e67e9c3b4676935

  • SSDEEP

    3072:1kxU0X04E6DG963DjY5AFwgz88ereWn/7w05g0ZCHbfIdn7k9uGkEp29wybtE7r2:1AIK3DjY5AQ8er1nzTubfIoZJ

Score
7/10
persistence

Malware Config

Signatures

  • Drops startup file 2 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 6 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Blocklisted process makes network request 1 IoCs
  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Windows directory 9 IoCs
  • Script User-Agent 1 IoCs

    Uses user-agent string associated with script host/environment.

  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 4 IoCs
  • Suspicious use of WriteProcessMemory 19 IoCs

Processes

  • C:\Windows\system32\msiexec.exe
    msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\d6a0ec474c1a9be4762a34e045e12327301b0b1c70b25a0475572b138dfbee2e.msi
    1⤵
    • Enumerates connected drives
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:2816
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Enumerates connected drives
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2624
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding ADAA761B81A1DD91512ECF15D01724FC
      2⤵
      • Drops startup file
      • Loads dropped DLL
      • Blocklisted process makes network request
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of WriteProcessMemory
      PID:3012
      • C:\Users\Admin\AppData\Roaming\Microsoft\pwa_helper.exe
        "C:\Users\Admin\AppData\Roaming\Microsoft\pwa_helper.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of WriteProcessMemory
        PID:1324
        • C:\Windows\SysWOW64\cmd.exe
          cmd.exe /c REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Admin" /t REG_SZ /F /D "C:\Users\Admin\AppData\Roaming\Microsoft\68c9g4uÆî.exe C:\Users\Admin\AppData\Roaming\Microsoft\ C:\Users\Admin\AppData\Roaming\Microsoft\msedge_elf.dll"
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:1780
          • C:\Windows\SysWOW64\reg.exe
            REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Admin" /t REG_SZ /F /D "C:\Users\Admin\AppData\Roaming\Microsoft\68c9g4uÆî.exe C:\Users\Admin\AppData\Roaming\Microsoft\ C:\Users\Admin\AppData\Roaming\Microsoft\msedge_elf.dll"
            5⤵
            • Adds Run key to start application
            PID:1216

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Config.Msi\f765287.rbs
    Filesize

    8KB

    MD5

    b2ac4a0630a46f7e757d244e47703ed3

    SHA1

    7d6e1bb0835e587d11fc73f5625866ab53e0dbfa

    SHA256

    1082adc84f9ea91803f67115a9f12e5ba6e8e554311682f4c01e62570f1c37e9

    SHA512

    5f5cfd01010c9235c6cbd1bca1a99ab4fd0a9454ab429319d1148d3ccabaad93db48195f7c60c55bb3472c655243f634b0ec6050969976a8e254b12f2d22e42f

    Download Submit

  • C:\Users\Admin\AppData\Roaming\MICROS~1\ggZFtt.zip
    Filesize

    12.4MB

    MD5

    c1ad4f8e1f8c14da4b3b22cd187c9704

    SHA1

    1201117ab8990c5d79ac9d3f2ca6d9f0b957819f

    SHA256

    00795d2dc7e3d6e7ff750cba12f6c7d88b5f1c49ee40c667872c9f02a5639a66

    SHA512

    cf581060d9a224c13e61dd4758a61dd19d6f47bc2c22686fc00712e6258a3e51f43f4baf4f104936e13b4a92082dfae69fd364e060a2ef46a5197b1220f84db9

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\msedge_elf.dll
    Filesize

    12.3MB

    MD5

    b053388436b2d35b80e8537c7b4d001d

    SHA1

    97454140927cd2b90be7eabd8985f6e7513e021f

    SHA256

    015ffb119b8b8a7817530aebca60de86af553b40639d67de6962bd658e586429

    SHA512

    053c0d42a73fe081d9f40a227ec30f82e6e4cd082a9cffbbbc90049c73cfed61c5143083e6fa0d4ede6d54ae2b3b7df34d0fe09d3b501ab0962f872500096c52

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\pwa_helper.exe
    Filesize

    602KB

    MD5

    d5124f98199f99af52ab19b23d8e8971

    SHA1

    25311bb0f9a8e8ad23c691ae2118866091d56867

    SHA256

    aa7400bd5bc2b21169b34f61b678be7162061e68031ccbf80321db119977f078

    SHA512

    c9899f978c25f807240999eb1ab77130b5c22ab32ed53beab16701aaf2de2951805c30729fef7b1770be5fc2a642efc66ad3922e5588acda3d22a2e2df151625

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\pwa_helper.exe
    Filesize

    602KB

    MD5

    d5124f98199f99af52ab19b23d8e8971

    SHA1

    25311bb0f9a8e8ad23c691ae2118866091d56867

    SHA256

    aa7400bd5bc2b21169b34f61b678be7162061e68031ccbf80321db119977f078

    SHA512

    c9899f978c25f807240999eb1ab77130b5c22ab32ed53beab16701aaf2de2951805c30729fef7b1770be5fc2a642efc66ad3922e5588acda3d22a2e2df151625

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\pwa_helper.exe
    Filesize

    602KB

    MD5

    d5124f98199f99af52ab19b23d8e8971

    SHA1

    25311bb0f9a8e8ad23c691ae2118866091d56867

    SHA256

    aa7400bd5bc2b21169b34f61b678be7162061e68031ccbf80321db119977f078

    SHA512

    c9899f978c25f807240999eb1ab77130b5c22ab32ed53beab16701aaf2de2951805c30729fef7b1770be5fc2a642efc66ad3922e5588acda3d22a2e2df151625

    Download Submit

  • C:\Windows\Installer\MSIA3ED.tmp
    Filesize

    91KB

    MD5

    9f1e5d66c2889018daef4aef604eebc4

    SHA1

    b80294261c8a1635e16e14f55a3d76889ff2c857

    SHA256

    02a81aea451cdfa2cd6668e3b814c4e50c6025e36b70ab972a8cc68aba5b3222

    SHA512

    8f8cbba79d2b6541e8b603a4a395cb938d77c358563bd745449bfee107ee64b88254a79ca5dd72fa05798a75c1464e7cca52556829f258009a3d33c9c3c5d39b

    Download Submit

  • C:\Windows\Installer\MSIA4B9.tmp
    Filesize

    91KB

    MD5

    9f1e5d66c2889018daef4aef604eebc4

    SHA1

    b80294261c8a1635e16e14f55a3d76889ff2c857

    SHA256

    02a81aea451cdfa2cd6668e3b814c4e50c6025e36b70ab972a8cc68aba5b3222

    SHA512

    8f8cbba79d2b6541e8b603a4a395cb938d77c358563bd745449bfee107ee64b88254a79ca5dd72fa05798a75c1464e7cca52556829f258009a3d33c9c3c5d39b

    Download Submit

  • \Users\Admin\AppData\Roaming\Microsoft\msedge_elf.dll
    Filesize

    12.3MB

    MD5

    b053388436b2d35b80e8537c7b4d001d

    SHA1

    97454140927cd2b90be7eabd8985f6e7513e021f

    SHA256

    015ffb119b8b8a7817530aebca60de86af553b40639d67de6962bd658e586429

    SHA512

    053c0d42a73fe081d9f40a227ec30f82e6e4cd082a9cffbbbc90049c73cfed61c5143083e6fa0d4ede6d54ae2b3b7df34d0fe09d3b501ab0962f872500096c52

    Download Submit

  • \Users\Admin\AppData\Roaming\Microsoft\pwa_helper.exe
    Filesize

    602KB

    MD5

    d5124f98199f99af52ab19b23d8e8971

    SHA1

    25311bb0f9a8e8ad23c691ae2118866091d56867

    SHA256

    aa7400bd5bc2b21169b34f61b678be7162061e68031ccbf80321db119977f078

    SHA512

    c9899f978c25f807240999eb1ab77130b5c22ab32ed53beab16701aaf2de2951805c30729fef7b1770be5fc2a642efc66ad3922e5588acda3d22a2e2df151625

    Download Submit

  • \Users\Admin\AppData\Roaming\Microsoft\pwa_helper.exe
    Filesize

    602KB

    MD5

    d5124f98199f99af52ab19b23d8e8971

    SHA1

    25311bb0f9a8e8ad23c691ae2118866091d56867

    SHA256

    aa7400bd5bc2b21169b34f61b678be7162061e68031ccbf80321db119977f078

    SHA512

    c9899f978c25f807240999eb1ab77130b5c22ab32ed53beab16701aaf2de2951805c30729fef7b1770be5fc2a642efc66ad3922e5588acda3d22a2e2df151625

    Download Submit

  • \Users\Admin\AppData\Roaming\Microsoft\pwa_helper.exe
    Filesize

    602KB

    MD5

    d5124f98199f99af52ab19b23d8e8971

    SHA1

    25311bb0f9a8e8ad23c691ae2118866091d56867

    SHA256

    aa7400bd5bc2b21169b34f61b678be7162061e68031ccbf80321db119977f078

    SHA512

    c9899f978c25f807240999eb1ab77130b5c22ab32ed53beab16701aaf2de2951805c30729fef7b1770be5fc2a642efc66ad3922e5588acda3d22a2e2df151625

    Download Submit

  • \Windows\Installer\MSIA3ED.tmp
    Filesize

    91KB

    MD5

    9f1e5d66c2889018daef4aef604eebc4

    SHA1

    b80294261c8a1635e16e14f55a3d76889ff2c857

    SHA256

    02a81aea451cdfa2cd6668e3b814c4e50c6025e36b70ab972a8cc68aba5b3222

    SHA512

    8f8cbba79d2b6541e8b603a4a395cb938d77c358563bd745449bfee107ee64b88254a79ca5dd72fa05798a75c1464e7cca52556829f258009a3d33c9c3c5d39b

    Download Submit

  • \Windows\Installer\MSIA4B9.tmp
    Filesize

    91KB

    MD5

    9f1e5d66c2889018daef4aef604eebc4

    SHA1

    b80294261c8a1635e16e14f55a3d76889ff2c857

    SHA256

    02a81aea451cdfa2cd6668e3b814c4e50c6025e36b70ab972a8cc68aba5b3222

    SHA512

    8f8cbba79d2b6541e8b603a4a395cb938d77c358563bd745449bfee107ee64b88254a79ca5dd72fa05798a75c1464e7cca52556829f258009a3d33c9c3c5d39b

    Download Submit

  • memory/1324-93-0x0000000000170000-0x0000000000171000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1324-106-0x0000000000190000-0x0000000000191000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1324-90-0x0000000070D70000-0x000000007239A000-memory.dmp

    Filesize

    22.2MB

    Download

  • memory/1324-94-0x00000000779B0000-0x00000000779B1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1324-86-0x0000000000160000-0x0000000000161000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1324-92-0x0000000000160000-0x0000000000161000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1324-96-0x0000000000170000-0x0000000000171000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1324-98-0x0000000000170000-0x0000000000171000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1324-99-0x0000000000180000-0x0000000000181000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1324-101-0x0000000000180000-0x0000000000181000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1324-103-0x0000000000180000-0x0000000000181000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1324-88-0x0000000000160000-0x0000000000161000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1324-108-0x0000000000190000-0x0000000000191000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1324-111-0x00000000001E0000-0x00000000001E1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1324-113-0x00000000001E0000-0x00000000001E1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1324-121-0x0000000000200000-0x0000000000201000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1324-118-0x00000000001F0000-0x00000000001F1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1324-116-0x00000000001F0000-0x00000000001F1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1324-123-0x0000000000200000-0x0000000000201000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1324-124-0x0000000070D70000-0x000000007239A000-memory.dmp

    Filesize

    22.2MB

    Download

  • memory/1324-126-0x0000000000210000-0x0000000000211000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1324-131-0x0000000070D70000-0x000000007239A000-memory.dmp

    Filesize

    22.2MB

    Download

  • memory/3012-14-0x0000000000910000-0x0000000000912000-memory.dmp

    Filesize

    8KB

    Download