Resubmissions

11/01/2024, 04:02

240111-ematssfba6 6

11/01/2024, 03:40

240111-d79yysdhcq 6

Analysis

  • max time kernel
    219s
  • max time network
    237s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-es
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20231215-es, locale:es-es, os:windows10-2004-x64, system, windows
  • submitted
    11/01/2024, 04:02

General

  • Target

    RebornInstaller.exe

  • Size

    100.6MB

  • MD5

    9813c03f3b82d1186378164e77cda452

  • SHA1

    67ae5bbc33a00318e50c3a55b3994a7dfab8beee

  • SHA256

    560a3d3cbd8df41cfa82df18f18af9d4ff8dbe05ca1cb044457b94c23386fcd0

  • SHA512

    c5b8d9d6b6547cb12417bbeefccb5d8bece105fd68ac9bf639c0883d00b8c131fc10a7de4d44c55c7088966e4f2e023f06f519c9d22037124b97014e929e0de4

  • SSDEEP

    3145728:/WVWbmcXONa59sar9okKjKzQAgLmgQfD:OQbHOA9NrrBQRaD

Score
6/10

Malware Config

Signatures

  • Enumerates connected drives (3 TTPs, 46 IoCs)

    Attempts to read the root path of hard drives other than the default C: drive.

  • Loads dropped DLL (1 IoC)
  • Checks SCSI registry key(s) (3 TTPs, 5 IoCs)

    SCSI information is often read in order to detect sandboxing environments.

  • Suspicious use of AdjustPrivilegeToken (64 IoCs)
  • Suspicious use of FindShellTrayWindow (1 IoC)
  • Suspicious use of WriteProcessMemory (6 IoCs)
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\RebornInstaller.exe
    "C:\Users\Admin\AppData\Local\Temp\RebornInstaller.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2412
    • C:\Windows\SysWOW64\msiexec.exe
      msiexec.exe /i C:\Users\Admin\AppData\Local\Temp\MSI5D3E.tmp
      2⤵
      • Enumerates connected drives
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      PID:4344
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Enumerates connected drives
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4932
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding 6465C53CB2488B124D0644999AB656C7 C
      2⤵
      • Loads dropped DLL
      PID:4712
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Checks SCSI registry key(s)
    PID:3980

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\MSI5D3E.tmp

    Filesize

    74.2MB

    MD5

    cceafa9a96d517f6950fc90ceaadce46

    SHA1

    c625f8565e75c8022c67858c6bde2bb52bac8a89

    SHA256

    204d0ea8ff729c8cc839d2ef12e23601b5ee47ec85e8f8bb037c2b7c9ea68068

    SHA512

    a2f986e638be472c99bbaaaddcff7b20214250a60b38faa414a940e5e41a440c43dcb451ac6ddbb2669b825e964730bff48beadcbdf4a17296671d631a021237

  • C:\Users\Admin\AppData\Local\Temp\MSIACE5.tmp

    Filesize

    113KB

    MD5

    4fdd16752561cf585fed1506914d73e0

    SHA1

    f00023b9ae3c8ce5b7bb92f25011eaebe6f9d424

    SHA256

    aecd2d2fe766f6d439acc2bbf1346930ecc535012cf5ad7b3273d2875237b7e7

    SHA512

    3695e7eb1e35ec959243a91ab5b4454eb59aeef0f2699aa5de8e03de8fbb89f756a89130526da5c08815408cb700284a17936522ad2cad594c3e6e9d18a3f600