Resubmissions

11/01/2024, 04:17

240111-ewj4tsfcf9 7

11/01/2024, 04:09

240111-eq4laafbg6 7

10/01/2024, 02:48

240110-darq4scdbn 7

10/01/2024, 02:33

240110-c2bcrscbfl 7

10/01/2024, 02:10

240110-cls8msdaf5 1

10/01/2024, 01:31

240110-bxfw1scec5 1

Analysis

  • max time kernel
    172s
  • max time network
    220s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-es
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20231215-es, locale:es-es, os:windows10-2004-x64, system, windows
  • submitted
    11/01/2024, 04:09

General

  • Target

    mal.zip

  • Size

    4.5MB

  • MD5

    15a36183a2d2c4a43f7f203548fbcb04

  • SHA1

    3ce2a3904eeef714abec465b55a0c20f6e47b079

  • SHA256

    ebb825664642befb034e02fdac2c2ed618f2832e563f1380f8f02e738e477345

  • SHA512

    67325d485999e25cbe1c31162af5f3f081de3a22b15cd7b79470c20276a4fb299762835d94e7a4ffa4756b41df9eba7d692d84d455d7645e5e09386a09b18e4f

  • SSDEEP

    98304:pOA4lR+FGuh9N2fQdB9ySsivCYOxSeWs10MS9UVmpLhVGQvnUQqy5H+:pSR+FGugfQdB9vlvChWmdS9U2LHFZF+

Score
7/10

Malware Config

Signatures

  • Loads dropped DLL 5 IoCs
  • Blocklisted process makes network request 1 IoCs
  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Windows directory 12 IoCs
  • Program crash 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 46 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Windows\Explorer.exe
    C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\mal.zip
    1⤵
    PID:4520
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
    PID:4788
  • C:\Windows\System32\msiexec.exe
    "C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\Documents\mal\DHGVD67JH-7DVCJ7HF-E7CLJHE7YH-E67FBHCH-7992643.msi"
    1⤵
    • Enumerates connected drives
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:1952
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Enumerates connected drives
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4724
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding 5EC4A117604576844B25538328EC98BF
      2⤵
      • Loads dropped DLL
      • Blocklisted process makes network request
      • Suspicious use of SetWindowsHookEx
      PID:1628
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 1628 -s 1044
        3⤵
        • Program crash
        PID:3828
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding 651D85CAEAE1B8C1147B8FDF176079F5
      2⤵
      PID:244
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 244 -s 1052
        3⤵
        • Program crash
        PID:1772
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding 7A71BBDA08A5C2D3D986276E8D0D9CDB
      2⤵
      PID:3292
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 3292 -s 1044
        3⤵
        • Program crash
        PID:2528
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1628 -ip 1628
    1⤵
    PID:1544
  • C:\Windows\System32\msiexec.exe
    "C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\Documents\mal\DHGVD67JH-7DVCJ7HF-E7CLJHE7YH-E67FBHCH-7992643.msi"
    1⤵
    PID:3932
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 244 -ip 244
    1⤵
    PID:4052
  • C:\Windows\System32\msiexec.exe
    "C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\Documents\mal\DHGVD67JH-7DVCJ7HF-E7CLJHE7YH-E67FBHCH-7992643.msi"
    1⤵
    PID:2632
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 3292 -ip 3292
    1⤵
    PID:2680

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\Installer\MSID8F1.tmp

    Filesize

    554KB

    MD5

    3b171ce087bb799aafcbbd93bab27f71

    SHA1

    7bd69efbc7797bdff5510830ca2cc817c8b86d08

    SHA256

    bb9a3c8972d89ad03c1dee3e91f03a13aca8d370185ac521b8c48040cc285ef4

    SHA512

    7700d86f6f2c6798bed1be6cd651805376d545f48f0a89c08f7032066431cb4df980688a360c44275b8d7f8010769dc236fbdaa0184125d016acdf158989ee38

  • C:\Windows\Installer\MSID8F1.tmp

    Filesize

    93KB

    MD5

    4dd7d13bf96ba74f8dcae2e35b88d14b

    SHA1

    93a4b897c6d997e9fb5b581e7e28ad96ce55f3f3

    SHA256

    0cd646e17b2c73ff124d381619c93df27edc91f42992210b7b278ed67793bbfc

    SHA512

    a9529638f88f7ab0469b8c5eddda0bb66a453b258803570480fea3acff97608286f9bedc2ebef29c5706c8113a6343b698ef38d5a9e517a1b8683ac6af83bb5b

  • C:\Windows\Installer\MSIDA0B.tmp

    Filesize

    92KB

    MD5

    6ab8165d3c4a3d66ad885dbd54adcb9a

    SHA1

    3ac08ee55156d1face02cf6d6223b3c7497774ac

    SHA256

    cc38aedbb568784f89c4251e28de7a8b351954878792ee1945ef13e0faa26e05

    SHA512

    07b0fb099faba14b0b9af72ca3fce1179cef284680feb611ff9b1f98c0dc04c2b884bcd6a91ab791ecc2e720aac24025942d72cb3abbcd40a3a98f497195d46c