Analysis

  • max time kernel
    87s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231222-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20231222-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    14/02/2024, 07:15

General

  • Target

    WindowsAgent.msi

  • Size

    28.6MB

  • MD5

    6285950894413022e257973b89be83bc

  • SHA1

    287e930cac8b1bbf40cdd56c85e9b52e97a8a6bd

  • SHA256

    30f991c5d2a6cc0456567c20cf32473a5ff173c4dc0f0ea7ba81c9a70801b051

  • SHA512

    3d995ca2af0da380b215b81d0cf69ea722589ae73c1526243c433459da6a0bedcb3e2b8a55a4a03b83967dfdd841841ca0f78d4782ce1d549ccec39d29f8c51d

  • SSDEEP

    786432:P0nSK22i0QPYKrVdWt3gpw5A1TqTwI1sDrS:cnxE0jK/WG+uTqcp

Score
7/10

Malware Config

Signatures

  • Modifies file permissions 1 TTPs 2 IoCs
  • Blocklisted process makes network request 2 IoCs
  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Windows directory 9 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • NSIS installer 5 IoCs
  • Checks SCSI registry key(s) 3 TTPs 5 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 49 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Windows\system32\msiexec.exe
    msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\WindowsAgent.msi
    1⤵
    • Blocklisted process makes network request
    • Enumerates connected drives
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:3672
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Enumerates connected drives
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4280
    • C:\Windows\system32\srtasks.exe
      C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:2732
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding C4ACCD1030AF595FFDD6F2D4F596955B
      2⤵
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:2136
      • C:\Windows\SysWOW64\ICACLS.EXE
        "C:\Windows\system32\ICACLS.EXE" "C:\Users\Admin\AppData\Local\Temp\MW-84bd4d36-041b-4d41-8dec-4513f5345a1f\." /SETINTEGRITYLEVEL (CI)(OI)HIGH
        3⤵
        • Modifies file permissions
        PID:1804
      • C:\Windows\SysWOW64\EXPAND.EXE
        "C:\Windows\system32\EXPAND.EXE" -R files.cab -F:* files
        3⤵
        • Drops file in Windows directory
        PID:4972
      • C:\Users\Admin\AppData\Local\Temp\MW-84bd4d36-041b-4d41-8dec-4513f5345a1f\files\nraccessInst.exe
        "C:\Users\Admin\AppData\Local\Temp\MW-84bd4d36-041b-4d41-8dec-4513f5345a1f\files\nraccessInst.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        PID:4340
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c rd /s /q "C:\Users\Admin\AppData\Local\Temp\MW-84bd4d36-041b-4d41-8dec-4513f5345a1f\files"
        3⤵
          PID:3160
        • C:\Windows\SysWOW64\ICACLS.EXE
          "C:\Windows\system32\ICACLS.EXE" "C:\Users\Admin\AppData\Local\Temp\MW-84bd4d36-041b-4d41-8dec-4513f5345a1f\." /SETINTEGRITYLEVEL (CI)(OI)LOW
          3⤵
          • Modifies file permissions
          PID:4852
    • C:\Windows\system32\vssvc.exe
      C:\Windows\system32\vssvc.exe
      1⤵
      • Checks SCSI registry key(s)
      • Suspicious use of AdjustPrivilegeToken
      PID:1124

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB

      Filesize

      471B

      MD5

      b94f30a5988e6f213c2a04302df21de5

      SHA1

      efc651a274263593eaef0df77dd9d32ca87e4ff3

      SHA256

      ebf623e188418efe9c820e145f0f86cb9f42d0ac7427c0e0d97019bb83e91a8b

      SHA512

      97ea3938ce4f61cd2c11dfb606c52689890e04d78e078e6ef86567a37fd3f635af2866d7f9904f3b0f16add005b301656f921acad74b2535add63e7a306fddea

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8EC9B1D0ABBD7F98B401D425828828CE_D23A670108001603BCDD132336F19794

      Filesize

      727B

      MD5

      cebd6a3ee89ff5fcb3403f5a85f158ec

      SHA1

      da5af6a83663b226a609094c1bc716ff083fc78c

      SHA256

      f15b2b2b7bb36714c4ab3b0546f57ec594a542268a53a78036d22b82411f7fc7

      SHA512

      cf154021928b932fb39d78d514d61540a4b79ce4df31ce5d81d33d8abb451899617daa107fc73e6abc5319e795864f1259b0c11341839232316b534cf6965e3e

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141

      Filesize

      727B

      MD5

      07be3d60b7ed629c615e368656d1583e

      SHA1

      c60121ca1b0161eb87bb1c5d6b5a415d022505b1

      SHA256

      5777fab5a9d0fb429ab73cde719e68ce168103392305aa5af2864d904febe6ad

      SHA512

      3c8d54a4c8599cc98e370033733a948cda09362337ebe00c97df158a0f5f8b6cc79de0a088bbf9308b15a38cebe51295402519d03bbd0f305c0cc8a69152c888

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB

      Filesize

      400B

      MD5

      9324f156e2e254200a093210761b0e5f

      SHA1

      1d84af1f640e8e66ac36c6fb3a0dbaf4da4972e2

      SHA256

      826e9eeb88307fcaebdc5909245c4b1ffbda8dd48ae043bac0a7baa3598cba6c

      SHA512

      68f08efda0e136c93e654afadec876023cc028b291a9be99fd2dd752e04814d1790092bf2cbe55ddb0e45b9a8818493a4b3c3e5a0cf168399fae5da7e744d6a6

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8EC9B1D0ABBD7F98B401D425828828CE_D23A670108001603BCDD132336F19794

      Filesize

      404B

      MD5

      66d53fee48d9f1de9ff2cfb4ae15726e

      SHA1

      3a9992a5db29b72f767654b13df06b6b503be2a4

      SHA256

      1e4e5756772789f9b8a5acacb7b0e81793c727312a6fb21ffbb3d63581fa39e6

      SHA512

      ba1b730b71ba9e98ab652ea6bc3b57ecff23a094a144eae5b9aa49b8f217e1ae3e4d8aed7c1aab6d318d81892d38ef81b4a694ae6dc35efa5840d1179aa01dd3

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141

      Filesize

      412B

      MD5

      81499a7c998f1ce59617e200a9f69744

      SHA1

      f49292acc2839c3989de7ca8fbef064765937621

      SHA256

      bcf53ee09186181dda474362a644eb7758c82853ddf650ceabcc3e45a8b8a6ad

      SHA512

      2f1601b9ccc489bde846bfb017646bb6b283e29fe79d1c5d04602b9f5ea601f352cbabcf14c2374f7feca46dd5d0c2c605522a373210af6dbc37af09848fb5b5

    • C:\Users\Admin\AppData\Local\Temp\MW-84bd4d36-041b-4d41-8dec-4513f5345a1f\files.cab

      Filesize

      5.8MB

      MD5

      3487d5460835b643f5f695e927eb5486

      SHA1

      0c5393e2f4fb7fd3a007986b0ef1e33f64512687

      SHA256

      05c1c8d252d60cda67eb3287913da7d6f96bdb47d546445fa8f4d12ad1fcb8f6

      SHA512

      67c0c29853443f17a483c4adfc7e784ed8ded824475eb48a7168bf0e38fc699018e5b92a6aa2d23704d26f74462553930604dbe3173e53e3771fbf579ec00403

    • C:\Users\Admin\AppData\Local\Temp\MW-84bd4d36-041b-4d41-8dec-4513f5345a1f\files\nraccessInst.exe

      Filesize

      166KB

      MD5

      2c6d72070b1786844ed2bea951baf9b9

      SHA1

      7598082d20252d152ff992705a52b18674446b59

      SHA256

      add28882b0c2168e3fdc854bd00b383398b2398df2c0ca8081baafddbc03b3a9

      SHA512

      9f15cb9ccd08e69d6eee61256ec1fab8dd66f0b1887860c4c1b46de8ef6a40135821b394e75296c8d8ae7cab0c1962773c73c8240d230ec733e7e11ea53fe8e2

    • C:\Users\Admin\AppData\Local\Temp\MW-84bd4d36-041b-4d41-8dec-4513f5345a1f\files\nraccessInst.exe

      Filesize

      7.1MB

      MD5

      3c6dd0c233e0cbbf2097764568a2eb19

      SHA1

      d5312739e78652a57014d29837e0dc8ef72f2052

      SHA256

      96cae73f53a9b793467425168df7441c982724b09ed763f1efe2cfc596dc55c0

      SHA512

      d2d34b00b1a02b89deb13e3c1c64d430c1b79c439074cc52cb08f6d96a67dfaaba906dec3d02fe976802f573175caba59ef72c1cffffcb220df88ace40fc2fe8

    • C:\Users\Admin\AppData\Local\Temp\MW-84bd4d36-041b-4d41-8dec-4513f5345a1f\msiwrapper.ini

      Filesize

      1KB

      MD5

      683f15367a294190e88d53d5b947aeae

      SHA1

      0f3557659f37fab40f20aed43a1839b7e658b3c2

      SHA256

      6d01b6c4b4578158b27720fbdf2712e85898d2bb4af6a3ba7d8fe4b6efb3f674

      SHA512

      8de9cfc553813cb7acd7fd0166759c94db95c4035ad86f42ea446723d75093b7ee624652c44be54f3db9ea0495880e63ee6d597fe5e5e4f04bc04bcf8eff3d88

    • C:\Users\Admin\AppData\Local\Temp\MW-84bd4d36-041b-4d41-8dec-4513f5345a1f\msiwrapper.ini

      Filesize

      1KB

      MD5

      19755cfef4625f083ac06857268c38b1

      SHA1

      859b5d244ad11e9d838c15feccc39ac90fe224f2

      SHA256

      e5fa507bb8cb85f8d2c9ab476a1779b8ef94535d3e569aa36081fa8192ba887b

      SHA512

      d29fcc1fb182729eeb41f39e7331e672292991cd09944f57e53212ce62b5cf422ebd50b80810943c71e8d5058be8d04dce507060e8bade23d0aa5ac7238db3c5

    • C:\Users\Admin\AppData\Local\Temp\nsw89B4.tmp\System.dll

      Filesize

      11KB

      MD5

      c17103ae9072a06da581dec998343fc1

      SHA1

      b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d

      SHA256

      dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f

      SHA512

      d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

    • C:\Users\Admin\AppData\Local\Temp\nsw89B4.tmp\UserInfo.dll

      Filesize

      4KB

      MD5

      7579ade7ae1747a31960a228ce02e666

      SHA1

      8ec8571a296737e819dcf86353a43fcf8ec63351

      SHA256

      564c80dec62d76c53497c40094db360ff8a36e0dc1bda8383d0f9583138997f5

      SHA512

      a88bc56e938374c333b0e33cb72951635b5d5a98b9cb2d6785073cbcad23bf4c0f9f69d3b7e87b46c76eb03ced9bb786844ce87656a9e3df4ca24acf43d7a05b

    • C:\Windows\Installer\MSI804C.tmp

      Filesize

      208KB

      MD5

      4caaa03e0b59ca60a3d34674b732b702

      SHA1

      ee80c8f4684055ac8960b9720fb108be07e1d10c

      SHA256

      d01af2b8c692dffb04a5a04e3ccd0d0a3b2c67c8fc45a4b68c0a065b4e64cc3d

      SHA512

      25888848871286bdd1f9c43a0fba35640edb5bafbe0c6aa2f9708a070ea4e5b16745b7c4f744ae4f5643f75ef47f196d430bf70921ed27715f712825ec590a34

    • \??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

      Filesize

      23.0MB

      MD5

      dc8127c27f05ed4d7426ee499199e3d6

      SHA1

      585657cc8789e79a7f6f36e2531534a7114e6d5e

      SHA256

      707e78e3faac4c6a07fc8c399b99e383e453657ad94596c8c6d57c3112c02a57

      SHA512

      d737382a255f3a8c9039c82d17e20fe17593ab323b666a71782f3dd8c6f9a1de0662e70f88c0da349c01b076b141237eb04e69a8e409817a8a02877882a1bd76

    • \??\Volume{542e36da-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{9e0bcca5-0000-4478-806f-59c1e9f08921}_OnDiskSnapshotProp

      Filesize

      6KB

      MD5

      5eab00840811481593f0830c04d228fc

      SHA1

      712a60dc6ba63912996914a389604af5ee45596d

      SHA256

      27cc3706deef740aca04a84c365bf9c25fd14169bd4fcfcd4c3fba4c8424e007

      SHA512

      e6e35ba0f8a15189eead1f149554807230dcf4b0512bc89f861e49948476c6c50129bf0bc5453a011a503a4203dd6b0c06e08c93a1b6e6e023326c33a7a05a47