Analysis

  • max time kernel
    36s
  • max time network
    48s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240221-en
  • resource tags
    arch:x64, arch:x86, image:win11-20240221-en, locale:en-us, os:windows11-21h2-x64, system
  • submitted
    07/03/2024, 20:04

General

  • Target

    Setup.msi

  • Size

    8.2MB

  • MD5

    cbcfe09907e07db5378203b6564dfd5e

  • SHA1

    de589ac64d8890170474751cb5caf693fb89cea6

  • SHA256

    f1cf69925bdeb7f269858cb9f83cb7322a5478b4c81cd4a55e211186b7961331

  • SHA512

    9cf82950cf04774dabe555f18c6566aea7eddcffee821398118f48e4add8acd9cca3656a856a5eab47d0d82c8b6b770fdd0a414acfeff7cd174b51e5516cd0f1

  • SSDEEP

    196608:/ITZXrMtwD/FK9IGRXCL2Q0pyHkiDoCsJd/GHqtpLxBWzt:/uJMtC/dGRybkaoCid/NFAt

Score
8/10

Malware Config

Signatures

  • Manipulates Digital Signatures 1 TTPs 4 IoCs

    Attackers can alter the Authenticode and cryptography registry keys so that their binary is treated as validly signed.

  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 62 IoCs
  • Drops file in Windows directory 22 IoCs
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 13 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • NSIS installer 2 IoCs
  • Checks SCSI registry key(s) 3 TTPs 29 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Modifies data under HKEY_USERS 42 IoCs
  • Modifies registry class 11 IoCs
  • Modifies system certificate store 2 TTPs 4 IoCs
  • Suspicious behavior: EnumeratesProcesses 12 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Windows\system32\msiexec.exe
    msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\Setup.msi
    • Enumerates connected drives
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:3764
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    • Enumerates connected drives
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2496
    • C:\Windows\system32\srtasks.exe
      C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
      PID:4780
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding B2A0CA96A0E78C0D9F4FF701007B1D51
      • Loads dropped DLL
      • Suspicious behavior: EnumeratesProcesses
      PID:3480
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding 7E06F32BF15C6AF05626EAECCFCC1099 E Global\MSI0000
      • Manipulates Digital Signatures
      • Loads dropped DLL
      • Suspicious behavior: EnumeratesProcesses
      PID:1472
      • C:\Windows\SysWOW64\rundll32.exe
        rundll32.exe "C:\Windows\Installer\MSI67C5.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_240674750 53 WixSharp!WixSharp.ResilientPackage.WixSharp_CreateResilientPackage_Action
        PID:4812
    • C:\Program Files (x86)\Betternet\5.3.0.433\tap-windows-9.21.2.exe
      "C:\Program Files (x86)\Betternet\5.3.0.433\tap-windows-9.21.2.exe" /S /SELECT_SHORTCUTS=0 /D=C:\Program Files (x86)\OpenVPN
      • Drops file in Program Files directory
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:3624
      • C:\Program Files\TAP-Windows\bin\tapinstall.exe
        "C:\Program Files\TAP-Windows\bin\tapinstall.exe" hwids tap0901
        • Executes dropped EXE
        • Checks SCSI registry key(s)
        PID:2808
      • C:\Program Files\TAP-Windows\bin\tapinstall.exe
        "C:\Program Files\TAP-Windows\bin\tapinstall.exe" install "C:\Program Files\TAP-Windows\driver\OemVista.inf" tap0901
        • Manipulates Digital Signatures
        • Drops file in Windows directory
        • Executes dropped EXE
        • Checks SCSI registry key(s)
        • Modifies data under HKEY_USERS
        • Modifies system certificate store
        PID:2244
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    • Checks SCSI registry key(s)
    • Suspicious use of AdjustPrivilegeToken
    PID:3064
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch -p -s DeviceInstall
    • Drops file in Windows directory
    • Checks SCSI registry key(s)
    • Suspicious use of WriteProcessMemory
    PID:2980
    • C:\Windows\system32\DrvInst.exe
      DrvInst.exe "4" "1" "c:\program files\tap-windows\driver\oemvista.inf" "9" "4d14a44ff" "0000000000000154" "WinSta0\Default" "0000000000000164" "208" "c:\program files\tap-windows\driver"
      PID:1596
    • C:\Windows\system32\DrvInst.exe
      DrvInst.exe "2" "211" "ROOT\NET\0000" "C:\Windows\INF\oem3.inf" "oem3.inf:3beb73aff103cc24:tap0901.ndi:9.0.0.21:tap0901," "4d14a44ff" "0000000000000154" "6bc8"
      PID:4736

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Program Files (x86)\Betternet\5.3.0.433\Betternet.exe (1.4MB)
  • C:\Program Files (x86)\Betternet\5.3.0.433\tap-windows-9.21.2.exe (250KB)
  • C:\Program Files\TAP-Windows\bin\tapinstall.exe (90KB)
  • C:\Program Files\TAP-Windows\driver\OemVista.inf (7KB)
  • C:\Users\Admin\AppData\Local\Temp\nsl600E.tmp\System.dll (11KB)
  • C:\Users\Admin\AppData\Local\Temp\nsl600E.tmp\UserInfo.dll (4KB)
  • C:\Users\Admin\AppData\Local\Temp\nsl600E.tmp\nsExec.dll (6KB)
  • C:\Windows\Installer\MSI56A8.tmp (287KB)
  • C:\Windows\Installer\MSI5968.tmp (202KB)
  • C:\Windows\Installer\MSI5D72.tmp (217KB)
  • C:\Windows\Installer\MSI67C5.tmp (359KB)
  • C:\Windows\Installer\MSI67C5.tmp-\Microsoft.Deployment.WindowsInstaller.dll (172KB)
  • C:\Windows\Installer\MSI67C5.tmp-\WixSharp.dll (364KB)
  • \??\c:\PROGRA~1\TAP-WI~1\driver\tap0901.sys (26KB)
  • \??\c:\program files\tap-windows\driver\tap0901.cat (19KB)
  • memory/4812-226-0x0000000002B50000-0x0000000002B60000-memory.dmp (64KB)
  • memory/4812-224-0x0000000002BF0000-0x0000000002C1E000-memory.dmp (184KB)
  • memory/4812-225-0x0000000002B50000-0x0000000002B60000-memory.dmp (64KB)
  • memory/4812-227-0x0000000002B50000-0x0000000002B60000-memory.dmp (64KB)
  • memory/4812-219-0x0000000073B00000-0x00000000742B1000-memory.dmp (7.7MB)
  • memory/4812-231-0x0000000004FF0000-0x0000000005052000-memory.dmp (392KB)
  • memory/4812-239-0x0000000073B00000-0x00000000742B1000-memory.dmp (7.7MB)