Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

7

Static

static

3

swat4_spdemo_en.exe

windows7-x64

7

swat4_spdemo_en.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    1797s
  • max time network
    1820s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    08/03/2024, 17:18

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    swat4_spdemo_en.exe

  • Size

    183.1MB

  • MD5

    37cd68b32d7b95b85d289fc3cdab305c

  • SHA1

    fcbdf4786fb70832d02f78548ab20e9b7ea62d4b

  • SHA256

    30657b042364630a3bda4ebc7ef2f9ddf5837e0128b0332396df31cfbefefa1e

  • SHA512

    f593606c016fdd9a5c72c1cb6f9fa49a6f008439bd605a8c8d9812995197aaaf0c0c1cd94977e55361b561a20cf920491d1e4f996f1b356f8832bc5b0e07a992

  • SSDEEP

    3145728:VeO4XB8wYHiFMRX0Jkl2Je3nvCl6GfkZJAvK4WyuozvpOPh8Rr23ttI1htVC0BwH:gLXOwYHimXMkdv664kgNWGxOPh8kze8

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 13 IoCs
  • Blocklisted process makes network request 2 IoCs
  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 9 IoCs
  • Drops file in Windows directory 11 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies data under HKEY_USERS 52 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Users\Admin\AppData\Local\Temp\swat4_spdemo_en.exe
    "C:\Users\Admin\AppData\Local\Temp\swat4_spdemo_en.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:2868
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Blocklisted process makes network request
    • Enumerates connected drives
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Modifies data under HKEY_USERS
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1636
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding A7AD5E8556204D5152A0DC497147C00D C
      2⤵
      • Loads dropped DLL
      PID:2292
  • C:\PROGRA~2\COMMON~1\INSTAL~1\Driver\10\INTEL3~1\IDriver.exe
    C:\PROGRA~2\COMMON~1\INSTAL~1\Driver\10\INTEL3~1\IDriver.exe -Embedding
    1⤵
    • Executes dropped EXE
    • Loads dropped DLL
    • Enumerates connected drives
    • Suspicious use of AdjustPrivilegeToken
    PID:1092
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
      PID:1372
    • C:\Windows\system32\DrvInst.exe
      DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000003E0" "00000000000003E4"
      1⤵
      • Drops file in Windows directory
      • Modifies data under HKEY_USERS
      PID:2096

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Config.Msi\f772226.rbs
      Filesize

      51KB

      MD5

      65984ebcecb4bae8505d1b8c95c83806

      SHA1

      7f84f45748fc064af33aedc7d8c8831af03fb06b

      SHA256

      6833327db09083feb948166bc8e3af59efeae414b509ce8e5d8bfd8f1b23e9b1

      SHA512

      4de5370696309bc3c2059a6eb4618f110057e98bb84dd476a1640509655789f7c31d7d43d10c99401fbab0263791fc509f2a1b454a042796a72483495e577cbf

      Download Submit

    • C:\PROGRA~2\COMMON~1\INSTAL~1\Driver\10\INTEL3~1\IDriver.exe
      Filesize

      744KB

      MD5

      a9d3658c5be72816812a5a32e4560ba3

      SHA1

      649003292ee74d2407fae441fb92b605a0d91f90

      SHA256

      b2527d1e2297506796f898e90907fb4c8c7e063f2898194e74152fa9ca21923f

      SHA512

      b80283aafbe8cd59720979d51a5524a1d53b001e59c6fe9693c754b238101ac6058122130e0be97ce22dc4f7edce9cd84aa4fde869bf728cff8fba1733638c5b

      Download Submit

    • C:\PROGRA~2\COMMON~1\INSTAL~1\Driver\10\INTEL3~1\IScrCnv.dll
      Filesize

      260KB

      MD5

      f6aabdf85821a9c61c61dec9408f40cc

      SHA1

      ddac695de73be7a67357aea89c7b9c2ca21fc4e1

      SHA256

      9ee23586d456db53d59fbaa8669e817461aeaf94f81237ead3f2c23cac8c40fa

      SHA512

      73d2e4352c4055c8d08ad5499fc4495ff6fa7613970f9c0a3cf73dae645fc9102e62cf9c7dd046d6bc3c909cbafd06a30812d1d9bcf8f34c4a253c09d628b538

      Download Submit

    • C:\PROGRA~2\COMMON~1\INSTAL~1\Driver\10\INTEL3~1\iGdiCnv.dll
      Filesize

      176KB

      MD5

      afdfec6679ce99596261ff182afbe9e6

      SHA1

      3289711e3ce8bb72bd84bb0bc33f95d958648f4c

      SHA256

      81b931aaf908e1e372802db04dfbe5256209d488bfe88d58841fc13acadedfd6

      SHA512

      c8ce4617d03084f37b8766f0505922a8f380e0d2745658864197535c43c3b2f985c4a2bac2228752857782181cd41167bfa4b784c7ce3e8a94932d58d099753a

      Download Submit

    • C:\PROGRA~2\COMMON~1\INSTAL~1\Driver\10\INTEL3~1\iusercnv.dll
      Filesize

      168KB

      MD5

      197c2ce7cf2a98ae895ece98d88b8245

      SHA1

      f734d8dc508138501e79b384fe1a689920c6ba93

      SHA256

      260924991dff4fbd2f691913007aee1f3136708671ef3309b4f9ec8687da6f1e

      SHA512

      a7ff5f0d56a13d340d9ec1b977f9e995bf7dc61f6bf4b8ecd7369793d39032a43e587146e6b9a9084be5a9cc709876bf971983a218c2af631d3950cd3391cd47

      Download Submit

    • C:\PROGRA~2\COMMON~1\INSTAL~1\Driver\10\INTEL3~1\objpscnv.dll
      Filesize

      32KB

      MD5

      aba70b81a5811e7b140271595d66f06f

      SHA1

      42ef824151e67cf921d861d83872c9ef13b500e6

      SHA256

      26d4765c2461fccd669e455d33659397d6f82fe261ece256c3f19b831dcfa0ba

      SHA512

      8780d68124e309b8ec2dbbbac18be3291fefabfd6ed9154645eddfb4dd8076e2fda97168d7c5ea9b378b54ee900f75bd409736cfc1262e0d167e0ff62078de0a

      Download Submit

    • C:\Program Files (x86)\Common Files\InstallShield\Driver\10\Intel 32\ISRT.DLL
      Filesize

      400KB

      MD5

      db28ca3ba3c2045aa7b6e59aa9831c68

      SHA1

      55b44ea55f3a04b916339c81e1cc3f3db62d54cc

      SHA256

      ca41725fb64338211a9f9740f45f1b0c4d80e6c7e84a1d2e5580dcecbf87e489

      SHA512

      82c409611e61acad6b2986372ff72682e611b7ee5a88e74fec9c7864ce50c7494adba4165a44f2cc99b93daee33ad67320aed4fd5f85ef2fbc4779bf69f55efb

      Download Submit

    • C:\Program Files (x86)\Common Files\InstallShield\Driver\10\Intel 32\_ISRES1033.DLL
      Filesize

      528KB

      MD5

      1c1332bf83f505cb60e06c76fe111cdd

      SHA1

      3c80e9bd5a41ac3f8fa129d61261ea07db29f801

      SHA256

      9602fafb7de17b14a3474c64944db928ef6c23e20935c0e82e918fa2447cc979

      SHA512

      bd7cb4113f5b6067c55e7df1f6dac6b4058a0bdc9b0e7d6875f1718bdcc84d315ea8a2d373a45c47c82326a74cbce41a508f493eac59db99f7cd5e4f33ac575f

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
      Filesize

      67KB

      MD5

      753df6889fd7410a2e9fe333da83a429

      SHA1

      3c425f16e8267186061dd48ac1c77c122962456e

      SHA256

      b42dc237e44cbc9a43400e7d3f9cbd406dbdefd62bfe87328f8663897d69df78

      SHA512

      9d56f79410ad0cf852c74c3ef9454e7ae86e80bdd6ff67773994b48ccac71142bcf5c90635da6a056e1406e81e64674db9584928e867c55b77b59e2851cf6444

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\MSI4470.tmp
      Filesize

      108KB

      MD5

      147c19d5e3eab8d42aee4c115b9356de

      SHA1

      33259c451d12ebf254fb10831f737bc9489dee04

      SHA256

      3086adadbf898a7f656223b3b6425e8fc9c8774f60883077500d1a378e731e71

      SHA512

      128c82534f36e6da35bc38b30ba14db4194138a5cb5405cc86c1e90e3bcb02a5aecb5831d6216c816bdd7830c0da1acbbd9feda84594782a3137885993cb5efc

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\_isDF77\0x0409.ini
      Filesize

      5KB

      MD5

      6c87581375d4e4789761b9833c2a1b4d

      SHA1

      310395fde36429b08b615831152399db7e4267a2

      SHA256

      43160e278e4302e378e754149c6394bc51d1969a7941687cfcc6c00b25151282

      SHA512

      ff499900dd9ae154825bb1b8a65f7c53367a4a75131ce1aa08ffbd0bbaae4d8e3a062455d74b8dce41fc89648bed33fb2ecd95e7ba57098caa7ca652f176dfd2

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\_isDF77\ISScript10.Msi
      Filesize

      875KB

      MD5

      f93a766e58d9c06b5cfd7c095fdd4b97

      SHA1

      d02e24a8c14bc127ff1cbac8ef7c43830142d0e0

      SHA256

      c00e1e874d0093112e898c615b0f81fa8a0974c25cf01638fe6acb949b1940ed

      SHA512

      65089a6b7a916716866192781af098b8939ad8ef5881abfafbfebc53fd747c3af5b2451668f4e60ca6c3c15eacf485e009c260e710ab934537c4d98ab67d3bbe

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\_isDF77\SWAT 4 Single Player Demo.msi
      Filesize

      36.0MB

      MD5

      1195982acc01fea9eed121b7a003d8d1

      SHA1

      695c933b92228c9d17a5b53383b7a8ed2c922679

      SHA256

      ce04fc495c548643531d8a48f9b9ebddd7455d158e36d669d3e6716b00352b40

      SHA512

      7e790307a139fc05c164448af5aad0d0f0b1b88e9d2dd38f14b4b3b3dc82e8c3b2c4b7a9d86a74fd9ee659f3b4c1b608abfdd0bce46db61e30f0cd120673afbf

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\_isDF77\_ISMSIDEL.INI
      Filesize

      305B

      MD5

      89865e421fd9ca03d5d76e8fcd5c5f56

      SHA1

      1c8f6dd1a396b350ae30e480c1bea26d5718a84e

      SHA256

      c8f85362086cca87e1bf9275e5eb7fdece81f44a6e2b2a4571e8d3485930a138

      SHA512

      a097ef88271e474ed36415ab899f9d594b7e1693a10ec1e9a658a2c366d467eff8a686ca8f0d51c458f4b4e6dc882cf8aef501a37703b1b0904723f6aa0a86ed

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\~CAAF.tmp
      Filesize

      1KB

      MD5

      84a8c974c59231a84e0c741db73ed91c

      SHA1

      6eed5b21dbf679b07a2ee03f81f22209d32f0738

      SHA256

      6a75ae4f99b43d18fbfee8d4e35908c9665ee8bf1d6be5059c405f0a2f133fee

      SHA512

      aa3698d32c0c1ecdbae41585940a801c899fbab93ed99bd06caf9dc5ebd11779ee024c0b52f138e75b2f580099457ebc1ada798c0de439402d3105c65998e999

      Download Submit

    • \Users\Admin\AppData\Local\Temp\MSI4A98.tmp
      Filesize

      48KB

      MD5

      fa13aa9996fe8d85aa680e9f5e4f23e8

      SHA1

      cbc23243a9a595b6d91431c4c275c1ab2adc6642

      SHA256

      8f40c1dc28323a3c5310bf21372b9756ca547c20c7cf63197e071a9e1e66b31b

      SHA512

      9f4bd08583dbaadaec281d05d79c11a1dc1651d2d96cc4ecddd68e74178c3eec843e43bea14c546ba18b371177684dde0c21211e8fdb0369bbeeb5e31fdbe87e

      Download Submit

    • \Users\Admin\AppData\Local\Temp\{F2CA85EF-D86E-4F4C-99E7-8ED7AA18E7B8}\_ISUSER.DLL
      Filesize

      256KB

      MD5

      7f7e52355174b392d84af36a422906db

      SHA1

      e3e541204d609b1094075898025f5e17cda8049f

      SHA256

      a657145af747382905b641d32627d33c5e0e635ab95909e37fefcf9e479ee89e

      SHA512

      a2db7824101bd9d9ee2548495bb52d07e9f1ee54ae6af0435afeb0dd713115a2636464a98171dfe4e0193315e86a811a926510ab74caaa3d915589085c1afd51

      Download Submit

    • memory/1092-173-0x000000000E410000-0x000000000E43C000-memory.dmp

      Filesize

      176KB

      Download

    • memory/1092-179-0x000000000F520000-0x000000000F586000-memory.dmp

      Filesize

      408KB

      Download

    • memory/1092-184-0x000000000F6A0000-0x000000000F726000-memory.dmp

      Filesize

      536KB

      Download

    • memory/1092-191-0x000000000F060000-0x000000000F08E000-memory.dmp

      Filesize

      184KB

      Download