Analysis
max time kernel: 120s
max time network: 131s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 09/03/2024, 00:06
Static task: static1

Behavioral tasks (task, sample, resource):
behavioral1   AMASS 2.0/AMASS/InstallationNotes.rtf                 win7-20240221-en
behavioral2   AMASS 2.0/AMASS/InstallationNotes.rtf                 win10v2004-20240226-en
behavioral3   AMASS 2.0/AMASS/ReleaseNotes.rtf                      win7-20231129-en
behavioral4   AMASS 2.0/AMASS/ReleaseNotes.rtf                      win10v2004-20240226-en
behavioral5   AMASS 2.0/AMASS/setup.exe                             win7-20240221-en
behavioral6   AMASS 2.0/AMASS/setup.exe                             win10v2004-20240226-en
behavioral7   AMASS 2.0/LicenseManager/LicenseManagerSetup.exe      win7-20240221-en
behavioral8   AMASS 2.0/LicenseManager/LicenseManagerSetup.exe      win10v2004-20240226-en
behavioral9   AMASS 2.0/Virus Scan Declaration.pdf                  win7-20240215-en
behavioral10  AMASS 2.0/Virus Scan Declaration.pdf                  win10v2004-20231215-en
behavioral11  AMASS 2.0/msvbvm60.dll                                win7-20240221-en
behavioral12  AMASS 2.0/msvbvm60.dll                                win10v2004-20240226-en
behavioral13  AMASS 2.0/setup.exe                                   win7-20240221-en
behavioral14  AMASS 2.0/setup.exe                                   win10v2004-20240226-en
General
Target: AMASS 2.0/AMASS/setup.exe
Size: 140.6MB
MD5: 0d8889f0d96f1564f8b990a297e48d1b
SHA1: 40d540ada5a734c711ddc8e1967816041dcc60d8
SHA256: 94c303148b663e9b069a4254d3a5d858bd14f173e0366053a1c0a076b49a1bf9
SHA512: 71caa952272355f290293edd571a3cea4d76f7c29efee5c17ceba8f68c30f2540b2b56835859b3856b5affb6f1b9fedf734c86f454c006f0edfda9c72625a123
SSDEEP: 3145728:eRFAvw1IEslZM6FCb9ymhlU8JxRiQtppxCAbWxeTbBJyVcAG09vvF34lMsZl:DiSFFCEmVJxcQRxdbWxGb7yakvyxl
Malware Config
Signatures

Enumerates connected drives (3 TTPs, 46 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description              ioc     Process
File opened (read-only)  \??\W:  msiexec.exe
File opened (read-only)  \??\Z:  msiexec.exe
File opened (read-only)  \??\B:  MSIEXEC.EXE
File opened (read-only)  \??\E:  MSIEXEC.EXE
File opened (read-only)  \??\O:  MSIEXEC.EXE
File opened (read-only)  \??\Y:  MSIEXEC.EXE
File opened (read-only)  \??\T:  MSIEXEC.EXE
File opened (read-only)  \??\A:  msiexec.exe
File opened (read-only)  \??\K:  msiexec.exe
File opened (read-only)  \??\O:  msiexec.exe
File opened (read-only)  \??\H:  MSIEXEC.EXE
File opened (read-only)  \??\J:  MSIEXEC.EXE
File opened (read-only)  \??\N:  MSIEXEC.EXE
File opened (read-only)  \??\S:  MSIEXEC.EXE
File opened (read-only)  \??\J:  msiexec.exe
File opened (read-only)  \??\I:  MSIEXEC.EXE
File opened (read-only)  \??\K:  MSIEXEC.EXE
File opened (read-only)  \??\X:  MSIEXEC.EXE
File opened (read-only)  \??\B:  msiexec.exe
File opened (read-only)  \??\M:  MSIEXEC.EXE
File opened (read-only)  \??\R:  MSIEXEC.EXE
File opened (read-only)  \??\H:  msiexec.exe
File opened (read-only)  \??\Q:  msiexec.exe
File opened (read-only)  \??\S:  msiexec.exe
File opened (read-only)  \??\Y:  msiexec.exe
File opened (read-only)  \??\A:  MSIEXEC.EXE
File opened (read-only)  \??\G:  MSIEXEC.EXE
File opened (read-only)  \??\U:  MSIEXEC.EXE
File opened (read-only)  \??\P:  msiexec.exe
File opened (read-only)  \??\I:  msiexec.exe
File opened (read-only)  \??\L:  msiexec.exe
File opened (read-only)  \??\R:  msiexec.exe
File opened (read-only)  \??\L:  MSIEXEC.EXE
File opened (read-only)  \??\Q:  MSIEXEC.EXE
File opened (read-only)  \??\V:  MSIEXEC.EXE
File opened (read-only)  \??\E:  msiexec.exe
File opened (read-only)  \??\Z:  MSIEXEC.EXE
File opened (read-only)  \??\G:  msiexec.exe
File opened (read-only)  \??\T:  msiexec.exe
File opened (read-only)  \??\U:  msiexec.exe
File opened (read-only)  \??\V:  msiexec.exe
File opened (read-only)  \??\X:  msiexec.exe
File opened (read-only)  \??\P:  MSIEXEC.EXE
File opened (read-only)  \??\W:  MSIEXEC.EXE
File opened (read-only)  \??\M:  msiexec.exe
File opened (read-only)  \??\N:  msiexec.exe

Executes dropped EXE (1 IoC)
pid   Process
2968  setup.exe

Loads dropped DLL (2 IoCs)
pid   Process
2364  setup.exe
2912  MsiExec.exe

Suspicious use of AdjustPrivilegeToken (64 IoCs)
description                             pid   Process
Token: SeShutdownPrivilege              2488  MSIEXEC.EXE
Token: SeIncreaseQuotaPrivilege         2488  MSIEXEC.EXE
Token: SeRestorePrivilege               2504  msiexec.exe
Token: SeTakeOwnershipPrivilege         2504  msiexec.exe
Token: SeSecurityPrivilege              2504  msiexec.exe
Token: SeCreateTokenPrivilege           2488  MSIEXEC.EXE
Token: SeAssignPrimaryTokenPrivilege    2488  MSIEXEC.EXE
Token: SeLockMemoryPrivilege            2488  MSIEXEC.EXE
Token: SeIncreaseQuotaPrivilege         2488  MSIEXEC.EXE
Token: SeMachineAccountPrivilege        2488  MSIEXEC.EXE
Token: SeTcbPrivilege                   2488  MSIEXEC.EXE
Token: SeSecurityPrivilege              2488  MSIEXEC.EXE
Token: SeTakeOwnershipPrivilege         2488  MSIEXEC.EXE
Token: SeLoadDriverPrivilege            2488  MSIEXEC.EXE
Token: SeSystemProfilePrivilege         2488  MSIEXEC.EXE
Token: SeSystemtimePrivilege            2488  MSIEXEC.EXE
Token: SeProfSingleProcessPrivilege     2488  MSIEXEC.EXE
Token: SeIncBasePriorityPrivilege       2488  MSIEXEC.EXE
Token: SeCreatePagefilePrivilege        2488  MSIEXEC.EXE
Token: SeCreatePermanentPrivilege       2488  MSIEXEC.EXE
Token: SeBackupPrivilege                2488  MSIEXEC.EXE
Token: SeRestorePrivilege               2488  MSIEXEC.EXE
Token: SeShutdownPrivilege              2488  MSIEXEC.EXE
Token: SeDebugPrivilege                 2488  MSIEXEC.EXE
Token: SeAuditPrivilege                 2488  MSIEXEC.EXE
Token: SeSystemEnvironmentPrivilege     2488  MSIEXEC.EXE
Token: SeChangeNotifyPrivilege          2488  MSIEXEC.EXE
Token: SeRemoteShutdownPrivilege        2488  MSIEXEC.EXE
Token: SeUndockPrivilege                2488  MSIEXEC.EXE
Token: SeSyncAgentPrivilege             2488  MSIEXEC.EXE
Token: SeEnableDelegationPrivilege      2488  MSIEXEC.EXE
Token: SeManageVolumePrivilege          2488  MSIEXEC.EXE
Token: SeImpersonatePrivilege           2488  MSIEXEC.EXE
Token: SeCreateGlobalPrivilege          2488  MSIEXEC.EXE
Token: SeCreateTokenPrivilege           2488  MSIEXEC.EXE
Token: SeAssignPrimaryTokenPrivilege    2488  MSIEXEC.EXE
Token: SeLockMemoryPrivilege            2488  MSIEXEC.EXE
Token: SeIncreaseQuotaPrivilege         2488  MSIEXEC.EXE
Token: SeMachineAccountPrivilege        2488  MSIEXEC.EXE
Token: SeTcbPrivilege                   2488  MSIEXEC.EXE
Token: SeSecurityPrivilege              2488  MSIEXEC.EXE
Token: SeTakeOwnershipPrivilege         2488  MSIEXEC.EXE
Token: SeLoadDriverPrivilege            2488  MSIEXEC.EXE
Token: SeSystemProfilePrivilege         2488  MSIEXEC.EXE
Token: SeSystemtimePrivilege            2488  MSIEXEC.EXE
Token: SeProfSingleProcessPrivilege     2488  MSIEXEC.EXE
Token: SeIncBasePriorityPrivilege       2488  MSIEXEC.EXE
Token: SeCreatePagefilePrivilege        2488  MSIEXEC.EXE
Token: SeCreatePermanentPrivilege       2488  MSIEXEC.EXE
Token: SeBackupPrivilege                2488  MSIEXEC.EXE
Token: SeRestorePrivilege               2488  MSIEXEC.EXE
Token: SeShutdownPrivilege              2488  MSIEXEC.EXE
Token: SeDebugPrivilege                 2488  MSIEXEC.EXE
Token: SeAuditPrivilege                 2488  MSIEXEC.EXE
Token: SeSystemEnvironmentPrivilege     2488  MSIEXEC.EXE
Token: SeChangeNotifyPrivilege          2488  MSIEXEC.EXE
Token: SeRemoteShutdownPrivilege        2488  MSIEXEC.EXE
Token: SeUndockPrivilege                2488  MSIEXEC.EXE
Token: SeSyncAgentPrivilege             2488  MSIEXEC.EXE
Token: SeEnableDelegationPrivilege      2488  MSIEXEC.EXE
Token: SeManageVolumePrivilege          2488  MSIEXEC.EXE
Token: SeImpersonatePrivilege           2488  MSIEXEC.EXE
Token: SeCreateGlobalPrivilege          2488  MSIEXEC.EXE
Token: SeCreateTokenPrivilege           2488  MSIEXEC.EXE

Suspicious use of FindShellTrayWindow (2 IoCs)
pid   Process
2488  MSIEXEC.EXE
2488  MSIEXEC.EXE

Suspicious use of WriteProcessMemory (25 IoCs)
description                        pid   Process      procid_target
PID 2364 wrote to memory of 2968   2364  setup.exe    28
PID 2364 wrote to memory of 2968   2364  setup.exe    28
PID 2364 wrote to memory of 2968   2364  setup.exe    28
PID 2364 wrote to memory of 2968   2364  setup.exe    28
PID 2364 wrote to memory of 2968   2364  setup.exe    28
PID 2364 wrote to memory of 2968   2364  setup.exe    28
PID 2364 wrote to memory of 2968   2364  setup.exe    28
PID 2968 wrote to memory of 2488   2968  setup.exe    29
PID 2968 wrote to memory of 2488   2968  setup.exe    29
PID 2968 wrote to memory of 2488   2968  setup.exe    29
PID 2968 wrote to memory of 2488   2968  setup.exe    29
PID 2968 wrote to memory of 2488   2968  setup.exe    29
PID 2968 wrote to memory of 2488   2968  setup.exe    29
PID 2968 wrote to memory of 2488   2968  setup.exe    29
PID 2504 wrote to memory of 2912   2504  msiexec.exe  31
PID 2504 wrote to memory of 2912   2504  msiexec.exe  31
PID 2504 wrote to memory of 2912   2504  msiexec.exe  31
PID 2504 wrote to memory of 2912   2504  msiexec.exe  31
PID 2504 wrote to memory of 2912   2504  msiexec.exe  31
PID 2504 wrote to memory of 2912   2504  msiexec.exe  31
PID 2504 wrote to memory of 2912   2504  msiexec.exe  31
PID 2968 wrote to memory of 1248   2968  setup.exe    32
PID 2968 wrote to memory of 1248   2968  setup.exe    32
PID 2968 wrote to memory of 1248   2968  setup.exe    32
PID 2968 wrote to memory of 1248   2968  setup.exe    32
Processes (process tree; indentation shows parent/child)

C:\Users\Admin\AppData\Local\Temp\AMASS 2.0\AMASS\setup.exe  (PID 2364)
  Command line: "C:\Users\Admin\AppData\Local\Temp\AMASS 2.0\AMASS\setup.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\{10789B45-B0A7-4C24-8066-F2A69B14497A}\setup.exe  (PID 2968)
      Command line: C:\Users\Admin\AppData\Local\Temp\{10789B45-B0A7-4C24-8066-F2A69B14497A}\setup.exe /q"C:\Users\Admin\AppData\Local\Temp\AMASS 2.0\AMASS\setup.exe" /tempdisk1folder"C:\Users\Admin\AppData\Local\Temp\{10789B45-B0A7-4C24-8066-F2A69B14497A}" /IS_temp
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory

        C:\Windows\system32\MSIEXEC.EXE  (PID 2488)
          Command line: "C:\Windows\system32\MSIEXEC.EXE" /i "C:\Users\Admin\AppData\Local\Downloaded Installations\{45C7EAD5-A76E-4803-9ADF-38D8A95B4990}\Malvern Panalytical AMASS.msi" SETUPEXEDIR="C:\Users\Admin\AppData\Local\Temp\AMASS 2.0\AMASS" SETUPEXENAME="setup.exe"
          - Enumerates connected drives
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of FindShellTrayWindow

        C:\Windows\SysWOW64\cmd.exe  (PID 1248)
          Command line: "C:\Windows\system32\cmd.exe" /c rmdir /s /q "C:\Users\Admin\AppData\Local\Temp\{10789B45-B0A7-4C24-8066-F2A69B14497A}"

C:\Windows\system32\msiexec.exe  (PID 2504)
  Command line: C:\Windows\system32\msiexec.exe /V
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

    C:\Windows\syswow64\MsiExec.exe  (PID 2912)
      Command line: C:\Windows\syswow64\MsiExec.exe -Embedding 241B6E2EB6BB5EC42232CF7129F45F46 C
      - Loads dropped DLL
Network
MITRE ATT&CK Enterprise v15
Downloads

- C:\Users\Admin\AppData\Local\Downloaded Installations\{45C7EAD5-A76E-4803-9ADF-38D8A95B4990}\Malvern Panalytical AMASS.msi
  Filesize: 1.5MB
  MD5: ee7a0d53f8e0161265397cbedef3df0e
  SHA1: 5572cf7bf1f789af5ccc91542e94301bb8e3020f
  SHA256: 8b1fc861587476b5e1ee09ac9cee9efa220b5bae9f38f3a3e60c591d2137c5f8
  SHA512: cc4abc1adc5ee047cb439e7441edafc3c78cffcdf2cfca995ca5bdbd0a06ce4cb14758ae728928498ce70570e1a6673c92e15d59bf08dc248c0bd88485529f94

- C:\Users\Admin\AppData\Local\Downloaded Installations\{45C7EAD5-A76E-4803-9ADF-38D8A95B4990}\Malvern Panalytical AMASS.msi
  Filesize: 481KB
  MD5: b3159c8050c82aa44ec6125dbdf7bfd8
  SHA1: f5ce47dab9c255bda8a3b3c23ab7314e318bca25
  SHA256: f123c165f58974cf935ee73949cc6446f205496ec054659959f73c51b20bd31d
  SHA512: fa6f08f8dfe1f5d081f42a7085f64d166d4130cf0d1b7c27c95ae7ae089665dea4923d3cfe28330b0917325786774a7b753cd49b7e3025f617053a1472fd0a72

- Filesize: 21KB
  MD5: a108f0030a2cda00405281014f897241
  SHA1: d112325fa45664272b08ef5e8ff8c85382ebb991
  SHA256: 8b76df0ffc9a226b532b60936765b852b89780c6e475c152f7c320e085e43948
  SHA512: d83894b039316c38915a789920758664257680dcb549a9b740cf5361addbee4d4a96a3ff2999b5d8acfb1d9336da055ec20012d29a9f83ee5459f103fbeec298

- Filesize: 592B
  MD5: 2e1ebab6bfd816996b5d2bfd2723d785
  SHA1: b086364c4fffecb1726b8ddc31095f4f5fd5f9f4
  SHA256: 68bd603453d8cd97004ba774c7c3dc5d0cff22b33b7ab84773350a215d9cb7ab
  SHA512: 1fc387c5f5f88ff12068db80396899ce322bd0be481fd2b30da2eb700f611b14af86d2f975531d55bcb4b9daaa2fe731edd28afbf31e9a786ef71c719c134ba7

- Filesize: 20B
  MD5: db9af7503f195df96593ac42d5519075
  SHA1: 1b487531bad10f77750b8a50aca48593379e5f56
  SHA256: 0a33c5dffabcf31a1f6802026e9e2eef4b285e57fd79d52fdcd98d6502d14b13
  SHA512: 6839264e14576fe190260a4b82afc11c88e50593a20113483851bf4abfdb7cca9986bef83f4c6b8f98ef4d426f07024cf869e8ab393df6d2b743b9b8e2544e1b

- Filesize: 3.9MB
  MD5: 9d7597e3b0aada6420261665f60b6454
  SHA1: 383f2f5da705616b929a3258b078467cf90d60db
  SHA256: 589ef0563142ff109e97314b377e56bbed37b1076c68636c74ea6c4d1b047546
  SHA512: 72b0badb32b3f69ae4471d722dc7a08701a78d947817865a80c75025dccb876b1f81e3a85ae492f77eda807c68cea052d032080d00810bc2c511646b673ef642

- Filesize: 4.1MB
  MD5: 65394690de3154cb78fcbfdad7f87950
  SHA1: 8f82376f1dbbb2c8b025d218a4122a3690476284
  SHA256: cb32a08493fbff1588a522597b332331f3fd77c176cf9de69b5f58b56c3108e7
  SHA512: df4e3ac12a1d4d6a9b0ce904dcbcf5923dc4b57ada6c67b66ffaecd41ff4e38cd45c19a5abcedc74d2a10b5fd5c8d2de9f5f4e7c0c290cb1de82f4ed1c8c16fc

- Filesize: 5KB
  MD5: dd495e2afa525e1db9450d2de7fc4745
  SHA1: 22cabae8a286d26af8aea8ea1dcfb946a0d9de47
  SHA256: 5425ac9206290d4bf84f8f49b442439bf44fe1bfdbbc18d7b486796261dce87e
  SHA512: 48cc7ec3b2e7ceebd586a13b1b5782d3d26c49b17be482b2733ae6d82f213c2f6654b63a88a4bb1e7d4dc381793944f6cb2384afca83a415956aef3b3f8152af

- Filesize: 165KB
  MD5: b5adf92090930e725510e2aafe97434f
  SHA1: eb9aff632e16fcb0459554979d3562dcf5652e21
  SHA256: 1f6f0d9f136bc170cfbc48a1015113947087ac27aed1e3e91673ffc91b9f390b
  SHA512: 1076165011e20c2686fb6f84a47c31da939fa445d9334be44bdaa515c9269499bd70f83eb5fcfa6f34cf7a707a828ff1b192ec21245ee61817f06a66e74ff509

- Filesize: 5.9MB
  MD5: 679d0e0b7eecd75c2857b42c81ef6a49
  SHA1: 03118ac4d52af684fdb8ea05cb42cceded73f32f
  SHA256: 34d6fbcfba5e9bdad3c2ea8e85ecdd2930dfc955519ac17998ec9c9a66a661f6
  SHA512: bfb1af299263cc2d1bcf95e47a729753fbddab7e1f04099a86dc3e46853d6fc0174cf22574375c51ff5be64fe9f761e2528d3bf5e50c6bf5e1b6bc0e2ac4fc14