Analysis

  • max time kernel
    43s
  • max time network
    42s
  • platform
    windows10-1703_x64
  • resource
    win10-20240221-en
  • resource tags

    arch:x64, arch:x86, image:win10-20240221-en, locale:en-us, os:windows10-1703-x64, system
  • submitted
    16/03/2024, 11:51

General

  • Target

    f4afba646166999d6090b5beddde546450262dc595dddeb62132da70f70d14ca.msi

  • Size

    1.8MB

  • MD5

    50515f156ae516461e28dd453230d448

  • SHA1

    3209574e09ec235b2613570e6d7d8d5058a64971

  • SHA256

    f4afba646166999d6090b5beddde546450262dc595dddeb62132da70f70d14ca

  • SHA512

    14593ca96d416a2fbb6bbbf8adec51978e6c0fb513882d5442ab5876e28dd79be14ca9dd77acff2d3d329cb7733f7e969e784c57e1f414d00f3c7b9d581638e5

  • SSDEEP

    49152:ynV9R5GSuwYgV4mN4eOYq4Z0APsx/Eho:ynV9Ro/mTlbqC04s/

Score
6/10

Malware Config

Signatures

  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 26 IoCs
  • Checks SCSI registry key(s) 3 TTPs 64 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Modifies data under HKEY_USERS 5 IoCs
  • Modifies registry class 34 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of WriteProcessMemory 2 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Windows\system32\msiexec.exe
    msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\f4afba646166999d6090b5beddde546450262dc595dddeb62132da70f70d14ca.msi
    1⤵
    • Enumerates connected drives
    • Drops file in Program Files directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:2652
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Enumerates connected drives
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Modifies data under HKEY_USERS
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3800
    • C:\Windows\system32\srtasks.exe
      C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
      2⤵
        PID:1632
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:5036
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k netsvcs -s DsmSvc
    1⤵
    • Checks SCSI registry key(s)
    • Modifies data under HKEY_USERS
    PID:1340

Network

MITRE ATT&CK Enterprise v15

Downloads

    • C:\Config.Msi\e57f425.rbs

      Filesize

      26KB

      MD5

      1199c62ac6abe91d1623cd5c8ace3d2e

      SHA1

      798c9d6beb024fb9a6668192f00a0f0acd72015e

      SHA256

      9527f7443d40b47a429d5c0e382c1e0302e9f0e874a97f3e41c9117a41517648

      SHA512

      337fdff3e7a29ec38c71ffa582f51ff39d39967c8181f08574d2e044a7eca7dc456ea64ae3bfbf08598476fd345ae4c059dc1c02f52358630db0969e2939d2f5

    • C:\Windows\Installer\e57f472.msi

      Filesize

      1.8MB

      MD5

      50515f156ae516461e28dd453230d448

      SHA1

      3209574e09ec235b2613570e6d7d8d5058a64971

      SHA256

      f4afba646166999d6090b5beddde546450262dc595dddeb62132da70f70d14ca

      SHA512

      14593ca96d416a2fbb6bbbf8adec51978e6c0fb513882d5442ab5876e28dd79be14ca9dd77acff2d3d329cb7733f7e969e784c57e1f414d00f3c7b9d581638e5

    • \??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

      Filesize

      19.6MB

      MD5

      68d22b0539b724415de9ec3c23b68a74

      SHA1

      1c69d5b1781859610457a21f5b9770b2859d5c31

      SHA256

      9a86168b5f8938f3ab40c077490f038a4b2e228cf1b3018cd86ed5e6ae1500cb

      SHA512

      67f17dc4a6886d342d66bcb3eaa0e9dca50116632df89b553a9879b276f118d7d56354f0fc0944345a7393a90c9f78f8d1859b8333841b8b04a9394709c63854

    • \??\Volume{d468bc4b-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{95fe753f-3174-4857-a0c4-ba9d413eae8c}_OnDiskSnapshotProp

      Filesize

      5KB

      MD5

      5fe20f42ec29e5b8e06f6d14e2968227

      SHA1

      57ed0bbcc46601a634a4ae569227bf154da4bfc7

      SHA256

      5babc30e808c597265f3943007ba5101ba4c247f7339562ad2beb7ceda9d96ff

      SHA512

      431d8b82610a7804d232c94271ea175cbb9f62e309d216e50f0a706eea4e016950f42a455b649457bce8f980e17d4f75e8cc3b924c7e076912c99980acbab319