Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

7

Static

static

3

TwingateWi...er.exe

windows7-x64

6

TwingateWi...er.exe

windows10-2004-x64

6

$PLUGINSDI...ck.exe

windows7-x64

1

$PLUGINSDI...ck.exe

windows10-2004-x64

1

$PLUGINSDI...em.dll

windows7-x64

3

$PLUGINSDI...em.dll

windows10-2004-x64

3

$PLUGINSDI...er.msi

windows7-x64

6

$PLUGINSDI...er.msi

windows10-2004-x64

6

$PLUGINSDI...64.exe

windows7-x64

4

$PLUGINSDI...64.exe

windows10-2004-x64

4

$PLUGINSDI...eb.exe

windows7-x64

7

$PLUGINSDI...eb.exe

windows10-2004-x64

7

$PLUGINSDI...ec.dll

windows7-x64

3

$PLUGINSDI...ec.dll

windows10-2004-x64

3

Analysis

  • max time kernel
    293s
  • max time network
    301s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    19/03/2024, 15:12

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    TwingateWindowsInstaller.exe

  • Size

    81.9MB

  • MD5

    54be7fa22ab8bf77dd7f9b1f3edad379

  • SHA1

    68e91f755c007e6f0be6b1b81f72f0a9aa5fd46f

  • SHA256

    258c713562b0b18b8572a3d23c83d338b4c5cdb5fb421e47b78475ddd2cf7c06

  • SHA512

    41cc86a7298b6a3454e2368935fddb0645555f18894c32471b72bf5023410d7d858d68accccb6901cd174ae1f4c729864e1ba356a3a79e0dee857cdd62a82631

  • SSDEEP

    1572864:KYTufAs+mNKQHyPkQgM8KAsXNC3xCUH/3ivgHQeN0jRgXJN9HoRTFo0zS8Bw5rtY:KGDQHyPGM8CXU3Em/l30j65NSoqDy5xw

Score
6/10

Malware Config

Signatures

  • Blocklisted process makes network request 2 IoCs
  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\TwingateWindowsInstaller.exe
    "C:\Users\Admin\AppData\Local\Temp\TwingateWindowsInstaller.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:4808
    • C:\Users\Admin\AppData\Local\Temp\nsi346F.tmp\NetCoreCheck.exe
      "C:\Users\Admin\AppData\Local\Temp\nsi346F.tmp\NetCoreCheck.exe" -n Microsoft.WindowsDesktop.App -v 6.0.0
      2⤵
      • Executes dropped EXE
      PID:1220
    • C:\Windows\SysWOW64\msiexec.exe
      "C:\Windows\System32\msiexec.exe" /I "C:\Users\Admin\AppData\Local\Temp\nsi346F.tmp\TwingateWindowsInstaller.msi"
      2⤵
      • Blocklisted process makes network request
      • Enumerates connected drives
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      PID:4040
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Enumerates connected drives
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:392
    • C:\Windows\System32\MsiExec.exe
      C:\Windows\System32\MsiExec.exe -Embedding E8FECEA996E0B628F8DCAA4C41C446E9 C
      2⤵
      • Loads dropped DLL
      PID:4068
  • C:\Windows\system32\rundll32.exe
    "C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.VCLibs.140.00_8wekyb3d8bbwe
    1⤵
      PID:4500
    • C:\Windows\System32\svchost.exe
      C:\Windows\System32\svchost.exe -k UnistackSvcGroup
      1⤵
        PID:2476

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\MSI4873.tmp
        Filesize

        143KB

        MD5

        9bfd64145dd0d1ddb2ca2ad9fdafb284

        SHA1

        52a6bb2fd4bc52d6362392125427ada2df84bfd5

        SHA256

        40556d398d350df55db2015fe539dd976ceb735fc9d19cd460565c678114ec69

        SHA512

        f858a7b61b5c98ccf134d4a33b93027928afd322828b222f4d48c1948b9f5a7ab1b8532db56490dc54e9c97d64bdb679b3a1dc1304ce7ebcce608647ac901b88

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\nsi346F.tmp\NetCoreCheck.exe
        Filesize

        142KB

        MD5

        5f6469960e0016d44be090160b889077

        SHA1

        114b94c1401d039903e5e8b11cacbb737230365a

        SHA256

        cb5714eb1f8b3938233823f465173c45ccef73e5b0ee122391853a3f2a305294

        SHA512

        a3cacbab7a8a2b0a914b2eb6043f20e60761dbedfefa12fa5353d326370c087845a9eed2024675284449bbcbb8510da72b8832114f003dd2473b45357cf5c670

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\nsi346F.tmp\System.dll
        Filesize

        12KB

        MD5

        4add245d4ba34b04f213409bfe504c07

        SHA1

        ef756d6581d70e87d58cc4982e3f4d18e0ea5b09

        SHA256

        9111099efe9d5c9b391dc132b2faf0a3851a760d4106d5368e30ac744eb42706

        SHA512

        1bd260cabe5ea3cefbbc675162f30092ab157893510f45a1b571489e03ebb2903c55f64f89812754d3fe03c8f10012b8078d1261a7e73ac1f87c82f714bce03d

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\nsi346F.tmp\TwingateWindowsInstaller.msi
        Filesize

        27.0MB

        MD5

        3974c25fcade33b85f27d2770ed5ff87

        SHA1

        13a04128d62654e53e6d2b29c6ff3205c717f189

        SHA256

        5c0292d6ae44e7fe2949a12170d820f7ee8fb091f508717a7c9bbddf876e97ab

        SHA512

        018a49d3183a43a54f185b0de55aefe8cccacf17fd5d7ddc65e937945c25cc9741e8c62177c2187002b58c8875d945093e1cd2859667efa50af46dbdb94065ca

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\nsi346F.tmp\nsExec.dll
        Filesize

        7KB

        MD5

        b4579bc396ace8cafd9e825ff63fe244

        SHA1

        32a87ed28a510e3b3c06a451d1f3d0ba9faf8d9c

        SHA256

        01e72332362345c415a7edcb366d6a1b52be9ac6e946fb9da49785c140ba1a4b

        SHA512

        3a76e0e259a0ca12275fed922ce6e01bdfd9e33ba85973e80101b8025ef9243f5e32461a113bbcc6aa75e40894bb5d3a42d6b21045517b6b3cf12d76b4cfa36a

        Download Submit

      • memory/2476-72-0x000002355A1B0000-0x000002355A1B1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2476-76-0x000002355A1B0000-0x000002355A1B1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2476-67-0x000002355A180000-0x000002355A181000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2476-68-0x000002355A1B0000-0x000002355A1B1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2476-70-0x000002355A1B0000-0x000002355A1B1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2476-69-0x000002355A1B0000-0x000002355A1B1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2476-71-0x000002355A1B0000-0x000002355A1B1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2476-35-0x0000023551A90000-0x0000023551AA0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2476-73-0x000002355A1B0000-0x000002355A1B1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2476-74-0x000002355A1B0000-0x000002355A1B1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2476-75-0x000002355A1B0000-0x000002355A1B1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2476-51-0x0000023551B90000-0x0000023551BA0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2476-77-0x000002355A1B0000-0x000002355A1B1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2476-78-0x0000023559DD0000-0x0000023559DD1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2476-79-0x0000023559DC0000-0x0000023559DC1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2476-81-0x0000023559DD0000-0x0000023559DD1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2476-84-0x0000023559DC0000-0x0000023559DC1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2476-87-0x0000023559D00000-0x0000023559D01000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2476-99-0x0000023559F00000-0x0000023559F01000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2476-101-0x0000023559F10000-0x0000023559F11000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2476-102-0x0000023559F10000-0x0000023559F11000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2476-103-0x000002355A020000-0x000002355A021000-memory.dmp

        Filesize

        4KB

        Download