Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

7

Static

static

1

9f8f58faad...d0.msi

windows10-1703-x64

7

9f8f58faad...d0.msi

windows10-2004-x64

7

9f8f58faad...d0.msi

windows11-21h2-x64

7

Analysis

  • max time kernel
    1800s
  • max time network
    1605s
  • platform
    windows10-1703_x64
  • resource
    win10-20240221-en
  • resource tags

    arch:x64arch:x86image:win10-20240221-enlocale:en-usos:windows10-1703-x64system
  • submitted
    19/03/2024, 16:12

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    9f8f58faadcda3b49e371c1ae353b30b3713652b0ad8d05b57383142757a74d0.msi

  • Size

    2.0MB

  • MD5

    ebae9b70769458cf723022ec89b95c32

  • SHA1

    3d3135b87fe274988b86f50d24bde82cc08556bf

  • SHA256

    9f8f58faadcda3b49e371c1ae353b30b3713652b0ad8d05b57383142757a74d0

  • SHA512

    3550c281fc8dcd8078caf6c0cef847280d6ec78216b0e018b01942e82c79499538f3a0553409e3c716edf584ff5c359ce991440bab14d4794f6ae3393788a102

  • SSDEEP

    49152:J3osY5A6b4ms+4UhbrMizYiRpb2mN3rm999OhjY:hY5A6bDhbrfzYiRNdm+

Score
7/10
persistence

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Blocklisted process makes network request 2 IoCs
  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Drops file in Windows directory 9 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 6 IoCs
  • Checks SCSI registry key(s) 3 TTPs 64 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Modifies data under HKEY_USERS 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 59 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Windows\system32\msiexec.exe
    msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\9f8f58faadcda3b49e371c1ae353b30b3713652b0ad8d05b57383142757a74d0.msi
    1⤵
    • Enumerates connected drives
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:1844
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Drops startup file
    • Enumerates connected drives
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4128
    • C:\Windows\system32\srtasks.exe
      C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:4280
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding C4A132E127414629DFD892DB272ED36E
      2⤵
      • Adds Run key to start application
      • Blocklisted process makes network request
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Loads dropped DLL
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:3476
      • C:\ProgramData\13Wa0MoQ.2R4\13Wa0MoQ.2R4.exe
        "C:\ProgramData\13Wa0MoQ.2R4\13Wa0MoQ.2R4.exe"
        3⤵
        • Adds Run key to start application
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious behavior: EnumeratesProcesses
        PID:4972
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:4156
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k netsvcs -s DsmSvc
    1⤵
    • Checks SCSI registry key(s)
    • Modifies data under HKEY_USERS
    PID:1892

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Config.Msi\e57ecd4.rbs
    Filesize

    1KB

    MD5

    645ca4a748c00bbbf9a62b87432c1bf8

    SHA1

    2589b886581f6535378b0d5d6160c1fe531157b0

    SHA256

    c402d12c61953a37869bf0934d62db23fa160c27eff59698fff21436ad4de53a

    SHA512

    dde77b63bee91fcaf942eec73a25f5ac2feeb796224048dcf466dac5c1556572b3026d5c69e78369e5d5fc6e230ec4a94aaa4f1483d058e0f732c3d1566f00cf

    Download Submit

  • C:\ProgramData\13Wa0MoQ.2R4\13Wa0MoQ.2R4.exe
    Filesize

    35KB

    MD5

    82b7adefbf7fbc0a0fd2aa1d50845812

    SHA1

    7220b3ccf363c81a875adcee16e2f3d2a3bbe864

    SHA256

    374401e920e2173d088391889c81910c86c5112c5a7e7b5883d84a3cf12f28e0

    SHA512

    cadaa1351d855bf721c8c2fce93cffb0c77fc25c39546aec8de3567a0d0a797b6d41617947dd294955736aad92af3b166c96871a02328e782be67905b42de651

    Download Submit

  • C:\ProgramData\13Wa0MoQ.2R4\13Wa0MoQ.2R4.exe
    Filesize

    97KB

    MD5

    a61faca7411cebd947b4f1e00dba6d08

    SHA1

    fc1b4587990a792c32b113451197354f942b82d5

    SHA256

    db57fbf86c8306809673be5850779b2dcda94bd8c36047840e27175cd30c257a

    SHA512

    463e7da3b042adfcc4fc7bd5a8bf8df44375ec8adc4320dbfffeeb98e6a33c2337991d8e644eabb98c5a87a1e13a3636e9f03e4cad2b72ef23d7c0f5676bcc2b

    Download Submit

  • C:\ProgramData\13Wa0MoQ.2R4\LOG\13Wa0MoQ.2R4.exe.DEBUG.log
    Filesize

    949B

    MD5

    5694649b8af1addb38df9f39581d68a2

    SHA1

    adef9900b80817507faa0c8dc3103918e3f7a80c

    SHA256

    7c69d49933b279430468cff75b0d3e8cc24648a425b2cb045fe87bd3074352b4

    SHA512

    3213e14a60f37dbe009d16a111ad8b1946e71c2f77e6adcf8f9048e574108e054cf552515bc40acd8f86d870b396c3e1168b9ea893ea5ced4ca97d12dad448bd

    Download Submit

  • C:\ProgramData\13Wa0MoQ.2R4\VCRUNTIME140.dll
    Filesize

    88KB

    MD5

    17f01742d17d9ffa7d8b3500978fc842

    SHA1

    2da2ff031da84ac8c2d063a964450642e849144d

    SHA256

    70dd90f6ee01854cecf18b1b6d1dfbf30d33c5170ba07ad8b64721f0bdcc235e

    SHA512

    c4e617cd808e48cc803343616853adf32b7f2e694b5827392219c69145a43969384d2fc67fa6fa0f5af1ca449eb4932004fbcdd394a5ba092212412b347586f0

    Download Submit

  • C:\ProgramData\13Wa0MoQ.2R4\python311.dll
    Filesize

    20.3MB

    MD5

    3445c1a6dd3e907eb4f72dbb30851536

    SHA1

    4c67d0e2266aaff273db1a4a95b28bd1f2af07bd

    SHA256

    7030a9706e67aa841567c7b3e5e46641dfe5971335c04b45f2e3cc8696cb5793

    SHA512

    73cbae6b02950432dc6923afb8ac092c00dbbdc9e3f12616025fa8a5c6526861eee18a11284fbfdee70a02017e5c294844b0c85542c0572de6fa8c0f27999036

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\MSI77f42.LOG
    Filesize

    21KB

    MD5

    474af31283e9b604e0c577d066e3151d

    SHA1

    c12b0ac2530b6d92005b70d46af8489a964a7607

    SHA256

    0c794c588de5ea2872dca66c8ddc79a0d048f8f231f7371e6dddff43a548cc86

    SHA512

    21ce07772b709f3fbb23332c6db36686cc562e9e424c625b51c9f0e08201052edec14e6438d35b1c5bcc55eb22e2f5ffd453bf35bc0d00c8de7c68c2236c8462

    Download Submit

  • C:\Users\Admin\Pictures\msedge_elf.dll
    Filesize

    768KB

    MD5

    c44c4f20c348689f177b8a39dc6399fb

    SHA1

    d7fc571142da3113c4cf0d75692a72034622b17d

    SHA256

    a4e00aea4c1a10d6d3b969314b0f691bb8e66934a5fc63edaad0121ffc62d67f

    SHA512

    914b6b94919c780ef7b97cd95a5aff7419918b5893464f5ffd168c3e3109fa9f6bb573b67d2bc690fd6a427dfafff7bc6b2c6681afbfd9b73c408e5171ba1eec

    Download Submit

  • C:\Windows\Installer\MSIED1F.tmp
    Filesize

    91KB

    MD5

    5c5bef05b6f3806106f8f3ce13401cc1

    SHA1

    6005fbe17f6e917ac45317552409d7a60976db14

    SHA256

    f2f3ae8ca06f5cf320ca1d234a623bf55cf2b84c1d6dea3d85d5392e29aaf437

    SHA512

    97933227b6002127385ace025f85a26358e47ee79c883f03180d474c15dbaf28a88492c8e53aefc0d305872edd27db0b4468da13e6f0337988f58d2ee35fd797

    Download Submit

  • \??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2
    Filesize

    7.1MB

    MD5

    a9256ae34d2b801bdcc7c6608f0ee608

    SHA1

    6c2de9413a4338505c8f3cd3739aa6dc45fd4ae5

    SHA256

    41001d38800fd1927027c2b535e4a1cf4f2c309bba5d2d0a6a29c4f120c0e007

    SHA512

    8bb19d29e160f88a2cf2888536815105c6a9a4e326419207e26b3de29f36e26641db6c404c16d770eab881b5d5980c180c5c4f7cdbbb7b2e6a5967bfa9285a64

    Download Submit

  • \??\Volume{d608f836-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{c2e33e28-cdad-427f-be7e-e2bf833591e2}_OnDiskSnapshotProp
    Filesize

    5KB

    MD5

    d0775ee078f45947bb0d2cf81b3252c9

    SHA1

    7e0540c062134e5f2b26e3176f4276bceee2731c

    SHA256

    b808717407b9edb23ae002f078216b664f0b16e2836fde1518e41c4f34665096

    SHA512

    d02ec5995f5f49d183d91ca77877780f9b12a21ed7113cd0c34a485c240ced970dfc265709e8b03a70b5b8e65125f85daf1cafc13ec2741fcc4a7af62fbb85c0

    Download Submit

  • \ProgramData\13Wa0MoQ.2R4\python311.dll
    Filesize

    7.7MB

    MD5

    e317d3c2094cc17ac6756aeaaaf37628

    SHA1

    f6b113b5e8f080052db6cc125e5ef17e7c1b572e

    SHA256

    5306f9beed02ce55cebf0568aa0a9917353f3268e246930a50e976231c2ffa5b

    SHA512

    92e48f8ad723d31e832dac382e453a9268c5a2a28d5ad815e23a212c32730eb3254b510ccac1eb8131a611a582dc7c8cceac631611363929d5638d51d3b3d009

    Download Submit

  • \ProgramData\13Wa0MoQ.2R4\python311.dll
    Filesize

    8.1MB

    MD5

    fa648d6987603e9b1c20af07ac284da2

    SHA1

    0c017caa0168c19336b7c793460d6ff707cf9ebc

    SHA256

    dfba2d8df6dc3cc91fca06c9d066fd45d869f980746b9bb727189ffa5dc7ef5b

    SHA512

    1b1cb9ac725e7e83cf8bf41a12b62a6b3676a3d6ff5a98d9d4a96e3c152495b6e0bc65e38bd6d6c880b53f43a9f9d859dc5e56b7bfdd76e6eeb04a0e1a7c7f3f

    Download Submit

  • \Users\Admin\Pictures\msedge_elf.dll
    Filesize

    448KB

    MD5

    8ee068465887d38254b5d1f5142f83d5

    SHA1

    56e3ecfde8bdb30d98d38abbb53621b89d4f0314

    SHA256

    0af1ed800740a057c4fbe53690195e8a6e6f1f054ec10a635614056b50a2cdf4

    SHA512

    ecf3fd23a96521843e730ddb7de7268b7fc9d621ef96a71acd50a2ee7c7e3043ab3554c1bad0487817167e65ea54b950b57070a3526a8bf4f3390d48605e2834

    Download Submit

  • memory/3476-45-0x0000000073160000-0x000000007343E000-memory.dmp

    Filesize

    2.9MB

    Download

  • memory/3476-47-0x00000000049C0000-0x00000000049C5000-memory.dmp

    Filesize

    20KB

    Download

  • memory/3476-51-0x0000000004A70000-0x0000000004AEF000-memory.dmp

    Filesize

    508KB

    Download

  • memory/3476-52-0x0000000073160000-0x000000007343E000-memory.dmp

    Filesize

    2.9MB

    Download

  • memory/3476-53-0x00000000049C0000-0x00000000049C5000-memory.dmp

    Filesize

    20KB

    Download

  • memory/3476-59-0x0000000073160000-0x000000007343E000-memory.dmp

    Filesize

    2.9MB

    Download

  • memory/3476-46-0x0000000073160000-0x000000007343E000-memory.dmp

    Filesize

    2.9MB

    Download

  • memory/3476-33-0x0000000073160000-0x000000007343E000-memory.dmp

    Filesize

    2.9MB

    Download

  • memory/3476-44-0x0000000000E20000-0x0000000000E24000-memory.dmp

    Filesize

    16KB

    Download

  • memory/3476-41-0x0000000073160000-0x000000007343E000-memory.dmp

    Filesize

    2.9MB

    Download

  • memory/3476-43-0x0000000073160000-0x000000007343E000-memory.dmp

    Filesize

    2.9MB

    Download

  • memory/3476-40-0x0000000073160000-0x000000007343E000-memory.dmp

    Filesize

    2.9MB

    Download

  • memory/3476-34-0x0000000004A70000-0x0000000004AEF000-memory.dmp

    Filesize

    508KB

    Download

  • memory/3476-50-0x0000000073160000-0x000000007343E000-memory.dmp

    Filesize

    2.9MB

    Download

  • memory/4972-99-0x00000000002B0000-0x00000000002B1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4972-101-0x00000000002D0000-0x00000000002D1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4972-102-0x00000000003B0000-0x00000000003B1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4972-103-0x00000000003C0000-0x00000000003C1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4972-105-0x00000000003F0000-0x00000000003F1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4972-104-0x00000000003D0000-0x00000000003D1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4972-107-0x0000000001070000-0x000000000361E000-memory.dmp

    Filesize

    37.7MB

    Download

  • memory/4972-106-0x0000000001070000-0x000000000361E000-memory.dmp

    Filesize

    37.7MB

    Download

  • memory/4972-100-0x00000000002C0000-0x00000000002C1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4972-133-0x0000000004BB0000-0x0000000004BB1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4972-134-0x0000000001070000-0x000000000361E000-memory.dmp

    Filesize

    37.7MB

    Download

  • memory/4972-135-0x0000000004BB0000-0x0000000004BB1000-memory.dmp

    Filesize

    4KB

    Download