Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

8

Static

static

1

TruCheck_v...er.exe

windows10-2004-x64

8

TruCheck_v...er.exe

windows11-21h2-x64

8

Resubmissions

08/04/2024, 14:58

240408-scmmhaca56 8

03/04/2024, 19:45

240403-ygeeksag7v 8

Analysis

  • max time kernel
    478s
  • max time network
    447s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240319-en
  • resource tags

    arch:x64arch:x86image:win11-20240319-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    03/04/2024, 19:45

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    TruCheck_v3.03.70_b3647_Updater.exe

  • Size

    195.7MB

  • MD5

    719e9af110e7527608b8006f6290a29c

  • SHA1

    74a0684bffc141503c55572c12eecba2a3d9e5a1

  • SHA256

    29dc4464ba770c14edd38234dc1a26fc6a983212831ed653b50945be99153c12

  • SHA512

    140e648a28ac5e7a3180f7f311f84ee0a393146f066d3d800d25efff9e5f278d97445117b10c28a382b45c5b345183bdf11fc5227d6e687dedbfc3b8372d87ae

  • SSDEEP

    3145728:caSFaGTMXZ+IasZ4AR/gh6O6gx7AFaTzT6B7jdsOL9Nf0iVbSJNTRK:2aGwJ+TO496nU/nO7jdnky

Score
8/10
persistence

Malware Config

Signatures

  • Drops file in Drivers directory 3 IoCs
  • Sets service image path in registry 2 TTPs 1 IoCs
    persistence
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 9 IoCs
  • Blocklisted process makes network request 2 IoCs
  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in System32 directory 6 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 40 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks SCSI registry key(s) 3 TTPs 5 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Modifies data under HKEY_USERS 3 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 19 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Users\Admin\AppData\Local\Temp\TruCheck_v3.03.70_b3647_Updater.exe
    "C:\Users\Admin\AppData\Local\Temp\TruCheck_v3.03.70_b3647_Updater.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:5104
    • C:\Users\Admin\AppData\Local\Temp\UpdateTool.exe
      "C:\Users\Admin\AppData\Local\Temp\UpdateTool.exe" ud=true uf="Setup.exe PreInstallDriver=true"
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:2144
      • C:\Users\Admin\AppData\Local\Temp\TruCheckSetup.exe
        "C:\Users\Admin\AppData\Local\Temp\TruCheckSetup.exe" PreInstallDriver=true
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:3900
        • C:\Windows\SysWOW64\msiexec.exe
          "C:\Windows\SysWOW64\msiexec.exe" -I "C:\Users\Admin\AppData\Local\Temp\TruCheckSetup.msi" PreInstallDriver=true
          4⤵
          • Blocklisted process makes network request
          • Enumerates connected drives
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of FindShellTrayWindow
          PID:2824
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Drops file in Drivers directory
    • Sets service image path in registry
    • Enumerates connected drives
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Modifies data under HKEY_USERS
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:5408
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding 81A23FE86368B4BC96A68840778FF870 C
      2⤵
      • Loads dropped DLL
      PID:3880
    • C:\Windows\system32\srtasks.exe
      C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
      2⤵
        PID:1088
      • C:\Windows\syswow64\MsiExec.exe
        C:\Windows\syswow64\MsiExec.exe -Embedding 1BF0DB58494CD46CF47E1D7E55BCB443
        2⤵
        • Loads dropped DLL
        PID:5100
      • C:\Windows\syswow64\MsiExec.exe
        C:\Windows\syswow64\MsiExec.exe -Embedding 76F8E62875B8BCA0EDA726A6E75C4010 E Global\MSI0000
        2⤵
        • Loads dropped DLL
        PID:3164
    • C:\Windows\system32\vssvc.exe
      C:\Windows\system32\vssvc.exe
      1⤵
      • Checks SCSI registry key(s)
      PID:1544

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Program Files (x86)\Webscan Inc\TruCheck\Drivers\InstallDriver.dll
      Filesize

      50KB

      MD5

      fd6054ccda68e02610b899cdc16d186b

      SHA1

      f23d3f737991466d758caabe1dac0fa0977384f3

      SHA256

      3e271de68ca66ec912976e347816ceecab7540e05a98b1d8d0690c662d65d2da

      SHA512

      efe63d70fd7d454b57cdd4c2fe85ccd20cd6ab68cc6f990f2436f4f7a9083a2443e7868af513c55e9f1f865395a5262787e2b588ece13ff0cd10ae1146f050ad

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\9CB4373A4252DE8D2212929836304EC5_6C354C532D063DF5607A63BA827F5164
      Filesize

      1KB

      MD5

      e1a4b2b787a91b3f548716ed5b1b8171

      SHA1

      767452821035bc9da20d0917474bff2b336f0b3a

      SHA256

      f98370d45aa93a5f04e53bd92219b358491d6fef09c1aebba5fc0a120ab861d9

      SHA512

      848296397cb7676717d94114bd8a344516edc750404b34aa1dee1d571ce2e2c9b345786c387e3f4ef57012528d3b8161291c6a6c248554ea26b714b8f673a6a3

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\A1D627669EFC8CD4F21BCF387D97F9B5_B8EC29A9F6EE1252C61F50A231A186F2
      Filesize

      1KB

      MD5

      eb8ecac08f744f5ac9637c0f0129f045

      SHA1

      612c3e5375f0a6cc63cfeca549a361534b373889

      SHA256

      3f95e4a685db2a4cc50df8dae853a0f38e574dc58983067d1e30842ff3955cd7

      SHA512

      71a18d91c014986ff3e85fd23e268d227e84aa30216faa5bf542ea6cecbd9cd0329119a1aceb11f08cb940ccba55e23db48591fbae26a446ff6a6f4f84ad66da

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\9CB4373A4252DE8D2212929836304EC5_6C354C532D063DF5607A63BA827F5164
      Filesize

      532B

      MD5

      c6fa5d78ec617c54efa446796efa00fb

      SHA1

      20974e86ed87a0a570e91313c22ecbd2e29b43e1

      SHA256

      a733451127660767f43a7bdc5b053c0b885dc65048605ea309a2f3d30a0d54b4

      SHA512

      e561b76a40ecf2439943e131b46c024c726fb16affb6edc3cde492d16927ffb0f1eb027775dec98b49dd3c81205251c1a6b158aceb94148c0d077fc15d47d6b2

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\A1D627669EFC8CD4F21BCF387D97F9B5_B8EC29A9F6EE1252C61F50A231A186F2
      Filesize

      544B

      MD5

      932fda6d7e48785052a3f26e1434aa0b

      SHA1

      39aba2c7b2b35e139f4d7db51e2fcf7ae94e3070

      SHA256

      c1d466e23f3c01fc286ab9588ff707f29f82baea46860c67e631bcfa50c9df9c

      SHA512

      62a5c93e2ffe9aec7d2fbf06278b20231157c0c5db52a5b6a07b669dd02e10037924815c8fce3be8fe942b158b52cab160f365cad15eb07dab5632f835e603b0

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\CFG1EE8.tmp
      Filesize

      123B

      MD5

      17af548f88a3199aa8a63a72201f470f

      SHA1

      4e64bb20a2f54d778ed684aa21abebad63a5c2c0

      SHA256

      a558dbe555749cd3bdd62060fdbba72720c4f4a186d5870b977ed2acf9721d9e

      SHA512

      08bdbc75f5fd4d9ec85c53253e4030ce7245b20ecc95e032835609c7c43a07d6c9e7776f48c5494a788a543240c0649a9f1a34a0e514ebc4dda5730953647338

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\MSI2FA6.tmp
      Filesize

      221KB

      MD5

      911aa8d08b7ccab654e897b0e4439354

      SHA1

      4f4f16048deae47a2ff5b9849042f62ec51794bc

      SHA256

      ba56a2fa13e5dae48b6d74a8fa40f2f44473b386e71ba1e7ec2ded90ad56bb8b

      SHA512

      8aa11f26093e54a62c5390c64e218a8a57cd3374bbce8ecc243042dd8a2214ede1f3befa699837698c0bd42b9b4e011f95c62588b8bdd4da9aae12dabe4b46e4

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\TruCheckSetup.exe
      Filesize

      384KB

      MD5

      776851d4a843a0717892e075d03f46ce

      SHA1

      71158f473006c4bbe7c0a5e969c0b346e0c57ac8

      SHA256

      3242c4e31b2158a950b66220ba6029138be0c00a4534c7e3c3c109cb882f239b

      SHA512

      57130f320b81da24c784d84b94d2968437f48a7a950944e4c5c31858741d2e31f33cd01992f36fd55b9fcd2fdd425b831da6b7a196bba4d9486d4a8f0aead7aa

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\TruCheckSetup.msi
      Filesize

      191.6MB

      MD5

      b42d32a276b782d58420ec171789ed34

      SHA1

      789505e6363e2fc9942e5b73df99884760273abf

      SHA256

      704f21dd7d649d9875b903727e232316dda3075feaf9f25efd46134af9c31839

      SHA512

      63741b75309f8f41a57bd9e1daa4f7e408a73de2d2fe19e2ef3b51dc7d0e1cc5b9d3ba2c2bc3250649992e693a206825081a6cf25badd93c12592c359ec61684

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\UpdateTool.exe
      Filesize

      59KB

      MD5

      d42b83e5e46d7cc78baf0fc96c9eb676

      SHA1

      f8749d8dcfc7e5ca8ae9c1c61cd07c69ba5179e8

      SHA256

      1d346380993baeddb1b36928497cc442415e05b761dd66296f85815b13091cb6

      SHA512

      bafd9284e3de19607cc64c2f1b4ec7d18906f49618aac246ae2ef103e36a918d7f6d0c8df7a45d11e36281dcd95da8b65add4e72228d97fd4f4c43de086b6508

      Download Submit

    • C:\Windows\Installer\MSI3C66.tmp
      Filesize

      63KB

      MD5

      384a729b4093250d9786013e15e9aa31

      SHA1

      c7ebd3366e0b05b2eb0cd17a6a8354427436774c

      SHA256

      e83ddd458b0433c98f4d13853cc88cf72fada6ffce6d56fcaca8e83bd76abfad

      SHA512

      d6f70005e29e6e8b5c926d7fa4280ae1081c8c0626f74417a73fb81dd5522abab300dd7105f8842a2f41b8f036edacb4853bc6ca7be8f67e5da80ca9de9bc66e

      Download Submit

    • C:\Windows\Installer\{3F408034-3680-483F-A303-286D629038CA}\_9F6C3D26641EA137EC70B4.exe
      Filesize

      9KB

      MD5

      ce8ee64c66e92bbb46231b1be06aba22

      SHA1

      5bb368fbcf57d92d8c83a4487fdde7e713ed3a24

      SHA256

      d4f066db44f8ec61d8ec183091bead9578022c2385d4f7552b32f1b0c53fd26b

      SHA512

      aa31399cde6457dfa727f3f21074efb8f1f5b7ff5bfee6e54231082e7e8f5d4b6d4df90d70529aaff3935bb3ab86dc86ac1a0d85429d247fdcff9720f4e2c0ec

      Download Submit

    • C:\Windows\Installer\{3F408034-3680-483F-A303-286D629038CA}\_B5F8CC6E4F9FA1A6023003.exe
      Filesize

      14KB

      MD5

      07282ca770d5cc6fba8e0c1598c485f2

      SHA1

      b7bb6f83b446f73499059d2e14cafba3fc09eb81

      SHA256

      c7669bc86c8102ab2cec262de32ac4aca06e4904959c088d85440ae77b85ec36

      SHA512

      845fd16f032fd40456d74f30045e688044b5d2b4014a06ec700fd0211ed4a2b9fbe53dc89ad8bd7f2407c0ce6cb12885f06185c56065672071d682b39716903b

      Download Submit

    • \??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2
      Filesize

      12.8MB

      MD5

      e8f53bdc0952bbe259f78f4faa365509

      SHA1

      f6c00579513751807bb7fce5bdf345bd061edace

      SHA256

      c980da25f17f2dd771381dfbc85d2b83cd14e9ed981cc52fa8478590b30ad05a

      SHA512

      0f494df6625d7a65774adf1afc3d118df20583f6ae15c1d0e6fb5971aae1935b6c6df8d13d1da759847996b69cb0e51051eed3265cd0c768d2a42818c3d3b0da

      Download Submit

    • \??\Volume{7a15c5d7-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{74b04522-11ae-4373-a393-025fbe2ebba5}_OnDiskSnapshotProp
      Filesize

      6KB

      MD5

      a0381ce23db4ef6d54e11ad46e2c573a

      SHA1

      1a77808f134362c6a1b0023cffbe755c83f6e57c

      SHA256

      7303826fe3f37342e3678d44a4fb519ff2562d31a4258caab65bc801e0ef8c10

      SHA512

      a519fac48fd0cf3ff672e03c894e203494131520c5547ad1b61061b0bca9f9c60cdcbb33e41a5977a3e74e95b560e26f43f83db3cbca65e0943925ac781327e5

      Download Submit

    • memory/2144-35-0x00000000010D0000-0x00000000010E0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2144-19-0x00000000010D0000-0x00000000010E0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2144-36-0x000000001F2E0000-0x000000001F342000-memory.dmp

      Filesize

      392KB

      Download

    • memory/2144-34-0x00000000010D0000-0x00000000010E0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2144-33-0x000000001B6E0000-0x000000001B6E8000-memory.dmp

      Filesize

      32KB

      Download

    • memory/2144-32-0x000000001C220000-0x000000001C2BC000-memory.dmp

      Filesize

      624KB

      Download

    • memory/2144-31-0x000000001C830000-0x000000001CCFE000-memory.dmp

      Filesize

      4.8MB

      Download

    • memory/2144-22-0x00007FFD0BED0000-0x00007FFD0C871000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/2144-18-0x00007FFD0BED0000-0x00007FFD0C871000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/2144-42-0x00007FFD0BED0000-0x00007FFD0C871000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/3164-270-0x0000000073060000-0x0000000073611000-memory.dmp

      Filesize

      5.7MB

      Download

    • memory/3164-271-0x0000000002B30000-0x0000000002B40000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3164-276-0x0000000002B30000-0x0000000002B40000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3164-282-0x0000000073060000-0x0000000073611000-memory.dmp

      Filesize

      5.7MB

      Download

    • memory/3164-283-0x0000000002B30000-0x0000000002B40000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3164-269-0x0000000073060000-0x0000000073611000-memory.dmp

      Filesize

      5.7MB

      Download

    • memory/3164-480-0x0000000073060000-0x0000000073611000-memory.dmp

      Filesize

      5.7MB

      Download