Resubmissions

08/04/2024, 14:58

240408-scmmhaca56 8

03/04/2024, 19:45

240403-ygeeksag7v 8

Analysis

  • max time kernel
    412s
  • max time network
    1153s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240221-en
  • resource tags

    arch:x64, arch:x86, image:win11-20240221-en, locale:en-us, os:windows11-21h2-x64, system
  • submitted
    08/04/2024, 14:58

General

  • Target

    TruCheck_v3.03.70_b3647_Updater.exe

  • Size

    195.7MB

  • MD5

    719e9af110e7527608b8006f6290a29c

  • SHA1

    74a0684bffc141503c55572c12eecba2a3d9e5a1

  • SHA256

    29dc4464ba770c14edd38234dc1a26fc6a983212831ed653b50945be99153c12

  • SHA512

    140e648a28ac5e7a3180f7f311f84ee0a393146f066d3d800d25efff9e5f278d97445117b10c28a382b45c5b345183bdf11fc5227d6e687dedbfc3b8372d87ae

  • SSDEEP

    3145728:caSFaGTMXZ+IasZ4AR/gh6O6gx7AFaTzT6B7jdsOL9Nf0iVbSJNTRK:2aGwJ+TO496nU/nO7jdnky

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Blocklisted process makes network request 2 IoCs
  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\TruCheck_v3.03.70_b3647_Updater.exe
    "C:\Users\Admin\AppData\Local\Temp\TruCheck_v3.03.70_b3647_Updater.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4176
    • C:\Users\Admin\AppData\Local\Temp\UpdateTool.exe
      "C:\Users\Admin\AppData\Local\Temp\UpdateTool.exe" ud=true uf="Setup.exe PreInstallDriver=true"
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:4596
      • C:\Users\Admin\AppData\Local\Temp\TruCheckSetup.exe
        "C:\Users\Admin\AppData\Local\Temp\TruCheckSetup.exe" PreInstallDriver=true
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:1628
        • C:\Windows\SysWOW64\msiexec.exe
          "C:\Windows\SysWOW64\msiexec.exe" -I "C:\Users\Admin\AppData\Local\Temp\TruCheckSetup.msi" PreInstallDriver=true
          4⤵
          • Blocklisted process makes network request
          • Enumerates connected drives
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of FindShellTrayWindow
          PID:2692
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Enumerates connected drives
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3576
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding DE4FB1E0A82FF3E3D8A06FB8992A932A C
      2⤵
      • Loads dropped DLL
      PID:4088

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\MSI9D93.tmp

    Filesize

    221KB

    MD5

    911aa8d08b7ccab654e897b0e4439354

    SHA1

    4f4f16048deae47a2ff5b9849042f62ec51794bc

    SHA256

    ba56a2fa13e5dae48b6d74a8fa40f2f44473b386e71ba1e7ec2ded90ad56bb8b

    SHA512

    8aa11f26093e54a62c5390c64e218a8a57cd3374bbce8ecc243042dd8a2214ede1f3befa699837698c0bd42b9b4e011f95c62588b8bdd4da9aae12dabe4b46e4

  • C:\Users\Admin\AppData\Local\Temp\TruCheckSetup.exe

    Filesize

    384KB

    MD5

    776851d4a843a0717892e075d03f46ce

    SHA1

    71158f473006c4bbe7c0a5e969c0b346e0c57ac8

    SHA256

    3242c4e31b2158a950b66220ba6029138be0c00a4534c7e3c3c109cb882f239b

    SHA512

    57130f320b81da24c784d84b94d2968437f48a7a950944e4c5c31858741d2e31f33cd01992f36fd55b9fcd2fdd425b831da6b7a196bba4d9486d4a8f0aead7aa

  • C:\Users\Admin\AppData\Local\Temp\TruCheckSetup.msi

    Filesize

    191.6MB

    MD5

    b42d32a276b782d58420ec171789ed34

    SHA1

    789505e6363e2fc9942e5b73df99884760273abf

    SHA256

    704f21dd7d649d9875b903727e232316dda3075feaf9f25efd46134af9c31839

    SHA512

    63741b75309f8f41a57bd9e1daa4f7e408a73de2d2fe19e2ef3b51dc7d0e1cc5b9d3ba2c2bc3250649992e693a206825081a6cf25badd93c12592c359ec61684

  • C:\Users\Admin\AppData\Local\Temp\UpdateTool.exe

    Filesize

    59KB

    MD5

    d42b83e5e46d7cc78baf0fc96c9eb676

    SHA1

    f8749d8dcfc7e5ca8ae9c1c61cd07c69ba5179e8

    SHA256

    1d346380993baeddb1b36928497cc442415e05b761dd66296f85815b13091cb6

    SHA512

    bafd9284e3de19607cc64c2f1b4ec7d18906f49618aac246ae2ef103e36a918d7f6d0c8df7a45d11e36281dcd95da8b65add4e72228d97fd4f4c43de086b6508

  • memory/4596-20-0x00007FFDA8280000-0x00007FFDA8C21000-memory.dmp

    Filesize

    9.6MB

  • memory/4596-32-0x000000001BAE0000-0x000000001BB7C000-memory.dmp

    Filesize

    624KB

  • memory/4596-33-0x0000000001190000-0x0000000001198000-memory.dmp

    Filesize

    32KB

  • memory/4596-34-0x00000000011A0000-0x00000000011B0000-memory.dmp

    Filesize

    64KB

  • memory/4596-35-0x000000001F1B0000-0x000000001F212000-memory.dmp

    Filesize

    392KB

  • memory/4596-31-0x000000001C6B0000-0x000000001CB7E000-memory.dmp

    Filesize

    4.8MB

  • memory/4596-19-0x00000000011A0000-0x00000000011B0000-memory.dmp

    Filesize

    64KB

  • memory/4596-41-0x00007FFDA8280000-0x00007FFDA8C21000-memory.dmp

    Filesize

    9.6MB

  • memory/4596-18-0x00007FFDA8280000-0x00007FFDA8C21000-memory.dmp

    Filesize

    9.6MB