Analysis
max time kernel: 412s
max time network: 1153s
platform: windows11-21h2_x64
resource: win11-20240221-en
resource tags: arch:x64, arch:x86, image:win11-20240221-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 08/04/2024, 14:58
Static task: static1
Behavioral task: behavioral1
  Sample: TruCheck_v3.03.70_b3647_Updater.exe
  Resource: win10v2004-20240226-en
Behavioral task: behavioral2
  Sample: TruCheck_v3.03.70_b3647_Updater.exe
  Resource: win11-20240221-en
General
Target: TruCheck_v3.03.70_b3647_Updater.exe
Size: 195.7MB
MD5: 719e9af110e7527608b8006f6290a29c
SHA1: 74a0684bffc141503c55572c12eecba2a3d9e5a1
SHA256: 29dc4464ba770c14edd38234dc1a26fc6a983212831ed653b50945be99153c12
SHA512: 140e648a28ac5e7a3180f7f311f84ee0a393146f066d3d800d25efff9e5f278d97445117b10c28a382b45c5b345183bdf11fc5227d6e687dedbfc3b8372d87ae
SSDEEP: 3145728:caSFaGTMXZ+IasZ4AR/gh6O6gx7AFaTzT6B7jdsOL9Nf0iVbSJNTRK:2aGwJ+TO496nU/nO7jdnky
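Before attributing any of the behaviour below to a file you hold, confirm it is the same 195.7MB binary: the digest set in General is what other reports and the Downloads section key on. The following is an added example and not part of the Triage report; it copies the published digests into REPORT_HASHES and recomputes them over a local file in a single pass. All function names are the author's own.

```python
"""Recompute the digest set a Triage 'General' section publishes and compare
it with a local copy of the sample.

Added example, not part of the Triage report. REPORT_HASHES is copied from
the page; everything else here is the author's own code.
"""
import hashlib
from pathlib import Path

# Digests as published on the report page for TruCheck_v3.03.70_b3647_Updater.exe.
REPORT_HASHES = {
    "md5": "719e9af110e7527608b8006f6290a29c",
    "sha1": "74a0684bffc141503c55572c12eecba2a3d9e5a1",
    "sha256": "29dc4464ba770c14edd38234dc1a26fc6a983212831ed653b50945be99153c12",
    "sha512": "140e648a28ac5e7a3180f7f311f84ee0a393146f066d3d800d25efff9e5f278d"
              "97445117b10c28a382b45c5b345183bdf11fc5227d6e687dedbfc3b8372d87ae",
}

ALGORITHMS = ("md5", "sha1", "sha256", "sha512")


def hash_bytes(data: bytes) -> dict[str, str]:
    """Hex digests of an in-memory buffer under every algorithm in ALGORITHMS."""
    return {name: hashlib.new(name, data).hexdigest() for name in ALGORITHMS}


def hash_file(path: Path, chunk_size: int = 1 << 20) -> dict[str, str]:
    """Stream a file (here ~200 MB) through all four digests at once so the
    sample is read from disk only once."""
    hashers = {name: hashlib.new(name) for name in ALGORITHMS}
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def compare(actual: dict[str, str], expected: dict[str, str]) -> dict[str, bool]:
    """Per-algorithm match flags. Digests are compared case-insensitively
    because report pages and analysts mix hex case freely."""
    return {name: actual[name].lower() == expected[name].lower() for name in ALGORITHMS}


def verify_file(path: Path, expected: dict[str, str] = REPORT_HASHES) -> bool:
    """True only when every published digest matches the local file; a single
    mismatch means this is not the file the report describes."""
    return all(compare(hash_file(path), expected).values())


if __name__ == "__main__":
    import sys
    target = Path(sys.argv[1])
    result = compare(hash_file(target), REPORT_HASHES)
    for name, ok in result.items():
        print(f"{name:6s} {'match' if ok else 'MISMATCH'}")
    sys.exit(0 if all(result.values()) else 1)
```

Run it as `python verify_sample.py TruCheck_v3.03.70_b3647_Updater.exe`; a non-zero exit means at least one digest differs. SSDEEP is deliberately left out: it needs the external ssdeep library and fuzzy-hash similarity is a different question from identity.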
Malware Config
Signatures
Executes dropped EXE (2 IoCs)
  pid   Process
  4596  UpdateTool.exe
  1628  TruCheckSetup.exe
Loads dropped DLL (2 IoCs)
  pid   Process
  4088  MsiExec.exe
  4088  MsiExec.exe
Blocklisted process makes network request (2 IoCs)
  flow  pid   Process
  10    2692  msiexec.exe
  11    2692  msiexec.exe
Enumerates connected drives (3 TTPs, 46 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
  description: File opened (read-only)    Process: msiexec.exe
  ioc: \??\A: \??\B: \??\E: \??\G: \??\H: \??\I: \??\J: \??\K: \??\L: \??\M: \??\N: \??\O: \??\P: \??\Q: \??\R: \??\S: \??\T: \??\U: \??\V: \??\W: \??\X: \??\Y: \??\Z:
  (each of these 23 drive letters is opened twice, giving the 46 entries; C:, D: and F: do not appear in the list)
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Token: SeSecurityPrivilege    pid 3576  msiexec.exe
  pid 2692 msiexec.exe, 63 entries in this order: SeShutdownPrivilege, SeIncreaseQuotaPrivilege, then the 29-privilege sequence
    SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege, SeIncreaseQuotaPrivilege, SeMachineAccountPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeSyncAgentPrivilege, SeEnableDelegationPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
  which runs twice in full and begins a third time (SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege) before the listing ends at 64 entries.
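Both processes in this signature are Windows Installer: PID 3576 is the installer service (system32 msiexec.exe /V) and PID 2692 is the client that was handed TruCheckSetup.msi. A client msiexec enabling the full privilege set of its token is routinely seen in reports of ordinary MSI installs, so the signature carries little weight on its own; what a reviewer actually wants from a 64-row list is which process enabled which privileges, how often, and whether any process other than the installer did so. The following is an added example, not part of the Triage report: it parses the first sweep of the list above (the 32 entries up to the first SeCreateGlobalPrivilege, copied from the page) and aggregates it per PID. The HIGH_IMPACT shortlist and all function names are the author's own choices, not a Triage concept.

```python
"""Aggregate a Triage 'Suspicious use of AdjustPrivilegeToken' listing per
process and pull out the privileges that matter most during review.

Added example, not part of the Triage report. TOKEN_EVENTS is copied from the
report (first 32 of 64 entries); HIGH_IMPACT and the code are the author's own.
"""
import re
from collections import Counter

# First sweep of the signature as printed on the page (1 entry for PID 3576,
# 31 for PID 2692); the page repeats the 29-privilege cycle twice more.
TOKEN_EVENTS = (
    "Token: SeSecurityPrivilege 3576 msiexec.exe "
    "Token: SeShutdownPrivilege 2692 msiexec.exe "
    "Token: SeIncreaseQuotaPrivilege 2692 msiexec.exe "
    "Token: SeCreateTokenPrivilege 2692 msiexec.exe "
    "Token: SeAssignPrimaryTokenPrivilege 2692 msiexec.exe "
    "Token: SeLockMemoryPrivilege 2692 msiexec.exe "
    "Token: SeIncreaseQuotaPrivilege 2692 msiexec.exe "
    "Token: SeMachineAccountPrivilege 2692 msiexec.exe "
    "Token: SeTcbPrivilege 2692 msiexec.exe "
    "Token: SeSecurityPrivilege 2692 msiexec.exe "
    "Token: SeTakeOwnershipPrivilege 2692 msiexec.exe "
    "Token: SeLoadDriverPrivilege 2692 msiexec.exe "
    "Token: SeSystemProfilePrivilege 2692 msiexec.exe "
    "Token: SeSystemtimePrivilege 2692 msiexec.exe "
    "Token: SeProfSingleProcessPrivilege 2692 msiexec.exe "
    "Token: SeIncBasePriorityPrivilege 2692 msiexec.exe "
    "Token: SeCreatePagefilePrivilege 2692 msiexec.exe "
    "Token: SeCreatePermanentPrivilege 2692 msiexec.exe "
    "Token: SeBackupPrivilege 2692 msiexec.exe "
    "Token: SeRestorePrivilege 2692 msiexec.exe "
    "Token: SeShutdownPrivilege 2692 msiexec.exe "
    "Token: SeDebugPrivilege 2692 msiexec.exe "
    "Token: SeAuditPrivilege 2692 msiexec.exe "
    "Token: SeSystemEnvironmentPrivilege 2692 msiexec.exe "
    "Token: SeChangeNotifyPrivilege 2692 msiexec.exe "
    "Token: SeRemoteShutdownPrivilege 2692 msiexec.exe "
    "Token: SeUndockPrivilege 2692 msiexec.exe "
    "Token: SeSyncAgentPrivilege 2692 msiexec.exe "
    "Token: SeEnableDelegationPrivilege 2692 msiexec.exe "
    "Token: SeManageVolumePrivilege 2692 msiexec.exe "
    "Token: SeImpersonatePrivilege 2692 msiexec.exe "
    "Token: SeCreateGlobalPrivilege 2692 msiexec.exe "
)

# One entry is "Token: <privilege> <pid> <image name>"; entries are space-joined.
TOKEN_RE = re.compile(r"Token: (Se\w+Privilege) (\d+) (\S+)")

# Author's shortlist: privileges that let a process read any file, load kernel
# code, debug any process, or mint/assume arbitrary tokens.
HIGH_IMPACT = frozenset({
    "SeDebugPrivilege", "SeTcbPrivilege", "SeLoadDriverPrivilege",
    "SeBackupPrivilege", "SeRestorePrivilege", "SeTakeOwnershipPrivilege",
    "SeImpersonatePrivilege", "SeAssignPrimaryTokenPrivilege", "SeCreateTokenPrivilege",
})


def parse_token_events(text):
    """Return a list of (privilege, pid, image) tuples in page order."""
    return [(priv, int(pid), image) for priv, pid, image in TOKEN_RE.findall(text)]


def summarize(events):
    """Map each PID to a Counter of privilege -> number of enable calls."""
    per_pid = {}
    for priv, pid, _image in events:
        per_pid.setdefault(pid, Counter())[priv] += 1
    return per_pid


def high_impact(per_pid):
    """Only the PIDs that enabled at least one HIGH_IMPACT privilege,
    each with its sorted list of hits."""
    out = {}
    for pid, counter in per_pid.items():
        hits = sorted(p for p in counter if p in HIGH_IMPACT)
        if hits:
            out[pid] = hits
    return out


def process_names(events):
    """PID -> image name, as recorded in the signature itself."""
    return {pid: image for _priv, pid, image in events}


if __name__ == "__main__":
    events = parse_token_events(TOKEN_EVENTS)
    names = process_names(events)
    for pid, counter in summarize(events).items():
        total = sum(counter.values())
        print(f"{pid} {names[pid]}: {len(counter)} distinct privileges, {total} calls")
    for pid, hits in high_impact(summarize(events)).items():
        print(f"  {pid} {names[pid]} high-impact: {', '.join(hits)}")
```

On this report every high-impact hit lands on the installer client, which is the expected shape; the same script run over a report where UpdateTool.exe or TruCheckSetup.exe showed up under high_impact would be the finding worth chasing.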
Suspicious use of FindShellTrayWindow (1 IoC)
  pid 2692  msiexec.exe
Suspicious use of SetWindowsHookEx (1 IoC)
  pid 1628  TruCheckSetup.exe
Suspicious use of WriteProcessMemory (11 IoCs)
  description                              pid   Process                               procid_target
  PID 4176 wrote to memory of 4596 (x2)    4176  TruCheck_v3.03.70_b3647_Updater.exe   79
  PID 4596 wrote to memory of 1628 (x3)    4596  UpdateTool.exe                        84
  PID 1628 wrote to memory of 2692 (x3)    1628  TruCheckSetup.exe                     85
  PID 3576 wrote to memory of 4088 (x3)    3576  msiexec.exe                           86
Processes
C:\Users\Admin\AppData\Local\Temp\TruCheck_v3.03.70_b3647_Updater.exe  (PID 4176, level 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\TruCheck_v3.03.70_b3647_Updater.exe"
  - Suspicious use of WriteProcessMemory
  └─ C:\Users\Admin\AppData\Local\Temp\UpdateTool.exe  (PID 4596, level 2)
       command line: "C:\Users\Admin\AppData\Local\Temp\UpdateTool.exe" ud=true uf="Setup.exe PreInstallDriver=true"
       - Executes dropped EXE
       - Suspicious use of WriteProcessMemory
       └─ C:\Users\Admin\AppData\Local\Temp\TruCheckSetup.exe  (PID 1628, level 3)
            command line: "C:\Users\Admin\AppData\Local\Temp\TruCheckSetup.exe" PreInstallDriver=true
            - Executes dropped EXE
            - Suspicious use of SetWindowsHookEx
            - Suspicious use of WriteProcessMemory
            └─ C:\Windows\SysWOW64\msiexec.exe  (PID 2692, level 4)
                 command line: "C:\Windows\SysWOW64\msiexec.exe" -I "C:\Users\Admin\AppData\Local\Temp\TruCheckSetup.msi" PreInstallDriver=true
                 - Blocklisted process makes network request
                 - Enumerates connected drives
                 - Suspicious use of AdjustPrivilegeToken
                 - Suspicious use of FindShellTrayWindow

C:\Windows\system32\msiexec.exe  (PID 3576, level 1)
  command line: C:\Windows\system32\msiexec.exe /V
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  └─ C:\Windows\syswow64\MsiExec.exe  (PID 4088, level 2)
       command line: C:\Windows\syswow64\MsiExec.exe -Embedding DE4FB1E0A82FF3E3D8A06FB8992A932A C
       - Loads dropped DLL
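The "wrote to memory of" rows in the WriteProcessMemory signature are how Triage records a parent populating a newly created child, so they should reproduce the two trees in the Processes section: the updater chain (4176 → 4596 → 1628 → 2692) and the installer service (msiexec.exe /V, PID 3576) with its -Embedding child (4088). Rebuilding the tree from the signature rather than the rendered view is the check to run when a report has many processes and you want the root-to-leaf chains and the write counts in one place. The following is an added example, not part of the Triage report; the event lines are copied from the signature above, TARGET_NAMES fills in the two PIDs that only appear as write targets, and the parsing and tree code is the author's own.

```python
"""Rebuild a Triage report's process tree from its 'Suspicious use of
WriteProcessMemory' events and extract root-to-leaf chains.

Added example, not part of the Triage report. WPM_EVENTS is copied from the
report; TARGET_NAMES, the regex and the tree code are the author's own.
"""
import re
from collections import defaultdict

# All 11 events exactly as the signature prints them.
WPM_EVENTS = """
PID 4176 wrote to memory of 4596 4176 TruCheck_v3.03.70_b3647_Updater.exe 79
PID 4176 wrote to memory of 4596 4176 TruCheck_v3.03.70_b3647_Updater.exe 79
PID 4596 wrote to memory of 1628 4596 UpdateTool.exe 84
PID 4596 wrote to memory of 1628 4596 UpdateTool.exe 84
PID 4596 wrote to memory of 1628 4596 UpdateTool.exe 84
PID 1628 wrote to memory of 2692 1628 TruCheckSetup.exe 85
PID 1628 wrote to memory of 2692 1628 TruCheckSetup.exe 85
PID 1628 wrote to memory of 2692 1628 TruCheckSetup.exe 85
PID 3576 wrote to memory of 4088 3576 msiexec.exe 86
PID 3576 wrote to memory of 4088 3576 msiexec.exe 86
PID 3576 wrote to memory of 4088 3576 msiexec.exe 86
"""

# Leaf PIDs never act as a writer, so their image names come from the
# Processes section of the report rather than from the events.
TARGET_NAMES = {2692: "msiexec.exe", 4088: "MsiExec.exe"}

# "PID <src> wrote to memory of <dst> <src again> <image> <procid_target>"
EVENT_RE = re.compile(
    r"PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) (?P=src) (?P<name>\S+) (?P<procid>\d+)"
)


def parse_events(text):
    """Return (source_pid, target_pid, source_image) per event line; a line
    that does not match the Triage layout is an error, not silently skipped."""
    events = []
    for line in text.strip().splitlines():
        m = EVENT_RE.fullmatch(line.strip())
        if m is None:
            raise ValueError(f"unrecognised event line: {line!r}")
        events.append((int(m["src"]), int(m["dst"]), m["name"]))
    return events


def build_tree(events):
    """Return (children, names, write_counts): children keeps first-seen
    order and is deduplicated, write_counts keeps the raw repetition."""
    children = defaultdict(list)
    names = dict(TARGET_NAMES)
    counts = defaultdict(int)
    for src, dst, name in events:
        names[src] = name
        counts[(src, dst)] += 1
        if dst not in children[src]:
            children[src].append(dst)
    return dict(children), names, dict(counts)


def roots(children):
    """Writers that are never themselves a write target."""
    targets = {kid for kids in children.values() for kid in kids}
    return [pid for pid in children if pid not in targets]


def chains(children, start):
    """Every root-to-leaf PID path below `start`."""
    kids = children.get(start, [])
    if not kids:
        return [[start]]
    return [[start] + rest for kid in kids for rest in chains(children, kid)]


def analyse(text=WPM_EVENTS):
    """Everything a reviewer wants in one dict: roots, chains, names, counts."""
    children, names, counts = build_tree(parse_events(text))
    return {
        "roots": roots(children),
        "chains": {r: chains(children, r) for r in roots(children)},
        "names": names,
        "counts": counts,
    }


if __name__ == "__main__":
    result = analyse()
    for root, paths in result["chains"].items():
        for path in paths:
            print(" -> ".join(f"{pid} {result['names'][pid]}" for pid in path))
    for (src, dst), n in result["counts"].items():
        print(f"{src} wrote to {dst} {n}x")
```

The two roots fall out directly: nothing writes into 4176 (the submitted sample) or 3576 (the installer service, which is started by the Installer service manager and so is not a child of the sample). The 191.6MB entry under Downloads is consistent with a large payload being written to disk somewhere along the updater chain, but the report does not name which process dropped which file, and this script does not guess.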
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 221KB
MD5: 911aa8d08b7ccab654e897b0e4439354
SHA1: 4f4f16048deae47a2ff5b9849042f62ec51794bc
SHA256: ba56a2fa13e5dae48b6d74a8fa40f2f44473b386e71ba1e7ec2ded90ad56bb8b
SHA512: 8aa11f26093e54a62c5390c64e218a8a57cd3374bbce8ecc243042dd8a2214ede1f3befa699837698c0bd42b9b4e011f95c62588b8bdd4da9aae12dabe4b46e4

Filesize: 384KB
MD5: 776851d4a843a0717892e075d03f46ce
SHA1: 71158f473006c4bbe7c0a5e969c0b346e0c57ac8
SHA256: 3242c4e31b2158a950b66220ba6029138be0c00a4534c7e3c3c109cb882f239b
SHA512: 57130f320b81da24c784d84b94d2968437f48a7a950944e4c5c31858741d2e31f33cd01992f36fd55b9fcd2fdd425b831da6b7a196bba4d9486d4a8f0aead7aa

Filesize: 191.6MB
MD5: b42d32a276b782d58420ec171789ed34
SHA1: 789505e6363e2fc9942e5b73df99884760273abf
SHA256: 704f21dd7d649d9875b903727e232316dda3075feaf9f25efd46134af9c31839
SHA512: 63741b75309f8f41a57bd9e1daa4f7e408a73de2d2fe19e2ef3b51dc7d0e1cc5b9d3ba2c2bc3250649992e693a206825081a6cf25badd93c12592c359ec61684

Filesize: 59KB
MD5: d42b83e5e46d7cc78baf0fc96c9eb676
SHA1: f8749d8dcfc7e5ca8ae9c1c61cd07c69ba5179e8
SHA256: 1d346380993baeddb1b36928497cc442415e05b761dd66296f85815b13091cb6
SHA512: bafd9284e3de19607cc64c2f1b4ec7d18906f49618aac246ae2ef103e36a918d7f6d0c8df7a45d11e36281dcd95da8b65add4e72228d97fd4f4c43de086b6508