
Analysis

  • max time kernel
    172s
  • max time network
    165s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    11/04/2024, 07:12 UTC

General

  • Target

    MeTSetup (1).exe

  • Size

    77.7MB

  • MD5

    f0c83297881486535346fc2b7e12f1fd

  • SHA1

    18c22e11378cca745750a9302e17495b48d6ce90

  • SHA256

    c2c04f7a5b75da5fe87f100d9f8b92b340b66148dbef0c6314a54f2a8b8cb4cd

  • SHA512

    f4cf463b428c4115eb5042db37e3896a039b916259951f64778f6aa6101941f187abe348b6f3e4f30746ceba6c003e76d8aa2266f2183f07f52606a2633277ee

  • SSDEEP

    1572864:OGubpsnuEY7TBXuTCQlGuoeHxdEOH+PrJ+4YvQsD2s6FJ:OWnuEWVX+RlnDSOQhJ

Malware Config

Signatures

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 4 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Blocklisted process makes network request 4 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in System32 directory 6 IoCs
  • Drops file in Program Files directory 26 IoCs
  • Drops file in Windows directory 13 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies data under HKEY_USERS 46 IoCs
  • Modifies registry class 40 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\MeTSetup (1).exe
    "C:\Users\Admin\AppData\Local\Temp\MeTSetup (1).exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:2648
    • C:\Users\Admin\AppData\Local\Temp\MET_SETUP_a02444\setup.exe
      setup.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:2808
      • C:\Windows\SysWOW64\msiexec.exe
        "C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\AppData\Local\Temp\MET_a02760\setup.msi"
        3⤵
        • Blocklisted process makes network request
        • Enumerates connected drives
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        PID:2424
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Loads dropped DLL
    • Adds Run key to start application
    • Blocklisted process makes network request
    • Enumerates connected drives
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Modifies data under HKEY_USERS
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2308
    • C:\Program Files\Microsec\MeT\MscKSPRegist.exe
      "C:\Program Files\Microsec\MeT\MscKSPRegist.exe" -register
      2⤵
      • Executes dropped EXE
      PID:2764
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding DCA1F57417525E29DF3C5C2246DBA349 M Global\MSI0000
      2⤵
      • Loads dropped DLL
      PID:1920
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:1568
  • C:\Windows\system32\DrvInst.exe
    DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000005C0" "0000000000000338"
    1⤵
    • Drops file in Windows directory
    • Modifies data under HKEY_USERS
    • Suspicious use of AdjustPrivilegeToken
    PID:1020

Network

  • flag-us
    DNS
    rootca2017-ca1.e-szigno.hu
    msiexec.exe
    Remote address:
    8.8.8.8:53
    Request
    rootca2017-ca1.e-szigno.hu
    IN A
    Response
    rootca2017-ca1.e-szigno.hu
    IN A
    193.42.222.125
  • flag-hu
    GET
    http://rootca2017-ca1.e-szigno.hu/rootca2017.crt
    msiexec.exe
    Remote address:
    193.42.222.125:80
    Request
    GET /rootca2017.crt HTTP/1.1
    Connection: Keep-Alive
    Accept: */*
    User-Agent: Microsoft-CryptoAPI/6.1
    Host: rootca2017-ca1.e-szigno.hu
    Response
    HTTP/1.1 200 OK
    Date: Thu, 11 Apr 2024 07:14:28 GMT
    Server: Apache
    Last-Modified: Tue, 19 Sep 2017 19:06:40 GMT
    ETag: "244-5598f8f203000"
    Accept-Ranges: bytes
    Content-Length: 580
    Keep-Alive: timeout=5, max=100
    Connection: Keep-Alive
    Content-Type: application/x-x509-ca-cert
  • 193.42.222.125:80
    http://rootca2017-ca1.e-szigno.hu/rootca2017.crt
    http
    msiexec.exe
    416 B
    1.1kB
    6
    5

    HTTP Request

    GET http://rootca2017-ca1.e-szigno.hu/rootca2017.crt

    HTTP Response

    200
  • 8.8.8.8:53
    rootca2017-ca1.e-szigno.hu
    dns
    msiexec.exe
    72 B
    88 B
    1
    1

    DNS Request

    rootca2017-ca1.e-szigno.hu

    DNS Response

    193.42.222.125

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Config.Msi\f78954f.rbs

    Filesize

    20KB

    MD5

    fa715454245aa56f8a183aeb957d0889

    SHA1

    979f7e09d1f9fa9b546593376e29a8499eb40fe2

    SHA256

    7b53e030e289c8c00e978841ffea9ab128856d8a31575d9cd0b4fe6c6d4f60d5

    SHA512

    3aff756383412b9c9b964575c0e3bd55db149d47cad7bcf63af733ee75e358ef8468e535ed2cf82dadc111c847f5e69a946323afbc33761d541b157b699e2b2c

  • C:\Program Files (x86)\Microsec\MeT\MscCertificateManager.exe

    Filesize

    7.5MB

    MD5

    089cd1cef36a26e1a24c3b6cb427821f

    SHA1

    1565c489fb6e4663fc09cad10abe32c8227b796d

    SHA256

    d99c70b0bf9ebbcbd2494415f43ab26c699a1acc5c7995c82d9debf770b8b5f8

    SHA512

    06c01593c39014b7d7df90d791be88ced8bc2d0166313adf26b98ba3939c2a218124726d3e2ae58e102720600d395fa87eabf71b406f2d00b7e8708f24c53ae9

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

    Filesize

    68KB

    MD5

    29f65ba8e88c063813cc50a4ea544e93

    SHA1

    05a7040d5c127e68c25d81cc51271ffb8bef3568

    SHA256

    1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

    SHA512

    e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CE8B5763061589BB1835A4B6566F644D

    Filesize

    580B

    MD5

    de1ff69e84aea7b421ce1e587dd18498

    SHA1

    89d483034f9e9a48805f7237d4a9a6efcb7c1fd1

    SHA256

    beb00b30839b9bc32c32e4447905950641f26421b15ed089198b518ae2ea1b99

    SHA512

    b47857b84854b2e6c73bc883554fd42077d060d115696f005131e94e60badbe6e750ca88995f53edd9abdbdb8d19c2d7b341358f61fa068c840864fd066c27cd

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    344B

    MD5

    5563f4d1b25414f192a044f4ff0e1802

    SHA1

    10807e007c5479b04daf5e46466722d68bdaf52f

    SHA256

    2358250cbf8ff227995e417c9aff5825920d1a1f527471cf287b16e44fc8df5a

    SHA512

    39cdc0b68eebfd24dc90c7bf7e85c99feb49b13c8f61a60f8f98ad3c16c1a703c797ce3f018058f1e382d5d4ede50b34c23fc62d25ee67187d18b96befce65f4

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CE8B5763061589BB1835A4B6566F644D

    Filesize

    254B

    MD5

    af766c59ec90c404f72d0ab6a1c8cec4

    SHA1

    e8097b1887936521f5b0d32aaeed55f9f16de249

    SHA256

    07743371822a25ac2b2fed56df1ebad9c3edfdd6909ffcf4adef323497768b81

    SHA512

    959288f102f0b0d8a6a49fb4a61b61eec30c13b86faf39d87f3f4f7fed01b8b1ddae7bd1abaecf4208cdafe1d8de811529d1b4279e050467c1a9228126d11710

  • C:\Users\Admin\AppData\Local\Temp\Cab73DB.tmp

    Filesize

    65KB

    MD5

    ac05d27423a85adc1622c714f2cb6184

    SHA1

    b0fe2b1abddb97837ea0195be70ab2ff14d43198

    SHA256

    c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

    SHA512

    6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

  • C:\Users\Admin\AppData\Local\Temp\MET_a02760\setup.msi

    Filesize

    43.9MB

    MD5

    80f780f89273fed90c84d7ba9901437d

    SHA1

    70106b845e69a69e9e98229a4a7942c1b77ec20d

    SHA256

    96e65c40e476ad1a6c32b4af0c1378fabb8f86577d7a6fbe984981fd460b0739

    SHA512

    f4b079a8cb53c0437aca51d77c5d8d8c915c142acff67043f25b563bfeafd735848a3d8c9e5c4231319a8e5b5dcc513512df7e44461967728a7e1f06cec277cf

  • C:\Users\Admin\AppData\Local\Temp\Tar7600.tmp

    Filesize

    171KB

    MD5

    9c0c641c06238516f27941aa1166d427

    SHA1

    64cd549fb8cf014fcd9312aa7a5b023847b6c977

    SHA256

    4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

    SHA512

    936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

  • C:\Users\Admin\AppData\Local\Temp\Tar77F9.tmp

    Filesize

    177KB

    MD5

    435a9ac180383f9fa094131b173a2f7b

    SHA1

    76944ea657a9db94f9a4bef38f88c46ed4166983

    SHA256

    67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

    SHA512

    1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

  • C:\Windows\Installer\MSIBE6F.tmp

    Filesize

    1.9MB

    MD5

    641c3181c7d469d68d934c56dd6bba09

    SHA1

    305d139560cbefd6de48184ac0086502b036ce94

    SHA256

    1d2660f3d6fd3b6b245b383fab30466af1e521bee31884092b8442c12d84b48a

    SHA512

    4a91e4d05de7bd66258f5c07fe928a1edbe46dbffeaaafc522622a61e72c2e5504bb9da98452dd701355a51092ca22fded29907c3cd68bd09c4bdede1488d1c2

  • \Program Files\Microsec\MeT\MscKSPRegist.exe

    Filesize

    134KB

    MD5

    fa8aba7e52cf9c1422b71b2543dc814e

    SHA1

    3ba2e62a2b3e56da05dfe9b06e1b59620c430a8f

    SHA256

    05b44932ed728b108d3f23906b69de2deedb5b72b5a2e7bbb926d31ecebb48e2

    SHA512

    f9528f30188ce3cd17f3b05059190d254ff91333bd4ea1bb8f54da9df941d6e197f1e49666fa73f3335982754d0ee7511c16855e0c6b3154816bf12c98559bc9

  • \Users\Admin\AppData\Local\Temp\MET_SETUP_a02444\setup.exe

    Filesize

    77.4MB

    MD5

    67ce46f5508574cbeca12583960b4717

    SHA1

    96130fc87ad6657eb62adac61655613c9d267e6f

    SHA256

    4969f7f0653c2f9353a878be2577664d68110090ea503efffb75ff5e6cac820c

    SHA512

    d89d7cb7b0d1fdf198d8dd0f8cd900c353ef3359314e9a326e195f61eeb770c36d67b19e1eca2c6d92446f6eddc6a918002be589285c3c34ce387ed65696149e
