Analysis

- Max time kernel: 144s
- Max time network: 140s
- Platform: windows10-2004_x64
- Resource: win10v2004-20240412-en
- Resource tags: arch:x64, arch:x86, image:win10v2004-20240412-en, locale:en-us, os:windows10-2004-x64, system
- Submitted: 25/04/2024, 08:41

Tasks

- Static task: static1
- Behavioral task: behavioral1
  - Sample: 6d3f68d31efc5fc456850af228427c25.msi
  - Resource: win7-20231129-en
General

- Target: 6d3f68d31efc5fc456850af228427c25.msi
- Size: 1.5MB
- MD5: 6d3f68d31efc5fc456850af228427c25
- SHA1: 487fcaaab61ce4e76d6a1e2568cf3602a5f6632b
- SHA256: 147f810affa8a7f95cc8a15cc5918933d3cf430232e132b340180d3878951974
- SHA512: e1c26181065ad69078e281154f741d318ceec9d412c030a89397e6d27ff89c224ed7f106b68892f41309264830e48255ff114369985206efe9c5311f8725df3d
- SSDEEP: 24576:kt9cpVDhOXLcVXyEq9GRhv9cWP8rtPN01Mq7+xtA+w9TxDfoUBoiGt+eWilfdqF6:jpRhOXLcJyEq9GRhvVqtV01Mq7kctDAo
Malware Config

Extracted configuration (family: asyncrat)

- AWS | 3Losh
- mafiaexe
- C2:
  - 127.0.0.1:6606
  - 127.0.0.1:7707
  - 127.0.0.1:8808
  - twinks234.duckdns.org:6606
  - twinks234.duckdns.org:7707
  - twinks234.duckdns.org:8808
- mafiaEXE
- delay: 3
- install: false
- install_folder: %AppData%

The three 127.0.0.1 entries are loopback placeholders and give nothing to alert on; the actionable network indicator is twinks234.duckdns.org on TCP 6606, 7707 and 8808 (a dynamic-DNS name, so the resolved address can change between runs). In AsyncRAT, delay is the number of seconds the client sleeps before it starts, and install: false means the client does not copy itself into install_folder or set up persistence, so %AppData% is unused by this build.
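The C2 list above mixes loopback placeholders with one dynamic-DNS host on three ports. The Python below is an added example, not part of the sandbox report: it turns the extracted list into de-duplicated host:port indicators (dropping 127.0.0.1, which cannot be alerted on), tags the dynamic-DNS zone, and runs the indicators over DNS and connection log lines. The log lines, their space-separated format, the answer address 203.0.113.77 and the dynamic-DNS zone list are all constructed for the example.

```python
"""Network indicators from the extracted AsyncRAT config, checked against logs.

Added example for this report. C2_ENTRIES are the values the report
extracted; the log lines below are constructed, not from the sandbox run.
"""
import ipaddress
from dataclasses import dataclass

C2_ENTRIES = [
    "127.0.0.1:6606", "127.0.0.1:7707", "127.0.0.1:8808",
    "twinks234.duckdns.org:6606", "twinks234.duckdns.org:7707",
    "twinks234.duckdns.org:8808",
]

# Assumption: a short, illustrative list of dynamic-DNS zones, not an exhaustive one.
DYNAMIC_DNS_ZONES = {"duckdns.org", "no-ip.com", "ddns.net", "hopto.org"}


@dataclass(frozen=True)
class Indicator:
    host: str
    port: int
    dynamic_dns: bool


def is_placeholder(host: str) -> bool:
    """Loopback/unspecified addresses in a RAT config cannot be alerted on."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False          # a hostname, keep it
    return ip.is_loopback or ip.is_unspecified


def indicators_from_config(entries: list[str]) -> list[Indicator]:
    """De-duplicate host:port pairs and drop placeholder addresses."""
    seen: set[tuple[str, int]] = set()
    out: list[Indicator] = []
    for entry in entries:
        host, _, port = entry.rpartition(":")
        host = host.lower()
        key = (host, int(port))
        if is_placeholder(host) or key in seen:
            continue
        seen.add(key)
        zone = ".".join(host.split(".")[-2:])   # last two labels; enough for this list
        out.append(Indicator(host, int(port), zone in DYNAMIC_DNS_ZONES))
    return out


# Constructed log lines (formats are this example's own, not Zeek/Suricata):
#   dns:  "<ts> <client> query <name> A <answer_ip>"
#   conn: "<ts> <src> <dst> <dst_port> <proto>"
DNS_LOG = [
    "2024-04-25T08:41:10Z 10.0.0.5 query twinks234.duckdns.org A 203.0.113.77",
    "2024-04-25T08:41:12Z 10.0.0.5 query www.example.com A 93.184.216.34",
]
CONN_LOG = [
    "2024-04-25T08:41:13Z 10.0.0.5 203.0.113.77 6606 tcp",
    "2024-04-25T08:41:20Z 10.0.0.5 93.184.216.34 443 tcp",
    "2024-04-25T08:41:25Z 10.0.0.5 127.0.0.1 7707 tcp",   # loopback: must not alert
]


def match_logs(indicators, dns_lines, conn_lines):
    """Return (timestamp, reason) for every log line that hits an indicator.

    DNS answers for indicator hosts are remembered so that a later connection
    to the resolved address on a C2 port is caught even though the conn log
    never carries the hostname.
    """
    hosts = {i.host for i in indicators}
    ports = {i.port for i in indicators}
    resolved: dict[str, str] = {}     # answer ip -> C2 hostname
    hits = []
    for line in dns_lines:
        ts, _client, _kw, name, _rrtype, answer = line.split()
        if name.lower() in hosts:
            resolved[answer] = name.lower()
            hits.append((ts, f"dns lookup of C2 host {name}"))
    for line in conn_lines:
        ts, _src, dst, dport, _proto = line.split()
        if dst in resolved and int(dport) in ports:
            hits.append((ts, f"connection to {resolved[dst]} ({dst}) on C2 port {dport}"))
    return hits


if __name__ == "__main__":
    inds = indicators_from_config(C2_ENTRIES)
    for i in inds:
        print(i)
    for ts, why in match_logs(inds, DNS_LOG, CONN_LOG):
        print(ts, why)
```

Tracking the DNS answer is the point of the example: the connection log only shows the resolved address, and with a dynamic-DNS C2 that address is not a stable indicator on its own, so the hostname-to-address link has to come from the DNS log of the same session.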
Signatures

Async RAT payload (1 IoC)
- YARA rule family_asyncrat matched on behavioral2/files/0x000a000000023409-66.dat

Modifies file permissions (1 TTP, 1 IoC)
- PID 2344 ICACLS.EXE

Enumerates connected drives (3 TTPs, 46 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
- msiexec.exe opened (read-only) \??\A: through \??\Z:, every letter except C:, D: and F:, each of the 23 letters twice (consistent with both msiexec.exe instances, PIDs 3016 and 1752, carrying this signature in the process tree).
Caveat: Windows Installer enumerates volumes as part of its costing phase, so this is normal msiexec.exe behaviour and not attributable to the payload.

Drops file in Windows directory (9 IoCs)
- msiexec.exe: opened for modification C:\Windows\Installer\MSI6477.tmp
- EXPAND.EXE: opened for modification C:\Windows\LOGS\DPX\setupact.log
- EXPAND.EXE: opened for modification C:\Windows\LOGS\DPX\setuperr.log
- msiexec.exe: created C:\Windows\Installer\e5763ab.msi
- msiexec.exe: opened for modification C:\Windows\Installer\e5763ab.msi
- msiexec.exe: opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log
- msiexec.exe: created C:\Windows\Installer\SourceHash{BE13E8ED-EE1E-41EA-93EE-21B2B781511E}
- msiexec.exe: opened for modification C:\Windows\Installer\
- msiexec.exe: created C:\Windows\Installer\inprogressinstallinfo.ipi
These are Windows Installer's own cache and bookkeeping files. The SourceHash file is named after the package's ProductCode, so {BE13E8ED-EE1E-41EA-93EE-21B2B781511E} is a usable pivot for hunting other installs of this package.

Executes dropped EXE (1 IoC)
- PID 1044 mafiachroom.exe

Loads dropped DLL (1 IoC)
- PID 4764 MsiExec.exe

Checks SCSI registry key(s) (3 TTPs, 5 IoCs)
SCSI information is often read in order to detect sandboxing environments.
All five IoCs come from vssvc.exe under \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters:
- Key opened: Device Parameters
- Key queried: Device Parameters
- Key created: Device Parameters\Partmgr
- Set value (data): Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
- Set value (data): Device Parameters\Partmgr\PartitionTableCache = (value not reproduced on the page)
Caveat: the writer is vssvc.exe, the Volume Shadow Copy service, updating the partition manager's snapshot caches while System Restore (srtasks.exe ExecuteScopeRestorePoint, spawned by msiexec.exe) creates the pre-install restore point. This is a side effect of the installer, not a sandbox check by the payload.

Suspicious behavior: EnumeratesProcesses (4 IoCs)
- PID 1752 msiexec.exe (2), PID 1044 mafiachroom.exe (2)

Suspicious use of AdjustPrivilegeToken (50 IoCs)
- PID 3016 msiexec.exe (31): SeShutdownPrivilege, SeIncreaseQuotaPrivilege, SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege, SeIncreaseQuotaPrivilege, SeMachineAccountPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeSyncAgentPrivilege, SeEnableDelegationPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
- PID 1752 msiexec.exe (7): SeSecurityPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeRestorePrivilege, SeTakeOwnershipPrivilege, SeRestorePrivilege, SeTakeOwnershipPrivilege
- PID 672 vssvc.exe (3): SeBackupPrivilege, SeRestorePrivilege, SeAuditPrivilege
- PID 1044 mafiachroom.exe (1): SeDebugPrivilege
- PID 4192 srtasks.exe (8): SeBackupPrivilege, SeRestorePrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege
The msiexec.exe, vssvc.exe and srtasks.exe entries are system components enabling the backup/restore privileges they need; the one worth noting is SeDebugPrivilege enabled by mafiachroom.exe, the dropped payload.

Suspicious use of FindShellTrayWindow (1 IoC)
- PID 3016 msiexec.exe

Suspicious use of SetWindowsHookEx (1 IoC)
- PID 1044 mafiachroom.exe

Suspicious use of WriteProcessMemory (14 IoCs)
- PID 1752 msiexec.exe wrote to memory of 4192 srtasks.exe (2, procid_target 105) and of 4764 MsiExec.exe (3, procid_target 107)
- PID 4764 MsiExec.exe wrote to memory of 2344 ICACLS.EXE (3, procid_target 108), of 4588 EXPAND.EXE (3, procid_target 110) and of 1044 mafiachroom.exe (3, procid_target 112)
Every target is a direct child of the writing process in the tree below, so these writes are consistent with ordinary process creation rather than cross-process injection.

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes

- C:\Windows\system32\msiexec.exe (PID 3016)
  msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\6d3f68d31efc5fc456850af228427c25.msi
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow

- C:\Windows\system32\msiexec.exe (PID 1752)
  C:\Windows\system32\msiexec.exe /V
  - Enumerates connected drives
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  - C:\Windows\system32\srtasks.exe (PID 4192)
    C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
    - Suspicious use of AdjustPrivilegeToken

  - C:\Windows\syswow64\MsiExec.exe (PID 4764)
    C:\Windows\syswow64\MsiExec.exe -Embedding 66E6A536B3DA32E3664290BB2C0D6F45
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory

    - C:\Windows\SysWOW64\ICACLS.EXE (PID 2344)
      "C:\Windows\system32\ICACLS.EXE" "C:\Users\Admin\AppData\Local\Temp\MW-311b3456-40c1-4cae-821f-b063643dea33\." /SETINTEGRITYLEVEL (CI)(OI)HIGH
      - Modifies file permissions

    - C:\Windows\SysWOW64\EXPAND.EXE (PID 4588)
      "C:\Windows\system32\EXPAND.EXE" -R files.cab -F:* files
      - Drops file in Windows directory

    - C:\Users\Admin\AppData\Local\Temp\MW-311b3456-40c1-4cae-821f-b063643dea33\files\mafiachroom.exe (PID 1044)
      "C:\Users\Admin\AppData\Local\Temp\MW-311b3456-40c1-4cae-821f-b063643dea33\files\mafiachroom.exe"
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx

- C:\Windows\system32\vssvc.exe (PID 672)
  C:\Windows\system32\vssvc.exe
  - Checks SCSI registry key(s)
  - Suspicious use of AdjustPrivilegeToken

Reading the tree: the user-facing msiexec.exe (PID 3016) hands the package to the Windows Installer service instance (PID 1752), which first has System Restore take a restore point (srtasks.exe, backed by vssvc.exe) and then starts a 32-bit custom-action host (MsiExec.exe -Embedding, PID 4764). That host loads the dropped DLL, expands files.cab into the Temp\MW-311b3456-40c1-4cae-821f-b063643dea33\files staging folder, puts a High integrity label on the folder with ICACLS, and launches mafiachroom.exe from it. The payload is the only process in the tree that is not a Windows component. ICACLS.EXE and EXPAND.EXE were requested from system32 but ran from SysWOW64 because the 32-bit host is subject to file system redirection.
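The delivery chain in the tree above (custom-action host, cab expansion, integrity relabel, payload launched from a Temp\MW-<GUID> folder) is specific enough to encode as a process-tree detection. The Python below is an added example, not code from the report or from any tool it names. Its events are constructed to mirror the tree, with the same PIDs, images and command lines as shown; the parent PIDs 1000 and 700 given to the top-level processes are placeholders because the page does not show them, and the Finding field names and the MW-<GUID> regular expression are this example's own.

```python
"""Detect the MSI custom-action drop-and-run chain seen in the process tree.

Added example for this report; the events below are constructed to mirror the
tree (PIDs and command lines as shown). The parent PIDs 1000 and 700 for the
top-level processes are placeholders: the page does not show them.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str      # full path of the created process
    cmdline: str


@dataclass(frozen=True)
class Finding:
    host_pid: int         # the MsiExec.exe -Embedding custom-action host
    payload_pid: int
    payload: str
    cab_expanded: bool    # EXPAND.EXE -R <file>.cab seen under the same host
    acl_relabelled: bool  # ICACLS /SETINTEGRITYLEVEL seen under the same host


EVENTS = [
    ProcEvent(3016, 1000, r"C:\Windows\system32\msiexec.exe",
              r"msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\6d3f68d31efc5fc456850af228427c25.msi"),
    ProcEvent(1752, 700, r"C:\Windows\system32\msiexec.exe", r"C:\Windows\system32\msiexec.exe /V"),
    ProcEvent(4192, 1752, r"C:\Windows\system32\srtasks.exe",
              r"C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2"),
    ProcEvent(4764, 1752, r"C:\Windows\syswow64\MsiExec.exe",
              r"C:\Windows\syswow64\MsiExec.exe -Embedding 66E6A536B3DA32E3664290BB2C0D6F45"),
    ProcEvent(2344, 4764, r"C:\Windows\SysWOW64\ICACLS.EXE",
              r'"C:\Windows\system32\ICACLS.EXE" "C:\Users\Admin\AppData\Local\Temp\MW-311b3456-40c1-4cae-821f-b063643dea33\." /SETINTEGRITYLEVEL (CI)(OI)HIGH'),
    ProcEvent(4588, 4764, r"C:\Windows\SysWOW64\EXPAND.EXE",
              r'"C:\Windows\system32\EXPAND.EXE" -R files.cab -F:* files'),
    ProcEvent(1044, 4764, r"C:\Users\Admin\AppData\Local\Temp\MW-311b3456-40c1-4cae-821f-b063643dea33\files\mafiachroom.exe",
              r'"C:\Users\Admin\AppData\Local\Temp\MW-311b3456-40c1-4cae-821f-b063643dea33\files\mafiachroom.exe"'),
    ProcEvent(672, 700, r"C:\Windows\system32\vssvc.exe", r"C:\Windows\system32\vssvc.exe"),
]

# %LocalAppData%\Temp\MW-<GUID>\ staging folder, pattern taken from the paths in the tree.
MW_TEMP_DIR = re.compile(
    r"\\AppData\\Local\\Temp\\MW-[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\\", re.I)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def find_msi_custom_action_drops(events: list[ProcEvent]) -> list[Finding]:
    """Flag an MsiExec -Embedding host that launches an EXE from a Temp\\MW-<GUID> folder.

    Only children of the custom-action host are examined, so the srtasks.exe /
    vssvc.exe restore-point branch and the two top-level msiexec.exe instances
    never contribute: they are ordinary Windows Installer behaviour.
    """
    children: dict[int, list[ProcEvent]] = {}
    for e in events:
        children.setdefault(e.ppid, []).append(e)

    findings: list[Finding] = []
    for host in events:
        if basename(host.image) != "msiexec.exe" or "-embedding" not in host.cmdline.lower():
            continue
        kids = children.get(host.pid, [])
        expanded = any(basename(k.image) == "expand.exe"
                       and re.search(r"-r\s+\S+\.cab", k.cmdline, re.I) for k in kids)
        relabelled = any(basename(k.image) == "icacls.exe"
                         and "/setintegritylevel" in k.cmdline.lower() for k in kids)
        for k in kids:
            if MW_TEMP_DIR.search(k.image):
                findings.append(Finding(host.pid, k.pid, k.image, expanded, relabelled))
    return findings


if __name__ == "__main__":
    for f in find_msi_custom_action_drops(EVENTS):
        print(f)
```

The payload launch from the MW-<GUID> folder is what produces a finding; the cab expansion and the ICACLS relabel are recorded as supporting evidence so an analyst can tell a full chain from a lone EXE started by a custom action. Matching on the image path rather than the command line keeps the ICACLS process, whose arguments also name the folder, from being counted as a payload.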
Network
MITRE ATT&CK Enterprise v15
Downloads

- Filesize: 1.2MB
  MD5: d4e7f05d7f6a7dc75f468dbcaa9f437f
  SHA1: f377284434b0200c6ebeba730dfcddaff7f2de13
  SHA256: 943ef4c71d53ef383ee9591d460799c7e503e493c26abdd6ded50eb82f2dd47f
  SHA512: 9f8d960ee4367f388a0717b9a3991682a900f13db547dd51242a6c1686a2d9badbb94446db36700116c0c7753daacc7fb43ec35c09e94bc462e74c36e2b86bf5

- Filesize: 1.2MB
  MD5: 6e7ebd37b6095cb1a2f3ffa9d5598c81
  SHA1: d4d0cfa65f6dd224af16ff81a29abdf6ab0eab69
  SHA256: 1cf774a50175eb7321b1366c585ccfc68bdf0916d8e78edf1fe24e079209eb9e
  SHA512: f23d689393db2f8292018d8b303992b19dd8b9cfd4f226a84ddd70d30ec2d89083e9b1418d5f82e04a1a81d9014387e0450747b99a02fc32e094c987cc2c782b

- Filesize: 1KB
  MD5: 9a41d4f44ca69fe6799dfbb66a49f932
  SHA1: 8c11180c25a464ac86e8622d2f5aa0bf3eb7fe21
  SHA256: ef187294353af2ac211597aaf9225fb7990cd7afa6e1e2ce1accde89935fd3bc
  SHA512: e108c7b56f677ba0dc639f6f5af1ae7d507ce21b608a8f81eac21f4113297061036f1acc5ab1b6f387c869b349e5ca452f123f0612355747b4cc44c5f4801077

- Filesize: 1KB
  MD5: 97719f6eae7e7e6d8e1fe8970f65a935
  SHA1: 65611f13bb89873c295e44f21a9e3ef96d5d46df
  SHA256: ed2e0cca8483413fe62b9865895de3cbbc330897fd493be7d719f0b6c05550c1
  SHA512: c0c8c210871eac6f37899962efe33d2c06b90b6c4dac83b19567c524682755fcbf45c4b9d69c8cd8fc471fbd42aef15f2ddef4dbe2d0ba2ebc0c939016ffde67

- Filesize: 208KB
  MD5: 0c8921bbcc37c6efd34faf44cf3b0cb5
  SHA1: dcfa71246157edcd09eecaf9d4c5e360b24b3e49
  SHA256: fd622cf73ea951a6de631063aba856487d77745dd1500adca61902b8dde56fe1
  SHA512: ed55443e20d40cca90596f0a0542fa5ab83fe0270399adfaafd172987fb813dfd44ec0da0a58c096af3641003f830341fe259ad5bce9823f238ae63b7e11e108

- Filesize: 23.7MB
  MD5: d5cc1fbd277d0442b7c322a6163f3a20
  SHA1: 8631ab4015c797f9f32495774ced4e9de972de77
  SHA256: 89d04688afba0d435f75722924c520f0b2d96f5b65b6c0cef5f7c18af222832a
  SHA512: 16ca6e654162c8c0c9a86e7e3daa3a05daa10033496edd92e3e2e6a833f0f2266125ed58e649b9fe433c64daed3f7fbd1c0b390fba56e617d7ff3c9b97887c64

- \??\Volume{dfbd1330-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{1b0eb991-4623-4181-a4c4-75c9188477e4}_OnDiskSnapshotProp
  Filesize: 6KB
  MD5: d20ad38dc8fbdf573f15cdbf0a6009c2
  SHA1: f34847db86058ec3a5df6f6f6a576c3cd1c9ea15
  SHA256: 10dc4645acda1f1018f15b92e530fe49bcb386029ac0552ea4dec8c8877f6be4
  SHA512: 57da5ef2cc0498f1b58bf4c73ffee931cb66c539b8e2a97ba40cdf82754da28e03ec7a2c32cbe9b770e749308e1e96ef39f3253424615b1a483c00245e559b82