Analysis
- max time kernel: 142s
- max time network: 150s
- platform: windows10-2004_x64
- resource: win10v2004-20240226-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 01/05/2024, 20:05
Static task: static1
Behavioral task: behavioral1
- Sample: Web Data Miner 5.2.3.33 Multilingual/fix/Web Data Miner.exe
- Resource: win10v2004-20240419-en
Behavioral task: behavioral2
- Sample: Web Data Miner 5.2.3.33 Multilingual/web-data-miner.exe
- Resource: win10v2004-20240226-en
General
- Target: Web Data Miner 5.2.3.33 Multilingual/web-data-miner.exe
- Size: 8.8MB
- MD5: 326b7fac3b8b8829eb909738dc5ba848
- SHA1: c239bc68aceb1a7404a99571d641d3b6d17fcbb5
- SHA256: 700d3a600e9ce48d885f02e72844aada2b66f4286b4a41da9ed3c65fb64c02d9
- SHA512: b1ab6a20e19a8f7231386bbb533565e9e21802b184c087ca17a1ff402568757a115eeeb8c6906f89f4423ebf45d10543782d662d499aee76a2fd8519e4a3e9f3
- SSDEEP: 196608:BG0DNw3Ovajel1vEEBhmWYqFdQejq7Oc/6uF6Kbf:HDaiD84TFuUqKc/6uFx
Malware Config
Signatures
- Blocklisted process makes network request (2 IoCs)
  flow | pid  | Process
  16   | 4692 | MSIEXEC.EXE
  19   | 4692 | MSIEXEC.EXE
- Enumerates connected drives (3 TTPs, 23 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  description             | ioc    | Process
  File opened (read-only) | \??\A: | MSIEXEC.EXE
  File opened (read-only) | \??\I: | MSIEXEC.EXE
  File opened (read-only) | \??\P: | MSIEXEC.EXE
  File opened (read-only) | \??\W: | MSIEXEC.EXE
  File opened (read-only) | \??\B: | MSIEXEC.EXE
  File opened (read-only) | \??\K: | MSIEXEC.EXE
  File opened (read-only) | \??\M: | MSIEXEC.EXE
  File opened (read-only) | \??\N: | MSIEXEC.EXE
  File opened (read-only) | \??\S: | MSIEXEC.EXE
  File opened (read-only) | \??\U: | MSIEXEC.EXE
  File opened (read-only) | \??\G: | MSIEXEC.EXE
  File opened (read-only) | \??\H: | MSIEXEC.EXE
  File opened (read-only) | \??\J: | MSIEXEC.EXE
  File opened (read-only) | \??\R: | MSIEXEC.EXE
  File opened (read-only) | \??\V: | MSIEXEC.EXE
  File opened (read-only) | \??\Y: | MSIEXEC.EXE
  File opened (read-only) | \??\Z: | MSIEXEC.EXE
  File opened (read-only) | \??\E: | MSIEXEC.EXE
  File opened (read-only) | \??\L: | MSIEXEC.EXE
  File opened (read-only) | \??\O: | MSIEXEC.EXE
  File opened (read-only) | \??\Q: | MSIEXEC.EXE
  File opened (read-only) | \??\T: | MSIEXEC.EXE
  File opened (read-only) | \??\X: | MSIEXEC.EXE
- Suspicious use of AdjustPrivilegeToken (32 IoCs)
  description                          | pid  | Process
  Token: SeShutdownPrivilege           | 4692 | MSIEXEC.EXE
  Token: SeIncreaseQuotaPrivilege      | 4692 | MSIEXEC.EXE
  Token: SeSecurityPrivilege           | 3312 | msiexec.exe
  Token: SeCreateTokenPrivilege        | 4692 | MSIEXEC.EXE
  Token: SeAssignPrimaryTokenPrivilege | 4692 | MSIEXEC.EXE
  Token: SeLockMemoryPrivilege         | 4692 | MSIEXEC.EXE
  Token: SeIncreaseQuotaPrivilege      | 4692 | MSIEXEC.EXE
  Token: SeMachineAccountPrivilege     | 4692 | MSIEXEC.EXE
  Token: SeTcbPrivilege                | 4692 | MSIEXEC.EXE
  Token: SeSecurityPrivilege           | 4692 | MSIEXEC.EXE
  Token: SeTakeOwnershipPrivilege      | 4692 | MSIEXEC.EXE
  Token: SeLoadDriverPrivilege         | 4692 | MSIEXEC.EXE
  Token: SeSystemProfilePrivilege      | 4692 | MSIEXEC.EXE
  Token: SeSystemtimePrivilege         | 4692 | MSIEXEC.EXE
  Token: SeProfSingleProcessPrivilege  | 4692 | MSIEXEC.EXE
  Token: SeIncBasePriorityPrivilege    | 4692 | MSIEXEC.EXE
  Token: SeCreatePagefilePrivilege     | 4692 | MSIEXEC.EXE
  Token: SeCreatePermanentPrivilege    | 4692 | MSIEXEC.EXE
  Token: SeBackupPrivilege             | 4692 | MSIEXEC.EXE
  Token: SeRestorePrivilege            | 4692 | MSIEXEC.EXE
  Token: SeShutdownPrivilege           | 4692 | MSIEXEC.EXE
  Token: SeDebugPrivilege              | 4692 | MSIEXEC.EXE
  Token: SeAuditPrivilege              | 4692 | MSIEXEC.EXE
  Token: SeSystemEnvironmentPrivilege  | 4692 | MSIEXEC.EXE
  Token: SeChangeNotifyPrivilege       | 4692 | MSIEXEC.EXE
  Token: SeRemoteShutdownPrivilege     | 4692 | MSIEXEC.EXE
  Token: SeUndockPrivilege             | 4692 | MSIEXEC.EXE
  Token: SeSyncAgentPrivilege          | 4692 | MSIEXEC.EXE
  Token: SeEnableDelegationPrivilege   | 4692 | MSIEXEC.EXE
  Token: SeManageVolumePrivilege       | 4692 | MSIEXEC.EXE
  Token: SeImpersonatePrivilege        | 4692 | MSIEXEC.EXE
  Token: SeCreateGlobalPrivilege       | 4692 | MSIEXEC.EXE
- Suspicious use of FindShellTrayWindow (1 IoC)
  pid  | Process
  4692 | MSIEXEC.EXE
- Suspicious use of WriteProcessMemory (3 IoCs)
  description                         | pid  | Process            | procid_target
  PID 2240 wrote to memory of 4692    | 2240 | web-data-miner.exe | 90
  PID 2240 wrote to memory of 4692    | 2240 | web-data-miner.exe | 90
  PID 2240 wrote to memory of 4692    | 2240 | web-data-miner.exe | 90
Processes
- C:\Users\Admin\AppData\Local\Temp\Web Data Miner 5.2.3.33 Multilingual\web-data-miner.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Web Data Miner 5.2.3.33 Multilingual\web-data-miner.exe"
  PID: 2240
  - Suspicious use of WriteProcessMemory
  Child process:
  - C:\Windows\SysWOW64\MSIEXEC.EXE
    Command line: MSIEXEC.EXE /i "C:\Users\Admin\AppData\Local\Downloaded Installations\{558B4636-10DE-4371-A1EE-C2FFC0AE44D0}\Web Data Miner.msi" SETUPEXEDIR="C:\Users\Admin\AppData\Local\Temp\Web Data Miner 5.2.3.33 Multilingual" SETUPEXENAME="web-data-miner.exe"
    PID: 4692
    - Blocklisted process makes network request
    - Enumerates connected drives
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
- C:\Windows\system32\msiexec.exe
  Command line: C:\Windows\system32\msiexec.exe /V
  PID: 3312
  - Suspicious use of AdjustPrivilegeToken
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1320 --field-trial-handle=2280,i,11703952675008463361,17436195144517971517,262144 --variations-seed-version /prefetch:8
  PID: 3212
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Users\Admin\AppData\Local\Downloaded Installations\{558B4636-10DE-4371-A1EE-C2FFC0AE44D0}\Web Data Miner.msi
  Filesize: 5.9MB
  MD5: 6a825caf323b3984266f4c5a91d31680
  SHA1: 381c221aad5e7f243057f3904809f37b7663330d
  SHA256: c322cc6c82ca24edbdba2d7e38dfa19adc1da7abf7190dc77950f537134618dd
  SHA512: c3543908bc93e06ae588c1e4b2e627fe1b0d03ac046b49bd00f501b414d1c432c35fcf3a20af9b3daa10f488b6488d9aed9f203b5d13a7cf02e8f845bd992732
-
  Filesize: 21KB
  MD5: 8586214463bd73e1c2716113e5bd3e13
  SHA1: f02e3a76fd177964a846d4aa0a23f738178db2be
  SHA256: 089d3068e42958dd2c0aec668e5b7e57b7584aca5c77132b1bcbe3a1da33ef54
  SHA512: 309200f38d0e29c9aaa99bb6d95f4347f8a8c320eb65742e7c539246ad9b759608bd5151d1c5d1d05888979daa38f2b6c3bf492588b212b583b8adbe81fa161b
-
  Filesize: 5KB
  MD5: 93aa3dec6071d944315a322a5b9d10e5
  SHA1: 961f525746049742f2b20401c66855633ee4dc2a
  SHA256: 4bfe580511ef26dd34dcac9adac270f93a986cfeeb54be5c37fd2e6573f80e48
  SHA512: d3275bafa180cc0541001cd0307caa71d43f1907e458aaff0c732ffbd510912fcc70d39e761c3f8f52796b72ec5d8e45232e6828ec05861bcf59f14c1071fff3