Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

6

Static

static

1

CDFCT.275.msi

windows7-x64

6

CDFCT.275.msi

windows10-2004-x64

6

Analysis

  • max time kernel
    443s
  • max time network
    362s
  • platform
    windows7_x64
  • resource
    win7-20240215-es
  • resource tags

    arch:x64arch:x86image:win7-20240215-eslocale:es-esos:windows7-x64systemwindows
  • submitted
    27/05/2024, 18:25

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    CDFCT.275.msi

  • Size

    19.9MB

  • MD5

    dccc2e7e5409227be256b0821469a648

  • SHA1

    b3d056aa648ee904e4bfa17dfd4f936d9dc3f040

  • SHA256

    47e17a67d6c06a2870bd756f961c29c4a11bcf2944cd9f8e8da2f5bf999bd79f

  • SHA512

    4ad81e87cdcf78c6b96a8a9d34a6ec890588719b1d7f9a823aef6564867d3df77142440520494664ffc2d46492344a3df8aa1e9c4d093d00fcfc635189521b02

  • SSDEEP

    196608:wAlrHoMYKQTWT1ZNNNoqUG5CikomWln2uSO:wAlrHOTINNr9Cikofln2ux

Score
6/10
persistence

Malware Config

Signatures

  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Blocklisted process makes network request 5 IoCs
  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Windows directory 10 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 7 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 16 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 52 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 7 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Windows\system32\msiexec.exe
    msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\CDFCT.275.msi
    1⤵
    • Blocklisted process makes network request
    • Enumerates connected drives
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:2240
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Blocklisted process makes network request
    • Enumerates connected drives
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2948
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding 9652C9DC5E51DB5E99850EF434B2841C
      2⤵
      • Blocklisted process makes network request
      • Loads dropped DLL
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1304
      • C:\f9ih2xd2\histon.exe
        "C:\f9ih2xd2\histon.exe"
        3⤵
        • Adds Run key to start application
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of SetWindowsHookEx
        PID:2264

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
    Filesize

    68KB

    MD5

    29f65ba8e88c063813cc50a4ea544e93

    SHA1

    05a7040d5c127e68c25d81cc51271ffb8bef3568

    SHA256

    1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

    SHA512

    e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    344B

    MD5

    8fff7b76949b2fb9077fe6527db44f02

    SHA1

    bf0671988562084bfe3cba0f0dafb849246671c2

    SHA256

    e9842ea8949a7618a02fe725d7d0ffa8dcb6dce14dd200ea24725685ff89bb29

    SHA512

    661d16b5d2eb0d43291a9866fee317f8ad27dc8f426d909cbb59e7c3612aebc8081a37a406425138c2155ff83b1c6c8d0700cdb8b606204b425f7715a650074c

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Tar20D1.tmp
    Filesize

    177KB

    MD5

    435a9ac180383f9fa094131b173a2f7b

    SHA1

    76944ea657a9db94f9a4bef38f88c46ed4166983

    SHA256

    67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

    SHA512

    1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

    Download Submit

  • C:\Windows\Installer\MSI258B.tmp
    Filesize

    554KB

    MD5

    3b171ce087bb799aafcbbd93bab27f71

    SHA1

    7bd69efbc7797bdff5510830ca2cc817c8b86d08

    SHA256

    bb9a3c8972d89ad03c1dee3e91f03a13aca8d370185ac521b8c48040cc285ef4

    SHA512

    7700d86f6f2c6798bed1be6cd651805376d545f48f0a89c08f7032066431cb4df980688a360c44275b8d7f8010769dc236fbdaa0184125d016acdf158989ee38

    Download Submit

  • C:\Windows\Installer\MSI28BB.tmp
    Filesize

    18.7MB

    MD5

    879f73622dabb79984da60c4401472ca

    SHA1

    ffece85483e21f6b1d7d0eed4759fca42086df93

    SHA256

    7bb2ee5c120757307fe7f97b652f8ef36216258036432996d81343ed83920ba0

    SHA512

    2afba348192ff5f84dbd1cd23abb11d62f2219a5832f76eedc98125c6020da06bb83fb74640d8dddd87adb872d0d238415ac55a188420a14bae07e6fbf3280d3

    Download Submit

  • C:\f9ih2xd2\HumbillQT5.dll
    Filesize

    1.5MB

    MD5

    9e5aa15a31eb279cc89aa4aab29e5611

    SHA1

    8534d576fa9e9b1b5d4cfe697b71d0a87a379381

    SHA256

    d76c62368c4460ba683893adea061652900ba9cc923fe30585b8a169f58baa8a

    SHA512

    2c0fdd5170ba82a47884ceefa0c83d9cd9d740eb7fb18a7ec3baec76c8c6f890e2397dff65baf6197e1690e2e8765bb081c6a1d91bcc7f4ea2a34616832a9ea6

    Download Submit

  • C:\f9ih2xd2\histon.exe
    Filesize

    9.1MB

    MD5

    74d3f521a38b23cd25ed61e4f8d99f16

    SHA1

    c4cd0e519aeca41e94665f2c5ea60a322deb3680

    SHA256

    1d822b3faabb8f65fc30076d32a95757a2c369ccb64ae54572e9f562280ae845

    SHA512

    ec1c8b0eb895fd8947cad6126abc5bca3a712e42475228b9dcb3496098e720abb83d4cba4621edbd8d3ad7f306a5f57ced9c2c98fe2c2d0c8ebbbf99d7faf0f1

    Download Submit

  • \f9ih2xd2\unrar.dll
    Filesize

    174KB

    MD5

    4289541be75e95bcfff04857f7144d87

    SHA1

    5ec8085e30d75ec18b8b1e193b3d5aa1648b0d2e

    SHA256

    2631fcdf920610557736549e27939b9c760743a2cddec0b2c2254cfa40003fb0

    SHA512

    3137a7790de74a6413aca6c80fd57288bcc30a7df3a416f3c6e8666041cd47a9609136c91405eee23224c4ae67c9aebbba4dd9c4e5786b09b83318755b4a55fd

    Download Submit

  • memory/1304-172-0x0000000072DB0000-0x000000007412A000-memory.dmp

    Filesize

    19.5MB

    Download

  • memory/1304-179-0x0000000072DB0000-0x000000007412A000-memory.dmp

    Filesize

    19.5MB

    Download

  • memory/2264-227-0x0000000009F70000-0x000000000A0F4000-memory.dmp

    Filesize

    1.5MB

    Download

  • memory/2264-249-0x0000000005F80000-0x0000000007805000-memory.dmp

    Filesize

    24.5MB

    Download

  • memory/2264-226-0x0000000009F70000-0x000000000A0F4000-memory.dmp

    Filesize

    1.5MB

    Download

  • memory/2264-236-0x0000000009F70000-0x000000000A0F4000-memory.dmp

    Filesize

    1.5MB

    Download

  • memory/2264-238-0x0000000009F70000-0x000000000A0F4000-memory.dmp

    Filesize

    1.5MB

    Download

  • memory/2264-237-0x0000000009F70000-0x000000000A0F4000-memory.dmp

    Filesize

    1.5MB

    Download

  • memory/2264-235-0x0000000009F70000-0x000000000A0F4000-memory.dmp

    Filesize

    1.5MB

    Download

  • memory/2264-228-0x0000000009F70000-0x000000000A0F4000-memory.dmp

    Filesize

    1.5MB

    Download

  • memory/2264-212-0x0000000005F80000-0x0000000007805000-memory.dmp

    Filesize

    24.5MB

    Download

  • memory/2264-225-0x0000000009F70000-0x000000000A0F4000-memory.dmp

    Filesize

    1.5MB

    Download

  • memory/2264-239-0x0000000000400000-0x0000000000D36000-memory.dmp

    Filesize

    9.2MB

    Download

  • memory/2264-240-0x0000000005F80000-0x0000000007805000-memory.dmp

    Filesize

    24.5MB

    Download

  • memory/2264-243-0x0000000005F80000-0x0000000007805000-memory.dmp

    Filesize

    24.5MB

    Download

  • memory/2264-245-0x0000000005F80000-0x0000000007805000-memory.dmp

    Filesize

    24.5MB

    Download

  • memory/2264-247-0x0000000005F80000-0x0000000007805000-memory.dmp

    Filesize

    24.5MB

    Download

  • memory/2264-219-0x00000000091D0000-0x00000000091D1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2264-251-0x0000000005F80000-0x0000000007805000-memory.dmp

    Filesize

    24.5MB

    Download

  • memory/2264-254-0x0000000005F80000-0x0000000007805000-memory.dmp

    Filesize

    24.5MB

    Download

  • memory/2264-256-0x0000000005F80000-0x0000000007805000-memory.dmp

    Filesize

    24.5MB

    Download

  • memory/2264-258-0x0000000005F80000-0x0000000007805000-memory.dmp

    Filesize

    24.5MB

    Download

  • memory/2264-260-0x0000000005F80000-0x0000000007805000-memory.dmp

    Filesize

    24.5MB

    Download

  • memory/2264-262-0x0000000005F80000-0x0000000007805000-memory.dmp

    Filesize

    24.5MB

    Download

  • memory/2264-264-0x0000000005F80000-0x0000000007805000-memory.dmp

    Filesize

    24.5MB

    Download

  • memory/2264-266-0x0000000005F80000-0x0000000007805000-memory.dmp

    Filesize

    24.5MB

    Download

  • memory/2264-268-0x0000000005F80000-0x0000000007805000-memory.dmp

    Filesize

    24.5MB

    Download

  • memory/2264-272-0x0000000005F80000-0x0000000007805000-memory.dmp

    Filesize

    24.5MB

    Download

  • memory/2264-274-0x0000000005F80000-0x0000000007805000-memory.dmp

    Filesize

    24.5MB

    Download

  • memory/2264-276-0x0000000005F80000-0x0000000007805000-memory.dmp

    Filesize

    24.5MB

    Download

  • memory/2264-278-0x0000000005F80000-0x0000000007805000-memory.dmp

    Filesize

    24.5MB

    Download