Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    120s
  • max time network
    123s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240611-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    12/06/2024, 07:08

General

  • Target
    sample.msi
  • Size
    46.6MB
  • MD5
    6786f27c9558db89f94917e7846bdfa9
  • SHA1
    f9dd7ed3eb6508bb3dda12a8d6a9bf0604c12c80
  • SHA256
    151791fe4ab09c2611ecd4a6543fb62bbb8336853a5769827954ef6354d70f43
  • SHA512
    06f65a18edb5b841cae84c3dd488f3e2e337fd73c194626c2f498628432d19ceda9d33139794a40f06d5bdac82bf2158954fd565e9597e1b6dd3e3bedc3ecf01
  • SSDEEP
    196608:5Jwa6efw7kjueNqGLWlByaWjIu4pNMewsyhOoytlBzFoaK+qlJKDBeY:7r6efNueNqm34pNmER7oaK+qlJKDBe

Score
6/10

Malware Config

Signatures

  • Blocklisted process makes network request 3 IoCs
  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 29 IoCs
  • Drops file in Windows directory 12 IoCs
  • Loads dropped DLL 2 IoCs
  • Registers COM server for autorun 1 TTPs 20 IoCs
  • Modifies Internet Explorer settings 1 TTPs 2 IoCs
  • Modifies data under HKEY_USERS 3 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of WriteProcessMemory 2 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Windows\system32\msiexec.exe
    msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\sample.msi
    1⤵
    • Blocklisted process makes network request
    • Enumerates connected drives
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:3196
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Enumerates connected drives
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Registers COM server for autorun
    • Modifies data under HKEY_USERS
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:388
    • C:\Windows\System32\MsiExec.exe
      C:\Windows\System32\MsiExec.exe -Embedding D268206E2B710A9FE4E894BB620C4FA9
      2⤵
      • Drops file in Program Files directory
      • Loads dropped DLL
      • Modifies Internet Explorer settings
      • Suspicious behavior: EnumeratesProcesses
      PID:2760
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:3192

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Config.Msi\e573cdb.rbs
    Filesize: 21KB
    MD5: fb9faa664f5e9859efdbce0cfc6812d8
    SHA1: 526439c91f559107f3ad6d85aec53cabb9287903
    SHA256: 7972bc292bfe58ee947889e5c3f3e3dd6ed8e83c9b9c72b07c4a731eedfbbd30
    SHA512: edd50e27eb14dda2a414e37ab5fc328994a14de328dd25e338c0542ed89e3df24b4c70dd1e5435bd64ffd3bde78b19fda7db7e7cae67a2b744270b294601ece8

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\40C68D5626484A90937F0752C8B950AB
    Filesize: 834B
    MD5: cbed24fd2b55aea95367efca5ee889de
    SHA1: 946f48b5c344fd57113845cd483fed5fb9fa3e54
    SHA256: 1dc8a0fcbe260b77adfe5ad9aaac543239b2a0d9f4e1f3c2657beee4376ffee4
    SHA512: c504a11ea576f8ce14de26a0617e22e71e14db0f1dadefc187ce94e4a35a83743c743824e3629899c262aae4772bb86a0ee5bb643db20645483f0c376215ec6b

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C46E7B0F942663A1EDC8D9D6D7869173_6043FC604A395E1485AF7AC16D16B7CE
    Filesize: 5B
    MD5: 4842e206e4cfff2954901467ad54169e
    SHA1: 80c9820ff2efe8aa3d361df7011ae6eee35ec4f0
    SHA256: 2acab1228e8935d5dfdd1756b8a19698b6c8b786c90f87993ce9799a67a96e4e
    SHA512: ff537b1808fcb03cfb52f768fbd7e7bd66baf6a8558ee5b8f2a02f629e021aa88a1df7a8750bae1f04f3b9d86da56f0bdcba2fdbc81d366da6c97eb76ecb6cba

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C46E7B0F942663A1EDC8D9D6D7869173_DF4CA81DC775CDA9B3214BDB5B55900E
    Filesize: 5B
    MD5: 5bfa51f3a417b98e7443eca90fc94703
    SHA1: 8c015d80b8a23f780bdd215dc842b0f5551f63bd
    SHA256: bebe2853a3485d1c2e5c5be4249183e0ddaff9f87de71652371700a89d937128
    SHA512: 4cd03686254bb28754cbaa635ae1264723e2be80ce1dd0f78d1ab7aee72232f5b285f79e488e9c5c49ff343015bd07bb8433d6cee08ae3cea8c317303e3ac399

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\EA618097E393409AFA316F0F87E2C202_2280A2210A1DD6666EC3A552D924ABF6
    Filesize: 1KB
    MD5: 97b2f1c84cc5b6e8026d05d016eb7597
    SHA1: 5d28b11fee3c3b6006840409d5fccdae0f1a7b7d
    SHA256: 1d5971fb49b11cc3b28741fe6849c1b5285822421b0963c4102041d01b1e21a9
    SHA512: 8e037b304913cd195f85fa71731e1724f8b2fc31bd7f63136566e5261be2c49d64c0e2305b22735863ca25970ec8d12de1b7b35563f16eff76cf641a2bad477d

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\40C68D5626484A90937F0752C8B950AB
    Filesize: 180B
    MD5: 298fc942c8122cbec2cdaf57c9139fac
    SHA1: c631a515bbac933b4e06154e859c6f85c9561a0b
    SHA256: deb11d39e169bc16a9f8953bc2a9984b1f2d9198034e6802531422cdbfcf4784
    SHA512: 4d4ccadac84775e9df1a59f85d15534daefa4fb2b96225adce0ac5a9293328f19846b100fffc9d541857a8f3a64b624601b02ede4efad7a8678ba8821721790a

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C46E7B0F942663A1EDC8D9D6D7869173_6043FC604A395E1485AF7AC16D16B7CE
    Filesize: 398B
    MD5: b4827d0f7d98374bca8cb73995e8d8fb
    SHA1: ff3fccfe6dfb69a8b040d26c681b7296e38ed16a
    SHA256: b8cdf58c848c9194ba7a43e956e8f5308828f06be3bb4e17908c477bc67105cb
    SHA512: e8bac8fbe65ce3b0b8b52333202304c9872cf09b94282376a413f0c88979dbca79bb6efd5407c5ac8bd7349183aba4743905fd23ed2b7f303c87482b7bb11571

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C46E7B0F942663A1EDC8D9D6D7869173_DF4CA81DC775CDA9B3214BDB5B55900E
    Filesize: 476B
    MD5: 6451c4de3cc329dffe9ec578d02b8fcb
    SHA1: 62e22d7527e4ca9db630e69ba4944c64dff23ec9
    SHA256: bc9f9ea8407c9573c6bcefcc65b2c8676e1a1d85596b1c8d684bc7de37bd9302
    SHA512: 05de8fa7ff1eee070c4cf480d4f0e15a2bf79d23c8021202a941e0bfdfd15378cb9feed523b39e7bea6a25093d62f3ed77232695610290eb2bd4b91c8752c8db

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\EA618097E393409AFA316F0F87E2C202_2280A2210A1DD6666EC3A552D924ABF6
    Filesize: 398B
    MD5: 4986379c8e7c9b0a28f7476d3931ed18
    SHA1: ba4b32e4b2480074bb0a680457de2be2e65247c1
    SHA256: 2a6c594eaa84a054603bc582ca7920d3687507ead91f6cef70d61d5cd1f6b75e
    SHA512: cbbd8f4369ac5a4669b455a301bd6414255890d4099d4355c4fea21d682215a5bbe31188d5cc6da91922e79fde664b0c6dcd3e4ae509bc77e9e58cb18ca66489

  • C:\Windows\Installer\MSI3E03.tmp
    Filesize: 169KB
    MD5: defa0cbafb360ab80b7cdcc0d6029aec
    SHA1: 16a5c55a62b3859ea04942c5f831f7d192c3d545
    SHA256: ebcce6dff23eb731d2ec49e32886d44d1dc0fd0cfb92f65d43922e8e8bcba26d
    SHA512: e024dea0d228a63357255d9fce6dfd43317f7e3612a82be4a5a8a6b213f1e6dd8c932f70c35fa4c7692c566c5208df3783d5c7c0e8666ce90fff5c06e1b83b22

  • C:\Windows\Installer\e573cda.msi
    Filesize: 46.6MB
    MD5: 6786f27c9558db89f94917e7846bdfa9
    SHA1: f9dd7ed3eb6508bb3dda12a8d6a9bf0604c12c80
    SHA256: 151791fe4ab09c2611ecd4a6543fb62bbb8336853a5769827954ef6354d70f43
    SHA512: 06f65a18edb5b841cae84c3dd488f3e2e337fd73c194626c2f498628432d19ceda9d33139794a40f06d5bdac82bf2158954fd565e9597e1b6dd3e3bedc3ecf01