Overview

Tasks (score / task / platform):
- 7  Static (static)
- 7  MTS_Remote...64.exe  windows10-2004-x64
- 7  $PLUGINSDI...ns.dll  windows10-2004-x64
- 3  $PLUGINSDI...nu.dll  windows10-2004-x64
- 3  $PLUGINSDI...em.dll  windows10-2004-x64
- 3  $PLUGINSDI...fo.dll  windows10-2004-x64
- 3  $PLUGINSDI...gs.dll  windows10-2004-x64
- 3  bin/7za.exe  windows10-2004-x64
- 1  bin/ViGEmClient.dll  windows10-2004-x64
- 1  bin/archive.dll  windows10-2004-x64
- 1  bin/locales/mr.ps1  windows10-2004-x64
- 3  bin/lz4.dll  windows10-2004-x64
- 1  bin/miniupnpc.dll  windows10-2004-x64
- 1  bin/msvcp140.dll  windows10-2004-x64
- 1  bin/msvcp140_1.dll  windows10-2004-x64
- 1  bin/msvcp140_2.dll  windows10-2004-x64
- 1  bin/msvcp1...it.dll  windows10-2004-x64
- 1  bin/msvcp1...ds.dll  windows10-2004-x64
- 1  bin/resour...x.html  windows10-2004-x64
- 1  bin/resour...7bd.js  windows10-2004-x64
- 3  bin/resour...8ec.js  windows10-2004-x64
- 3  bin/sentry.dll  windows10-2004-x64
- 1  bin/sqlite3.dll  windows10-2004-x64
- 1  bin/tesseract53.dll  windows10-2004-x64
- 1  bin/tiff.dll  windows10-2004-x64
- 1  bin/turbojpeg.dll  windows10-2004-x64
- 1  bin/vcruntime140.dll  windows10-2004-x64
- 1  bin/vcrunt..._1.dll  windows10-2004-x64
- 1  bin/vk_swi...er.dll  windows10-2004-x64
- 1  bin/vulkan-1.dll  windows10-2004-x64
- 1  bin/zlib1.dll  windows10-2004-x64
- 1  bin/zstd.dll  windows10-2004-x64
- 1  tmp/ViGEmB...64.msi  windows10-2004-x64
Analysis (score 6)
- max time kernel: 1778s
- max time network: 1166s
- platform: windows10-2004_x64
- resource: win10v2004-20240611-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 16/06/2024, 18:21
Tasks (task / sample / resource):
- static1 (Static task)
- behavioral1: MTS_Remoteplay-install-win64.exe / win10v2004-20240508-en
- behavioral2: $PLUGINSDIR/InstallOptions.dll / win10v2004-20240508-en
- behavioral3: $PLUGINSDIR/StartMenu.dll / win10v2004-20240611-en
- behavioral4: $PLUGINSDIR/System.dll / win10v2004-20240611-en
- behavioral5: $PLUGINSDIR/UserInfo.dll / win10v2004-20240226-en
- behavioral6: $PLUGINSDIR/nsDialogs.dll / win10v2004-20240611-en
- behavioral7: bin/7za.exe / win10v2004-20240611-en
- behavioral8: bin/ViGEmClient.dll / win10v2004-20240611-en
- behavioral9: bin/archive.dll / win10v2004-20240508-en
- behavioral10: bin/locales/mr.ps1 / win10v2004-20240508-en
- behavioral11: bin/lz4.dll / win10v2004-20240611-en
- behavioral12: bin/miniupnpc.dll / win10v2004-20240508-en
- behavioral13: bin/msvcp140.dll / win10v2004-20240611-en
- behavioral14: bin/msvcp140_1.dll / win10v2004-20240508-en
- behavioral15: bin/msvcp140_2.dll / win10v2004-20240611-en
- behavioral16: bin/msvcp140_atomic_wait.dll / win10v2004-20240611-en
- behavioral17: bin/msvcp140_codecvt_ids.dll / win10v2004-20240611-en
- behavioral18: bin/resources/notification/index.html / win10v2004-20240611-en
- behavioral19: bin/resources/notification/static/js/main.905537bd.js / win10v2004-20240508-en
- behavioral20: bin/resources/static/js/main.dd7c58ec.js / win10v2004-20240611-en
- behavioral21: bin/sentry.dll / win10v2004-20240508-en
- behavioral22: bin/sqlite3.dll / win10v2004-20240508-en
- behavioral23: bin/tesseract53.dll / win10v2004-20240226-en
- behavioral24: bin/tiff.dll / win10v2004-20240508-en
- behavioral25: bin/turbojpeg.dll / win10v2004-20240611-en
- behavioral26: bin/vcruntime140.dll / win10v2004-20240611-en
- behavioral27: bin/vcruntime140_1.dll / win10v2004-20240611-en
- behavioral28: bin/vk_swiftshader.dll / win10v2004-20240508-en
- behavioral29: bin/vulkan-1.dll / win10v2004-20240508-en
- behavioral30: bin/zlib1.dll / win10v2004-20240611-en
- behavioral31: bin/zstd.dll / win10v2004-20240611-en
- behavioral32: tmp/ViGEmBusSetup_x64.msi / win10v2004-20240611-en
General
- Target: tmp/ViGEmBusSetup_x64.msi
- Size: 856KB
- MD5: d8d2cff2eae7f1d956e3f8a2edaf891d
- SHA1: bc33e35ed5d60c492bd6733462bd6cbc19c2cd59
- SHA256: 5abbba8a4a07aaaeb50b4666183b2f243e0e5ad288026d2a9f3595ed237c4b28
- SHA512: 50d98dd7d81e309cf764da7d40e321270f2e5ebc387d7b35ddb414c2efcfaa1bf302e51d5dfd3fa4cf871a3449705dc5e57466a3e97fdd5c16f5af3cd3051447
- SSDEEP: 12288:ks/zRZDhrFD7Pd2w1t3jOZy2KsGU6a4KsBex5VkDSiF:d9ZDpFD7V2wbzOE2Z34Kd54S
Malware Config

Signatures

- Blocklisted process makes network request (4 IoCs)
  flow / pid / process:
  6   2352  msiexec.exe
  13  2352  msiexec.exe
  14  2352  msiexec.exe
  19  2352  msiexec.exe

- Enumerates connected drives (3 TTPs, 23 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  description / ioc / process (all entries: File opened (read-only), process msiexec.exe):
  \??\P:  \??\R:  \??\W:  \??\H:  \??\K:  \??\I:  \??\J:  \??\N:  \??\Q:  \??\U:  \??\Y:  \??\B:
  \??\E:  \??\M:  \??\O:  \??\T:  \??\V:  \??\X:  \??\A:  \??\G:  \??\Z:  \??\L:  \??\S:

- Suspicious use of AdjustPrivilegeToken (32 IoCs)
  token / pid / process:
  SeShutdownPrivilege            2352  msiexec.exe
  SeIncreaseQuotaPrivilege       2352  msiexec.exe
  SeSecurityPrivilege            3476  msiexec.exe
  SeCreateTokenPrivilege         2352  msiexec.exe
  SeAssignPrimaryTokenPrivilege  2352  msiexec.exe
  SeLockMemoryPrivilege          2352  msiexec.exe
  SeIncreaseQuotaPrivilege       2352  msiexec.exe
  SeMachineAccountPrivilege      2352  msiexec.exe
  SeTcbPrivilege                 2352  msiexec.exe
  SeSecurityPrivilege            2352  msiexec.exe
  SeTakeOwnershipPrivilege       2352  msiexec.exe
  SeLoadDriverPrivilege          2352  msiexec.exe
  SeSystemProfilePrivilege       2352  msiexec.exe
  SeSystemtimePrivilege          2352  msiexec.exe
  SeProfSingleProcessPrivilege   2352  msiexec.exe
  SeIncBasePriorityPrivilege     2352  msiexec.exe
  SeCreatePagefilePrivilege      2352  msiexec.exe
  SeCreatePermanentPrivilege     2352  msiexec.exe
  SeBackupPrivilege              2352  msiexec.exe
  SeRestorePrivilege             2352  msiexec.exe
  SeShutdownPrivilege            2352  msiexec.exe
  SeDebugPrivilege               2352  msiexec.exe
  SeAuditPrivilege               2352  msiexec.exe
  SeSystemEnvironmentPrivilege   2352  msiexec.exe
  SeChangeNotifyPrivilege        2352  msiexec.exe
  SeRemoteShutdownPrivilege      2352  msiexec.exe
  SeUndockPrivilege              2352  msiexec.exe
  SeSyncAgentPrivilege           2352  msiexec.exe
  SeEnableDelegationPrivilege    2352  msiexec.exe
  SeManageVolumePrivilege        2352  msiexec.exe
  SeImpersonatePrivilege         2352  msiexec.exe
  SeCreateGlobalPrivilege        2352  msiexec.exe

- Suspicious use of FindShellTrayWindow (1 IoC)
  pid / process:
  2352  msiexec.exe
Processes

- C:\Windows\system32\msiexec.exe (PID 2352)
  Command line: msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\tmp\ViGEmBusSetup_x64.msi
  - Blocklisted process makes network request
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow

- C:\Windows\system32\msiexec.exe (PID 3476)
  Command line: C:\Windows\system32\msiexec.exe /V
  - Suspicious use of AdjustPrivilegeToken