Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

6

Static

static

1

URLScan

urlscan

1

https://www.7-zip.or...

windows7-x64

1

https://www.7-zip.or...

windows10-1703-x64

6

Analysis

  • max time kernel
    54s
  • max time network
    91s
  • platform
    windows10-1703_x64
  • resource
    win10-20240611-en
  • resource tags

    arch:x64arch:x86image:win10-20240611-enlocale:en-usos:windows10-1703-x64system
  • submitted
    29/06/2024, 21:24

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    https://www.7-zip.org/a/7z2401.msi

Score
6/10

Malware Config

Signatures

  • Enumerates connected drives 3 TTPs 23 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Windows directory 5 IoCs
  • Modifies Internet Explorer settings 1 TTPs 2 IoCs
    adwarespyware
  • Modifies registry class 64 IoCs
  • NTFS ADS 1 IoCs
  • Suspicious behavior: MapViewOfSection 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 43 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence
  • Uses Volume Shadow Copy WMI provider

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Windows\system32\LaunchWinApp.exe
    "C:\Windows\system32\LaunchWinApp.exe" "https://www.7-zip.org/a/7z2401.msi"
    1⤵
      PID:2996
    • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
      "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
      1⤵
      • Drops file in Windows directory
      • Modifies registry class
      • Suspicious use of SetWindowsHookEx
      PID:3500
    • C:\Windows\system32\browser_broker.exe
      C:\Windows\system32\browser_broker.exe -Embedding
      1⤵
      • Modifies Internet Explorer settings
      • Modifies registry class
      • NTFS ADS
      • Suspicious use of WriteProcessMemory
      PID:228
      • C:\Windows\System32\msiexec.exe
        "C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\Downloads\7z2401.msi"
        2⤵
        • Enumerates connected drives
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        PID:2704
    • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
      "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
      1⤵
      • Modifies registry class
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:380
    • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
      "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
      1⤵
      • Drops file in Windows directory
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      PID:4640
    • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
      "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
      1⤵
      • Drops file in Windows directory
      • Modifies registry class
      PID:4752
    • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
      "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
      1⤵
      • Drops file in Windows directory
      • Modifies registry class
      PID:4116
    • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
      "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
      1⤵
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      PID:1164
    • C:\Windows\system32\msiexec.exe
      C:\Windows\system32\msiexec.exe /V
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:1992
      • C:\Windows\system32\srtasks.exe
        C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
        2⤵
          PID:4476
      • C:\Windows\system32\vssvc.exe
        C:\Windows\system32\vssvc.exe
        1⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:4740
      • C:\Windows\system32\svchost.exe
        C:\Windows\system32\svchost.exe -k netsvcs -s DsmSvc
        1⤵
          PID:2264
        • C:\Program Files\VideoLAN\VLC\vlc.exe
          "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Desktop\FormatDebug.avi"
          1⤵
            PID:2288
          • C:\Program Files\VideoLAN\VLC\vlc.exe
            "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Desktop\FormatDebug.avi"
            1⤵
              PID:4524
            • C:\Windows\system32\mspaint.exe
              "C:\Windows\system32\mspaint.exe" "C:\Users\Admin\Desktop\AddDebug.jpg" /ForceBootstrapPaint3D
              1⤵
                PID:4812
              • C:\Program Files\WindowsApps\Microsoft.MSPaint_1.1702.28017.0_x64__8wekyb3d8bbwe\PaintStudio.View.exe
                "C:\Program Files\WindowsApps\Microsoft.MSPaint_1.1702.28017.0_x64__8wekyb3d8bbwe\PaintStudio.View.exe" -ServerName:Microsoft.MSPaint.AppX437q68k2qc2asvaagas2prv9tjej6ja9.mca
                1⤵
                  PID:4920

                Network

                MITRE ATT&CK Enterprise v15

                Replay Monitor

                Loading Replay Monitor...

                Downloads

                • C:\Config.Msi\e58dc52.rbs
                  Filesize

                  18KB

                  MD5

                  4867f1f6714c06ff81390992eca5deb2

                  SHA1

                  1076889015a1f321277c3bb3df04d61fbe5c3d7e

                  SHA256

                  8f0b5e820d4c7821408b833bf80f3ce49da7f09fa3916abeb79c3dc9b94af5ce

                  SHA512

                  e653293bf63acf98b4013d5ef292f1d2ab14821a1683de753ccbc22968ff7a22f7226f88fc83e8062979fde7f581a9667647b5b2c03ed8ba2a06111afcd72043

                  Download Submit

                • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\BU0KRETY\edgecompatviewlist[1].xml
                  Filesize

                  74KB

                  MD5

                  d4fc49dc14f63895d997fa4940f24378

                  SHA1

                  3efb1437a7c5e46034147cbbc8db017c69d02c31

                  SHA256

                  853d2f4eb81c9fdcea2ee079f6faf98214b111b77cdf68709b38989d123890f1

                  SHA512

                  cc60d79b4afe5007634ac21dc4bc92081880be4c0d798a1735b63b27e936c02f399964f744dc73711987f01e8a1064b02a4867dd6cac27538e5fbe275cc61e0a

                  Download Submit

                • C:\Users\Admin\AppData\Local\Packages\Microsoft.MSPaint_8wekyb3d8bbwe\LocalState\Projects\Projects.json
                  Filesize

                  236B

                  MD5

                  9ad9edf31222cac55d8bc0b051a267ee

                  SHA1

                  6a536997ee93eac3b2a6d9c44a0a418a75fdac14

                  SHA256

                  00af8822c1b33205134974e8057060fde3566a71ad47a5cc9c965a4c9b5dacb7

                  SHA512

                  b7975eeeb6243f47ea66eeb15fa2bf08e4748534b2ba29d8ec8ca46c0018c5f16a0b562b62c4c6312c1f3a949af4173adf2331e67473b1893e6900f1661d304e

                  Download Submit

                • C:\Users\Admin\AppData\Local\Packages\Microsoft.MSPaint_8wekyb3d8bbwe\LocalState\Projects\Projects.json
                  Filesize

                  2B

                  MD5

                  d751713988987e9331980363e24189ce

                  SHA1

                  97d170e1550eee4afc0af065b78cda302a97674c

                  SHA256

                  4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

                  SHA512

                  b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

                  Download Submit

                • C:\Users\Admin\AppData\Local\Packages\Microsoft.MSPaint_8wekyb3d8bbwe\LocalState\Projects\Projects.json
                  Filesize

                  233B

                  MD5

                  821a2aa5323e74246e0bb8a96e67418a

                  SHA1

                  596af488ecef25423d775baea37f743c2d5de575

                  SHA256

                  40299186d44c5b1d06c8e468885b75fbe946cd3c71ebd0565f1936c13a77733c

                  SHA512

                  678813172b378f4ccf75b932c84eb40f08addf3a0dc81dd526ca2367aba9330e790890abeb66b5f6cb2895e3f65f34901815becdc5347168ab4cc10d19eb2360

                  Download Submit

                • C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\WL0YQ9UD\7z2401[1].msi
                  Filesize

                  1.4MB

                  MD5

                  a141303fe3fd74208c1c8a1121a7f67d

                  SHA1

                  b55c286e80a9e128fbf615da63169162c08aef94

                  SHA256

                  1c3c3560906974161f25f5f81de4620787b55ca76002ac3c4fc846d57a06df99

                  SHA512

                  2323c292bfa7ea712d39a4d33cdd19563dd073fee6c684d02e7e931abe72af92f85e5bf8bff7c647e4fcdc522b148e9b8d1dd43a9d37c73c0ae86d5efb1885c8

                  Download Submit

                • C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\MicrosoftEdge\Cache\ATZKFSB1\suggestions[1].en-US
                  Filesize

                  17KB

                  MD5

                  5a34cb996293fde2cb7a4ac89587393a

                  SHA1

                  3c96c993500690d1a77873cd62bc639b3a10653f

                  SHA256

                  c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

                  SHA512

                  e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

                  Download Submit

                • C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\WL0YQ9UD\7z2401[1].msi
                  Filesize

                  95KB

                  MD5

                  b1e4577b46b50d32fd03919d39a37993

                  SHA1

                  4be6cdba00938cd1d0017f96ee0d667023df4bac

                  SHA256

                  56ef8475c5fe22c748b3ec1d1d3f08ac6f0f64f9d4773ef5485563adea8c2c03

                  SHA512

                  4ad00f8ebcbe7b7e079728e6de93a5ba2637848f6eb6e012b11f17a5a1f966c82d1b57c270ac375e01dc6e1a6498800c5ad7328045fc6fa0159e1f39dcafd752

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\vlc\ml.xspf
                  Filesize

                  304B

                  MD5

                  781602441469750c3219c8c38b515ed4

                  SHA1

                  e885acd1cbd0b897ebcedbb145bef1c330f80595

                  SHA256

                  81970dbe581373d14fbd451ac4b3f96e5f69b79645f1ee1ca715cff3af0bf20d

                  SHA512

                  2b0a1717d96edb47bdf0ffeb250a5ec11f7d0638d3e0a62fbe48c064379b473ca88ffbececb32a72129d06c040b107834f1004ccda5f0f35b8c3588034786461

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\vlc\vlc-qt-interface.ini
                  Filesize

                  531B

                  MD5

                  24f5201d10c3af00f793885ac9cb0813

                  SHA1

                  c0468da53a219700dc02ddd97a46f947d53065ee

                  SHA256

                  5f6c0b0696df387e2121e8833645c8ead2bb7f25bd6580ec0cd99ba4537cba97

                  SHA512

                  c72a6f54957d886598967dfb10a69b34c7d953bf1d34350b5662b557453a60df2363839fc9e0c5ceb1e112c12deb1e6a5edc6da2d4a2e7bd8e79c021def8dfa4

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\vlc\vlcrc
                  Filesize

                  94KB

                  MD5

                  7b37c4f352a44c8246bf685258f75045

                  SHA1

                  817dacb245334f10de0297e69c98b4c9470f083e

                  SHA256

                  ec45f6e952b43eddc214dba703cf7f31398f3c9f535aad37f42237c56b9b778e

                  SHA512

                  1e8d675b3c6c9ba257b616da268cac7f1c7a9db12ffb831ed5f8d43c0887d711c197ebc9daf735e3da9a0355bf21c2b29a2fb38a46482a2c5c8cd5628fea4c02

                  Download Submit

                • \??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2
                  Filesize

                  26.0MB

                  MD5

                  0af91fc695fd79e19cdab8a52c570ebb

                  SHA1

                  91dfccd43517784742e9f14105ffe8f843287eeb

                  SHA256

                  cb52d4ea67c96830d5801c1c643cef575b0caac2abdba6d22cdb9f7eb5821f21

                  SHA512

                  56d9a10cbcafda49f0a8d11f07dd00ab6b314f10a2826b25f850f7dc133b6a7d712cfac96d492e066909efcd860427c346a6e50275faa00576913f5c4fa47624

                  Download Submit

                • \??\Volume{4f38e779-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{3ddfeb7b-03fc-4fb4-8e83-5421bf4b7a16}_OnDiskSnapshotProp
                  Filesize

                  5KB

                  MD5

                  bbd64a8b3c55e32b1290048eae7e3181

                  SHA1

                  ebb53cda4b4589bd6ecb2622cebb1a0b4bb0f747

                  SHA256

                  bf0aee9b4477d055ad7435372e50218db5b15ec323fa24af88300491222a1941

                  SHA512

                  b10a07491a8081f5f2cb314c67dacbfb621beae6a46205ca796058b94cdc57d2564e7a78d71bed33ddcc7c447ea8d1a3dcbac126f6b8e3843260c46d25bfed14

                  Download Submit

                • memory/2288-155-0x00007FFC59410000-0x00007FFC59444000-memory.dmp

                  Filesize

                  208KB

                  Download

                • memory/2288-157-0x00007FFC56FB0000-0x00007FFC58060000-memory.dmp

                  Filesize

                  16.7MB

                  Download

                • memory/2288-156-0x00007FFC59150000-0x00007FFC59406000-memory.dmp

                  Filesize

                  2.7MB

                  Download

                • memory/2288-154-0x00007FF70F150000-0x00007FF70F248000-memory.dmp

                  Filesize

                  992KB

                  Download

                • memory/3500-16-0x0000020825320000-0x0000020825330000-memory.dmp

                  Filesize

                  64KB

                  Download

                • memory/3500-0-0x0000020825220000-0x0000020825230000-memory.dmp

                  Filesize

                  64KB

                  Download

                • memory/3500-35-0x00000208243E0000-0x00000208243E2000-memory.dmp

                  Filesize

                  8KB

                  Download

                • memory/3500-70-0x000002082C1B0000-0x000002082C1B1000-memory.dmp

                  Filesize

                  4KB

                  Download

                • memory/3500-68-0x000002082C1A0000-0x000002082C1A1000-memory.dmp

                  Filesize

                  4KB

                  Download

                • memory/4116-80-0x000001FFCFF00000-0x000001FFD0000000-memory.dmp

                  Filesize

                  1024KB

                  Download

                • memory/4524-305-0x00007FFC59410000-0x00007FFC59444000-memory.dmp

                  Filesize

                  208KB

                  Download

                • memory/4524-304-0x00007FF70F150000-0x00007FF70F248000-memory.dmp

                  Filesize

                  992KB

                  Download

                • memory/4524-306-0x00007FFC59150000-0x00007FFC59406000-memory.dmp

                  Filesize

                  2.7MB

                  Download

                • memory/4524-307-0x00007FFC57B90000-0x00007FFC57C9E000-memory.dmp

                  Filesize

                  1.1MB

                  Download

                • memory/4640-43-0x0000029006000000-0x0000029006100000-memory.dmp

                  Filesize

                  1024KB

                  Download

                • memory/4640-45-0x0000029006000000-0x0000029006100000-memory.dmp

                  Filesize

                  1024KB

                  Download

                • memory/4752-62-0x0000017BECF10000-0x0000017BECF12000-memory.dmp

                  Filesize

                  8KB

                  Download

                • memory/4752-67-0x0000017BED000000-0x0000017BED002000-memory.dmp

                  Filesize

                  8KB

                  Download

                • memory/4752-65-0x0000017BECF40000-0x0000017BECF42000-memory.dmp

                  Filesize

                  8KB

                  Download

                • memory/4752-58-0x0000017BDCCA0000-0x0000017BDCDA0000-memory.dmp

                  Filesize

                  1024KB

                  Download