Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

6

Static

static

1

Far30b6300...07.msi

windows11-21h2-x64

6

Analysis

  • max time kernel
    222s
  • max time network
    305s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240704-en
  • resource tags

    arch:x64arch:x86image:win11-20240704-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    07/07/2024, 18:23

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Far30b6300.x64.20240407.msi

  • Size

    14.5MB

  • MD5

    f2ecdb60e3769949220cdfa4151f5e69

  • SHA1

    2887ae5dacbf02d07460a203ade656e404812e5e

  • SHA256

    bb54ecf43a539dac9b0c4eb0b95b93b54547036e5d25ac6059eaa2cea26c1f71

  • SHA512

    435b4ab37383850feda9cf92bafa45296d282694bb7fe7f1d0168a6195744a6b5e2bf26d19eb8bf4e77c5744d197e13e49fffae5984f773a9fd35b572da2a578

  • SSDEEP

    393216:Nyg/fqsV+/a9TMji/2U8YE0uSg1EFc8gG8:Ag/B+24ji/2U8XVSg+Fc8

Score
6/10
persistenceprivilege_escalation

Malware Config

Signatures

  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 17 IoCs
  • Loads dropped DLL 3 IoCs
  • Event Triggered Execution: Installer Packages 1 TTPs 1 IoCs
    persistenceprivilege_escalation
  • Checks SCSI registry key(s) 3 TTPs 5 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Modifies data under HKEY_USERS 3 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Windows\system32\msiexec.exe
    msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\Far30b6300.x64.20240407.msi
    1⤵
    • Enumerates connected drives
    • Event Triggered Execution: Installer Packages
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:1636
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Enumerates connected drives
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Modifies data under HKEY_USERS
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4784
    • C:\Windows\system32\srtasks.exe
      C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
      2⤵
        PID:2008
      • C:\Windows\System32\MsiExec.exe
        C:\Windows\System32\MsiExec.exe -Embedding 7B52DC8A28CF8C12A481754D2961E166
        2⤵
        • Loads dropped DLL
        PID:2348
      • C:\Windows\System32\MsiExec.exe
        C:\Windows\System32\MsiExec.exe -Embedding D0613942AD17C140C7E004D0ECBB8419 E Global\MSI0000
        2⤵
        • Loads dropped DLL
        PID:2340
    • C:\Windows\system32\vssvc.exe
      C:\Windows\system32\vssvc.exe
      1⤵
      • Checks SCSI registry key(s)
      • Suspicious use of AdjustPrivilegeToken
      PID:1424

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Config.Msi\e57ef81.rbs
      Filesize

      239KB

      MD5

      ec330717f75bbb7c7c91ac040416872a

      SHA1

      42e250e9c77e10600c566aa286fe039c7d2b2235

      SHA256

      3a3f62e98e3f016fc15e2acc36d8a6ce3e575e989f2e33878163c5f0170b0d79

      SHA512

      e792911dcf6f56a85c45cb1ca2adefb7a8bf543cee1a792a0f4b71cdc36823f0e5043ff4f0b3bd2417489ea9dafd75ea8f6b522849915a30ade47be13d59471a

      Download Submit

    • C:\Program Files\Far Manager\Far.exe
      Filesize

      4.8MB

      MD5

      cce69c6d78fc91aa58191668fa5424fb

      SHA1

      c29b64c1135fad8e12ddd8d4e13dda6a925f5f04

      SHA256

      484d6f6a71a822c7a5bf3b0e6dfbc2a870a2b82e222f92d1a5e4e6df211c5c80

      SHA512

      970f7971e7382f347ebffb03fa7199c5ecfbbc9080b5f83110d1eb6f23c91f928100e51de555b50f11c878a777594bab8ad49e0c2035de6397601d851845e5fc

      Download Submit

    • C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Far Manager 3 (x64)\Far Manager 3 (x64).lnk
      Filesize

      1KB

      MD5

      44d298d395e9811ce455bd5435ec03cb

      SHA1

      67e937cc4497c10c7b79ec83bf481a3ee6494b5e

      SHA256

      2e19f55bfb23e027adb31902d72936f5555dd586ad5312cf10b1c1e240e96719

      SHA512

      e9c47ecd925577f13f5db3a931bef1522bd05fd0ac417173b0c397037914e621089d36d05bb8f21e98d12d61086cbbdae2ef456980b09b43f1e95a19614f364d

      Download Submit

    • C:\Windows\Installer\MSIF07A.tmp
      Filesize

      195KB

      MD5

      980379427f86689d99f38ea699026b17

      SHA1

      43f3231848d714ca9331e42396dbd5e9f263046e

      SHA256

      00f1945cbc8cc97ab10968e111de0b708c05837e9f1fb37c12b8bac7397a7b30

      SHA512

      3b3eb5ca4094d237a349224eab58df5529ba699e3fa7044ff91e90f2dceeb00cf498ec17daee65a6d516f97d308acc5441d7a940c77913a3daf8492e65becc77

      Download Submit

    • C:\Windows\Installer\e57ef80.msi
      Filesize

      14.5MB

      MD5

      f2ecdb60e3769949220cdfa4151f5e69

      SHA1

      2887ae5dacbf02d07460a203ade656e404812e5e

      SHA256

      bb54ecf43a539dac9b0c4eb0b95b93b54547036e5d25ac6059eaa2cea26c1f71

      SHA512

      435b4ab37383850feda9cf92bafa45296d282694bb7fe7f1d0168a6195744a6b5e2bf26d19eb8bf4e77c5744d197e13e49fffae5984f773a9fd35b572da2a578

      Download Submit

    • \??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2
      Filesize

      12.8MB

      MD5

      7108bd80b5292f47e6f0ab563be2fcf0

      SHA1

      7dd403efce3a4b7c1422909a0f46ad0fd6a0e07d

      SHA256

      abd8446eaf03472a614982cbeaea13416769e5859b706c507bc3393df50e112e

      SHA512

      ab2d0b3fbaf5d0f106ce7f015b300b10dd027b9301951983d95ba25ea16e415272730ab00f84b31428f166756f6564406c3046ee74df0eddfc275025e54de93b

      Download Submit

    • \??\Volume{ab373ba3-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{ff40a667-655f-4132-9c42-eba9110419fc}_OnDiskSnapshotProp
      Filesize

      6KB

      MD5

      90c8e3689ea2fb9aecc44d1600fdbc27

      SHA1

      cf3aaabea29444672a4676fbd8b2d5d25688069e

      SHA256

      694f6fe1d6b730e50fdfad8b93c048205eb5ffc05ba5ccc14639e4122338e7b9

      SHA512

      a45f88a90e5b00dbbe7a3c484d1b12fbe0c1013f0a084aadefb37d8469a4a50dc941ddbf6d5e8424aa29d2ab8f4757c41392a30533316b679bcd6111c19fc822

      Download Submit