Analysis

  • max time kernel
    96s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240709-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    15/07/2024, 18:35

General

  • Target

    $PLUGINSDIR/vcredist_x86.exe

  • Size

    2.6MB

  • MD5

    5c82be7ad1775b67916ee19c15b99331

  • SHA1

    7dfa98be78249921dd0eedb9a3dd809e7d215c8d

  • SHA256

    eb00f891919d4f894ab725b158459db8834470c382dc60cd3c3ee2c6de6da92c

  • SHA512

    2c505476c81ad32a4904d57d9214bbaa805891c261e010b08055896dca32cfd426f4d13d14a96022fda9a5d8ecd638d65bc37baefed216a2517f07e9acb6939d

  • SSDEEP

    49152:7XOOTQyCR1e8HkA7pFomV4d4QN3uoxFit39/SZrPfLHkAZ0oI006q/HVFlQE+QD9:77EzzzJp0+ojyFALE4hIP/HRXP7x

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 1 IoCs
  • Drops file in Windows directory 57 IoCs
  • Event Triggered Execution: Installer Packages 1 TTPs 1 IoCs
  • Checks SCSI registry key(s) 3 TTPs 5 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Modifies data under HKEY_USERS 3 IoCs
  • Modifies registry class 56 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\vcredist_x86.exe
    "C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\vcredist_x86.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:3532
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\VCREDI~3.EXE
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\VCREDI~3.EXE
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:4608
      • C:\Windows\SysWOW64\msiexec.exe
        msiexec /i vcredist.msi
        3⤵
        • Enumerates connected drives
        • Event Triggered Execution: Installer Packages
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        PID:4692
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Enumerates connected drives
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Modifies data under HKEY_USERS
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1072
    • C:\Windows\system32\srtasks.exe
      C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
      2⤵
      PID:4604
      • C:\Windows\syswow64\MsiExec.exe
        C:\Windows\syswow64\MsiExec.exe -Embedding 74811624FBF33F41549E258664647577
        2⤵
        • Loads dropped DLL
        PID:4212
    • C:\Windows\system32\vssvc.exe
      C:\Windows\system32\vssvc.exe
      1⤵
      • Checks SCSI registry key(s)
      • Suspicious use of AdjustPrivilegeToken
      PID:3724

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\VCREDI~3.EXE

      Filesize

      2.6MB

      MD5

      1f8e9fec647700b21d45e6cda97c39b7

      SHA1

      037288ee51553f84498ae4873c357d367d1a3667

      SHA256

      9c110c0426f4e75f4384a527f0abe2232fe71f2968eb91278b16b200537d3161

      SHA512

      42f6ca3456951f3e85024444e513f424add6eda9f4807bf84c91dc8ccb623be6a8e83dc40a8b6a1bc2c6fd080f2c51b719ead1422e9d1c1079795ec70953a1ad

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vcredis1.cab

      Filesize

      247KB

      MD5

      aa85aa3738acfe30e197d9dfd5c3428d

      SHA1

      7f3ee53bd967265afe32b31d75b4f6c47363654a

      SHA256

      af3560ef0c55c7e4eff2170c63e7860498b5830e405a3841f96c91601e62e108

      SHA512

      e1bf248d6425f6ba91bf0a1f3d364321b09477af9be2f31f8bf6d92defbaddfbab8f3e6284262742378f1f87d60d06eee3b98fb081e60f9fb6f19c1797489861

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vcredist.msi

      Filesize

      2.7MB

      MD5

      dc1ab7ce3b89fc7cac369d8b246cdafe

      SHA1

      c9a2d5a312f770189c4b65cb500905e4773c14ad

      SHA256

      dde77dd3473d3d07c459f17cd267f96f19264f976f2fcc85b4bbbecf26487560

      SHA512

      e554b8b36a7a853d4e6efb4e6faf2d784f41e8d26edafbb1689a944bf0a7a4b58258d820a3fada1496b8c8d295d8771fc713b29127d54a3fbc317659b7565cbe

    • C:\Windows\Installer\MSI179A.tmp

      Filesize

      28KB

      MD5

      85221b3bcba8dbe4b4a46581aa49f760

      SHA1

      746645c92594bfc739f77812d67cfd85f4b92474

      SHA256

      f6e34a4550e499346f5ab1d245508f16bf765ff24c4988984b89e049ca55737f

      SHA512

      060e35c4de14a03a2cda313f968e372291866cc4acd59977d7a48ac3745494abc54df83fff63cf30be4e10ff69a3b3c8b6c38f43ebd2a8d23d6c86fbee7ba87d

    • \??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

      Filesize

      23.7MB

      MD5

      86e44510f271f2ac791c233463a26e47

      SHA1

      9aad8da140e1749291241bfcf5af8e841e45c808

      SHA256

      23be563566153dbfc577941827853737a2e4d3c9c518a3351d1d0c4921027a6a

      SHA512

      297cbc91054c4c9f6f9b786c807ee82c8c22d684037b852fa93a0459bdd478dff6c4c5807601104d3a59922e5f044747af8fbcd81ca8aa77fd34d6cb9f61c3ad

    • \??\Volume{07cd9aa7-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{0e3ab376-dec1-41b5-bdec-2af83b8ba5aa}_OnDiskSnapshotProp

      Filesize

      6KB

      MD5

      48c24f06087f0b86e5480cfa4401eecf

      SHA1

      704ab9f6fac7c74e9be3b6b2ab652e09449b73ba

      SHA256

      67e9b1a7dd110603471d56b85e4038f97bd9f8aa20ab84d727199fa07b7fead7

      SHA512

      c310153373d30be5238136db28eba543c6ad40e3aeda2406cd023a855779c36068d9688759b493299ccc7ebf403c90d45ee402b4edb894fec049094fdf47c049