Analysis

  • max time kernel
    97s
  • max time network
    30s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags
    arch:x64 arch:x86 image:win7-20240704-en locale:en-us os:windows7-x64 system
  • submitted
    23/07/2024, 10:02

General

  • Target

    Retrac_Launcher_1.0.9_x64_en-US.msi

  • Size

    6.6MB

  • MD5

    79a3ef34fb61355df68b7931c56f08f5

  • SHA1

    f945151e501116aa5d2fbe3698cd55ff9b766691

  • SHA256

    e54675fdcd9d66f78f122b7dd4b61f2acd77951dcdd32914af8ace2ff71fd18c

  • SHA512

    72c0e71202b50874a6200953e20adcd4b5b0299921172ab1185565fe57490b0073789e1528ebf1de5a7f2922b49b21a2c360f5aaaa455596f2f4fecfbad52f57

  • SSDEEP

    196608:llBaVrNSXtyiN2gU3HS5oWQWnXl2m/YXGz:4db32jBnV2m/z

Malware Config

Signatures

  • Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

    Run Powershell and hide display window.

  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 3 IoCs
  • Drops file in Windows directory 21 IoCs
  • Loads dropped DLL 9 IoCs
  • Event Triggered Execution: Installer Packages 1 TTPs 1 IoCs
  • Modifies data under HKEY_USERS 64 IoCs
  • Modifies registry class 35 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 4 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Windows\system32\msiexec.exe
    msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\Retrac_Launcher_1.0.9_x64_en-US.msi
    1⤵
    • Enumerates connected drives
    • Event Triggered Execution: Installer Packages
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:2900
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Enumerates connected drives
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Loads dropped DLL
    • Modifies data under HKEY_USERS
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2988
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding ADC0D98CF3F8A4BB91D0DC241589A13C C
      2⤵
      • Loads dropped DLL
      PID:2344
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -NoProfile -windowstyle hidden try { [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 } catch {}; Invoke-WebRequest -Uri "https://go.microsoft.com/fwlink/p/?LinkId=2124703" -OutFile "$env:TEMP\MicrosoftEdgeWebview2Setup.exe" ; Start-Process -FilePath "$env:TEMP\MicrosoftEdgeWebview2Setup.exe" -ArgumentList ('/silent', '/install') -Wait
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Drops file in Program Files directory
      • Suspicious behavior: EnumeratesProcesses
      PID:708
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding 880F8646C4032747C2B65432340EAD7F C
      2⤵
      • Loads dropped DLL
      PID:2840
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -NoProfile -windowstyle hidden try { [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 } catch {}; Invoke-WebRequest -Uri "https://go.microsoft.com/fwlink/p/?LinkId=2124703" -OutFile "$env:TEMP\MicrosoftEdgeWebview2Setup.exe" ; Start-Process -FilePath "$env:TEMP\MicrosoftEdgeWebview2Setup.exe" -ArgumentList ('/silent', '/install') -Wait
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      PID:1752
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    PID:2800
  • C:\Windows\system32\DrvInst.exe
    DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000005D8" "00000000000004B0"
    1⤵
    • Drops file in Windows directory
    • Modifies data under HKEY_USERS
    PID:2776
  • C:\Windows\explorer.exe
    "C:\Windows\explorer.exe"
    1⤵
    PID:2708
  • C:\Windows\explorer.exe
    "C:\Windows\explorer.exe"
    1⤵
    PID:1520
  • C:\Windows\System32\msiexec.exe
    "C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\AppData\Local\Temp\Retrac_Launcher_1.0.9_x64_en-US.msi"
    1⤵
    • Enumerates connected drives
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of FindShellTrayWindow
    PID:2636
  • C:\Windows\system32\DrvInst.exe
    DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot20" "" "" "65dbac317" "0000000000000000" "00000000000005E8" "00000000000004B0"
    1⤵
    • Drops file in Windows directory
    • Modifies data under HKEY_USERS
    PID:1620

Network

MITRE ATT&CK Enterprise v15

Downloads

        • C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Retrac Launcher\Retrac Launcher.lnk

          Filesize

          1KB

          MD5

          943880712fe26cf5e9dbc1472f6ddf29

          SHA1

          de771f0dbab34ecc164313c57dd1e3fc58c8645c

          SHA256

          6b0431ac3495847232adecf728d0c745fa9500fb200f5d8ebd5b314e736dd0e3

          SHA512

          708a7092b49e7849d44bbac175f4142f6dec6f3367f730370a7203fdada6e70322249b96887f6fbfeb50b4a6af739fe1a2b34428d57607a9ff37cd0b80d249df

        • C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Retrac Launcher\Retrac Launcher.lnk

          Filesize

          2KB

          MD5

          a9272f8cbd542848392e5b201b0a3d9a

          SHA1

          cc2eaffd9b2850fb955d43e4885201c29df124bd

          SHA256

          b62e66008c1366effe469f2e197195dd8866a6ddeb7c8a792664df6ff56032ea

          SHA512

          c3a1b9018b04e895d29d3083df44bae0c26dec91821cec0b1de4ce4a61ffe378e26923828b7e814181bab677fc9fa7e6b1bfc35d51e2e38a41d2f6ab48c26d3a

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

          Filesize

          7KB

          MD5

          26c43b4dda4fa1de37f88ae7cc74e5ca

          SHA1

          d514451ab783ec084c1f4531ede62a3aa0caa701

          SHA256

          129414db9dd1f919ae5c447803230029d4e6e5989c72a54ac089332418c2d7f9

          SHA512

          14c9da6d6c04efce0c69d55c30d1bbb89772f7131154e17eaac08bafc0c6aae3e006c3d082a4f90596c3fa17942a859a773f2ee7d7b3301beb0fd08cddc7880d

        • C:\Windows\Installer\f76d46f.msi

          Filesize

          6.6MB

          MD5

          79a3ef34fb61355df68b7931c56f08f5

          SHA1

          f945151e501116aa5d2fbe3698cd55ff9b766691

          SHA256

          e54675fdcd9d66f78f122b7dd4b61f2acd77951dcdd32914af8ace2ff71fd18c

          SHA512

          72c0e71202b50874a6200953e20adcd4b5b0299921172ab1185565fe57490b0073789e1528ebf1de5a7f2922b49b21a2c360f5aaaa455596f2f4fecfbad52f57

        • C:\Windows\Installer\{7DD522F6-E5CD-4B2E-9A9D-A445D8FF8695}\ProductIcon

          Filesize

          92KB

          MD5

          b57f2765879042b033b21c525c289d80

          SHA1

          57e306c6336fb5c177a495d1058676dd725ec82e

          SHA256

          b9f884956c9d614cce40b8e362f814c279ac9c93bbfba75601587bcd6b7cd117

          SHA512

          80a1b49041acf176cb488be453b272e5290dca5fc912f658b03ad4b51e635f08876e1d3a00e47f6018a5b0f60b43a28687df378c79f240e4342394545355beaf

        • \Program Files\Retrac Launcher\Retrac Launcher.exe

          Filesize

          12.7MB

          MD5

          8a411f7637a57f78d46eeb31847a5d18

          SHA1

          e177907ad513d2e2ccbc56d46cf2ad9bacd263f4

          SHA256

          3a4e19039b443e73f9247b42f7780552af52dd647bbf6a9010a2e58fde4c33b1

          SHA512

          3e6339652efd8b41671fcc29e9fd36696d17b3a9fce8795bfd1790b0a1c95fa4f3e41af86ed54e5387d437c2471837694e4188ea3ed56dea3d863b320daa3cb5

        • \Users\Admin\AppData\Local\Temp\MSIB4BF.tmp

          Filesize

          113KB

          MD5

          4fdd16752561cf585fed1506914d73e0

          SHA1

          f00023b9ae3c8ce5b7bb92f25011eaebe6f9d424

          SHA256

          aecd2d2fe766f6d439acc2bbf1346930ecc535012cf5ad7b3273d2875237b7e7

          SHA512

          3695e7eb1e35ec959243a91ab5b4454eb59aeef0f2699aa5de8e03de8fbb89f756a89130526da5c08815408cb700284a17936522ad2cad594c3e6e9d18a3f600

        • memory/708-43-0x000000001B640000-0x000000001B922000-memory.dmp

          Filesize

          2.9MB

        • memory/708-44-0x0000000001E20000-0x0000000001E28000-memory.dmp

          Filesize

          32KB

        • memory/1752-116-0x000000001B550000-0x000000001B832000-memory.dmp

          Filesize

          2.9MB

        • memory/1752-117-0x0000000001E00000-0x0000000001E08000-memory.dmp

          Filesize

          32KB