Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
max time kernel: 143s
max time network: 122s
platform: windows7_x64
resource: win7-20240708-en
resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
submitted: 07/08/2024, 01:56
Static task: static1
Behavioral task: behavioral1
  Sample: MSIAfterburnerSetup.zip
  Resource: win7-20240705-en
Behavioral task: behavioral2
  Sample: MSIAfterburnerSetup.zip
  Resource: win10v2004-20240802-en
Behavioral task: behavioral3
  Sample: MSIAfterburnerSetup465.exe
  Resource: win7-20240708-en
Behavioral task: behavioral4
  Sample: MSIAfterburnerSetup465.exe
  Resource: win10v2004-20240802-en
General
Target: MSIAfterburnerSetup465.exe
Size: 56.0MB
MD5: 17acf57e921224883fcfeea2e010f690
SHA1: a2010ac597dff8eb54b4f62dbd5447ee3908e748
SHA256: 623b0f1f518e7c03e1d540415bdd159e2d03fa019d76e2024f6e6ec7489a6266
SHA512: 709b11b4071c750914a7a7d2013576950cdf7f769e3a7ea75b458f3cdb4f8e0ed4d5c424bb8bffa388d3fbcf97df60b2529fed822ddf3911cf5276a64ff1f2c6
SSDEEP: 1572864:i3Mu6Bw/3Zh8xIc+9q4qBn8pzpzhaaXMxAAPJm:icn+RCxI8/Bn84XyAPJm
Malware Config
Signatures
Command and Scripting Interpreter: PowerShell
  pid   Process
  2944  powershell.exe
  1600  powershell.exe

Enumerates physical storage devices  1 TTPs
  Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery  1 TTPs  5 IoCs
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc                                                          Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  powershell.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  MSIAfterburnerSetup465.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cmd.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  powershell.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cmd.exe

Suspicious behavior: EnumeratesProcesses  2 IoCs
  pid   Process
  2944  powershell.exe
  1600  powershell.exe

Suspicious use of AdjustPrivilegeToken  2 IoCs
  description              pid   Process
  Token: SeDebugPrivilege  2944  powershell.exe
  Token: SeDebugPrivilege  1600  powershell.exe

Suspicious use of WriteProcessMemory  16 IoCs
  description                       pid   Process                     procid_target
  PID 1880 wrote to memory of 2880  1880  MSIAfterburnerSetup465.exe  31
  PID 1880 wrote to memory of 2880  1880  MSIAfterburnerSetup465.exe  31
  PID 1880 wrote to memory of 2880  1880  MSIAfterburnerSetup465.exe  31
  PID 1880 wrote to memory of 2880  1880  MSIAfterburnerSetup465.exe  31
  PID 2880 wrote to memory of 2944  2880  cmd.exe                     33
  PID 2880 wrote to memory of 2944  2880  cmd.exe                     33
  PID 2880 wrote to memory of 2944  2880  cmd.exe                     33
  PID 2880 wrote to memory of 2944  2880  cmd.exe                     33
  PID 1880 wrote to memory of 3060  1880  MSIAfterburnerSetup465.exe  34
  PID 1880 wrote to memory of 3060  1880  MSIAfterburnerSetup465.exe  34
  PID 1880 wrote to memory of 3060  1880  MSIAfterburnerSetup465.exe  34
  PID 1880 wrote to memory of 3060  1880  MSIAfterburnerSetup465.exe  34
  PID 3060 wrote to memory of 1600  3060  cmd.exe                     36
  PID 3060 wrote to memory of 1600  3060  cmd.exe                     36
  PID 3060 wrote to memory of 1600  3060  cmd.exe                     36
  PID 3060 wrote to memory of 1600  3060  cmd.exe                     36
Processes
1. C:\Users\Admin\AppData\Local\Temp\MSIAfterburnerSetup465.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\MSIAfterburnerSetup465.exe"
   PID: 1880
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c powershell Expand-Archive -LiteralPath 'C:\Users\Admin\AppData\Local\Temp\MSI_Afterburner_Setup\File\77B8B2E9-593F-45F3-A32E-778730B62B6B\MSIAfterburnerSetup.zip' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\MSI_Afterburner_Setup\File\77B8B2E9-593F-45F3-A32E-778730B62B6B\MSIAfterburnerSetup\' -Force
      PID: 2880
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
         Command line: powershell Expand-Archive -LiteralPath 'C:\Users\Admin\AppData\Local\Temp\MSI_Afterburner_Setup\File\77B8B2E9-593F-45F3-A32E-778730B62B6B\MSIAfterburnerSetup.zip' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\MSI_Afterburner_Setup\File\77B8B2E9-593F-45F3-A32E-778730B62B6B\MSIAfterburnerSetup\' -Force
         PID: 2944
         - Command and Scripting Interpreter: PowerShell
         - System Location Discovery: System Language Discovery
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of AdjustPrivilegeToken
   2. C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c powershell Expand-Archive -LiteralPath 'C:\Users\Admin\AppData\Local\Temp\MSI_Afterburner_Setup\File\18256D11-615C-4EAC-8E8E-6D80FEF9218D\N360GamerDownloader.zip' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\MSI_Afterburner_Setup\File\18256D11-615C-4EAC-8E8E-6D80FEF9218D\N360GamerDownloader\' -Force
      PID: 3060
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
         Command line: powershell Expand-Archive -LiteralPath 'C:\Users\Admin\AppData\Local\Temp\MSI_Afterburner_Setup\File\18256D11-615C-4EAC-8E8E-6D80FEF9218D\N360GamerDownloader.zip' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\MSI_Afterburner_Setup\File\18256D11-615C-4EAC-8E8E-6D80FEF9218D\N360GamerDownloader\' -Force
         PID: 1600
         - Command and Scripting Interpreter: PowerShell
         - System Location Discovery: System Language Discovery
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
  Filesize: 7KB
  MD5: 31645b895c4ab6185d101b432757c7eb
  SHA1: f660dfd68a1d29cf1d480259986c775634045690
  SHA256: ac8b9074d43fac4660a027aacc9a860f686fef16ffc3776ce7d26d14d95e9c89
  SHA512: 58933b38d66d1629bbe05f22397f91eb9dae5a04199824f31f0f32ee340849421c6bc30d4b61a0b21e3a8f8c2b9cc856b8d8ab1d09cc714dac685f2a0adadf81