Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

6

Static

static

1

Wallet.msi

windows7-x64

6

Wallet.msi

windows10-1703-x64

6

Wallet.msi

windows10-2004-x64

6

Wallet.msi

windows11-21h2-x64

6

Analysis

  • max time kernel
    134s
  • max time network
    138s
  • platform
    windows10-1703_x64
  • resource
    win10-20240404-en
  • resource tags

    arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
  • submitted
    11/08/2024, 20:42 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Wallet.msi

  • Size

    1.6MB

  • MD5

    232855725fdfa00b59e7c0066942b7ff

  • SHA1

    f08533026efd8080a83343efcd88521a4b5068fa

  • SHA256

    db6132529852ea5707bfdd46195ac03e589eeb59ae12ac54e170b50a4ae0b3e6

  • SHA512

    3cb4acc32627f46c89061e0ef7f530c1d780d29d8a4dd67ee6ad7dbfb0e58406da490c7700aafdde63d7af61ac536b5daca8af69dc736e1cff4226f03c48bc2d

  • SSDEEP

    49152:pWJ3+JA3iD1Vwt0Cay8NwXKO15sUXOwz2oTw/B:pWJ8A3Ost0CfZXT1ZO2w/

Score
6/10
discoverypersistenceprivilege_escalation

Malware Config

Signatures

  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Windows directory 4 IoCs
  • Loads dropped DLL 1 IoCs
  • Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs
    persistenceprivilege_escalation
  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 36 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Windows\system32\msiexec.exe
    msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\Wallet.msi
    1⤵
    • Enumerates connected drives
    • Event Triggered Execution: Installer Packages
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:3080
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Enumerates connected drives
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4664
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding 5C11361618A8CF670B8741D39493A8A1
      2⤵
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      PID:2408
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 2408 -s 1060
        3⤵
        • Program crash
        PID:1556

Network

  • flag-us
    DNS
    0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.0.8.0.8.0.8.0.ip6.arpa
    Remote address:
    8.8.8.8:53
    Request
    0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.0.8.0.8.0.8.0.ip6.arpa
    IN PTR
    Response
  • flag-us
    DNS
    19.229.111.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    19.229.111.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    8.179.89.13.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    8.179.89.13.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    172.214.232.199.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    172.214.232.199.in-addr.arpa
    IN PTR
    Response
No results found
  • 8.8.8.8:53
    0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.0.8.0.8.0.8.0.ip6.arpa
    dns
    118 B
     182 B
     1
    1

    DNS Request

    0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.0.8.0.8.0.8.0.ip6.arpa

  • 8.8.8.8:53
    19.229.111.52.in-addr.arpa
    dns
    72 B
     158 B
     1
    1

    DNS Request

    19.229.111.52.in-addr.arpa

  • 8.8.8.8:53
    8.179.89.13.in-addr.arpa
    dns
    70 B
     144 B
     1
    1

    DNS Request

    8.179.89.13.in-addr.arpa

  • 8.8.8.8:53
    172.214.232.199.in-addr.arpa
    dns
    74 B
     128 B
     1
    1

    DNS Request

    172.214.232.199.in-addr.arpa

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Windows\Installer\MSI6FA2.tmp
    Filesize

    1.5MB

    MD5

    e93fc74b28319ecb5ca6fd8756fcbe33

    SHA1

    781b74da8a681a41b4e8a1a300f8f5dcf2088789

    SHA256

    664a6383e229551f56429d648aa81791174579c6918ed373e206087a859e3951

    SHA512

    899e7b81645778f6bf57c0195e4e06f74f62494287f1c5e7ee96b9317a7768d10e5c62dccaab426735d528d49ad6cf6d26993ae2aa5e4cd6bb5caba96c232e53

    Download Submit

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.