Analysis

  • max time kernel: 44s
  • max time network: 46s
  • platform: windows10-2004_x64
  • resource: win10v2004-20240802-en
  • resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted: 20/08/2024, 23:47

General

  • Target: playit-windows-x86_64-signed.msi
  • Size: 2.1MB
  • MD5: 818632a790c6f405474d29e66bd9bcec
  • SHA1: 0140d14851f2a16e37fe4a3b1c126d4b2cead3b1
  • SHA256: 91ff5e398d2c7b7c04e7ddfd58936246839f27d8db7b7474d55e1b38a7b634d0
  • SHA512: 2285fa657cb372e571d3487d68be9b534b8308cfd086e8a0499945f604339a9d71e4103494d41eaed783bb1ff986307ef9e18dfce67c5e53d4b0b5dd53327b04
  • SSDEEP: 49152:2+vdFMXhTj0et/HJQ+rd7OYJCYE312NXNdmVci2wy9SIT7ZGjYTytJPr+VuOSAEq:2+rYxQ+rxOZ12NbmVci2wy9SIT7ZGjYB

Malware Config

Signatures

  • Blocklisted process makes network request (5 IoCs)
  • Enumerates connected drives (3 TTPs, 46 IoCs)

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory (1 IoC)
  • Drops file in Windows directory (10 IoCs)
  • Executes dropped EXE (1 IoC)
  • Event Triggered Execution: Installer Packages (2 TTPs, 1 IoC)
  • Checks SCSI registry key(s) (3 TTPs, 5 IoCs)

    SCSI information is often read in order to detect sandboxing environments.

  • Modifies data under HKEY_USERS (3 IoCs)
  • Modifies registry class (25 IoCs)
  • Suspicious behavior: EnumeratesProcesses (2 IoCs)
  • Suspicious use of AdjustPrivilegeToken (64 IoCs)
  • Suspicious use of FindShellTrayWindow (4 IoCs)
  • Suspicious use of WriteProcessMemory (2 IoCs)
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Windows\system32\msiexec.exe
    msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\playit-windows-x86_64-signed.msi
    PID: 860
    • Blocklisted process makes network request
    • Enumerates connected drives
    • Event Triggered Execution: Installer Packages
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    PID: 3316
    • Enumerates connected drives
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Modifies data under HKEY_USERS
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    • C:\Windows\system32\srtasks.exe
      C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
      PID: 1944
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    PID: 3540
    • Checks SCSI registry key(s)
    • Suspicious use of AdjustPrivilegeToken
  • C:\Program Files\playit_gg\bin\playit.exe
    "C:\Program Files\playit_gg\bin\playit.exe"
    PID: 3064
    • Executes dropped EXE

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Config.Msi\e57e511.rbs
    Filesize: 9KB
    MD5: 3c8dce2f3278f3f80b7a9623803ea113
    SHA1: 394be01c4ccf784bda12b5de7c66149047a26ce1
    SHA256: 34f535969b603d4864cdddb497c65ea9ddd830a9d25627ce0db3240ace6397b2
    SHA512: 639459704ea805ea2c301c8fabd2341c58ead4f32c2e7f3e4bf395c9f0db6729ac6cd6e95b921b5fb48cad6f66bfa505e490aa1e1a061fe6985b95d0244cb5a5

  • C:\Program Files\playit_gg\bin\playit.exe
    Filesize: 3.8MB
    MD5: 8af54595d5bdfec004a39451268573b2
    SHA1: f03fea37148bba2ef7a2d57286a1d85a463287b0
    SHA256: f87212b62acb8d8f3b1a0ccc1b02d7af44ba09c7d6a8bf3c62bb7ec03f736166
    SHA512: 2473aab6ed691483ca5ad52530c648139d20cc5d55875848adfc92fdb415521031f947a80c5c1cb07316ee904b4651ce3f18cc540010d067dce561f889931393

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C42BC945025A34066DAB76EF3F80A05
    Filesize: 63KB
    MD5: 44dbe3aa02117bdede435e83b2e215ad
    SHA1: 2c6a5a8389b76a6f45879c3a3475253084ad5eb5
    SHA256: c1eea21d2024ddb7738c29402fb050c7231ecc56fb120852a9fc05c964dc264d
    SHA512: f8c6d74c8d9e461734c2ae1e90a5e6e90fed1c64917fbe11ec5f56cb57756462758caed757dbf3442a6f6dbe394473b23dface88589511333e8fafc2736d185e

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\FE17BEC2A573BC9AE36869D0274FFA19_6DA81F04C5F9EAD2CD0268808FCE61E1
    Filesize: 727B
    MD5: 7a3b8457313a521e0d44f91765a4e041
    SHA1: 4ea8ecb5e7b4c11f4c491caf6cee7ced5ec4c267
    SHA256: 2b08ecf53bb8b6c430659926148f896102dc80b5f38b0ec5efe122199659651c
    SHA512: 7349fd1b8c490d540a8bb25f40587f9874ff5d9b1f9bdb2ea69db9218ebdbdccea5e4d6645fbd1098d051b008b1ebfd12a619c3a4d6fb54940705ab14933e159

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C42BC945025A34066DAB76EF3F80A05
    Filesize: 314B
    MD5: dba7ed8860974e3bbbf689823733459d
    SHA1: a64ef8419b0cd1e6d7ed715eb39f476ac362b831
    SHA256: 874d6e539cc78d3d8a2310e714962e382c46414486c4b3558aaedf44d125f88c
    SHA512: 6ec750202a8624f66c110e9acd3808727bc5daef93aa439de5570922dfe767c8bf771b3f9bdee4538230b9a93f3b928c4b8ad175f9dada0c26081e4c1f5fbf91

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FE17BEC2A573BC9AE36869D0274FFA19_6DA81F04C5F9EAD2CD0268808FCE61E1
    Filesize: 478B
    MD5: 81517578d2c1f5aa1d8cccba2f828318
    SHA1: f67d7e7299a8d24a4efaac85ba288c378c193f33
    SHA256: 7736a6331e571cb6e189128795ec4019c82ded4309e3bb2aea00fdaf65a9ce74
    SHA512: fb9357c3b9a7868cb74bf98307fe7fc2e526c0d4d58f029a27e9464ea19cc67ca6384e3273d034748cac7ac6a534e78563f3bba068af08dfae37d589168d0ba8

  • C:\Windows\Installer\e57e510.msi
    Filesize: 2.1MB
    MD5: 818632a790c6f405474d29e66bd9bcec
    SHA1: 0140d14851f2a16e37fe4a3b1c126d4b2cead3b1
    SHA256: 91ff5e398d2c7b7c04e7ddfd58936246839f27d8db7b7474d55e1b38a7b634d0
    SHA512: 2285fa657cb372e571d3487d68be9b534b8308cfd086e8a0499945f604339a9d71e4103494d41eaed783bb1ff986307ef9e18dfce67c5e53d4b0b5dd53327b04

  • \??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2
    Filesize: 23.7MB
    MD5: 49255eb6ae8a975fc1aa9a81f1e06a3a
    SHA1: 23b3fc84b7f8be1d0e7ff4a712cbffbc371869ec
    SHA256: f7cfec6381369383b2c66bf1c440bbc8ce89a5688487417465a263afa5075252
    SHA512: c354e6997e469c905c4795be88a665ef32cab1dcd6185e72213811929004406c9ca35ceaa3b5c70cb6d71c5d88fc6f0b3072c9f593adb32de08a847f5aabc911

  • \??\Volume{848480a2-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{e83ffa53-eafc-48f1-9e35-ddad80127965}_OnDiskSnapshotProp
    Filesize: 6KB
    MD5: d7686fadba20191931cbd0773ea2954f
    SHA1: 02ad092bbabde3a9675cf77596c7d53934d16772
    SHA256: 336b5fdf8f2d2c6837ef278d8d29845c5aef1e87804bd9ed911dbb4fa5551051
    SHA512: 67b0191e820d91a95818a4c4cf6128536f12659fe445b2c81bbd8450c0d91bb3a028ed593d9b5f42ff9226472e743e4716e711ed656a03a76a208c3bf755c204