Analysis

  • max time kernel
    149s
  • max time network
    142s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags

    arch:x64 arch:x86 image:win7-20240704-en locale:en-us os:windows7-x64 system
  • submitted
    23/08/2024, 14:25

General

  • Target

    GoogleChorme.msi

  • Size

    31.3MB

  • MD5

    46c0158715bf937ebbbd3f0f4160df53

  • SHA1

    4025bb5c7dab4c20f43e27ef59fb7b0d59f20b5e

  • SHA256

    03f9c6613c68094f94d2099b0f5b61afb7e308d70a19b3bc26a2c4d9a65a33f0

  • SHA512

    13a7e0d01d3a79fdd309a447ad130fe3597737dc001ed816f6541f60079b4ee6f36b4d7842fa8672eca94b693925baab6ddb8f84839ad5bf7f0eea3e72f18357

  • SSDEEP

    786432:NOGXRTW9sglw5UbThI9/tCSRwWpe4jbdQ6nF7z:NRaRw5UbdMFKcjbdQCd

Malware Config

Signatures

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Blocklisted process makes network request 1 IoCs
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Program Files directory 4 IoCs
  • Drops file in Windows directory 11 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 9 IoCs
  • Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies data under HKEY_USERS 46 IoCs
  • Modifies registry class 23 IoCs
  • Suspicious behavior: EnumeratesProcesses 55 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 29 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Windows\system32\msiexec.exe
    msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\GoogleChorme.msi
    1⤵
    • Enumerates connected drives
    • Event Triggered Execution: Installer Packages
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:2368
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Enumerates connected drives
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Modifies data under HKEY_USERS
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2076
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding ADA5B6B243C1DB285C22CEA456ECC04E C
      2⤵
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      PID:2692
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding 71814C5FD049F3AA1BE9A715BADC81BB
      2⤵
      • Blocklisted process makes network request
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2792
      • C:\Windows\SysWOW64\reg.exe
        "C:\Windows\System32\reg.exe" add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v GoogleUpdata_Service /d "C:\programdata\Mylnk\dick.lnk" /f
        3⤵
        • Adds Run key to start application
        • System Location Discovery: System Language Discovery
        PID:2148
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    PID:2708
  • C:\Windows\system32\DrvInst.exe
    DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000005D4" "00000000000003C8"
    1⤵
    • Drops file in Windows directory
    • Modifies data under HKEY_USERS
    PID:1824
  • C:\ptueis\Agghosts.exe
    "C:\ptueis\Agghosts.exe" 67
    1⤵
    • Suspicious use of SetThreadContext
    • Executes dropped EXE
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1092
    • C:\Windows\SysWOW64\tracerpt.exe
      "C:\Windows\SysWOW64\tracerpt.exe"
      2⤵
      • Enumerates connected drives
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1008
      • C:\Windows\SysWOW64\svchost.exe
        C:\Windows\SysWOW64\svchost.exe
        3⤵
        PID:1764

Network

MITRE ATT&CK Enterprise v15

Downloads

      • C:\Config.Msi\f77626d.rbs

        Filesize

        8KB

        MD5

        7eeeb7ceaeae4baf4c9c01f4be9f83de

        SHA1

        1b7444aa7e83087e8c78d94e91fdb2cfddb4b261

        SHA256

        769f6d5811c6f80619144deb90e82310f0ecf19ff21694ee831418af6da3d474

        SHA512

        598fdbeea6e571918fee042ee6f415fbda36bd4cad85fc9fd7483cb426d98a72ea468732fe45c2154bc95f7e22ce4ab7a325db5bf7dc2c535492d86895fe63c7

      • C:\Program Files (x86)\Chrome Setup\Chrome Setup\Ensup.log

        Filesize

        5.2MB

        MD5

        1d7cc3187499f8dadc7905cc0d136db6

        SHA1

        f929e95efd9a5deb9ab1c2774ef53697db78fc0f

        SHA256

        6db9f0016f4908dfe4ee908b8e6e46ccac74bb725b43191ee85b4a3d2c41daed

        SHA512

        745771ee686e79dd9452d790a0d279df85e345b3bacc6d362e30f26ee6f7496e63de05b9dfdf8280865e869b5462019e3ac2a8d9d9a33dd8c4cc7802023ae6c8

      • C:\Program Files (x86)\Chrome Setup\Chrome Setup\MFCLibrary1.dll

        Filesize

        1.8MB

        MD5

        3c3876000b72164b046c783937ebbf60

        SHA1

        1ab7a188590ccd11abc0ba7b55f1c495ca0e6607

        SHA256

        4294b39d25fc61b0163ea3bcb56de6b4f5fe423d50186686661e364cdec4fb9a

        SHA512

        696181bce27076e4e442f36a129dc35b1fd095a49c2576914fab48f572c735d08724f124f7647360030b54e6d3809c89e8c275d31c89ff5edc4d2a7c9242d6e5

      • C:\Users\Admin\AppData\Local\Temp\MSI2E8F.tmp

        Filesize

        550KB

        MD5

        bda991d64e27606ac1d3abb659a0b33b

        SHA1

        a87ee1430f86effa5488ae654704c40aca3424c6

        SHA256

        ffea8222126b77f8da93e27edbadeb8b97fb023ef0d6a51522c35688f66283ca

        SHA512

        94fe1eadd4b4325fc1a8c769180c6ecf92e2dbf9f8262d6746fada603929977f3d40100ba84cffb4074c6900a2b2d307355e6a5116e6f16d9d3173fa17ad461f

      • C:\Windows\Installer\f77626b.msi

        Filesize

        31.3MB

        MD5

        46c0158715bf937ebbbd3f0f4160df53

        SHA1

        4025bb5c7dab4c20f43e27ef59fb7b0d59f20b5e

        SHA256

        03f9c6613c68094f94d2099b0f5b61afb7e308d70a19b3bc26a2c4d9a65a33f0

        SHA512

        13a7e0d01d3a79fdd309a447ad130fe3597737dc001ed816f6541f60079b4ee6f36b4d7842fa8672eca94b693925baab6ddb8f84839ad5bf7f0eea3e72f18357

      • C:\ptueis\1.lnk

        Filesize

        1KB

        MD5

        4714b8fd760072cb8ba2c795bcd54b99

        SHA1

        385a49127225a0e826b8e5ca1a9fc11565911c6e

        SHA256

        6b1433f1569e524a37b029b2e77c824c988c645a18074e865c5b6881ece6fdca

        SHA512

        9e6bac25de1cb751ac17fd7f1a9f074ded0427c7d23a945f655b2f0a7f8be81b296662b57f4a90bcce7b86a53c7c48ace9213d16f5ccc16c5fb92518ea4dae20

      • C:\ptueis\Ensup.log

        Filesize

        218KB

        MD5

        0ea5c7021018a45083ea4eb31f0fc34d

        SHA1

        d636419a870e4774feb272b73e5c9d57dae9485e

        SHA256

        b80d53a3d3ae6db48a7b1835aedb52e85291f35d55b61aa363994217b890dc8a

        SHA512

        a26e6461361b84da71396bdf8227c0d70f84589b92dd33c6549e1e035c4f5cfa778b4ca22b9ebfc380bd593a43260b53cb4b8f6ccb66381bdc64deb7755f9d79

      • C:\ptueis\VCRUNTIME140.dll

        Filesize

        77KB

        MD5

        f107a3c7371c4543bd3908ba729dd2db

        SHA1

        af8e7e8f446de74db2f31d532e46eab8bbf41e0a

        SHA256

        00df0901c101254525a219d93ff1830da3a20d3f14bc323354d8d5fee5854ec0

        SHA512

        fd776f8ceaac498f4f44819794c0fa89224712a8c476819ffc76ba4c7ff4caa9b360b9d299d9df7965387e5bbcb330f316f53759b5146a73b27a5f2e964c3530

      • \ptueis\Agghosts.exe

        Filesize

        111KB

        MD5

        a9b40e0b76aa5a292cb6052c6c2fd81d

        SHA1

        e15bba9e662ef45350720218617d563620c76823

        SHA256

        f5017d72f3b829a55971f877ebaa257f5e9791ae253ae23111cc45628477c36c

        SHA512

        ad49410a233614128a103ae55155665f563b67daa7411c42bf314a6a6d1c2cb61e4428d9049d0d3209d44a1b5eef1cab00541b6bb41dcf575ff9e7e406a2f23f

      • memory/1008-95-0x0000000000080000-0x00000000000B2000-memory.dmp

        Filesize

        200KB

      • memory/1008-97-0x0000000000530000-0x0000000000568000-memory.dmp

        Filesize

        224KB

      • memory/1008-99-0x0000000000530000-0x0000000000568000-memory.dmp

        Filesize

        224KB

      • memory/1008-98-0x0000000000530000-0x0000000000568000-memory.dmp

        Filesize

        224KB

      • memory/1008-106-0x0000000000530000-0x0000000000568000-memory.dmp

        Filesize

        224KB

      • memory/1008-105-0x0000000000530000-0x0000000000568000-memory.dmp

        Filesize

        224KB

      • memory/1092-61-0x0000000010000000-0x0000000010022000-memory.dmp

        Filesize

        136KB

      • memory/1764-100-0x00000000000C0000-0x00000000000C1000-memory.dmp

        Filesize

        4KB

      • memory/2792-54-0x00000000006D0000-0x00000000006D2000-memory.dmp

        Filesize

        8KB

      • memory/2792-36-0x0000000010000000-0x00000000102C3000-memory.dmp

        Filesize

        2.8MB