Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

8

Static

static

1

Retrac.Lau...US.msi

windows7-x64

6

Retrac.Lau...US.msi

windows10-2004-x64

8

Analysis

  • max time kernel
    29s
  • max time network
    17s
  • platform
    windows7_x64
  • resource
    win7-20240729-en
  • resource tags

    arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
  • submitted
    23/08/2024, 18:51

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Retrac.Launcher_1.0.11_x64_en-US.msi

  • Size

    6.5MB

  • MD5

    4eb0f591d4635eef867eba6b30519482

  • SHA1

    ffbdf0b4e300686d4c637ec9ae1e93f5fe31d1e1

  • SHA256

    d1861ff47ec977e9ce72cbeab98d2838f5981adb6ee8800ef41c59ab2bcda26b

  • SHA512

    4f9d7827508e8491af2df7e3adcc9da47871546284381e9873283c00a81a98a0aa4cc60cfc3a2e61247ec13f1de08c72818096b56613be569b83fb1e6d56b4ee

  • SSDEEP

    196608:Ky/Pz3ZHXtF+An59GSwXYUNtJo47IE4xLwe:KAbJtlu71jJo/Lwe

Score
6/10
discoverypersistenceprivilege_escalation

Malware Config

Signatures

  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Windows directory 4 IoCs
  • Loads dropped DLL 1 IoCs
  • Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs
    persistenceprivilege_escalation
  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies data under HKEY_USERS 43 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Windows\system32\msiexec.exe
    msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\Retrac.Launcher_1.0.11_x64_en-US.msi
    1⤵
    • Enumerates connected drives
    • Event Triggered Execution: Installer Packages
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:2416
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Enumerates connected drives
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:264
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding 7D2046B2A547DC17BA49D98C039927DC C
      2⤵
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      PID:1648
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
      PID:2764
    • C:\Windows\system32\DrvInst.exe
      DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "0000000000000534" "000000000000053C"
      1⤵
      • Drops file in Windows directory
      • Modifies data under HKEY_USERS
      PID:2556

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • \Users\Admin\AppData\Local\Temp\MSI675B.tmp
      Filesize

      113KB

      MD5

      4fdd16752561cf585fed1506914d73e0

      SHA1

      f00023b9ae3c8ce5b7bb92f25011eaebe6f9d424

      SHA256

      aecd2d2fe766f6d439acc2bbf1346930ecc535012cf5ad7b3273d2875237b7e7

      SHA512

      3695e7eb1e35ec959243a91ab5b4454eb59aeef0f2699aa5de8e03de8fbb89f756a89130526da5c08815408cb700284a17936522ad2cad594c3e6e9d18a3f600

      Download Submit