Analysis

  • max time kernel
    150s
  • max time network
    164s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
  • submitted
    25/08/2024, 10:57

General

  • Target

    singna1 Setup.msi

  • Size

    116.9MB

  • MD5

    9edc888dc7c2c4f6ff40d0e8172bf88e

  • SHA1

    c60cefc3d1fbcbfe6907493e0f086e646e0090b5

  • SHA256

    12ec13d772e8db3a31c362bd1f076c4c2ed1bf92c81c1d383b4e35f4792360bf

  • SHA512

    a70e0fa4bb2f4d1b1ff2ee8cc6e095d5aeceee4d690eacb64878ef5921796efa0b7430d226ebfc962c98d0d79a11ec689852ff2dcb9d1b04fc2401fe5f58bb02

  • SSDEEP

    3145728:sAyaTc1yTiurTro0ep+mOgm6R9pbo8anCqx1:lac+uPNep+9gm6R9pbo7/x1

Malware Config

Signatures

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 3 IoCs
  • Drops file in Windows directory 11 IoCs
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 16 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

    Attempts to gather information about the system language of the victim host in order to infer its geographical location.

  • Modifies data under HKEY_USERS 46 IoCs
  • Modifies registry class 23 IoCs
  • Suspicious behavior: EnumeratesProcesses 54 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 26 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Windows\system32\msiexec.exe
    msiexec.exe /I "C:\Users\Admin\AppData\Local\Temp\singna1 Setup.msi"
    1⤵
    • Enumerates connected drives
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:2896
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Enumerates connected drives
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Modifies data under HKEY_USERS
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2204
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding C147969FA8852474FCF1854D5E3EDCD0 C
      2⤵
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      PID:2972
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding AD4EE90EDEB729F7275C18E93381DC5E
      2⤵
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:3056
      • C:\Program Files (x86)\singnal Setup\singnal Setup\1.exe
        "C:\Program Files (x86)\singnal Setup\singnal Setup\1.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        PID:1960
      • C:\Windows\SysWOW64\reg.exe
        "C:\Windows\System32\reg.exe" add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v GoogleUpdata_Service /d "C:\programdata\Mylnk\dick.lnk" /f
        3⤵
        • Adds Run key to start application
        • System Location Discovery: System Language Discovery
        PID:1976
      • C:\Users\Public\Videos\bin.exe
        C:\Users\Public\Videos\bin.exe
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        PID:860
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
      PID:2728
    • C:\Windows\system32\DrvInst.exe
      DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000005E0" "00000000000004D0"
      1⤵
      • Drops file in Windows directory
      • Modifies data under HKEY_USERS
      PID:1192
    • C:\hanqgd\Agghosts.exe
      "C:\hanqgd\Agghosts.exe" 67
      1⤵
      • Enumerates connected drives
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      PID:1872

Network

MITRE ATT&CK Enterprise v15

Downloads

    • C:\Config.Msi\f783bab.rbs

      Filesize

      7KB

      MD5

      c4e3a80b1672ac57000af9ef8be0867a

      SHA1

      37ec2ce03d36e23ffdd135073e25223aa0b0131d

      SHA256

      17e82726bfef6e3a2529647adf2094ce2ccaf1f83107310d6bc2e65df94552cf

      SHA512

      1115514f90a70fcf896ac15b951ec4672cc5b2298f5590caf6b1719db0ff0c16ebb715dd01600e9d4ccfbe47cefa7225bd753e60476ceaddb4005ba281673113

    • C:\Program Files (x86)\singnal Setup\singnal Setup\Ensup.log

      Filesize

      4.9MB

      MD5

      afe79f54c977f579adc9f79189b5af18

      SHA1

      8eb9732d6e5fa77360f3ebf9a968aef274d79bf7

      SHA256

      192a09caaf9cb8e7c2fc8210b4da61f8362dd6b2fba13d2f3db5a9163ae8a7dc

      SHA512

      85666f46b53ab4194fc1274ff0472e68144767379762ab7ec760b0ec30b87ad88521de9772c558c115df0da46cec47b5f052648c26f865fb7b149b782a393963

    • C:\Program Files (x86)\singnal Setup\singnal Setup\ccc.dll

      Filesize

      1.8MB

      MD5

      2ca7451a052dc5486d357f272f53b37c

      SHA1

      aa0690c0fbd9f987004ec3966a073db993cd6704

      SHA256

      cfa90d91780cceb87de4b2c138bb3f27b39975ab93385ae439ec5bb4c161b185

      SHA512

      422ecb1b621e621adf8a4bdef96bafdeefb94a46cb120a2af018259dfbd981684e1d02909aa242b897a47a7411d73df68bc1391b0de39d66a5741b616d93ab7c

    • C:\Users\Admin\AppData\Local\Temp\MSIC18B.tmp

      Filesize

      550KB

      MD5

      bda991d64e27606ac1d3abb659a0b33b

      SHA1

      a87ee1430f86effa5488ae654704c40aca3424c6

      SHA256

      ffea8222126b77f8da93e27edbadeb8b97fb023ef0d6a51522c35688f66283ca

      SHA512

      94fe1eadd4b4325fc1a8c769180c6ecf92e2dbf9f8262d6746fada603929977f3d40100ba84cffb4074c6900a2b2d307355e6a5116e6f16d9d3173fa17ad461f

    • C:\hanqgd\1.lnk

      Filesize

      1KB

      MD5

      4714b8fd760072cb8ba2c795bcd54b99

      SHA1

      385a49127225a0e826b8e5ca1a9fc11565911c6e

      SHA256

      6b1433f1569e524a37b029b2e77c824c988c645a18074e865c5b6881ece6fdca

      SHA512

      9e6bac25de1cb751ac17fd7f1a9f074ded0427c7d23a945f655b2f0a7f8be81b296662b57f4a90bcce7b86a53c7c48ace9213d16f5ccc16c5fb92518ea4dae20

    • C:\hanqgd\Ensup.log

      Filesize

      218KB

      MD5

      6ec2872e2563c09e8425b2d0887ec806

      SHA1

      81777bf63738f790d085648f3410c0e3c0e21988

      SHA256

      faceea96b369b2d302e6523614df2b6f68456b60b1aa72e2a230d65ab8289cc8

      SHA512

      5c6929022ebe56c7ac3256b9b8e3abfd3cae4b8058a74f3d7dd72cc2b195f86176dbf71e95a3eeffeabf80d603bb5530ba9cd79e6d21c5941d65682b16f46362

    • \Users\Admin\AppData\Local\Temp\nsu588D.tmp\System.dll

      Filesize

      12KB

      MD5

      0d7ad4f45dc6f5aa87f606d0331c6901

      SHA1

      48df0911f0484cbe2a8cdd5362140b63c41ee457

      SHA256

      3eb38ae99653a7dbc724132ee240f6e5c4af4bfe7c01d31d23faf373f9f2eaca

      SHA512

      c07de7308cb54205e8bd703001a7fe4fd7796c9ac1b4bb330c77c872bf712b093645f40b80ce7127531fe6746a5b66e18ea073ab6a644934abed9bb64126fea9

    • \hanqgd\Agghosts.exe

      Filesize

      111KB

      MD5

      a9b40e0b76aa5a292cb6052c6c2fd81d

      SHA1

      e15bba9e662ef45350720218617d563620c76823

      SHA256

      f5017d72f3b829a55971f877ebaa257f5e9791ae253ae23111cc45628477c36c

      SHA512

      ad49410a233614128a103ae55155665f563b67daa7411c42bf314a6a6d1c2cb61e4428d9049d0d3209d44a1b5eef1cab00541b6bb41dcf575ff9e7e406a2f23f

    • \hanqgd\vcruntime140.dll

      Filesize

      77KB

      MD5

      f107a3c7371c4543bd3908ba729dd2db

      SHA1

      af8e7e8f446de74db2f31d532e46eab8bbf41e0a

      SHA256

      00df0901c101254525a219d93ff1830da3a20d3f14bc323354d8d5fee5854ec0

      SHA512

      fd776f8ceaac498f4f44819794c0fa89224712a8c476819ffc76ba4c7ff4caa9b360b9d299d9df7965387e5bbcb330f316f53759b5146a73b27a5f2e964c3530

    • memory/1872-73-0x0000000010000000-0x0000000010022000-memory.dmp

      Filesize

      136KB

    • memory/1872-117-0x00000000009F0000-0x0000000000A28000-memory.dmp

      Filesize

      224KB

    • memory/1872-118-0x00000000009F0000-0x0000000000A28000-memory.dmp

      Filesize

      224KB

    • memory/1872-119-0x00000000009F0000-0x0000000000A28000-memory.dmp

      Filesize

      224KB

    • memory/1872-120-0x00000000009F0000-0x0000000000A28000-memory.dmp

      Filesize

      224KB

    • memory/3056-66-0x0000000000890000-0x0000000000892000-memory.dmp

      Filesize

      8KB

    • memory/3056-43-0x0000000010000000-0x00000000102A5000-memory.dmp

      Filesize

      2.6MB