Analysis
- max time kernel: 150s
- max time network: 164s
- platform: windows7_x64
- resource: win7-20240704-en
- resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
- submitted: 25/08/2024, 10:57
Static task: static1
Behavioral task: behavioral1
- Sample: singna1 Setup.msi
- Resource: win7-20240704-en
Behavioral task: behavioral2
- Sample: singna1 Setup.msi
- Resource: win10v2004-20240802-en
General
- Target: singna1 Setup.msi
- Size: 116.9MB
- MD5: 9edc888dc7c2c4f6ff40d0e8172bf88e
- SHA1: c60cefc3d1fbcbfe6907493e0f086e646e0090b5
- SHA256: 12ec13d772e8db3a31c362bd1f076c4c2ed1bf92c81c1d383b4e35f4792360bf
- SHA512: a70e0fa4bb2f4d1b1ff2ee8cc6e095d5aeceee4d690eacb64878ef5921796efa0b7430d226ebfc962c98d0d79a11ec689852ff2dcb9d1b04fc2401fe5f58bb02
- SSDEEP: 3145728:sAyaTc1yTiurTro0ep+mOgm6R9pbo8anCqx1:lac+uPNep+9gm6R9pbo7/x1
Malware Config
Signatures
- Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str): \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\GoogleUpdata_Service = "C:\\programdata\\Mylnk\\dick.lnk" (reg.exe)
- Enumerates connected drives (3 TTPs, 64 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  File opened (read-only), grouped by process:
  msiexec.exe (45 opens): \??\A:, \??\B:, \??\E:, \??\G:, \??\H:, \??\I:, \??\J:, \??\K:, \??\L:, \??\M:, \??\N:, \??\O:, \??\P:, \??\Q:, \??\R:, \??\S:, \??\T:, \??\U:, \??\V:, \??\W:, \??\X:, \??\Y:, \??\Z: (each opened twice, \??\M: once)
  Agghosts.exe (19 opens): \??\B:, \??\E:, \??\H:, \??\I:, \??\J:, \??\K:, \??\L:, \??\M:, \??\N:, \??\O:, \??\P:, \??\Q:, \??\R:, \??\S:, \??\T:, \??\U:, \??\V:, \??\Y:, \??\Z:
- Drops file in Program Files directory (3 IoCs)
  File created (msiexec.exe): C:\Program Files (x86)\singnal Setup\singnal Setup\1.exe
  File created (msiexec.exe): C:\Program Files (x86)\singnal Setup\singnal Setup\Ensup.log
  File created (msiexec.exe): C:\Program Files (x86)\singnal Setup\singnal Setup\ccc.dll
- Drops file in Windows directory (11 IoCs)
  File opened for modification (msiexec.exe): C:\Windows\Installer\f783ba9.msi
  File opened for modification (msiexec.exe): C:\Windows\Installer\MSI3DFA.tmp
  File created (msiexec.exe): C:\Windows\Installer\f783baa.ipi
  File opened for modification (msiexec.exe): C:\Windows\Installer\
  File opened for modification (msiexec.exe): C:\Windows\Installer\MSI405B.tmp
  File opened for modification (msiexec.exe): C:\Windows\Installer\f783baa.ipi
  File opened for modification (DrvInst.exe): C:\Windows\INF\setupapi.ev1
  File created (msiexec.exe): C:\Windows\Installer\f783ba9.msi
  File created (msiexec.exe): C:\Windows\Installer\f783bac.msi
  File opened for modification (DrvInst.exe): C:\Windows\INF\setupapi.ev3
  File opened for modification (DrvInst.exe): C:\Windows\INF\setupapi.dev.log
- Executes dropped EXE (3 IoCs)
  PID 1960 1.exe, PID 1872 Agghosts.exe, PID 860 bin.exe
- Loads dropped DLL (16 IoCs)
  PID 2972 MsiExec.exe (4 loads), PID 3056 MsiExec.exe (8 loads), PID 1960 1.exe (1 load), PID 1872 Agghosts.exe (2 loads), PID 860 bin.exe (1 load)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTP, 6 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by bin.exe, MsiExec.exe (twice), 1.exe, Agghosts.exe and reg.exe
- Modifies data under HKEY_USERS (46 IoCs)
  Key created (DrvInst.exe), 42 keys: under \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\ the stores CA, Disallowed, Root, SmartCardRoot, TrustedPeople and trust, each with its Certificates, CRLs and CTLs subkeys, plus My; under \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\ the stores CA, Disallowed, TrustedPeople and trust, each with its Certificates, CRLs and CTLs subkeys; and \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing
  Key deleted (msiexec.exe): \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D
  Key deleted (msiexec.exe): \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E
  Key created (msiexec.exe): \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2E
  Set value (data) (DrvInst.exe): \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000
- Modifies registry class (23 IoCs, all by msiexec.exe)
  Set value (int): \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1A738B6FCA72CD5448F3679C96C13789\Language = "4100"
  Set value (int): \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1A738B6FCA72CD5448F3679C96C13789\Version = "16777216"
  Set value (int): \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1A738B6FCA72CD5448F3679C96C13789\AdvertiseFlags = "388"
  Set value (int): \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1A738B6FCA72CD5448F3679C96C13789\AuthorizedLUAApp = "0"
  Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1A738B6FCA72CD5448F3679C96C13789\SourceList\Media
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1A738B6FCA72CD5448F3679C96C13789\SourceList\Media\1 = ";"
  Set value (data): \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1A738B6FCA72CD5448F3679C96C13789\Clients = 3a0000000000
  Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\1A738B6FCA72CD5448F3679C96C13789
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\1A738B6FCA72CD5448F3679C96C13789\MainFeature
  Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1A738B6FCA72CD5448F3679C96C13789
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1A738B6FCA72CD5448F3679C96C13789\ProductName = "singnal Setup"
  Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1A738B6FCA72CD5448F3679C96C13789\SourceList\Net
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1A738B6FCA72CD5448F3679C96C13789\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\"
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1A738B6FCA72CD5448F3679C96C13789\PackageCode = "DC7A1798013DA6E49BF69AF7D8EEE883"
  Set value (int): \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1A738B6FCA72CD5448F3679C96C13789\InstanceType = "0"
  Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\96DAC406EDD99B04BAAACFCE7762DA59
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\96DAC406EDD99B04BAAACFCE7762DA59\1A738B6FCA72CD5448F3679C96C13789
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1A738B6FCA72CD5448F3679C96C13789\SourceList\PackageName = "singna1 Setup.msi"
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1A738B6FCA72CD5448F3679C96C13789\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\"
  Set value (int): \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1A738B6FCA72CD5448F3679C96C13789\Assignment = "1"
  Set value (int): \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1A738B6FCA72CD5448F3679C96C13789\DeploymentFlags = "3"
  Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1A738B6FCA72CD5448F3679C96C13789\SourceList
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1A738B6FCA72CD5448F3679C96C13789\SourceList\Media\DiskPrompt = "[1]"
- Suspicious behavior: EnumeratesProcesses (54 IoCs)
  PID 2204 msiexec.exe (2 events), PID 3056 MsiExec.exe (3 events), PID 1872 Agghosts.exe (49 events)
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  PID 2204 msiexec.exe: SeRestorePrivilege, SeTakeOwnershipPrivilege, SeSecurityPrivilege
  PID 2896 msiexec.exe: SeShutdownPrivilege, SeIncreaseQuotaPrivilege, then the sequence SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege, SeIncreaseQuotaPrivilege, SeMachineAccountPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeSyncAgentPrivilege, SeEnableDelegationPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege (this 29-privilege sequence is logged twice, followed by one further SeCreateTokenPrivilege)
- Suspicious use of FindShellTrayWindow (2 IoCs)
  PID 2896 msiexec.exe (2 events)
- Suspicious use of SetWindowsHookEx (2 IoCs)
  PID 3056 MsiExec.exe, PID 1872 Agghosts.exe
- Suspicious use of WriteProcessMemory (26 IoCs)
  PID 2204 msiexec.exe wrote to memory of PID 2972 (procid_target 31), 7 times
  PID 2204 msiexec.exe wrote to memory of PID 3056 (procid_target 35), 7 times
  PID 3056 MsiExec.exe wrote to memory of PID 1960 (procid_target 36), 4 times
  PID 3056 MsiExec.exe wrote to memory of PID 1976 (procid_target 38), 4 times
  PID 3056 MsiExec.exe wrote to memory of PID 860 (procid_target 40), 4 times
- Uses Volume Shadow Copy service COM API
  The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
- C:\Windows\system32\msiexec.exe (PID 2896)
  Command line: msiexec.exe /I "C:\Users\Admin\AppData\Local\Temp\singna1 Setup.msi"
  Signatures: Enumerates connected drives; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow
- C:\Windows\system32\msiexec.exe (PID 2204)
  Command line: C:\Windows\system32\msiexec.exe /V
  Signatures: Enumerates connected drives; Drops file in Program Files directory; Drops file in Windows directory; Modifies data under HKEY_USERS; Modifies registry class; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - Child: C:\Windows\syswow64\MsiExec.exe (PID 2972)
    Command line: C:\Windows\syswow64\MsiExec.exe -Embedding C147969FA8852474FCF1854D5E3EDCD0 C
    Signatures: Loads dropped DLL; System Location Discovery: System Language Discovery
  - Child: C:\Windows\syswow64\MsiExec.exe (PID 3056)
    Command line: C:\Windows\syswow64\MsiExec.exe -Embedding AD4EE90EDEB729F7275C18E93381DC5E
    Signatures: Loads dropped DLL; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
    - Child: C:\Program Files (x86)\singnal Setup\singnal Setup\1.exe (PID 1960)
      Command line: "C:\Program Files (x86)\singnal Setup\singnal Setup\1.exe"
      Signatures: Executes dropped EXE; Loads dropped DLL; System Location Discovery: System Language Discovery
    - Child: C:\Windows\SysWOW64\reg.exe (PID 1976)
      Command line: "C:\Windows\System32\reg.exe" add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v GoogleUpdata_Service /d "C:\programdata\Mylnk\dick.lnk" /f
      Signatures: Adds Run key to start application; System Location Discovery: System Language Discovery
    - Child: C:\Users\Public\Videos\bin.exe (PID 860)
      Command line: C:\Users\Public\Videos\bin.exe
      Signatures: Executes dropped EXE; Loads dropped DLL; System Location Discovery: System Language Discovery
- C:\Windows\system32\vssvc.exe (PID 2728)
  Command line: C:\Windows\system32\vssvc.exe
- C:\Windows\system32\DrvInst.exe (PID 1192)
  Command line: DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000005E0" "00000000000004D0"
  Signatures: Drops file in Windows directory; Modifies data under HKEY_USERS
- C:\hanqgd\Agghosts.exe (PID 1872)
  Command line: "C:\hanqgd\Agghosts.exe" 67
  Signatures: Enumerates connected drives; Executes dropped EXE; Loads dropped DLL; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads