Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    144s
  • max time network
    124s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
  • submitted
    20/09/2024, 04:28

General

  • Target

    WPS Office_104693057_401535.msi

  • Size

    15.4MB

  • MD5

    ca9086b9f4e1cbfae86204a0e2cbea07

  • SHA1

    4fb147699ab8b80fc6b89d9d1473bfb60dbd2a15

  • SHA256

    21a2e0d27dfe4f70d74e0be94a1700cbc0e58c87553f1140253109ab0d9701b2

  • SHA512

    b1f89f9342df8de10eaa1134eb9982942cee26abebf280b80a79b37f26e1f2b55de999d36249a731385c5a72bb2c3dd8b9b14f578263d3037799a1617279e984

  • SSDEEP

    393216:WAxJ3qt2MkEOEsQ+D8PjbtTBQqc4dq47aJ7IKw9M38hoTjZ5Uu0H:WU3o2NNjgrpFQq3dd7aJkvFhoTrV0H

Score
6/10

Malware Config

Signatures

  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 11 IoCs
  • Drops file in Windows directory 10 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 8 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Enumerates system info in registry 2 TTPs 1 IoCs
  • Modifies data under HKEY_USERS 64 IoCs
  • Modifies registry class 22 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 7 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Windows\system32\msiexec.exe
    msiexec.exe /I "C:\Users\Admin\AppData\Local\Temp\WPS Office_104693057_401535.msi"
    1⤵
    • Enumerates connected drives
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:2084
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Enumerates connected drives
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1044
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding A5850FAD15B224595719F4638E5E176D M Global\MSI0000
      2⤵
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1476
      • C:\Program Files\ImproveScoutGenerous\hdeQkiPuSHUY.exe
        "C:\Program Files\ImproveScoutGenerous\hdeQkiPuSHUY.exe" x "C:\Program Files\ImproveScoutGenerous\CLAnZJhYUhSfSJqyvyQH" -o"C:\Program Files\ImproveScoutGenerous\" -pNOcFSwDtYEhVUsSNDuRc -y
        3⤵
        • Drops file in Program Files directory
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:556
      • C:\Program Files\ImproveScoutGenerous\bDOnhmOcYL12.exe
        "C:\Program Files\ImproveScoutGenerous\bDOnhmOcYL12.exe" -number 237 -file file3 -mode mode3 -flag flag3
        3⤵
        • Drops file in Program Files directory
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        PID:2812
      • C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
        "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde
        3⤵
        • System Location Discovery: System Language Discovery
        • Enumerates system info in registry
        • Modifies data under HKEY_USERS
        • Suspicious behavior: AddClipboardFormatListener
        • Suspicious use of SetWindowsHookEx
        PID:2960
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2704
  • C:\Windows\system32\DrvInst.exe
    DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000003C0" "0000000000000568"
    1⤵
    • Drops file in Windows directory
    • Modifies data under HKEY_USERS
    • Suspicious use of AdjustPrivilegeToken
    PID:2612

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Config.Msi\f771dfe.rbs

    Filesize

    7KB

    MD5

    384832ab818d9c474eab79afaa4353e0

    SHA1

    00258b431aaf7e6cca3b4a4c7ddc3482811abf68

    SHA256

    963a6cf59b3d8d3db09c73dd4ed181cb8f24dc9bfc6374f8235861b0d69013a6

    SHA512

    d2427316ef54a2e6102397c2bea7cf91760fbf52f3f05255eef95784904e5ae524edc275f32666885e2d89e3a11a05ecfb163c8b21f09da106e89a0fc13b5b12

  • C:\Program Files\ImproveScoutGenerous\CLAnZJhYUhSfSJqyvyQH

    Filesize

    1.7MB

    MD5

    b52875621f2ed8ba730e1baa322994ac

    SHA1

    2ddb59cc65ee3297eb0a959f868633c36d8bdab6

    SHA256

    ae9b0f8b4d037535b0682905c7082607b9bd730d2ac549c1f86f36ad459e06f8

    SHA512

    2958f18969b1ce08adce13d6b0b249eacb627099387a9fe60472f8a4ef78ee37f4c17c77a2fea62f2b59a80724cd46dd6a74fd1c994eabd8a8f6f36f873c524d

  • C:\Program Files\ImproveScoutGenerous\HMeBxhzrchEW.exe

    Filesize

    832KB

    MD5

    d305d506c0095df8af223ac7d91ca327

    SHA1

    679cb4c763c84e75ccb0fa3475bd6b7a36e81c4a

    SHA256

    923111c7142b3dc783a3c722b19b8a21bcb78222d7a136ac33f0ca8a29f4cb66

    SHA512

    94d369a4db88bff9556a1d7a7fb0188ed935c3592bae09335542c5502ec878e839177be63ac3ab4af75d4dc38a3a4f5d0fd423115ac72cf5dd710c59604db796

  • C:\Program Files\ImproveScoutGenerous\bDOnhmOcYL12.exe

    Filesize

    2.8MB

    MD5

    8e355304eb0c0a6c787c158c6097d35d

    SHA1

    4978f2462040aee13f3d79e1f1dab5b4d4e8feb3

    SHA256

    ecf62496c9c74d3fddbd737964629a8cad0f42968c6f6c88652ca9f9b9bc9d3f

    SHA512

    9b3ab911e2e5002bea4877628dc4dd14e99ab8a5ece51fd76d5a65f0f39fbd7812390ebc328b857422d0bcde571385c9e6ab85d1a9214d7124e4f3d100490542

  • C:\Windows\Installer\f771dfc.msi

    Filesize

    15.4MB

    MD5

    ca9086b9f4e1cbfae86204a0e2cbea07

    SHA1

    4fb147699ab8b80fc6b89d9d1473bfb60dbd2a15

    SHA256

    21a2e0d27dfe4f70d74e0be94a1700cbc0e58c87553f1140253109ab0d9701b2

    SHA512

    b1f89f9342df8de10eaa1134eb9982942cee26abebf280b80a79b37f26e1f2b55de999d36249a731385c5a72bb2c3dd8b9b14f578263d3037799a1617279e984

  • \Program Files\ImproveScoutGenerous\hdeQkiPuSHUY.exe

    Filesize

    574KB

    MD5

    42badc1d2f03a8b1e4875740d3d49336

    SHA1

    cee178da1fb05f99af7a3547093122893bd1eb46

    SHA256

    c136b1467d669a725478a6110ebaaab3cb88a3d389dfa688e06173c066b76fcf

    SHA512

    6bc519a7368ee6bd8c8f69f2d634dd18799b4ca31fbc284d2580ba625f3a88b6a52d2bc17bea0e75e63ca11c10356c47ee00c2c500294abcb5141424fc5dc71c

  • memory/1476-12-0x0000000000260000-0x0000000000262000-memory.dmp

    Filesize

    8KB

  • memory/2812-29-0x0000000000790000-0x00000000007BA000-memory.dmp

    Filesize

    168KB

  • memory/2960-28-0x000000005FFF0000-0x0000000060000000-memory.dmp

    Filesize

    64KB