Analysis

  • max time kernel
    150s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    21/09/2024, 19:10

General

  • Target

    VLC2.7.msi

  • Size

    14.0MB

  • MD5

    a1c5d32005ee62baa30dc993394aa17c

  • SHA1

    360dd1889252cc5c06386706f5d9f8f326f218db

  • SHA256

    49d8edfd8a93ede3e3087771d69b7e6be33f53dfb92ee1da9d82c09f2e0d3188

  • SHA512

    3ae8fcf6120e9c2a518b109c64996cea7d5b8f28df1e00c6e18a74b199d4f80d44e2c647fddb22b6b5ab3e24a495366be21d1a140521c00db35dd9e3480c4124

  • SSDEEP

    393216:sGS3skS0F5Ky7pfJY/+LXwwhCtZRZ5bz/ueWBem1f4V:sG8S0F5N7pfJu2XwwhYZRDbz/uFdp4V

Malware Config

Signatures

  • Detect PurpleFox Rootkit 3 IoCs

    Detect PurpleFox Rootkit.

  • Gh0st RAT payload 3 IoCs
  • Gh0strat

    Gh0st RAT is a remote access tool (RAT) whose source code is public; it has been used by multiple Chinese groups.

  • PurpleFox

    PurpleFox is an exploit kit, first seen in 2018, that is used to distribute other malware families.

  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 14 IoCs
  • Drops file in Windows directory 8 IoCs
  • Executes dropped EXE 7 IoCs
  • Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempts to gather information about the system language of the victim host in order to infer its geographical location.

  • Checks SCSI registry key(s) 3 TTPs 5 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies data under HKEY_USERS 10 IoCs
  • Modifies registry class 22 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Windows\system32\msiexec.exe
    msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\VLC2.7.msi
    1⤵
    • Enumerates connected drives
    • Event Triggered Execution: Installer Packages
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:3764
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Enumerates connected drives
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Modifies data under HKEY_USERS
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2508
    • C:\Windows\system32\srtasks.exe
      C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:3388
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding 6A8996DC1238417FF778488E53871609 E Global\MSI0000
      2⤵
      • System Location Discovery: System Language Discovery
      • Modifies data under HKEY_USERS
      • Suspicious use of WriteProcessMemory
      PID:4244
      • C:\Program Files\UpgradeWholesalerAgile\UdgXmVwhvaeF.exe
        "C:\Program Files\UpgradeWholesalerAgile\UdgXmVwhvaeF.exe" x "C:\Program Files\UpgradeWholesalerAgile\zJVekxzWHGhLKpsaTVoA" -o"C:\Program Files\UpgradeWholesalerAgile\" -pDUaIQBEnpsKpUhGkYwoZ -y
        3⤵
        • Drops file in Program Files directory
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:3632
      • C:\Program Files\UpgradeWholesalerAgile\nSBnCTQPhM12.exe
        "C:\Program Files\UpgradeWholesalerAgile\nSBnCTQPhM12.exe" -number 218 -file file3 -mode mode3 -flag flag3
        3⤵
        • Drops file in Program Files directory
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        PID:3020
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Checks SCSI registry key(s)
    • Suspicious use of AdjustPrivilegeToken
    PID:2608
  • C:\Program Files\UpgradeWholesalerAgile\QCIFTyMgyyFp.exe
    "C:\Program Files\UpgradeWholesalerAgile\QCIFTyMgyyFp.exe" install
    1⤵
    • Drops file in Program Files directory
    • Executes dropped EXE
    PID:3724
  • C:\Program Files\UpgradeWholesalerAgile\QCIFTyMgyyFp.exe
    "C:\Program Files\UpgradeWholesalerAgile\QCIFTyMgyyFp.exe" start
    1⤵
    • Drops file in Program Files directory
    • Executes dropped EXE
    PID:532
  • C:\Program Files\UpgradeWholesalerAgile\QCIFTyMgyyFp.exe
    "C:\Program Files\UpgradeWholesalerAgile\QCIFTyMgyyFp.exe"
    1⤵
    • Drops file in Program Files directory
    • Executes dropped EXE
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:3112
    • C:\Program Files\UpgradeWholesalerAgile\nSBnCTQPhM12.exe
      "C:\Program Files\UpgradeWholesalerAgile\nSBnCTQPhM12.exe" -number 116 -file file3 -mode mode3 -flag flag3
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:4708
      • C:\Program Files\UpgradeWholesalerAgile\nSBnCTQPhM12.exe
        "C:\Program Files\UpgradeWholesalerAgile\nSBnCTQPhM12.exe" -number 362 -file file3 -mode mode3 -flag flag3
        3⤵
        • Enumerates connected drives
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Checks processor information in registry
        • Suspicious behavior: EnumeratesProcesses
        PID:4560
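The tree above is a single chain: the MSI custom-action host (the `-Embedding` MsiExec.exe) runs a binary the package just wrote to Program Files, that binary unpacks a password-protected archive into the same directory, a dropped executable is then run with `install` and `start` verbs, and the payload re-launches its own image with changing `-number` arguments. The rules below express those four steps over process-creation events. This is an added example, not part of the tria.ge report or the sample: the events are constructed from the PIDs and command lines shown in the tree (a ppid of 0 means the report does not show the parent), the rule names are mine, and two readings are assumptions rather than report findings: the `x <archive> -o<dir> -p<pwd> -y` syntax is read as 7-Zip's extract command, and the `install`/`start` verbs together with the `.xml` and `.wrapper.log` sidecars listed under Downloads are read as a .NET service wrapper (the CLR UsageLogs entry shows the binary is .NET; the report does not name the wrapper).

```python
"""Detection rules for the installer chain in the process tree above.

Added example, not part of the tria.ge report. EVENTS is constructed from the
command lines and PIDs shown in the tree, in a minimal Sysmon Event ID 1 shape
(pid, ppid, image, command line); ppid 0 means the parent is not shown.
"""
from dataclasses import dataclass


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


PF = r"C:\Program Files\UpgradeWholesalerAgile"

# Constructed from the report's process tree.
EVENTS = [
    ProcEvent(3764, 0, r"C:\Windows\system32\msiexec.exe",
              r"msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\VLC2.7.msi"),
    ProcEvent(2508, 0, r"C:\Windows\system32\msiexec.exe", r"C:\Windows\system32\msiexec.exe /V"),
    ProcEvent(3388, 2508, r"C:\Windows\system32\srtasks.exe",
              r"C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2"),
    ProcEvent(4244, 2508, r"C:\Windows\syswow64\MsiExec.exe",
              r"C:\Windows\syswow64\MsiExec.exe -Embedding 6A8996DC1238417FF778488E53871609 E Global\MSI0000"),
    ProcEvent(3632, 4244, PF + r"\UdgXmVwhvaeF.exe",
              f'"{PF}\\UdgXmVwhvaeF.exe" x "{PF}\\zJVekxzWHGhLKpsaTVoA" -o"{PF}\\" -pDUaIQBEnpsKpUhGkYwoZ -y'),
    ProcEvent(3020, 4244, PF + r"\nSBnCTQPhM12.exe",
              f'"{PF}\\nSBnCTQPhM12.exe" -number 218 -file file3 -mode mode3 -flag flag3'),
    ProcEvent(2608, 0, r"C:\Windows\system32\vssvc.exe", r"C:\Windows\system32\vssvc.exe"),
    ProcEvent(3724, 0, PF + r"\QCIFTyMgyyFp.exe", f'"{PF}\\QCIFTyMgyyFp.exe" install'),
    ProcEvent(532, 0, PF + r"\QCIFTyMgyyFp.exe", f'"{PF}\\QCIFTyMgyyFp.exe" start'),
    ProcEvent(3112, 0, PF + r"\QCIFTyMgyyFp.exe", f'"{PF}\\QCIFTyMgyyFp.exe"'),
    ProcEvent(4708, 3112, PF + r"\nSBnCTQPhM12.exe",
              f'"{PF}\\nSBnCTQPhM12.exe" -number 116 -file file3 -mode mode3 -flag flag3'),
    ProcEvent(4560, 4708, PF + r"\nSBnCTQPhM12.exe",
              f'"{PF}\\nSBnCTQPhM12.exe" -number 362 -file file3 -mode mode3 -flag flag3'),
]


def split_cmdline(cmd: str) -> list[str]:
    """Windows-style argument split: whitespace separates arguments except inside
    double quotes, and the quotes themselves are dropped. Simplified relative to
    CommandLineToArgvW (no backslash-escaped quotes), which is enough for these lines."""
    args, cur, in_quote = [], [], False
    for ch in cmd:
        if ch == '"':
            in_quote = not in_quote
        elif ch.isspace() and not in_quote:
            if cur:
                args.append("".join(cur))
                cur = []
        else:
            cur.append(ch)
    if cur:
        args.append("".join(cur))
    return args


def detect(events: list[ProcEvent]) -> list[tuple[str, int, str]]:
    """Return (rule, pid, detail) findings for the four stages of the chain."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        args = split_cmdline(e.cmdline)
        parent = by_pid.get(e.ppid)
        img = e.image.lower()
        in_pf = img.startswith(("c:\\program files\\", "c:\\program files (x86)\\"))
        # R1: an msiexec custom-action host launching a binary under Program Files,
        # i.e. something the package itself just wrote there ("Executes dropped EXE").
        if parent and parent.image.lower().endswith("\\msiexec.exe") and in_pf:
            findings.append(("msiexec_spawns_dropped_exe", e.pid, e.image))
        # R2 (assumption: 7-Zip syntax): <tool> x <archive> -o<dir> -p<password> -y
        if len(args) >= 3 and args[1] in ("x", "e"):
            pwds = [a[2:] for a in args[2:] if a.startswith("-p")]
            if pwds:
                findings.append(("password_archive_extract", e.pid,
                                 f"archive={args[2]} password={pwds[0]}"))
        # R3 (assumption: service-wrapper verbs) run from Program Files: install, then start.
        if in_pf and len(args) == 2 and args[1].lower() in ("install", "start", "uninstall"):
            findings.append(("service_wrapper_verb", e.pid, args[1].lower()))
        # R4: a process re-launching its own image with different arguments (staging chain).
        if parent and parent.image.lower() == img and parent.cmdline != e.cmdline:
            findings.append(("self_spawn_variant", e.pid, f"parent={parent.pid}"))
    return findings


if __name__ == "__main__":
    for rule, pid, detail in detect(EVENTS):
        print(f"{rule:28} pid={pid:<5} {detail}")
```

R2 also recovers the archive password from the command line, which is what you need to open `zJVekxzWHGhLKpsaTVoA` from the Downloads list for static analysis; note that the inline password is a stronger signal than the extraction itself, since legitimate installers rarely unpack encrypted archives.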

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Config.Msi\e57ed9d.rbs

    Filesize

    7KB

    MD5

    e3961504893d64db7c0699c4514d4fea

    SHA1

    83855610f01d35fe00f651ae4634eed7389e86f2

    SHA256

    f5fbc44b203abd1bdaa0a34337a512c405a96392caf65321793e66ce41e4a617

    SHA512

    7072a519ce53da291a288ba2c9945461af8b48f3ac62b12f8ee510e6e6e494b9e82a05bcf5be484e9420e6481087a6325491c90a87c654750e303471cb490822

  • C:\Program Files\UpgradeWholesalerAgile\QCIFTyMgyyFp.exe

    Filesize

    832KB

    MD5

    d305d506c0095df8af223ac7d91ca327

    SHA1

    679cb4c763c84e75ccb0fa3475bd6b7a36e81c4a

    SHA256

    923111c7142b3dc783a3c722b19b8a21bcb78222d7a136ac33f0ca8a29f4cb66

    SHA512

    94d369a4db88bff9556a1d7a7fb0188ed935c3592bae09335542c5502ec878e839177be63ac3ab4af75d4dc38a3a4f5d0fd423115ac72cf5dd710c59604db796

  • C:\Program Files\UpgradeWholesalerAgile\QCIFTyMgyyFp.wrapper.log

    Filesize

    268B

    MD5

    95da6fe2e4d2d29187afbdffcb5b07de

    SHA1

    ba574433c207ad0587349605314c246fd5bf84a3

    SHA256

    8cf8ac72f0fef95529764d6d8d892842cd56f53b8c842066d6989679eec99237

    SHA512

    1f66b3bfdce7b72bbb6e4b0cf831308fe8c9eda8aee4742d6a87c16cc4fdf0bdc4ee962ace8552208279a483bce5f12871b4806c93afe9d8932b0d1a21f4bcff

  • C:\Program Files\UpgradeWholesalerAgile\QCIFTyMgyyFp.wrapper.log

    Filesize

    489B

    MD5

    0df63241cb6b00cf465c7a99dc6c45cc

    SHA1

    bdfda69cf8564f471447ec9d2adeedb0882dc34e

    SHA256

    d35c9d605941cacfb76d7f9840bf069de0755f87045b39c3657331a71ba8535b

    SHA512

    668feec5985fe5b268ba32d767b1145e5c43070b78ae1fdf3d4f3199c410afa95bd44ccaf051708a8be900669c75c09be07b305ab58dc69ef508e8985e288e16

  • C:\Program Files\UpgradeWholesalerAgile\QCIFTyMgyyFp.wrapper.log

    Filesize

    592B

    MD5

    4cfdfa23e02c667871d121cdb68246ed

    SHA1

    f7730ef22ba9a854943ca6f9f4f27391246fbdf5

    SHA256

    7c81981dc101ee1e0e7bc5f4969ac3216450a4dedef8ab40e0031c2b7093660b

    SHA512

    69dbb9f5207249e8bd3685e5bd3e6ad4881599ccd81617e243392dccb3154630e56373974ebb9e655982899c96c20baac088d367e19244f9145b9bdd761c0a6b

  • C:\Program Files\UpgradeWholesalerAgile\QCIFTyMgyyFp.xml

    Filesize

    442B

    MD5

    1edb29deabaa1f8e1d1ab7d0a0da78df

    SHA1

    12b85e64c54c2085b4f9ef259dce35e770da6b88

    SHA256

    3995b47de316c8a5ac98048470ffef3d97fe7b601dc0f099391cd716642212c7

    SHA512

    cc58406cbedef85d35fe7bbb34a4108e3c1bfeb1707302a16dcb76853ee78416abe91edd751a63e096cfcd445d0721e3b76e16316e8dc48d40d60188d63aa0bf

  • C:\Program Files\UpgradeWholesalerAgile\UdgXmVwhvaeF.exe

    Filesize

    574KB

    MD5

    42badc1d2f03a8b1e4875740d3d49336

    SHA1

    cee178da1fb05f99af7a3547093122893bd1eb46

    SHA256

    c136b1467d669a725478a6110ebaaab3cb88a3d389dfa688e06173c066b76fcf

    SHA512

    6bc519a7368ee6bd8c8f69f2d634dd18799b4ca31fbc284d2580ba625f3a88b6a52d2bc17bea0e75e63ca11c10356c47ee00c2c500294abcb5141424fc5dc71c

  • C:\Program Files\UpgradeWholesalerAgile\nSBnCTQPhM12.exe

    Filesize

    2.9MB

    MD5

    a39b845fda1e4459eed816fd8f300935

    SHA1

    6eb0bb58fabdf307f4fda5a2eb408226cdb2ac35

    SHA256

    7beb9eb8189d6f97bc9def1190b4e00d3a8bca6af9378a383683baa002cda3f9

    SHA512

    d1f0fdea0738a658c5d7977be76a96ff09d922f0c2ca884ca39e50618de42e9acee0d944e97fcd306fb8d5eda17b05dec286a2c2306f4782541f90c16931ab71

  • C:\Program Files\UpgradeWholesalerAgile\zJVekxzWHGhLKpsaTVoA

    Filesize

    1.7MB

    MD5

    9c911a773c1629487f12783080c37b0c

    SHA1

    d0c3db8b3c354f96bd0cff829dbd561b81676f19

    SHA256

    6a6a941a94077fc7d43076e4d231341b6641a455681f80d65efd480de4733b3c

    SHA512

    51c669086de0492442ae030315fd9adeee1208c79b605b34d46d20758aeeac569f8d5d16b110a7164490ff9a255bb1af207c931ed45be2409aaee6a29e04a421

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\QCIFTyMgyyFp.exe.log

    Filesize

    1KB

    MD5

    122cf3c4f3452a55a92edee78316e071

    SHA1

    f2caa36d483076c92d17224cf92e260516b3cbbf

    SHA256

    42f5774d1ee4cae5d7a4e83970da42bb17e61ae93c312247211b5ee3535662e0

    SHA512

    c98666fb86aaff6471c0a96f12f037b9a607579c5891c9d7ba8cd4e90506ca7aa5b5f6264081d25f703c88fb69d8e2cd87809d508e771770550d0c5d4d17d91c

  • C:\Windows\Installer\e57ed9c.msi

    Filesize

    14.0MB

    MD5

    a1c5d32005ee62baa30dc993394aa17c

    SHA1

    360dd1889252cc5c06386706f5d9f8f326f218db

    SHA256

    49d8edfd8a93ede3e3087771d69b7e6be33f53dfb92ee1da9d82c09f2e0d3188

    SHA512

    3ae8fcf6120e9c2a518b109c64996cea7d5b8f28df1e00c6e18a74b199d4f80d44e2c647fddb22b6b5ab3e24a495366be21d1a140521c00db35dd9e3480c4124

  • \??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

    Filesize

    23.7MB

    MD5

    91aa3cad537c20f8c01286dec82198de

    SHA1

    81d4f4fa2a325d7b41be7634adb5f1f72e12d152

    SHA256

    2bce9c16d5fb4b23f8db8a87b2e52c384fd61f6cdcf23a161b52af8b3e29a4e1

    SHA512

    62a1ec38684462cb1acc3adcd8a71136979adc26c77a823681b4143f457ab5b152df5cf84a84a3c32312ce00660c8165663a987e8ade9097cf668f9d2107b2c8

  • \??\Volume{f1c9ec80-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{0db3e223-962f-4f40-a2a7-013299d08498}_OnDiskSnapshotProp

    Filesize

    6KB

    MD5

    7f332317a74435959554be2adae444a0

    SHA1

    c036f32d4393377f8a4ae8900e9e99db3b274b0d

    SHA256

    3fc4d36e936856d8193013b0ad7aba6d691080d07304b7f220317b27aaf4c27c

    SHA512

    e460fe56ec40a1135af1bd6d6cc5f054677951c9f7bebbb762541f67eeffdbea9d28dbe0b9be2def5220809c0e3af2cf04d912933b8709eb25866c827c1ee652

  • memory/3724-39-0x0000000000AE0000-0x0000000000BB6000-memory.dmp

    Filesize

    856KB

  • memory/4560-65-0x000000002A830000-0x000000002A873000-memory.dmp

    Filesize

    268KB

  • memory/4560-66-0x000000002C450000-0x000000002C60B000-memory.dmp

    Filesize

    1.7MB

  • memory/4560-68-0x000000002C450000-0x000000002C60B000-memory.dmp

    Filesize

    1.7MB

  • memory/4560-69-0x000000002C450000-0x000000002C60B000-memory.dmp

    Filesize

    1.7MB
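Not every entry in this list is an indicator. The `memory/...` entries are sandbox memory-region dumps, the `System Volume Information` paths under `\??\GLOBALROOT\...` and `\??\Volume{...}` are written by the restore point that srtasks.exe and vssvc.exe created, and `C:\Config.Msi\*.rbs` and `C:\Windows\Installer\*.msi` are Windows Installer's own rollback script and package cache (the cached MSI has exactly the submitted sample's hashes, which makes it a recovery source when the original in `%TEMP%` is gone). The parser below, an added example and not part of the tria.ge report, reads this flattened bullet/label/value layout, validates each hash for length and hex (a cheap check for extraction damage), classifies the paths along those lines and returns only the dropped files' SHA256s as a blocklist. The sample text is constructed from entries on this page; SHA512 lines parse the same way and were left out for brevity.

```python
"""Parser and triage filter for the "Downloads" (dropped files) list above.

Added example, not part of the tria.ge report. SAMPLE is constructed from
entries on this page in the flattened label/value layout shown; blank lines
between labels and values in the real report are ignored by the parser.
"""
import re
from dataclasses import dataclass, field

HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}

SAMPLE = r"""
  • C:\Config.Msi\e57ed9d.rbs
    Filesize
    7KB
    MD5
    e3961504893d64db7c0699c4514d4fea
    SHA1
    83855610f01d35fe00f651ae4634eed7389e86f2
    SHA256
    f5fbc44b203abd1bdaa0a34337a512c405a96392caf65321793e66ce41e4a617
  • C:\Program Files\UpgradeWholesalerAgile\QCIFTyMgyyFp.exe
    Filesize
    832KB
    MD5
    d305d506c0095df8af223ac7d91ca327
    SHA1
    679cb4c763c84e75ccb0fa3475bd6b7a36e81c4a
    SHA256
    923111c7142b3dc783a3c722b19b8a21bcb78222d7a136ac33f0ca8a29f4cb66
  • C:\Windows\Installer\e57ed9c.msi
    Filesize
    14.0MB
    MD5
    a1c5d32005ee62baa30dc993394aa17c
    SHA1
    360dd1889252cc5c06386706f5d9f8f326f218db
    SHA256
    49d8edfd8a93ede3e3087771d69b7e6be33f53dfb92ee1da9d82c09f2e0d3188
  • \??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2
    Filesize
    23.7MB
    SHA256
    2bce9c16d5fb4b23f8db8a87b2e52c384fd61f6cdcf23a161b52af8b3e29a4e1
  • memory/3724-39-0x0000000000AE0000-0x0000000000BB6000-memory.dmp
    Filesize
    856KB
"""


@dataclass
class Artifact:
    path: str
    size: str = ""
    hashes: dict = field(default_factory=dict)

    @property
    def kind(self) -> str:
        p = self.path.lower()
        if p.startswith("memory/"):
            return "memory"            # sandbox memory-region dump, not a file on disk
        if "system volume information" in p or "harddiskvolumeshadowcopy" in p:
            return "vss"               # written by the restore point srtasks/vssvc created
        if p.startswith("c:\\windows\\installer\\") or p.startswith("c:\\config.msi\\"):
            return "installer_cache"   # Windows Installer's package cache / rollback script
        return "dropped"               # written by the package itself


def parse_downloads(text: str) -> list[Artifact]:
    """Parse the bullet/label/value layout; raise on a hash of the wrong length or alphabet."""
    items: list[Artifact] = []
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    i = 0
    while i < len(lines):
        ln = lines[i]
        if ln.startswith("•"):
            items.append(Artifact(path=ln[1:].strip()))
        elif ln == "Filesize" and items:
            items[-1].size = lines[i + 1]
            i += 1
        elif ln in HASH_LEN and items:
            value = lines[i + 1].lower()
            if not re.fullmatch(r"[0-9a-f]{%d}" % HASH_LEN[ln], value):
                raise ValueError(f"{items[-1].path}: malformed {ln} {value!r}")
            items[-1].hashes[ln] = value
            i += 1
        i += 1
    return items


def blocklist(items: list[Artifact]) -> set[str]:
    """SHA256s of files the package dropped; VSS, memory and installer-cache entries
    are excluded because they are not attacker-authored files (false positives)."""
    return {a.hashes["SHA256"] for a in items if a.kind == "dropped" and "SHA256" in a.hashes}


def find_copies(items: list[Artifact], sha256: str) -> list[str]:
    """Paths whose SHA256 equals a given value, e.g. the submitted sample's, to locate
    the Windows Installer cache copy of the package."""
    return [a.path for a in items if a.hashes.get("SHA256") == sha256.lower()]


if __name__ == "__main__":
    arts = parse_downloads(SAMPLE)
    for a in arts:
        print(f"{a.kind:16} {a.size:>7}  {a.path}")
    print("blocklist:", sorted(blocklist(arts)))
    print("sample copies:", find_copies(arts, "49d8edfd8a93ede3e3087771d69b7e6be33f53dfb92ee1da9d82c09f2e0d3188"))
```

The `.wrapper.log` and `.xml` entries on the page would also classify as `dropped`; the log files' hashes vary per host (three different hashes for the same log path appear above), so only the executables and the archive are stable indicators.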