Analysis

  • max time kernel
    141s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    18/10/2024, 12:34

General

  • Target

    8934b0d98f8c56d6f1dc2f1b94d0b4ecffaac5e14bd5e45c453b82a04426e041.msi

  • Size

    2.5MB

  • MD5

    144b437195e16049c93dca1738fa35fa

  • SHA1

    0f7fa6a6c85e95a1a7d5a495752635f5ca102634

  • SHA256

    8934b0d98f8c56d6f1dc2f1b94d0b4ecffaac5e14bd5e45c453b82a04426e041

  • SHA512

    58da9569a681bda05c0c1585e432ee06b2cafa88f800a70ebb32ff678d178f61c79d9bc41c787f4dbab23b206fba8d341285cf0b7f90fceec9038191c0779430

  • SSDEEP

    49152:45hFc/f9r84jEHYDgE5e7vmP5Ferq7I5RJK5k1Qkd6JSHxO:sVHYDgpCxFeVSOxO

Malware Config

Signatures

  • Blocklisted process makes network request 3 IoCs
  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Windows directory 11 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 13 IoCs
  • Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs
  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Checks SCSI registry key(s) 3 TTPs 5 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Windows\system32\msiexec.exe
    msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\8934b0d98f8c56d6f1dc2f1b94d0b4ecffaac5e14bd5e45c453b82a04426e041.msi
    1⤵
    • Blocklisted process makes network request
    • Enumerates connected drives
    • Event Triggered Execution: Installer Packages
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:3032
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Enumerates connected drives
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4356
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding 4FE9D65A9E38B28F9555E13B2BF0954C C
      2⤵
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      PID:2176
    • C:\Windows\system32\srtasks.exe
      C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
      2⤵
      PID:4060
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding 7D33B3F39650A9EEB0650A1D86F7551F
      2⤵
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      PID:5016
    • C:\Windows\Installer\MSIDA66.tmp
      "C:\Windows\Installer\MSIDA66.tmp" /DontWait "C:\Users\Admin\AppData\Roaming\op\\GUP.EXE"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:3712
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Checks SCSI registry key(s)
    PID:1736
  • C:\Users\Admin\AppData\Roaming\op\GUP.exe
    "C:\Users\Admin\AppData\Roaming\op\GUP.exe"
    1⤵
    • Executes dropped EXE
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of SetWindowsHookEx
    PID:2028
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2028 -s 376
      2⤵
      • Program crash
      PID:2104
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2028 -ip 2028
    1⤵
    PID:2392

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Config.Msi\e57d727.rbs
    Filesize: 1KB
    MD5: a44178b207dc260ceb958dda550fb7f2
    SHA1: ca9a289c0d2f4a29a6df9bf7d2a45d4e33a4d098
    SHA256: 891c81ef68299d46f772f71dab3b7490e3db54df81d991a39d8aa5eea4cb4e37
    SHA512: d7c57a9ccb6be6a958be5b0e860aad513d27cf9f849431590b0255532ca12c4768d173a709a7cf0c97bcd06e4568ed6d354ed7e4df2c6c372f4a91cbd9cfbe69

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\357F04AD41BCF5FE18FCB69F60C6680F_1F8F5C0F188BC014D5B60763F6F6FCF1
    Filesize: 1KB
    MD5: df7981274a9968d5da53315ece2e643a
    SHA1: c27f13c4db69bbae29842c70ba9d8a2d6a1c7ffb
    SHA256: fbc4005a2b0253a8e58b2b8a705b6b9db68f74e21a179820b9d2ef0882a1bf56
    SHA512: 1d5a92545aaba6e7155ac6c5dd7a3f75ce7f2e7aea45e3b6a5db609d91a9ca4ca59f9fe76205f7812a90302c4c59386577bc8a1a0151de2b0128276680c02cc1

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\9CB4373A4252DE8D2212929836304EC5_1AB74AA2E3A56E1B8AD8D3FEC287554E
    Filesize: 1KB
    MD5: 56fba59d9c1836bc558083b27840258f
    SHA1: bcb73316886479bf39f94ab2394c84484b33d81f
    SHA256: ecaaccf2b8a7eb9312ff73f15d8adffa5389c5c6e81a91b407d16ba27c468f3e
    SHA512: 0e30e83bc1cac24fd0e150fef06c43ad0b55c6875b1b2ed84595c77059cd062ff1d1cd9f9297f3240bf9fe1f2ce31c46d9b37b0dcf429641e9dddbd8fcb55d19

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\357F04AD41BCF5FE18FCB69F60C6680F_1F8F5C0F188BC014D5B60763F6F6FCF1
    Filesize: 536B
    MD5: 240188dbfe4ae3d6b0245676a4db76cb
    SHA1: d120e49613183cda0cf325fc750a3f3cad638089
    SHA256: cba81d5cf2a19dfd013ed731e7655d673ce426905d71caa36c97039f001d9e57
    SHA512: 5473ad4bbc574929d2e7beef613ecf1768ad1c5c8a029c6b65ea1c709416e1faa2a6e5eab1f8f00a4e5af1fee26f257a57c9366db4c55019606b5f0ea768a870

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\9CB4373A4252DE8D2212929836304EC5_1AB74AA2E3A56E1B8AD8D3FEC287554E
    Filesize: 536B
    MD5: fcd882d60931e22cf48b27f6f29c230f
    SHA1: a3e80f86dc11b01a7ea0f09feb2b73552eadbb15
    SHA256: 796d78fc1cc5e0db18bc7d209a3ed2cd47439f771170957f4206913d3ffd7f22
    SHA512: 6e3be6b0d4764e1eb0605210166bf5056b951c3cca4c672b7d62f30a466590a0399e9208717eeb93bdf3b73b02092dbb3237a1dcef6a997db0d8db313186b4a6

  • C:\Users\Admin\AppData\Local\Temp\MSI79635.LOG
    Filesize: 376B
    MD5: 3497fbaa936b2c866ee9f90ccbbcddac
    SHA1: 2bbb035b7aa1f17257474a2d68686c59baf8e4e0
    SHA256: be34e18ab1a8f734a82ec4b60999935b70aaf4317f485b418c709ff7dcdd6bdb
    SHA512: 4efc3efe287d0863082f2cdd50d98deb558f67abe6f793906b71138b1baad25d1471f11f807e977cb2ae7946fa06c19156f4af67a18c230e29d111f10cae4061

  • C:\Users\Admin\AppData\Local\Temp\MSI9412.tmp
    Filesize: 904KB
    MD5: 421643ee7bb89e6df092bc4b18a40ff8
    SHA1: e801582a6dd358060a699c9c5cde31cd07ee49ab
    SHA256: d6b89fd5a95071e7b144d8bedcb09b694e9cd14bfbfafb782b17cf8413eac6da
    SHA512: d59c4ec7690e535da84f94bef2be7f94d6bfd0b2908fa9a67d0897abe8a2825fd52354c495ea1a7f133f727c2ee356869cc80bacf5557864d535a72d8c396023

  • C:\Users\Admin\AppData\Roaming\op\GUP.exe
    Filesize: 617KB
    MD5: 7be4b26502bb2a8ed4982805b590dec5
    SHA1: afa1ee71fe23c4e7f8fc0195f5fb4a3d968500b6
    SHA256: 97e196b8aa0694ecf37bddab2ade90ffba78251af7e49f6a24adea0a6ee704b3
    SHA512: 013ce05ca4982b8bbafa33b4011b1a2731c605f581223557ef66cf75df96307d5b2444a9ccb28b3ff39e34ad989e2d5b931ab9bfcccd7dd5f63eabdb726ab749

  • C:\Users\Admin\AppData\Roaming\op\gup.xml
    Filesize: 4KB
    MD5: 30823e98edc86ac1c1b71ba49366bb86
    SHA1: 1fbaedf0850c6bb298d81843a174fe2ed0d09388
    SHA256: f26e3a06fc46eefb24d2d412c5e5ed1bc97ec14e2b7d8670aea0736ce7fb15dd
    SHA512: 6a907ec6e57d4a7ee0eac473df439db48d4c3457d440417a0a1908e1e8fbc7a15955166dc5d4b2c2dc42e92caa73c74c12b7f9b477c9991ee677a93cd3aa45f5

  • C:\Users\Admin\AppData\Roaming\op\libcurl.dll
    Filesize: 840KB
    MD5: 9b73c82d8f0e6cae3bce7b2fc98b3383
    SHA1: 24dd9872261cfb6931b2b400fffc9b9bdd4d5455
    SHA256: 795778587d86ee3aa3d2f628e8d3994b8735c5528413b4298afac8b6a683aefb
    SHA512: 5e1aa7783c7bed7b821065cc6a775b98114ea54c840499dc896de27c331375f4b5e5cd1c6550c160b05b6bc64dd4669dcfdcec861de9376d745bc9a3d5e80909

  • C:\Windows\Installer\MSIDA66.tmp
    Filesize: 406KB
    MD5: d2f8c062aba50ca096cbd5387a2d0b8b
    SHA1: 04f07790822954d02458d93fba83208ca5223a1a
    SHA256: ea6094300c250528ffae4e7972d84eb5b45cfbd018133516c166e40e89ed65bf
    SHA512: f51bf12be51832cd7190c255234c558094c0135e8bf05ffd67c2f4a8b0233161fa71c44e86b107956e4b75f5e2a28da58736da61a71f0c600ec1cf1b4e9e86fa

  • \??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2
    Filesize: 24.1MB
    MD5: c6c90c06b53b62a715102d976b693f0a
    SHA1: dc68c68ac42022b0b14403d1dac296daa17f1a64
    SHA256: 7797912598f54c85df0a56fa0257ccadf9e1e0db2e9c0d8040bf49c859ab07be
    SHA512: 0c7bf3a77d16c67e9e4bf5cd5a3468277819c24069b9b2a7c13af8d7f22b49145fd4394c7568394b19a041a42d8943f8d7697687bd119165b3b6e0584a5256f7

  • \??\Volume{77a2731a-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{4370a97d-0950-4db2-86a9-46e8a579f44a}_OnDiskSnapshotProp
    Filesize: 6KB
    MD5: 6940652ed4e5f32d616ff735f5887b1b
    SHA1: 45907a0a599c98e54245182f89a68280ed09d347
    SHA256: 2625fe099132c31354824155c7bf0e8f4f45b061a6a16601679637eb1b0c77d6
    SHA512: f45705515c323cfc653187a8f6e464937f8dd727fc8b7bc7b812052de7b0c480ad87371562755c0cdb3d560f02d032768d18e7c3104b54f8d4b094b33d21b5a4