Analysis
max time kernel: 129s
max time network: 136s
platform: windows7_x64
resource: win7
submitted: 10/07/2020, 13:07
Static task: static1

Behavioral task: behavioral1
  Sample: ada66908-1faf-4e78-8582-239d6d90c2cf.msi
  Resource: win7
  0 signatures, 0 seconds

Behavioral task: behavioral2
  Sample: ada66908-1faf-4e78-8582-239d6d90c2cf.msi
  Resource: win10v200430
  0 signatures, 0 seconds
General
Target: ada66908-1faf-4e78-8582-239d6d90c2cf.msi
Size: 1.7MB
MD5: 4c2f959dcda49fa48d8dc13a7eac6b3b
SHA1: d270aedb78fe928e425ecc4f2f1b5c9c38dca764
SHA256: 185e7914fb334360e83bb85bc6cdf7e3311b77f49197748b271803484050d38d
SHA512: aabde1125b7167bbd2b2734df099e07b92382dd579429652fd7f0a28705c744befad6b3d428cb09c4fea524ef421dd7a17f621957fa55d4592550176592df37f
Score: 7/10
Malware Config
Signatures
Suspicious use of AdjustPrivilegeToken (46 IoCs)
description                                 pid   Process
Token: SeShutdownPrivilege                  1124  msiexec.exe
Token: SeIncreaseQuotaPrivilege             1124  msiexec.exe
Token: SeRestorePrivilege                   612   msiexec.exe
Token: SeTakeOwnershipPrivilege             612   msiexec.exe
Token: SeSecurityPrivilege                  612   msiexec.exe
Token: SeCreateTokenPrivilege               1124  msiexec.exe
Token: SeAssignPrimaryTokenPrivilege        1124  msiexec.exe
Token: SeLockMemoryPrivilege                1124  msiexec.exe
Token: SeIncreaseQuotaPrivilege             1124  msiexec.exe
Token: SeMachineAccountPrivilege            1124  msiexec.exe
Token: SeTcbPrivilege                       1124  msiexec.exe
Token: SeSecurityPrivilege                  1124  msiexec.exe
Token: SeTakeOwnershipPrivilege             1124  msiexec.exe
Token: SeLoadDriverPrivilege                1124  msiexec.exe
Token: SeSystemProfilePrivilege             1124  msiexec.exe
Token: SeSystemtimePrivilege                1124  msiexec.exe
Token: SeProfSingleProcessPrivilege         1124  msiexec.exe
Token: SeIncBasePriorityPrivilege           1124  msiexec.exe
Token: SeCreatePagefilePrivilege            1124  msiexec.exe
Token: SeCreatePermanentPrivilege           1124  msiexec.exe
Token: SeBackupPrivilege                    1124  msiexec.exe
Token: SeRestorePrivilege                   1124  msiexec.exe
Token: SeShutdownPrivilege                  1124  msiexec.exe
Token: SeDebugPrivilege                     1124  msiexec.exe
Token: SeAuditPrivilege                     1124  msiexec.exe
Token: SeSystemEnvironmentPrivilege         1124  msiexec.exe
Token: SeChangeNotifyPrivilege              1124  msiexec.exe
Token: SeRemoteShutdownPrivilege            1124  msiexec.exe
Token: SeUndockPrivilege                    1124  msiexec.exe
Token: SeSyncAgentPrivilege                 1124  msiexec.exe
Token: SeEnableDelegationPrivilege          1124  msiexec.exe
Token: SeManageVolumePrivilege              1124  msiexec.exe
Token: SeImpersonatePrivilege               1124  msiexec.exe
Token: SeCreateGlobalPrivilege              1124  msiexec.exe
Token: SeRestorePrivilege                   612   msiexec.exe
Token: SeTakeOwnershipPrivilege             612   msiexec.exe
Token: SeRestorePrivilege                   612   msiexec.exe
Token: SeTakeOwnershipPrivilege             612   msiexec.exe
Token: SeRestorePrivilege                   612   msiexec.exe
Token: SeTakeOwnershipPrivilege             612   msiexec.exe
Token: SeRestorePrivilege                   612   msiexec.exe
Token: SeTakeOwnershipPrivilege             612   msiexec.exe
Token: SeRestorePrivilege                   612   msiexec.exe
Token: SeTakeOwnershipPrivilege             612   msiexec.exe
Token: SeRestorePrivilege                   612   msiexec.exe
Token: SeTakeOwnershipPrivilege             612   msiexec.exe
Suspicious behavior: GetForegroundWindowSpam (2 IoCs)
pid   Process
1124  msiexec.exe
1580  MsiExec.exe

Adds Run entry to start application (2 TTPs, 1 IoCs)
description      ioc                                                                                                                                          Process
Set value (str)  \REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Windows\CurrentVersion\Run\win68 = "C:\\Users\\Public\\avglfesb.msi /quiet"  MsiExec.exe

Drops file in Windows directory (9 IoCs)
description                   ioc                              Process
File opened for modification  C:\Windows\Installer\MSI705.tmp  msiexec.exe
File opened for modification  C:\Windows\Installer\MSI734.tmp  msiexec.exe
File opened for modification  C:\Windows\Installer\MSI36A.tmp  msiexec.exe
File created                  C:\Windows\Installer\ff18.ipi    msiexec.exe
File opened for modification  C:\Windows\Installer\            msiexec.exe
File opened for modification  C:\Windows\Installer\MSI3D8.tmp  msiexec.exe
File created                  C:\Windows\Installer\ff16.msi    msiexec.exe
File opened for modification  C:\Windows\Installer\ff16.msi    msiexec.exe
File opened for modification  C:\Windows\Installer\MSI1.tmp    msiexec.exe

Suspicious use of FindShellTrayWindow (1 IoCs)
pid   Process
1124  msiexec.exe

Suspicious use of WriteProcessMemory (7 IoCs)
description                      pid  Process      procid_target
PID 612 wrote to memory of 1580  612  msiexec.exe  25
PID 612 wrote to memory of 1580  612  msiexec.exe  25
PID 612 wrote to memory of 1580  612  msiexec.exe  25
PID 612 wrote to memory of 1580  612  msiexec.exe  25
PID 612 wrote to memory of 1580  612  msiexec.exe  25
PID 612 wrote to memory of 1580  612  msiexec.exe  25
PID 612 wrote to memory of 1580  612  msiexec.exe  25

Loads dropped DLL (4 IoCs)
pid   Process
1580  MsiExec.exe
1580  MsiExec.exe
1580  MsiExec.exe
1580  MsiExec.exe

Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid  Process
612  msiexec.exe
612  msiexec.exe
Enumerates connected drives (3 TTPs)
Processes

C:\Windows\system32\msiexec.exe (depth 1)
  Command line: msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\ada66908-1faf-4e78-8582-239d6d90c2cf.msi
  PID: 1124
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow

C:\Windows\system32\msiexec.exe (depth 1)
  Command line: C:\Windows\system32\msiexec.exe /V
  PID: 612
  - Suspicious use of AdjustPrivilegeToken
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  - Suspicious behavior: EnumeratesProcesses

  C:\Windows\syswow64\MsiExec.exe (depth 2, child of PID 612)
    Command line: C:\Windows\syswow64\MsiExec.exe -Embedding 24AD0F51745696182781F376226486B2
    PID: 1580
    - Suspicious behavior: GetForegroundWindowSpam
    - Adds Run entry to start application
    - Loads dropped DLL