Analysis
- max time kernel: 109s
- max time network: 131s
- platform: windows10_x64
- resource: win10v200430
- submitted: 10/07/2020, 13:07
Static task: static1

Behavioral task: behavioral1
- Sample: ada66908-1faf-4e78-8582-239d6d90c2cf.msi
- Resource: win7
- 0 signatures, 0 seconds

Behavioral task: behavioral2
- Sample: ada66908-1faf-4e78-8582-239d6d90c2cf.msi
- Resource: win10v200430
- 0 signatures, 0 seconds
General
- Target: ada66908-1faf-4e78-8582-239d6d90c2cf.msi
- Size: 1.7MB
- MD5: 4c2f959dcda49fa48d8dc13a7eac6b3b
- SHA1: d270aedb78fe928e425ecc4f2f1b5c9c38dca764
- SHA256: 185e7914fb334360e83bb85bc6cdf7e3311b77f49197748b271803484050d38d
- SHA512: aabde1125b7167bbd2b2734df099e07b92382dd579429652fd7f0a28705c744befad6b3d428cb09c4fea524ef421dd7a17f621957fa55d4592550176592df37f
- Score: 7/10
Malware Config
Signatures
- Suspicious use of WriteProcessMemory (3 IoCs)

  description                         pid   Process      procid_target
  PID 2484 wrote to memory of 3564    2484  msiexec.exe  70
  PID 2484 wrote to memory of 3564    2484  msiexec.exe  70
  PID 2484 wrote to memory of 3564    2484  msiexec.exe  70

- Suspicious behavior: GetForegroundWindowSpam (1 IoCs)

  pid   Process
  3564  MsiExec.exe

- Drops file in Windows directory (12 IoCs)

  description                    ioc                                                                    Process
  File opened for modification   C:\Windows\Installer\MSI4755.tmp                                       msiexec.exe
  File opened for modification   C:\Windows\Installer\23a40.msi                                         msiexec.exe
  File opened for modification   C:\Windows\Installer\MSI43D7.tmp                                       msiexec.exe
  File opened for modification   C:\Windows\Installer\MSI3B69.tmp                                       msiexec.exe
  File opened for modification   C:\Windows\Installer\MSI432A.tmp                                       msiexec.exe
  File opened for modification   C:\Windows\Installer\MSI4445.tmp                                       msiexec.exe
  File opened for modification   C:\Windows\Installer\                                                  msiexec.exe
  File created                   C:\Windows\Installer\inprogressinstallinfo.ipi                         msiexec.exe
  File created                   C:\Windows\Installer\SourceHash{7F0666E5-9A6B-4F70-9E81-530C35837E3F}  msiexec.exe
  File created                   C:\Windows\Installer\23a40.msi                                         msiexec.exe
  File opened for modification   C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log               msiexec.exe
  File opened for modification   C:\Windows\Installer\MSI46D7.tmp                                       msiexec.exe

- Suspicious use of FindShellTrayWindow (1 IoCs)

  pid   Process
  2416  msiexec.exe

- Suspicious use of AdjustPrivilegeToken (46 IoCs)

  description                          pid   Process
  Token: SeShutdownPrivilege           2416  msiexec.exe
  Token: SeIncreaseQuotaPrivilege      2416  msiexec.exe
  Token: SeSecurityPrivilege           2484  msiexec.exe
  Token: SeCreateTokenPrivilege        2416  msiexec.exe
  Token: SeAssignPrimaryTokenPrivilege 2416  msiexec.exe
  Token: SeLockMemoryPrivilege         2416  msiexec.exe
  Token: SeIncreaseQuotaPrivilege      2416  msiexec.exe
  Token: SeMachineAccountPrivilege     2416  msiexec.exe
  Token: SeTcbPrivilege                2416  msiexec.exe
  Token: SeSecurityPrivilege           2416  msiexec.exe
  Token: SeTakeOwnershipPrivilege      2416  msiexec.exe
  Token: SeLoadDriverPrivilege         2416  msiexec.exe
  Token: SeSystemProfilePrivilege      2416  msiexec.exe
  Token: SeSystemtimePrivilege         2416  msiexec.exe
  Token: SeProfSingleProcessPrivilege  2416  msiexec.exe
  Token: SeIncBasePriorityPrivilege    2416  msiexec.exe
  Token: SeCreatePagefilePrivilege     2416  msiexec.exe
  Token: SeCreatePermanentPrivilege    2416  msiexec.exe
  Token: SeBackupPrivilege             2416  msiexec.exe
  Token: SeRestorePrivilege            2416  msiexec.exe
  Token: SeShutdownPrivilege           2416  msiexec.exe
  Token: SeDebugPrivilege              2416  msiexec.exe
  Token: SeAuditPrivilege              2416  msiexec.exe
  Token: SeSystemEnvironmentPrivilege  2416  msiexec.exe
  Token: SeChangeNotifyPrivilege       2416  msiexec.exe
  Token: SeRemoteShutdownPrivilege     2416  msiexec.exe
  Token: SeUndockPrivilege             2416  msiexec.exe
  Token: SeSyncAgentPrivilege          2416  msiexec.exe
  Token: SeEnableDelegationPrivilege   2416  msiexec.exe
  Token: SeManageVolumePrivilege       2416  msiexec.exe
  Token: SeImpersonatePrivilege        2416  msiexec.exe
  Token: SeCreateGlobalPrivilege       2416  msiexec.exe
  Token: SeRestorePrivilege            2484  msiexec.exe
  Token: SeTakeOwnershipPrivilege      2484  msiexec.exe
  Token: SeRestorePrivilege            2484  msiexec.exe
  Token: SeTakeOwnershipPrivilege      2484  msiexec.exe
  Token: SeRestorePrivilege            2484  msiexec.exe
  Token: SeTakeOwnershipPrivilege      2484  msiexec.exe
  Token: SeRestorePrivilege            2484  msiexec.exe
  Token: SeTakeOwnershipPrivilege      2484  msiexec.exe
  Token: SeRestorePrivilege            2484  msiexec.exe
  Token: SeTakeOwnershipPrivilege      2484  msiexec.exe
  Token: SeRestorePrivilege            2484  msiexec.exe
  Token: SeTakeOwnershipPrivilege      2484  msiexec.exe
  Token: SeRestorePrivilege            2484  msiexec.exe
  Token: SeTakeOwnershipPrivilege      2484  msiexec.exe

- Loads dropped DLL (5 IoCs)

  pid   Process
  3564  MsiExec.exe
  3564  MsiExec.exe
  3564  MsiExec.exe
  3564  MsiExec.exe
  3564  MsiExec.exe

- Suspicious behavior: EnumeratesProcesses (2 IoCs)

  pid   Process
  2484  msiexec.exe
  2484  msiexec.exe

- Enumerates connected drives (3 TTPs)

- Adds Run entry to start application (2 TTPs, 1 IoCs)

  description      ioc                                                                                                                                                      Process
  Set value (str)  \REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Windows\CurrentVersion\Run\win68 = "C:\\Users\\Public\\owzmotqa.msi /quiet"  MsiExec.exe
Processes

- C:\Windows\system32\msiexec.exe (PID: 2416)
  Command line: msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\ada66908-1faf-4e78-8582-239d6d90c2cf.msi
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of AdjustPrivilegeToken

- C:\Windows\system32\msiexec.exe (PID: 2484)
  Command line: C:\Windows\system32\msiexec.exe /V
  - Suspicious use of WriteProcessMemory
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious behavior: EnumeratesProcesses

  - C:\Windows\syswow64\MsiExec.exe (PID: 3564, child of 2484)
    Command line: C:\Windows\syswow64\MsiExec.exe -Embedding F8FC78BEBD3E76E41498D2AFA3F97E38
    - Suspicious behavior: GetForegroundWindowSpam
    - Loads dropped DLL
    - Adds Run entry to start application