Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
- max time kernel: 80s
- max time network: 148s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 27/04/2022, 18:54
Static task: static1
Behavioral task: behavioral1
  Sample: Security_Upgrade_Software_Win10.0.msi
  Resource: win7-20220414-en
Behavioral task: behavioral2
  Sample: Security_Upgrade_Software_Win10.0.msi
  Resource: win10v2004-20220414-en
General
- Target: Security_Upgrade_Software_Win10.0.msi
- Size: 96KB
- MD5: 997a3ae4006ae10c102258e5718f89f6
- SHA1: 8177181273ace0f8009b809d866764ce266b70dc
- SHA256: d579e758e16f54d3c3594aa4fabce0181ef25bf953cceda3a6c47c099a77a40a
- SHA512: 231cd1f692e56c0a5be5818ec77e786f0f4d6e58ea6d6c097574908e8f42e39e9b3f78c627a898e142e01b900865a6ef7988a803f12b72640d76c2ddfde44958
Malware Config
Signatures
- Blocklisted process makes network request (3 IoCs)
  flow  pid   Process
  2     1628  msiexec.exe
  4     1628  msiexec.exe
  7     1156  msiexec.exe
- Loads dropped DLL (1 IoC)
  pid   Process
  1240  MsiExec.exe
- Enumerates connected drives (3 TTPs, 48 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  description              ioc     Process
  File opened (read-only)  \??\Y:  msiexec.exe
  File opened (read-only)  \??\K:  msiexec.exe
  File opened (read-only)  \??\N:  msiexec.exe
  File opened (read-only)  \??\X:  msiexec.exe
  File opened (read-only)  \??\B:  msiexec.exe
  File opened (read-only)  \??\J:  msiexec.exe
  File opened (read-only)  \??\M:  msiexec.exe
  File opened (read-only)  \??\U:  msiexec.exe
  File opened (read-only)  \??\B:  msiexec.exe
  File opened (read-only)  \??\G:  msiexec.exe
  File opened (read-only)  \??\O:  msiexec.exe
  File opened (read-only)  \??\Q:  msiexec.exe
  File opened (read-only)  \??\T:  msiexec.exe
  File opened (read-only)  \??\L:  msiexec.exe
  File opened (read-only)  \??\W:  msiexec.exe
  File opened (read-only)  \??\J:  msiexec.exe
  File opened (read-only)  \??\F:  msiexec.exe
  File opened (read-only)  \??\N:  msiexec.exe
  File opened (read-only)  \??\V:  msiexec.exe
  File opened (read-only)  \??\A:  msiexec.exe
  File opened (read-only)  \??\V:  msiexec.exe
  File opened (read-only)  \??\A:  msiexec.exe
  File opened (read-only)  \??\E:  msiexec.exe
  File opened (read-only)  \??\Q:  msiexec.exe
  File opened (read-only)  \??\S:  msiexec.exe
  File opened (read-only)  \??\Z:  msiexec.exe
  File opened (read-only)  \??\E:  msiexec.exe
  File opened (read-only)  \??\F:  msiexec.exe
  File opened (read-only)  \??\H:  msiexec.exe
  File opened (read-only)  \??\I:  msiexec.exe
  File opened (read-only)  \??\O:  msiexec.exe
  File opened (read-only)  \??\P:  msiexec.exe
  File opened (read-only)  \??\T:  msiexec.exe
  File opened (read-only)  \??\S:  msiexec.exe
  File opened (read-only)  \??\U:  msiexec.exe
  File opened (read-only)  \??\W:  msiexec.exe
  File opened (read-only)  \??\R:  msiexec.exe
  File opened (read-only)  \??\X:  msiexec.exe
  File opened (read-only)  \??\L:  msiexec.exe
  File opened (read-only)  \??\M:  msiexec.exe
  File opened (read-only)  \??\P:  msiexec.exe
  File opened (read-only)  \??\R:  msiexec.exe
  File opened (read-only)  \??\Y:  msiexec.exe
  File opened (read-only)  \??\G:  msiexec.exe
  File opened (read-only)  \??\H:  msiexec.exe
  File opened (read-only)  \??\I:  msiexec.exe
  File opened (read-only)  \??\Z:  msiexec.exe
  File opened (read-only)  \??\K:  msiexec.exe
- Drops file in Windows directory (11 IoCs)
  description                   ioc                                  Process
  File opened for modification  C:\Windows\INF\setupapi.ev1          DrvInst.exe
  File created                  C:\Windows\Installer\6d2ccd.ipi      msiexec.exe
  File opened for modification  C:\Windows\Installer\                msiexec.exe
  File opened for modification  C:\Windows\Installer\MSI3D7B.tmp     msiexec.exe
  File created                  C:\Windows\Installer\6d2ccf.msi      msiexec.exe
  File opened for modification  C:\Windows\INF\setupapi.ev3          DrvInst.exe
  File created                  C:\Windows\Installer\6d2ccc.msi      msiexec.exe
  File opened for modification  C:\Windows\Installer\6d2ccc.msi      msiexec.exe
  File opened for modification  C:\Windows\Installer\MSI4143.tmp     msiexec.exe
  File opened for modification  C:\Windows\Installer\6d2ccd.ipi      msiexec.exe
  File opened for modification  C:\Windows\INF\setupapi.dev.log      DrvInst.exe
- Modifies data under HKEY_USERS (43 IoCs)
  description       ioc                                                                                                     Process
  Key created       \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing  DrvInst.exe
  Key created       \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed                                 DrvInst.exe
  Key created       \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed                        DrvInst.exe
  Key created       \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs                   DrvInst.exe
  Key created       \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs                         DrvInst.exe
  Key created       \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates                         DrvInst.exe
  Key created       \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs                        DrvInst.exe
  Key created       \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs                                    DrvInst.exe
  Key created       \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs                                    DrvInst.exe
  Key created       \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs                           DrvInst.exe
  Key created       \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates                          DrvInst.exe
  Key created       \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs                                 DrvInst.exe
  Key created       \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates                   DrvInst.exe
  Key created       \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs                            DrvInst.exe
  Key created       \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs                   DrvInst.exe
  Key created       \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople                              DrvInst.exe
  Key created       \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs                                 DrvInst.exe
  Key created       \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs                        DrvInst.exe
  Key created       \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My                                         DrvInst.exe
  Key created       \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates           DrvInst.exe
  Key created       \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root                                       DrvInst.exe
  Key created       \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates                 DrvInst.exe
  Key created       \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates        DrvInst.exe
  Key created       \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust                             DrvInst.exe
  Key created       \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA                                         DrvInst.exe
  Key created       \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs                            DrvInst.exe
  Key created       \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs                         DrvInst.exe
  Key created       \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs                                  DrvInst.exe
  Key created       \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs                         DrvInst.exe
  Key created       \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs                DrvInst.exe
  Key created       \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs                DrvInst.exe
  Key created       \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust                                      DrvInst.exe
  Key created       \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates                            DrvInst.exe
  Key created       \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA                                DrvInst.exe
  Key created       \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs                                  DrvInst.exe
  Key created       \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates                DrvInst.exe
  Key created       \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates                 DrvInst.exe
  Key created       \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople                     DrvInst.exe
  Key created       \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot                              DrvInst.exe
  Key created       \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs                         DrvInst.exe
  Set value (data)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000  DrvInst.exe
  Key created       \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs                           DrvInst.exe
  Key created       \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates                    DrvInst.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid   Process
  1156  msiexec.exe
  1156  msiexec.exe
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  description                           pid   Process
  Token: SeShutdownPrivilege            1628  msiexec.exe
  Token: SeIncreaseQuotaPrivilege       1628  msiexec.exe
  Token: SeRestorePrivilege             1156  msiexec.exe
  Token: SeTakeOwnershipPrivilege       1156  msiexec.exe
  Token: SeSecurityPrivilege            1156  msiexec.exe
  Token: SeCreateTokenPrivilege         1628  msiexec.exe
  Token: SeAssignPrimaryTokenPrivilege  1628  msiexec.exe
  Token: SeLockMemoryPrivilege          1628  msiexec.exe
  Token: SeIncreaseQuotaPrivilege       1628  msiexec.exe
  Token: SeMachineAccountPrivilege      1628  msiexec.exe
  Token: SeTcbPrivilege                 1628  msiexec.exe
  Token: SeSecurityPrivilege            1628  msiexec.exe
  Token: SeTakeOwnershipPrivilege       1628  msiexec.exe
  Token: SeLoadDriverPrivilege          1628  msiexec.exe
  Token: SeSystemProfilePrivilege       1628  msiexec.exe
  Token: SeSystemtimePrivilege          1628  msiexec.exe
  Token: SeProfSingleProcessPrivilege   1628  msiexec.exe
  Token: SeIncBasePriorityPrivilege     1628  msiexec.exe
  Token: SeCreatePagefilePrivilege      1628  msiexec.exe
  Token: SeCreatePermanentPrivilege     1628  msiexec.exe
  Token: SeBackupPrivilege              1628  msiexec.exe
  Token: SeRestorePrivilege             1628  msiexec.exe
  Token: SeShutdownPrivilege            1628  msiexec.exe
  Token: SeDebugPrivilege               1628  msiexec.exe
  Token: SeAuditPrivilege               1628  msiexec.exe
  Token: SeSystemEnvironmentPrivilege   1628  msiexec.exe
  Token: SeChangeNotifyPrivilege        1628  msiexec.exe
  Token: SeRemoteShutdownPrivilege      1628  msiexec.exe
  Token: SeUndockPrivilege              1628  msiexec.exe
  Token: SeSyncAgentPrivilege           1628  msiexec.exe
  Token: SeEnableDelegationPrivilege    1628  msiexec.exe
  Token: SeManageVolumePrivilege        1628  msiexec.exe
  Token: SeImpersonatePrivilege         1628  msiexec.exe
  Token: SeCreateGlobalPrivilege        1628  msiexec.exe
  Token: SeBackupPrivilege              2028  vssvc.exe
  Token: SeRestorePrivilege             2028  vssvc.exe
  Token: SeAuditPrivilege               2028  vssvc.exe
  Token: SeBackupPrivilege              1156  msiexec.exe
  Token: SeRestorePrivilege             1156  msiexec.exe
  Token: SeRestorePrivilege             1500  DrvInst.exe
  Token: SeRestorePrivilege             1500  DrvInst.exe
  Token: SeRestorePrivilege             1500  DrvInst.exe
  Token: SeRestorePrivilege             1500  DrvInst.exe
  Token: SeRestorePrivilege             1500  DrvInst.exe
  Token: SeRestorePrivilege             1500  DrvInst.exe
  Token: SeRestorePrivilege             1500  DrvInst.exe
  Token: SeLoadDriverPrivilege          1500  DrvInst.exe
  Token: SeLoadDriverPrivilege          1500  DrvInst.exe
  Token: SeLoadDriverPrivilege          1500  DrvInst.exe
  Token: SeRestorePrivilege             1156  msiexec.exe
  Token: SeTakeOwnershipPrivilege       1156  msiexec.exe
  Token: SeRestorePrivilege             1156  msiexec.exe
  Token: SeTakeOwnershipPrivilege       1156  msiexec.exe
  Token: SeRestorePrivilege             1156  msiexec.exe
  Token: SeTakeOwnershipPrivilege       1156  msiexec.exe
  Token: SeRestorePrivilege             1156  msiexec.exe
  Token: SeTakeOwnershipPrivilege       1156  msiexec.exe
  Token: SeRestorePrivilege             1156  msiexec.exe
  Token: SeTakeOwnershipPrivilege       1156  msiexec.exe
  Token: SeRestorePrivilege             1156  msiexec.exe
  Token: SeTakeOwnershipPrivilege       1156  msiexec.exe
  Token: SeRestorePrivilege             1156  msiexec.exe
  Token: SeTakeOwnershipPrivilege       1156  msiexec.exe
  Token: SeRestorePrivilege             1156  msiexec.exe
- Suspicious use of FindShellTrayWindow (2 IoCs)
  pid   Process
  1628  msiexec.exe
  1628  msiexec.exe
- Suspicious use of WriteProcessMemory (5 IoCs)
  description                       pid   Process      procid_target
  PID 1156 wrote to memory of 1240  1156  msiexec.exe  31
  PID 1156 wrote to memory of 1240  1156  msiexec.exe  31
  PID 1156 wrote to memory of 1240  1156  msiexec.exe  31
  PID 1156 wrote to memory of 1240  1156  msiexec.exe  31
  PID 1156 wrote to memory of 1240  1156  msiexec.exe  31
Processes
- C:\Windows\system32\msiexec.exe (PID: 1628)
  Command line: msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\Security_Upgrade_Software_Win10.0.msi
  - Blocklisted process makes network request
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
- C:\Windows\system32\msiexec.exe (PID: 1156)
  Command line: C:\Windows\system32\msiexec.exe /V
  - Blocklisted process makes network request
  - Enumerates connected drives
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - Child: C:\Windows\system32\MsiExec.exe (PID: 1240)
    Command line: C:\Windows\system32\MsiExec.exe -Embedding 2946DBB7DF8E327DD0A7294E24B3E1D7
    - Loads dropped DLL
- C:\Windows\system32\vssvc.exe (PID: 2028)
  Command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\DrvInst.exe (PID: 1500)
  Command line: DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "000000000000049C" "0000000000000568"
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 1KB
  MD5: 78f2fcaa601f2fb4ebc937ba532e7549
  SHA1: ddfb16cd4931c973a2037d3fc83a4d7d775d05e4
  SHA256: 552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac89988
  SHA512: bcad73a7a5afb7120549dd54ba1f15c551ae24c7181f008392065d1ed006e6fa4fa5a60538d52461b15a12f5292049e929cffde15cc400dec9cdfca0b36a68dd
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 344B
  MD5: c9ae194de6ac3d606e70ded5e53cbe34
  SHA1: 7dcb7ea95b9d770c5f00eb771f8efd6e4177f5c3
  SHA256: 69c138cfa9cc977bcf32e4113cadaf9f394d43c2fe35b0937d8f9493ed200b02
  SHA512: 47a566f4499b86d530b9659f97472c759ac0b617195d161dee50b9cae8f1483915f50a65949c8f0e3ad51c9c93df852bd1c46d16f6ab22f02b085cf1e4e03814
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F2E248BEDDBB2D85122423C41028BFD4
  Filesize: 254B
  MD5: 505fdbab7b3f8edb0ba775bd5b38bbb0
  SHA1: aaea79bfad5442f28c2d99b50bd8099f3297b0b4
  SHA256: 22a1f9fdf872434b899a1d9373072194defa3453a1d510e654f4f99ff685bdf0
  SHA512: 8e954de6c44d6f5bc0fe278253c3496b3042a434143fbcf524aff8072a765d668edf6a365bb35d977a82f6494f8dcfe5d24575f32ee675c4d2ce156ee496ad0f
- Filesize: 54KB
  MD5: 31903e57dcc15860380219f2fb15909e
  SHA1: 7b7ce68b05965e8c53c7f1f9afc1325af9f91272
  SHA256: c28b8d613c100aa108adcdd461bce92dc620c2c88fc25be31594d38482f53451
  SHA512: 8f513cb654d225d92f9974e06f0eb005c76e5a23c1f199502f9335136abaa2ef0089373ebb9ad9f90b54a531b7548abae57c5b7a17d6c840a1d2b3146cb953a5
- Filesize: 54KB
  MD5: 31903e57dcc15860380219f2fb15909e
  SHA1: 7b7ce68b05965e8c53c7f1f9afc1325af9f91272
  SHA256: c28b8d613c100aa108adcdd461bce92dc620c2c88fc25be31594d38482f53451
  SHA512: 8f513cb654d225d92f9974e06f0eb005c76e5a23c1f199502f9335136abaa2ef0089373ebb9ad9f90b54a531b7548abae57c5b7a17d6c840a1d2b3146cb953a5