Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
83s -
max time network
41s -
platform
windows7_x64 -
resource
win7-20220812-en -
resource tags
arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system -
submitted
15/09/2022, 01:37
Static task
static1
Behavioral task
behavioral1
Sample
1.rar
Resource
win7-20220812-en
Behavioral task
behavioral2
Sample
1.rar
Resource
win10v2004-20220812-en
General
-
Target
1.rar
-
Size
3.2MB
-
MD5
b53dbf0106a7eae3a7b073b254162c16
-
SHA1
6ca3fa39a0c07c0e26ff5339adb7496b310452a9
-
SHA256
60e03e1dfc1606c12dd7a590306a0c2766f36f0e9d75fc0d441e4ccb31bf0f66
-
SHA512
7ed532840789c0294c34b8a8596b619d4cfab7201e66311f07530a9d81cf8e68a9a0b9715ee7fc8ce7f52978a080f2ca6ce6437f92b773c6e514282d4a7979ab
-
SSDEEP
98304:2jrxn7HBzkcomean6DKOGAt6Ni4iIOundiQE:qdnjBzDb0L76NEIO3QE
Malware Config
Signatures
-
Loads dropped DLL 5 IoCs
pid Process 1172 MsiExec.exe 1172 MsiExec.exe 1172 MsiExec.exe 1172 MsiExec.exe 2012 MsiExec.exe -
Enumerates connected drives 3 TTPs 48 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\T: msiexec.exe File opened (read-only) \??\Y: msiexec.exe File opened (read-only) \??\O: msiexec.exe File opened (read-only) \??\N: msiexec.exe File opened (read-only) \??\V: msiexec.exe File opened (read-only) \??\B: msiexec.exe File opened (read-only) \??\J: msiexec.exe File opened (read-only) \??\U: msiexec.exe File opened (read-only) \??\I: msiexec.exe File opened (read-only) \??\K: msiexec.exe File opened (read-only) \??\R: msiexec.exe File opened (read-only) \??\L: msiexec.exe File opened (read-only) \??\H: msiexec.exe File opened (read-only) \??\I: msiexec.exe File opened (read-only) \??\M: msiexec.exe File opened (read-only) \??\P: msiexec.exe File opened (read-only) \??\N: msiexec.exe File opened (read-only) \??\O: msiexec.exe File opened (read-only) \??\E: msiexec.exe File opened (read-only) \??\F: msiexec.exe File opened (read-only) \??\G: msiexec.exe File opened (read-only) \??\R: msiexec.exe File opened (read-only) \??\H: msiexec.exe File opened (read-only) \??\M: msiexec.exe File opened (read-only) \??\S: msiexec.exe File opened (read-only) \??\A: msiexec.exe File opened (read-only) \??\W: msiexec.exe File opened (read-only) \??\X: msiexec.exe File opened (read-only) \??\E: msiexec.exe File opened (read-only) \??\G: msiexec.exe File opened (read-only) \??\J: msiexec.exe File opened (read-only) \??\U: msiexec.exe File opened (read-only) \??\X: msiexec.exe File opened (read-only) \??\Q: msiexec.exe File opened (read-only) \??\K: msiexec.exe File opened (read-only) \??\L: msiexec.exe File opened (read-only) \??\Q: msiexec.exe File opened (read-only) \??\T: msiexec.exe File opened (read-only) \??\V: msiexec.exe File opened (read-only) \??\Y: msiexec.exe File opened (read-only) \??\B: msiexec.exe File opened (read-only) \??\Z: msiexec.exe File opened (read-only) \??\A: msiexec.exe File opened (read-only) \??\F: msiexec.exe File opened (read-only) \??\P: msiexec.exe File opened (read-only) \??\W: msiexec.exe File opened (read-only) \??\Z: msiexec.exe File opened (read-only) \??\S: msiexec.exe -
Drops file in Windows directory 11 IoCs
description ioc Process File opened for modification C:\Windows\Installer\MSI5D34.tmp msiexec.exe File opened for modification C:\Windows\Installer\6d4473.ipi msiexec.exe File created C:\Windows\Installer\6d4471.msi msiexec.exe File opened for modification C:\Windows\Installer\MSI4700.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSI4A2C.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSI4A7B.tmp msiexec.exe File created C:\Windows\Installer\6d4473.ipi msiexec.exe File opened for modification C:\Windows\Installer\6d4471.msi msiexec.exe File opened for modification C:\Windows\Installer\MSI4CEC.tmp msiexec.exe File opened for modification C:\Windows\Installer\ msiexec.exe File opened for modification C:\Windows\Installer\MSI516F.tmp msiexec.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Modifies registry class 2 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_Classes\Local Settings rundll32.exe Key created \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\MuiCache rundll32.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 932 msiexec.exe 932 msiexec.exe -
Suspicious use of AdjustPrivilegeToken 62 IoCs
description pid Process Token: 33 1084 AUDIODG.EXE Token: SeIncBasePriorityPrivilege 1084 AUDIODG.EXE Token: 33 1084 AUDIODG.EXE Token: SeIncBasePriorityPrivilege 1084 AUDIODG.EXE Token: SeRestorePrivilege 1492 7zG.exe Token: 35 1492 7zG.exe Token: SeSecurityPrivilege 1492 7zG.exe Token: SeSecurityPrivilege 1492 7zG.exe Token: SeShutdownPrivilege 1668 msiexec.exe Token: SeIncreaseQuotaPrivilege 1668 msiexec.exe Token: SeRestorePrivilege 932 msiexec.exe Token: SeTakeOwnershipPrivilege 932 msiexec.exe Token: SeSecurityPrivilege 932 msiexec.exe Token: SeCreateTokenPrivilege 1668 msiexec.exe Token: SeAssignPrimaryTokenPrivilege 1668 msiexec.exe Token: SeLockMemoryPrivilege 1668 msiexec.exe Token: SeIncreaseQuotaPrivilege 1668 msiexec.exe Token: SeMachineAccountPrivilege 1668 msiexec.exe Token: SeTcbPrivilege 1668 msiexec.exe Token: SeSecurityPrivilege 1668 msiexec.exe Token: SeTakeOwnershipPrivilege 1668 msiexec.exe Token: SeLoadDriverPrivilege 1668 msiexec.exe Token: SeSystemProfilePrivilege 1668 msiexec.exe Token: SeSystemtimePrivilege 1668 msiexec.exe Token: SeProfSingleProcessPrivilege 1668 msiexec.exe Token: SeIncBasePriorityPrivilege 1668 msiexec.exe Token: SeCreatePagefilePrivilege 1668 msiexec.exe Token: SeCreatePermanentPrivilege 1668 msiexec.exe Token: SeBackupPrivilege 1668 msiexec.exe Token: SeRestorePrivilege 1668 msiexec.exe Token: SeShutdownPrivilege 1668 msiexec.exe Token: SeDebugPrivilege 1668 msiexec.exe Token: SeAuditPrivilege 1668 msiexec.exe Token: SeSystemEnvironmentPrivilege 1668 msiexec.exe Token: SeChangeNotifyPrivilege 1668 msiexec.exe Token: SeRemoteShutdownPrivilege 1668 msiexec.exe Token: SeUndockPrivilege 1668 msiexec.exe Token: SeSyncAgentPrivilege 1668 msiexec.exe Token: SeEnableDelegationPrivilege 1668 msiexec.exe Token: SeManageVolumePrivilege 1668 msiexec.exe Token: SeImpersonatePrivilege 1668 msiexec.exe Token: SeCreateGlobalPrivilege 1668 msiexec.exe Token: SeRestorePrivilege 932 msiexec.exe Token: SeTakeOwnershipPrivilege 932 msiexec.exe Token: SeRestorePrivilege 932 msiexec.exe Token: SeTakeOwnershipPrivilege 932 msiexec.exe Token: SeRestorePrivilege 932 msiexec.exe Token: SeTakeOwnershipPrivilege 932 msiexec.exe Token: SeRestorePrivilege 932 msiexec.exe Token: SeTakeOwnershipPrivilege 932 msiexec.exe Token: SeRestorePrivilege 932 msiexec.exe Token: SeTakeOwnershipPrivilege 932 msiexec.exe Token: SeRestorePrivilege 932 msiexec.exe Token: SeTakeOwnershipPrivilege 932 msiexec.exe Token: SeRestorePrivilege 932 msiexec.exe Token: SeTakeOwnershipPrivilege 932 msiexec.exe Token: SeRestorePrivilege 932 msiexec.exe Token: SeTakeOwnershipPrivilege 932 msiexec.exe Token: SeRestorePrivilege 932 msiexec.exe Token: SeTakeOwnershipPrivilege 932 msiexec.exe Token: SeRestorePrivilege 932 msiexec.exe Token: SeTakeOwnershipPrivilege 932 msiexec.exe -
Suspicious use of FindShellTrayWindow 3 IoCs
pid Process 1492 7zG.exe 1668 msiexec.exe 1668 msiexec.exe -
Suspicious use of WriteProcessMemory 15 IoCs
description pid Process procid_target PID 1712 wrote to memory of 948 1712 cmd.exe 27 PID 1712 wrote to memory of 948 1712 cmd.exe 27 PID 1712 wrote to memory of 948 1712 cmd.exe 27 PID 932 wrote to memory of 1172 932 msiexec.exe 37 PID 932 wrote to memory of 1172 932 msiexec.exe 37 PID 932 wrote to memory of 1172 932 msiexec.exe 37 PID 932 wrote to memory of 1172 932 msiexec.exe 37 PID 932 wrote to memory of 1172 932 msiexec.exe 37 PID 932 wrote to memory of 1172 932 msiexec.exe 37 PID 932 wrote to memory of 1172 932 msiexec.exe 37 PID 932 wrote to memory of 2012 932 msiexec.exe 39 PID 932 wrote to memory of 2012 932 msiexec.exe 39 PID 932 wrote to memory of 2012 932 msiexec.exe 39 PID 932 wrote to memory of 2012 932 msiexec.exe 39 PID 932 wrote to memory of 2012 932 msiexec.exe 39
Processes
-
C:\Windows\system32\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\1.rar1⤵
- Suspicious use of WriteProcessMemory
PID:1712 -
C:\Windows\system32\rundll32.exe"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\1.rar2⤵
- Modifies registry class
PID:948
-
-
C:\Windows\explorer.exe"C:\Windows\explorer.exe"1⤵PID:1872
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x1d41⤵
- Suspicious use of AdjustPrivilegeToken
PID:1084
-
C:\Program Files\7-Zip\7zG.exe"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\AppData\Local\Temp\" -an -ai#7zMap6946:82:7zEvent242011⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1492
-
C:\Windows\System32\msiexec.exe"C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\AppData\Local\Temp\182d30fb29b6bff76dd557e55246b8ef.msi"1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1668
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:932 -
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 29C489DCD7C0A05F20158EA58171220E2⤵
- Loads dropped DLL
PID:1172
-
-
C:\Windows\system32\MsiExec.exeC:\Windows\system32\MsiExec.exe -Embedding 86DB1752B78199DC5CCE34BA5EB127042⤵
- Loads dropped DLL
PID:2012
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
108.4MB
MD5182d30fb29b6bff76dd557e55246b8ef
SHA17bb2e25286c3b41d6f7c20d60cda076ad87cea77
SHA256f2d5f80d595128a9c80fd661673655a01912c4eaca381d9e4e484fcbe6af6554
SHA5121f8122e6efadee856a507109731e60b00a4cae3403bac55dffdd676e5a7a81fd08c8532cd04b250fd6a9509099c358635cc99ba25e8b4348c1409a5a83f71e21
-
Filesize
376KB
MD5e12c5bcc254c953b1a46d1434804f4d2
SHA199f67acf34af1294f3c6e5eb521c862e1c772397
SHA2565316cfae8b4d28ab7cbc5cab60e27b0c0f5a3210a921a4b0560769c5021c911b
SHA5129a61aa00b651fc616cd09d28f4a6b872889a026c61d818595a82c58fdff187e3ad57916c2b8690d1e7016d73a05435e13a85758917cfb89029b34c4a1685aa0b
-
Filesize
376KB
MD5e12c5bcc254c953b1a46d1434804f4d2
SHA199f67acf34af1294f3c6e5eb521c862e1c772397
SHA2565316cfae8b4d28ab7cbc5cab60e27b0c0f5a3210a921a4b0560769c5021c911b
SHA5129a61aa00b651fc616cd09d28f4a6b872889a026c61d818595a82c58fdff187e3ad57916c2b8690d1e7016d73a05435e13a85758917cfb89029b34c4a1685aa0b
-
Filesize
860KB
MD571b541254864bd52f85e932e2040cbe8
SHA1713766e1818f8d7ca814c86109c9cdd5d57914ef
SHA256b29ab4744ff6c8c9c440e878abf6f76255c538e71564e6a6279513b543be0538
SHA5124d2e0a30fd6729eb40fad358795db152327b0441da574052a371762f33c9f9e7b9a77c4a4762207bcb401a2d3ef6438730c245916f4a81cd20f748857d5170d2
-
Filesize
376KB
MD5e12c5bcc254c953b1a46d1434804f4d2
SHA199f67acf34af1294f3c6e5eb521c862e1c772397
SHA2565316cfae8b4d28ab7cbc5cab60e27b0c0f5a3210a921a4b0560769c5021c911b
SHA5129a61aa00b651fc616cd09d28f4a6b872889a026c61d818595a82c58fdff187e3ad57916c2b8690d1e7016d73a05435e13a85758917cfb89029b34c4a1685aa0b
-
Filesize
106.2MB
MD5eeac072023b4dcdb28f7a9c48b46f88a
SHA1c59d0edcc7e4caca877074978b5f0cabc7631500
SHA2565e71693441b2efb7c09a64e130d683289023481134dc83a4a5b6c10135495182
SHA512d21f3bae49d2ebe4d37456512fe24e16ae6fb1d979219e95eca61428176c4e7b94f5a41c767586907a957eb7ab0c2e008ea9b97e019b5460c46d2dc71d30f177
-
Filesize
376KB
MD5e12c5bcc254c953b1a46d1434804f4d2
SHA199f67acf34af1294f3c6e5eb521c862e1c772397
SHA2565316cfae8b4d28ab7cbc5cab60e27b0c0f5a3210a921a4b0560769c5021c911b
SHA5129a61aa00b651fc616cd09d28f4a6b872889a026c61d818595a82c58fdff187e3ad57916c2b8690d1e7016d73a05435e13a85758917cfb89029b34c4a1685aa0b
-
Filesize
376KB
MD5e12c5bcc254c953b1a46d1434804f4d2
SHA199f67acf34af1294f3c6e5eb521c862e1c772397
SHA2565316cfae8b4d28ab7cbc5cab60e27b0c0f5a3210a921a4b0560769c5021c911b
SHA5129a61aa00b651fc616cd09d28f4a6b872889a026c61d818595a82c58fdff187e3ad57916c2b8690d1e7016d73a05435e13a85758917cfb89029b34c4a1685aa0b
-
Filesize
860KB
MD571b541254864bd52f85e932e2040cbe8
SHA1713766e1818f8d7ca814c86109c9cdd5d57914ef
SHA256b29ab4744ff6c8c9c440e878abf6f76255c538e71564e6a6279513b543be0538
SHA5124d2e0a30fd6729eb40fad358795db152327b0441da574052a371762f33c9f9e7b9a77c4a4762207bcb401a2d3ef6438730c245916f4a81cd20f748857d5170d2
-
Filesize
376KB
MD5e12c5bcc254c953b1a46d1434804f4d2
SHA199f67acf34af1294f3c6e5eb521c862e1c772397
SHA2565316cfae8b4d28ab7cbc5cab60e27b0c0f5a3210a921a4b0560769c5021c911b
SHA5129a61aa00b651fc616cd09d28f4a6b872889a026c61d818595a82c58fdff187e3ad57916c2b8690d1e7016d73a05435e13a85758917cfb89029b34c4a1685aa0b
-
Filesize
106.2MB
MD5eeac072023b4dcdb28f7a9c48b46f88a
SHA1c59d0edcc7e4caca877074978b5f0cabc7631500
SHA2565e71693441b2efb7c09a64e130d683289023481134dc83a4a5b6c10135495182
SHA512d21f3bae49d2ebe4d37456512fe24e16ae6fb1d979219e95eca61428176c4e7b94f5a41c767586907a957eb7ab0c2e008ea9b97e019b5460c46d2dc71d30f177