Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
61s -
max time network
139s -
platform
windows10-2004_x64 -
resource
win10v2004-20220901-en -
resource tags
arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system -
submitted
20/10/2022, 19:03
Static task
static1
Behavioral task
behavioral1
Sample
00F1S56789S0W1PAGO198CCS716.zip
Resource
win7-20220812-en
Behavioral task
behavioral2
Sample
00F1S56789S0W1PAGO198CCS716.zip
Resource
win10v2004-20220812-en
Behavioral task
behavioral3
Sample
00F1S56789S0W1PAGO198CCS716.msi
Resource
win7-20220812-en
Behavioral task
behavioral4
Sample
00F1S56789S0W1PAGO198CCS716.msi
Resource
win10v2004-20220901-en
General
-
Target
00F1S56789S0W1PAGO198CCS716.msi
-
Size
5.6MB
-
MD5
9954caa0ca30ffe96b4707dc93f6e607
-
SHA1
570d59cedeb20e4a7db84311741655f45ffdd519
-
SHA256
ca4519fc650d94793df6cc7045548946c49dcfde58891d8afd1c38103a297d12
-
SHA512
8ab5ce0a24fcb7465b5c1a83b7c88629514dce7fa7fd1078cd3aa78a608455c88c766c997d4f067659adb44f4a3154412248a92ce9da78688c9320dad83eb58b
-
SSDEEP
98304:jYOJapMr9FODk8Q6zwYmtwC+UDH6fqy3buT+4OD16dZxCD8YWWgLB8eCA:LAuJoezjTub3xDiCIY1i
Malware Config
Signatures
-
Blocklisted process makes network request 3 IoCs
flow pid Process 16 3412 MsiExec.exe 18 3412 MsiExec.exe 20 3412 MsiExec.exe -
Loads dropped DLL 6 IoCs
pid Process 3412 MsiExec.exe 3412 MsiExec.exe 3412 MsiExec.exe 3412 MsiExec.exe 3412 MsiExec.exe 3412 MsiExec.exe -
Enumerates connected drives 3 TTPs 48 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\K: msiexec.exe File opened (read-only) \??\A: msiexec.exe File opened (read-only) \??\N: msiexec.exe File opened (read-only) \??\W: msiexec.exe File opened (read-only) \??\B: msiexec.exe File opened (read-only) \??\A: msiexec.exe File opened (read-only) \??\J: msiexec.exe File opened (read-only) \??\O: msiexec.exe File opened (read-only) \??\Q: msiexec.exe File opened (read-only) \??\T: msiexec.exe File opened (read-only) \??\V: msiexec.exe File opened (read-only) \??\Y: msiexec.exe File opened (read-only) \??\I: msiexec.exe File opened (read-only) \??\J: msiexec.exe File opened (read-only) \??\T: msiexec.exe File opened (read-only) \??\U: msiexec.exe File opened (read-only) \??\V: msiexec.exe File opened (read-only) \??\F: msiexec.exe File opened (read-only) \??\U: msiexec.exe File opened (read-only) \??\X: msiexec.exe File opened (read-only) \??\H: msiexec.exe File opened (read-only) \??\S: msiexec.exe File opened (read-only) \??\E: msiexec.exe File opened (read-only) \??\G: msiexec.exe File opened (read-only) \??\R: msiexec.exe File opened (read-only) \??\G: msiexec.exe File opened (read-only) \??\Q: msiexec.exe File opened (read-only) \??\L: msiexec.exe File opened (read-only) \??\P: msiexec.exe File opened (read-only) \??\K: msiexec.exe File opened (read-only) \??\L: msiexec.exe File opened (read-only) \??\R: msiexec.exe File opened (read-only) \??\Y: msiexec.exe File opened (read-only) \??\X: msiexec.exe File opened (read-only) \??\B: msiexec.exe File opened (read-only) \??\H: msiexec.exe File opened (read-only) \??\I: msiexec.exe File opened (read-only) \??\M: msiexec.exe File opened (read-only) \??\N: msiexec.exe File opened (read-only) \??\W: msiexec.exe File opened (read-only) \??\P: msiexec.exe File opened (read-only) \??\Z: msiexec.exe File opened (read-only) \??\S: msiexec.exe File opened (read-only) \??\Z: msiexec.exe File opened (read-only) \??\E: msiexec.exe File opened (read-only) \??\F: msiexec.exe File opened (read-only) \??\M: msiexec.exe File opened (read-only) \??\O: msiexec.exe -
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 15 ipinfo.io 16 ipinfo.io -
Drops file in Windows directory 12 IoCs
description ioc Process File opened for modification C:\Windows\Installer\MSICE73.tmp msiexec.exe File created C:\Windows\Installer\e56c99e.msi msiexec.exe File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log msiexec.exe File opened for modification C:\Windows\Installer\MSICA59.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSICC9D.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSICD69.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSID0A8.tmp msiexec.exe File opened for modification C:\Windows\Installer\e56c99e.msi msiexec.exe File opened for modification C:\Windows\Installer\ msiexec.exe File created C:\Windows\Installer\inprogressinstallinfo.ipi msiexec.exe File created C:\Windows\Installer\SourceHash{7E35F406-72C5-42D5-BA78-3735586B6439} msiexec.exe File opened for modification C:\Windows\Installer\MSID049.tmp msiexec.exe -
Suspicious behavior: EnumeratesProcesses 6 IoCs
pid Process 2124 msiexec.exe 2124 msiexec.exe 3412 MsiExec.exe 3412 MsiExec.exe 3412 MsiExec.exe 3412 MsiExec.exe -
Suspicious use of AdjustPrivilegeToken 46 IoCs
description pid Process Token: SeShutdownPrivilege 4412 msiexec.exe Token: SeIncreaseQuotaPrivilege 4412 msiexec.exe Token: SeSecurityPrivilege 2124 msiexec.exe Token: SeCreateTokenPrivilege 4412 msiexec.exe Token: SeAssignPrimaryTokenPrivilege 4412 msiexec.exe Token: SeLockMemoryPrivilege 4412 msiexec.exe Token: SeIncreaseQuotaPrivilege 4412 msiexec.exe Token: SeMachineAccountPrivilege 4412 msiexec.exe Token: SeTcbPrivilege 4412 msiexec.exe Token: SeSecurityPrivilege 4412 msiexec.exe Token: SeTakeOwnershipPrivilege 4412 msiexec.exe Token: SeLoadDriverPrivilege 4412 msiexec.exe Token: SeSystemProfilePrivilege 4412 msiexec.exe Token: SeSystemtimePrivilege 4412 msiexec.exe Token: SeProfSingleProcessPrivilege 4412 msiexec.exe Token: SeIncBasePriorityPrivilege 4412 msiexec.exe Token: SeCreatePagefilePrivilege 4412 msiexec.exe Token: SeCreatePermanentPrivilege 4412 msiexec.exe Token: SeBackupPrivilege 4412 msiexec.exe Token: SeRestorePrivilege 4412 msiexec.exe Token: SeShutdownPrivilege 4412 msiexec.exe Token: SeDebugPrivilege 4412 msiexec.exe Token: SeAuditPrivilege 4412 msiexec.exe Token: SeSystemEnvironmentPrivilege 4412 msiexec.exe Token: SeChangeNotifyPrivilege 4412 msiexec.exe Token: SeRemoteShutdownPrivilege 4412 msiexec.exe Token: SeUndockPrivilege 4412 msiexec.exe Token: SeSyncAgentPrivilege 4412 msiexec.exe Token: SeEnableDelegationPrivilege 4412 msiexec.exe Token: SeManageVolumePrivilege 4412 msiexec.exe Token: SeImpersonatePrivilege 4412 msiexec.exe Token: SeCreateGlobalPrivilege 4412 msiexec.exe Token: SeRestorePrivilege 2124 msiexec.exe Token: SeTakeOwnershipPrivilege 2124 msiexec.exe Token: SeRestorePrivilege 2124 msiexec.exe Token: SeTakeOwnershipPrivilege 2124 msiexec.exe Token: SeRestorePrivilege 2124 msiexec.exe Token: SeTakeOwnershipPrivilege 2124 msiexec.exe Token: SeRestorePrivilege 2124 msiexec.exe Token: SeTakeOwnershipPrivilege 2124 msiexec.exe Token: SeRestorePrivilege 2124 msiexec.exe Token: SeTakeOwnershipPrivilege 2124 msiexec.exe Token: SeRestorePrivilege 2124 msiexec.exe Token: SeTakeOwnershipPrivilege 2124 msiexec.exe Token: SeRestorePrivilege 2124 msiexec.exe Token: SeTakeOwnershipPrivilege 2124 msiexec.exe -
Suspicious use of FindShellTrayWindow 1 IoCs
pid Process 4412 msiexec.exe -
Suspicious use of WriteProcessMemory 3 IoCs
description pid Process procid_target PID 2124 wrote to memory of 3412 2124 msiexec.exe 86 PID 2124 wrote to memory of 3412 2124 msiexec.exe 86 PID 2124 wrote to memory of 3412 2124 msiexec.exe 86
Processes
-
C:\Windows\system32\msiexec.exemsiexec.exe /I C:\Users\Admin\AppData\Local\Temp\00F1S56789S0W1PAGO198CCS716.msi1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4412
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2124 -
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 491BCBA89D56F4926321C0C3E5041AF32⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:3412
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
381KB
MD5d90ab57e6c584f90fbbea74b566216e3
SHA14616e59aed33848f5870e5e1fe865f932721a162
SHA25644ffc4959be0ddb18b02d59c75e78e3e721992e362a2f90cae19adb3271886b9
SHA5125b13fe1e34f4ec05ccacaf57fc67f49993e5d950e5396e715686749ddae0b18d5f2d70b3cd3a9ada3389db269213e915f19fd10a54330eaecd765475844e6695
-
Filesize
381KB
MD5d90ab57e6c584f90fbbea74b566216e3
SHA14616e59aed33848f5870e5e1fe865f932721a162
SHA25644ffc4959be0ddb18b02d59c75e78e3e721992e362a2f90cae19adb3271886b9
SHA5125b13fe1e34f4ec05ccacaf57fc67f49993e5d950e5396e715686749ddae0b18d5f2d70b3cd3a9ada3389db269213e915f19fd10a54330eaecd765475844e6695
-
Filesize
381KB
MD5d90ab57e6c584f90fbbea74b566216e3
SHA14616e59aed33848f5870e5e1fe865f932721a162
SHA25644ffc4959be0ddb18b02d59c75e78e3e721992e362a2f90cae19adb3271886b9
SHA5125b13fe1e34f4ec05ccacaf57fc67f49993e5d950e5396e715686749ddae0b18d5f2d70b3cd3a9ada3389db269213e915f19fd10a54330eaecd765475844e6695
-
Filesize
381KB
MD5d90ab57e6c584f90fbbea74b566216e3
SHA14616e59aed33848f5870e5e1fe865f932721a162
SHA25644ffc4959be0ddb18b02d59c75e78e3e721992e362a2f90cae19adb3271886b9
SHA5125b13fe1e34f4ec05ccacaf57fc67f49993e5d950e5396e715686749ddae0b18d5f2d70b3cd3a9ada3389db269213e915f19fd10a54330eaecd765475844e6695
-
Filesize
381KB
MD5d90ab57e6c584f90fbbea74b566216e3
SHA14616e59aed33848f5870e5e1fe865f932721a162
SHA25644ffc4959be0ddb18b02d59c75e78e3e721992e362a2f90cae19adb3271886b9
SHA5125b13fe1e34f4ec05ccacaf57fc67f49993e5d950e5396e715686749ddae0b18d5f2d70b3cd3a9ada3389db269213e915f19fd10a54330eaecd765475844e6695
-
Filesize
381KB
MD5d90ab57e6c584f90fbbea74b566216e3
SHA14616e59aed33848f5870e5e1fe865f932721a162
SHA25644ffc4959be0ddb18b02d59c75e78e3e721992e362a2f90cae19adb3271886b9
SHA5125b13fe1e34f4ec05ccacaf57fc67f49993e5d950e5396e715686749ddae0b18d5f2d70b3cd3a9ada3389db269213e915f19fd10a54330eaecd765475844e6695
-
Filesize
381KB
MD5d90ab57e6c584f90fbbea74b566216e3
SHA14616e59aed33848f5870e5e1fe865f932721a162
SHA25644ffc4959be0ddb18b02d59c75e78e3e721992e362a2f90cae19adb3271886b9
SHA5125b13fe1e34f4ec05ccacaf57fc67f49993e5d950e5396e715686749ddae0b18d5f2d70b3cd3a9ada3389db269213e915f19fd10a54330eaecd765475844e6695
-
Filesize
381KB
MD5d90ab57e6c584f90fbbea74b566216e3
SHA14616e59aed33848f5870e5e1fe865f932721a162
SHA25644ffc4959be0ddb18b02d59c75e78e3e721992e362a2f90cae19adb3271886b9
SHA5125b13fe1e34f4ec05ccacaf57fc67f49993e5d950e5396e715686749ddae0b18d5f2d70b3cd3a9ada3389db269213e915f19fd10a54330eaecd765475844e6695
-
Filesize
5.1MB
MD520aac6e06ef35f87a345fb4b47d4d8ab
SHA18821f188591a4be0dd48a0dbec087586474d1d90
SHA25602db56648dcefdbe8ed8801f52372370982b3be5660007012f96884db5c4eef7
SHA51267634c81032c345667fe67234747f423d8dc28b91db109e1ca2370bb413eca6f7a4ff54d645251b457a197f42709958367aea6f3ce93220068ae5bc59de98ec6
-
Filesize
5.1MB
MD520aac6e06ef35f87a345fb4b47d4d8ab
SHA18821f188591a4be0dd48a0dbec087586474d1d90
SHA25602db56648dcefdbe8ed8801f52372370982b3be5660007012f96884db5c4eef7
SHA51267634c81032c345667fe67234747f423d8dc28b91db109e1ca2370bb413eca6f7a4ff54d645251b457a197f42709958367aea6f3ce93220068ae5bc59de98ec6
-
Filesize
5.1MB
MD520aac6e06ef35f87a345fb4b47d4d8ab
SHA18821f188591a4be0dd48a0dbec087586474d1d90
SHA25602db56648dcefdbe8ed8801f52372370982b3be5660007012f96884db5c4eef7
SHA51267634c81032c345667fe67234747f423d8dc28b91db109e1ca2370bb413eca6f7a4ff54d645251b457a197f42709958367aea6f3ce93220068ae5bc59de98ec6