Analysis
- max time kernel: 143s
- max time network: 182s
- platform: windows10-2004_x64
- resource: win10v2004-20221111-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 22/11/2022, 02:22
Static task
- static1
Behavioral task
- behavioral1
  - Sample: first_penetration_hymen_after_school_torn_vagina_photo.msi
  - Resource: win7-20220812-en
Behavioral task
- behavioral2
  - Sample: first_penetration_hymen_after_school_torn_vagina_photo.msi
  - Resource: win10v2004-20221111-en
General
- Target: first_penetration_hymen_after_school_torn_vagina_photo.msi
- Size: 493.7MB
- MD5: f30e0a07ab31aa82a9014d8626aa69a4
- SHA1: 01da449c5ad5ff2ee9809a6ca45ef768805df7c0
- SHA256: 72b098b0759c48d9a26366813435366cc4cb1d3017fe5952c3c5443d7372ec00
- SHA512: bc8d013135d65a79160a99c28fadce46279f216520ec2662afafd3d686d50e99d6e4ac5d95cbd33e438e11cb18116379dc8c2931f08abae67b7b6c2917acf5d4
- SSDEEP: 24576:ckqW3m8d0IWpxnKrxLWg3sz88e7fh498+txBxotbD7+eoYBsQ0kaJFub7e:lvm89pHrh49ZtaJPzB29FQ7e
Malware Config
Signatures
- Blocklisted process makes network request (1 IoC)
  flow  pid   Process
  43    1084  msiexec.exe
- Loads dropped DLL (2 IoCs)
  pid   Process
  4536  MsiExec.exe
  4536  MsiExec.exe
- Enumerates connected drives (3 TTPs, 48 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  description: File opened (read-only)   Process: msiexec.exe (all 48 entries)
  ioc (in report order): \??\O:, \??\L:, \??\P:, \??\X:, \??\Z:, \??\G:, \??\K:, \??\I:, \??\K:, \??\Z:, \??\F:, \??\T:, \??\U:, \??\R:, \??\S:, \??\Q:, \??\U:, \??\W:, \??\J:, \??\M:, \??\Y:, \??\J:, \??\M:, \??\O:, \??\B:, \??\I:, \??\Y:, \??\R:, \??\V:, \??\T:, \??\A:, \??\B:, \??\H:, \??\N:, \??\S:, \??\E:, \??\N:, \??\W:, \??\Q:, \??\E:, \??\A:, \??\H:, \??\P:, \??\V:, \??\X:, \??\G:, \??\F:, \??\L:
- Drops file in Windows directory (4 IoCs)
  description                   ioc                                                        Process
  File created                  C:\Windows\Installer\e57058e.msi                           msiexec.exe
  File opened for modification  C:\Windows\Installer\e57058e.msi                           msiexec.exe
  File opened for modification  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log   msiexec.exe
  File opened for modification  C:\Windows\Installer\MSI4C8A.tmp                           msiexec.exe
- Suspicious behavior: EnumeratesProcesses (3 IoCs)
  pid   Process
  2088  msiexec.exe
  2088  msiexec.exe
  2088  msiexec.exe
- Suspicious use of AdjustPrivilegeToken (36 IoCs)
  description                           pid   Process
  Token: SeShutdownPrivilege            1084  msiexec.exe
  Token: SeIncreaseQuotaPrivilege       1084  msiexec.exe
  Token: SeSecurityPrivilege            2088  msiexec.exe
  Token: SeCreateTokenPrivilege         1084  msiexec.exe
  Token: SeAssignPrimaryTokenPrivilege  1084  msiexec.exe
  Token: SeLockMemoryPrivilege          1084  msiexec.exe
  Token: SeIncreaseQuotaPrivilege       1084  msiexec.exe
  Token: SeMachineAccountPrivilege      1084  msiexec.exe
  Token: SeTcbPrivilege                 1084  msiexec.exe
  Token: SeSecurityPrivilege            1084  msiexec.exe
  Token: SeTakeOwnershipPrivilege       1084  msiexec.exe
  Token: SeLoadDriverPrivilege          1084  msiexec.exe
  Token: SeSystemProfilePrivilege       1084  msiexec.exe
  Token: SeSystemtimePrivilege          1084  msiexec.exe
  Token: SeProfSingleProcessPrivilege   1084  msiexec.exe
  Token: SeIncBasePriorityPrivilege     1084  msiexec.exe
  Token: SeCreatePagefilePrivilege      1084  msiexec.exe
  Token: SeCreatePermanentPrivilege     1084  msiexec.exe
  Token: SeBackupPrivilege              1084  msiexec.exe
  Token: SeRestorePrivilege             1084  msiexec.exe
  Token: SeShutdownPrivilege            1084  msiexec.exe
  Token: SeDebugPrivilege               1084  msiexec.exe
  Token: SeAuditPrivilege               1084  msiexec.exe
  Token: SeSystemEnvironmentPrivilege   1084  msiexec.exe
  Token: SeChangeNotifyPrivilege        1084  msiexec.exe
  Token: SeRemoteShutdownPrivilege      1084  msiexec.exe
  Token: SeUndockPrivilege              1084  msiexec.exe
  Token: SeSyncAgentPrivilege           1084  msiexec.exe
  Token: SeEnableDelegationPrivilege    1084  msiexec.exe
  Token: SeManageVolumePrivilege        1084  msiexec.exe
  Token: SeImpersonatePrivilege         1084  msiexec.exe
  Token: SeCreateGlobalPrivilege        1084  msiexec.exe
  Token: SeRestorePrivilege             2088  msiexec.exe
  Token: SeTakeOwnershipPrivilege       2088  msiexec.exe
  Token: SeRestorePrivilege             2088  msiexec.exe
  Token: SeTakeOwnershipPrivilege       2088  msiexec.exe
- Suspicious use of FindShellTrayWindow (2 IoCs)
  pid   Process
  1084  msiexec.exe
  1084  msiexec.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  description                         pid   Process      procid_target
  PID 2088 wrote to memory of 4536    2088  msiexec.exe  87
  PID 2088 wrote to memory of 4536    2088  msiexec.exe  87
  PID 2088 wrote to memory of 4536    2088  msiexec.exe  87
Processes
- C:\Windows\system32\msiexec.exe
  Command line: msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\first_penetration_hymen_after_school_torn_vagina_photo.msi
  PID: 1084
  - Blocklisted process makes network request
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
- C:\Windows\system32\msiexec.exe
  Command line: C:\Windows\system32\msiexec.exe /V
  PID: 2088
  - Enumerates connected drives
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\syswow64\MsiExec.exe (child of PID 2088)
    Command line: C:\Windows\syswow64\MsiExec.exe -Embedding 99349762F7E9FACAF5F105430BE05411
    PID: 4536
    - Loads dropped DLL
Network
MITRE ATT&CK Enterprise v6
Downloads