Analysis
- max time kernel: 47s
- max time network: 52s
- platform: windows7_x64
- resource: win7-20220901-en
- resource tags: arch:x64, arch:x86, image:win7-20220901-en, locale:en-us, os:windows7-x64, system
- submitted: 04/12/2022, 05:54
Static task: static1
Behavioral task: behavioral1
- Sample: c15f31f77003ec2d15b15fb07a900d30ec56cebcdf8b0cb3096f9e3621d73c17.exe
- Resource: win7-20220901-en
Behavioral task: behavioral2
- Sample: c15f31f77003ec2d15b15fb07a900d30ec56cebcdf8b0cb3096f9e3621d73c17.exe
- Resource: win10v2004-20220812-en
General
- Target: c15f31f77003ec2d15b15fb07a900d30ec56cebcdf8b0cb3096f9e3621d73c17.exe
- Size: 899KB
- MD5: 0117a8ecab6bbf11ec6bef9204dad2b9
- SHA1: 91fc83ef9c684c53fc8071d8317a91abde01a716
- SHA256: c15f31f77003ec2d15b15fb07a900d30ec56cebcdf8b0cb3096f9e3621d73c17
- SHA512: fc403a97109dccf3c7cf125885bf2725f41ab7f82547593b2e307d77258e8dbc006b70c6807b040abe67949794f5912dd239652d80ee3feff3361c067c88a533
- SSDEEP: 6144:DtxgWaPErldXCfsn3LFlMiUKvy78gpQ0Ob:hGWgeAfsngiUAyAgpQl
Signatures
- Loads dropped DLL (2 IoCs)
  pid   process
  924   MsiExec.exe
  924   MsiExec.exe
- Enumerates connected drives (3 TTPs, 48 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
- Drops file in Windows directory (7 IoCs)
  description                    ioc                                   process
  File created                   C:\Windows\Installer\6c75cd.msi       msiexec.exe
  File opened for modification   C:\Windows\Installer\6c75cd.msi       msiexec.exe
  File opened for modification   C:\Windows\Installer\MSI76A7.tmp      msiexec.exe
  File opened for modification   C:\Windows\Installer\MSI77FF.tmp      msiexec.exe
  File opened for modification   C:\Windows\INF\setupapi.ev3           DrvInst.exe
  File opened for modification   C:\Windows\INF\setupapi.ev1           DrvInst.exe
  File opened for modification   C:\Windows\INF\setupapi.dev.log       DrvInst.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Modifies data under HKEY_USERS (43 IoCs)
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid    process
  1584   msiexec.exe
  1584   msiexec.exe
- Suspicious use of AdjustPrivilegeToken (55 IoCs)
- Suspicious use of FindShellTrayWindow (1 IoCs)
  pid    process
  2036   msiexec.exe
- Suspicious use of WriteProcessMemory (18 IoCs)
Processes
- C:\Users\Admin\AppData\Local\Temp\c15f31f77003ec2d15b15fb07a900d30ec56cebcdf8b0cb3096f9e3621d73c17.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\c15f31f77003ec2d15b15fb07a900d30ec56cebcdf8b0cb3096f9e3621d73c17.exe"
  PID: 948
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe
    Command line: cmd.exe /c C:\Users\Admin\AppData\Local\Temp\~F114.bat "C:\Users\Admin\AppData\Local\Temp\c15f31f77003ec2d15b15fb07a900d30ec56cebcdf8b0cb3096f9e3621d73c17.exe"
    PID: 1692
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\msiexec.exe
      Command line: "C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\AppData\Local\setup.msi"
      PID: 2036
      - Enumerates connected drives
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of FindShellTrayWindow
- C:\Windows\system32\msiexec.exe
  Command line: C:\Windows\system32\msiexec.exe /V
  PID: 1584
  - Enumerates connected drives
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\syswow64\MsiExec.exe
    Command line: C:\Windows\syswow64\MsiExec.exe -Embedding 5EA7998581C2005F15B686E99629DCDD
    PID: 924
    - Loads dropped DLL
- C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  PID: 1884
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\DrvInst.exe
  Command line: DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000002AC" "0000000000000554"
  PID: 1916
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
Downloads
- Filesize: 1KB
  MD5: 318c61d90d45dbdc39544981dbc74149
  SHA1: bc14826355c15020f9401b4b8bf066dea2ebe531
  SHA256: 9365a1b8a8843876ec8a1b433769c2f455a5d9aac190d12b270c7cb40d3aa0fe
  SHA512: ca71754570ed6503d371740ff5d95c4d34677cbfde7d139ad9369154b761e70ebb98a5dfaaf4d3279e8d379c191d5a9a8c39843ac3e36f7a01244877019d5c12
- Filesize: 804KB
  MD5: 7f7072b4322fccc3b4518932df235fb7
  SHA1: d4fe2123f9494b34f8ea81228ca698b119fcc0a0
  SHA256: 838c1a9488d3c80308404595bd3a1b3fe1527d1acb89ce496f9f856749ea5033
  SHA512: 2837ec0ab064bba210e6fb2b7c1464468eff64537db74b76fcaf52fb1517dbbad3914320ca14795579c25d889ebf9f07e0350819ca281cc83d56c2a2aaf9e1fa
- Filesize: 48KB
  MD5: 9067aad412defc0d2888479609041392
  SHA1: 36cfffc3bafeb24f88ad5886ca5787ca008b6ba9
  SHA256: 99f4e00b6908057a2fe5067ff6c8b6e32b5c07558ab79139dc4b998f1da4b517
  SHA512: e69f259d78b02e6c1a5d9c45898b59372329a5288fff655dd741353f112b2b8eed18b01caa2bf312a91f5e314e1c0b036321b37c8efbebdcf3650ba6b12dee6a