Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
- max time kernel: 1196s
- max time network: 1200s
- platform: windows7_x64
- resource: win7-20221111-en
- resource tags: arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
- submitted: 20/12/2022, 14:06
Static task: static1
Behavioral task behavioral1: sample ke.msi on resource win7-20221111-en
Behavioral task behavioral2: sample ke.msi on resource win10-20220812-en
General
- Target: ke.msi
- Size: 36KB
- MD5: c0de445dfe49d2932cc7a55e81b06a38
- SHA1: 96738932eceae5ca5196401c059532024fce9d56
- SHA256: 0d604def7d8c28469c49fa5d12a8deddb56ebbdf03fb4de5b31484b6a4ace3a0
- SHA512: 5ad5bf1ce13b6e8f9972d8801a084ad490efda8580d9b103640edbe34cf166d7ffab294f2c38e91340c30235b84e076490a01379873a3b41601e67e395ff28ba
- SSDEEP: 384:0mcA5s8B88y+J4Hby3M5koXbGWv3m8V4x5Pey3M5sC0Loj8H:ro+uWMxGIweWMmC
Malware Config
Signatures
-
Blocklisted process makes network request (54 IoCs)
flow | pid | Process
- flows 4, 7, 10, 13, 16, 19, 22, 25, 28, 31, 34, 37, 40, 42, 43, 44, 46 through 76, 78 through 83 (53 flows) | 584 | msiexec.exe
- flow 39 | 1036 | wscript.exe
Note: 53 of the 54 flows are attributed to PID 584, the Windows Installer service instance (msiexec.exe /V) that executes the package's custom actions, not to a dropped binary. The single flow from wscript.exe belongs to the index.js script host (PID 1036).
-
Executes dropped EXE (1 IoC)
pid | Process
- 2008 | i_view32.exe
-
Drops startup file (1 IoC)
description | ioc | Process
- File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Terminal App Service.lnk | msiexec.exe
Note: a shortcut in the per-user Startup folder is launched at every logon of that user. Its name matches "Terminal App Service.vbs", the script PID 1732 is started with, so the shortcut presumably targets that script; the report does not show the .lnk target.
-
Enumerates connected drives (3 TTPs, 48 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
- File opened (read-only) | \??\A: through \??\Z:, every letter except C: and D:, each root opened twice (48 opens in total) | msiexec.exe
Note: all 48 opens come from the installer service process, not from the dropped scripts or i_view32.exe, so on its own this signature says little about the payload.
-
Drops file in Windows directory (18 IoCs)
description | ioc | Process
- File opened for modification | C:\Windows\Installer\6c61c1.ipi | msiexec.exe
- File opened for modification | C:\Windows\Installer\MSIA75B.tmp | msiexec.exe
- File created | C:\Windows\Installer\6c61c5.ipi | msiexec.exe
- File opened for modification | C:\Windows\Installer\MSIE3B0.tmp | msiexec.exe
- File created | C:\Windows\Installer\6c61c9.ipi | msiexec.exe
- File opened for modification | C:\Windows\INF\setupapi.ev3 | DrvInst.exe
- File opened for modification | C:\Windows\INF\setupapi.dev.log | DrvInst.exe
- File opened for modification | C:\Windows\Installer\MSI63A4.tmp | msiexec.exe
- File opened for modification | C:\Windows\Installer\MSI18D6.tmp | msiexec.exe
- File opened for modification | C:\Windows\Installer\6c61c0.msi | msiexec.exe
- File opened for modification | C:\Windows\Installer\ | msiexec.exe
- File created | C:\Windows\Installer\6c61c3.msi | msiexec.exe
- File created | C:\Windows\Installer\6c61c7.msi | msiexec.exe
- File opened for modification | C:\Windows\Installer\6c61c5.ipi | msiexec.exe
- File opened for modification | C:\Windows\Installer\6c61c9.ipi | msiexec.exe
- File opened for modification | C:\Windows\INF\setupapi.ev1 | DrvInst.exe
- File created | C:\Windows\Installer\6c61c0.msi | msiexec.exe
- File created | C:\Windows\Installer\6c61c1.ipi | msiexec.exe
Note: the .msi files under C:\Windows\Installer are Windows Installer's cached copies of the package; on a compromised host they are where an analyst can recover the original MSI even after the WMIC uninstall seen in the process tree.
-
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Note: this is the sandbox's generic description. In this run the storage interaction is vssvc.exe and DrvInst.exe handling a VolumeSnapshot device (see the DrvInst.exe command line in the process tree), which is consistent with the installer creating a system restore point; the report shows no file encryption or ransom note, so do not read this signature as ransomware evidence on its own.
-
Modifies data under HKEY_USERS (44 IoCs)
description | ioc | Process
- Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | DrvInst.exe
- Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs | DrvInst.exe
- Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs | DrvInst.exe
- Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs | DrvInst.exe
- Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs | DrvInst.exe
- Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates | DrvInst.exe
- Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs | DrvInst.exe
- Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs | DrvInst.exe
- Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | DrvInst.exe
- Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates | DrvInst.exe
- Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | DrvInst.exe
- Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates | DrvInst.exe
- Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | DrvInst.exe
- Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | DrvInst.exe
- Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | DrvInst.exe
- Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs | DrvInst.exe
- Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs | DrvInst.exe
- Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs | DrvInst.exe
- Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 (UTF-16LE multi-string "en-US", "en") | DrvInst.exe
- Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates | DrvInst.exe
- Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | DrvInst.exe
- Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs | DrvInst.exe
- Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | DrvInst.exe
- Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | DrvInst.exe
- Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | DrvInst.exe
- Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs | DrvInst.exe
- Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs | DrvInst.exe
- Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs | DrvInst.exe
- Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | DrvInst.exe
- Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates | DrvInst.exe
- Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My | DrvInst.exe
- Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | DrvInst.exe
- Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | DrvInst.exe
- Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates | DrvInst.exe
- Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates | DrvInst.exe
- Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | DrvInst.exe
- Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | DrvInst.exe
- Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | DrvInst.exe
- Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | DrvInst.exe
- Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs | DrvInst.exe
- Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad | msiexec.exe
- Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates | DrvInst.exe
- Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs | DrvInst.exe
- Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs | DrvInst.exe
Note: 43 of the 44 entries are DrvInst.exe (the driver installer started for the snapshot volume) initialising empty certificate-store keys under the .DEFAULT hive, a side effect of its signature verification rather than activity of the sample. The one msiexec.exe entry, the Internet Settings\Wpad key, is created by proxy auto-discovery and fits the network requests attributed to PID 584.
-
Suspicious behavior: EnumeratesProcesses (6 IoCs)
pid | Process
- 584 | msiexec.exe (6 entries)
-
Suspicious use of AdjustPrivilegeToken (64 IoCs)
description | pid | Process
- pid 1668 msiexec.exe (31 entries, in order): SeShutdownPrivilege, SeIncreaseQuotaPrivilege, SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege, SeIncreaseQuotaPrivilege, SeMachineAccountPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeSyncAgentPrivilege, SeEnableDelegationPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
- pid 584 msiexec.exe (20 entries): SeRestorePrivilege, SeTakeOwnershipPrivilege, SeSecurityPrivilege, then SeBackupPrivilege, SeRestorePrivilege, then SeRestorePrivilege and SeTakeOwnershipPrivilege alternating (totals: SeRestorePrivilege x10, SeTakeOwnershipPrivilege x8, SeSecurityPrivilege x1, SeBackupPrivilege x1)
- pid 1916 vssvc.exe (3 entries): SeBackupPrivilege, SeRestorePrivilege, SeAuditPrivilege
- pid 1644 DrvInst.exe (10 entries): SeRestorePrivilege x7, SeLoadDriverPrivilege x3
-
Suspicious use of FindShellTrayWindow (2 IoCs)
pid | Process
- 1668 | msiexec.exe (2 entries)
-
Suspicious use of WriteProcessMemory (16 IoCs)
description | pid | Process | procid_target
- PID 584 wrote to memory of 1732 | 584 | msiexec.exe | 32 (3 entries)
- PID 584 wrote to memory of 1708 | 584 | msiexec.exe | 35 (3 entries)
- PID 584 wrote to memory of 1036 | 584 | msiexec.exe | 34 (3 entries)
- PID 1708 wrote to memory of 2008 | 1708 | wscript.exe | 36 (4 entries)
- PID 1708 wrote to memory of 1916 | 1708 | wscript.exe | 38 (3 entries)
Processes
-
C:\Windows\system32\msiexec.exe (PID 1668)
  Command line: msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\ke.msi
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
-
C:\Windows\system32\msiexec.exe (PID 584)
  Command line: C:\Windows\system32\msiexec.exe /V
  - Blocklisted process makes network request
  - Drops startup file
  - Enumerates connected drives
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  Children:
    C:\Windows\system32\wscript.exe (PID 1732)
      Command line: "wscript.exe" "Terminal App Service.vbs"
    C:\Windows\system32\wscript.exe (PID 1036)
      Command line: "wscript.exe" "index.js"
      - Blocklisted process makes network request
    C:\Windows\system32\wscript.exe (PID 1708)
      Command line: "wscript.exe" "app.js"
      - Suspicious use of WriteProcessMemory
      Children:
        C:\ProgramData\Dored\i_view32.exe (PID 2008)
          Command line: "C:\ProgramData\Dored\i_view32.exe" /capture /convert=skev.jpg
          - Executes dropped EXE
        C:\Windows\System32\wbem\WMIC.exe (PID 1916)
          Command line: "C:\Windows\System32\wbem\WMIC.exe" product where name='FLibrary' call uninstall /nointeractive
-
C:\Windows\system32\vssvc.exe (PID 1916)
  Command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\DrvInst.exe (PID 1644)
  Command line: DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000004E8" "0000000000000328"
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
-
Reading the tree: PID 1668 is the user-launched installer client; PID 584 is the Windows Installer service (msiexec.exe /V), which runs the package's custom actions and starts three script hosts directly. Two of the scripts are JavaScript run by wscript.exe, not a browser. app.js (PID 1708) launches an executable dropped to C:\ProgramData\Dored; its name and the /capture and /convert=skev.jpg switches match IrfanView's 32-bit binary and its screen-capture and conversion options, i.e. a screenshot written to skev.jpg, although the report identifies the binary only by name. The same script then asks Windows Installer through WMIC to uninstall the product named 'FLibrary' (presumably the name this MSI registered under), removing the package from the installed-programs list once the scripts and the shortcut in the Startup folder are in place. The report lists PID 1916 for both WMIC.exe and vssvc.exe; Windows reuses PIDs once a process exits, so these are two different processes.
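The behaviour chain above (installer service spawning script hosts, a script host running an EXE from C:\ProgramData, a WMIC product uninstall, a .lnk in the Startup folder) and the drive-root enumeration flagged under Signatures can be expressed as triage rules over endpoint telemetry. The Python below is an added example, not tria.ge code and not from the sample: its events are constructed to mirror this report (PIDs, images and command lines from the page), while the parent processes of the two msiexec.exe instances, the benign control process (PID 3000) and the second file-create entry are assumptions for illustration.

```python
"""Triage rules for the behaviours in this report (added example, not tria.ge code).

Events are constructed to mirror the report's process tree and signatures.
Assumed for illustration: the parents of the two msiexec.exe instances, the
benign control process (PID 3000) and the C:\\Windows\\Installer file-create.
"""
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:          # shaped like a Sysmon process-creation record
    pid: int
    image: str
    cmdline: str
    ppid: int
    parent_image: str


PROCESS_EVENTS = [
    ProcEvent(1668, r"C:\Windows\system32\msiexec.exe",
              r"msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\ke.msi",
              1200, r"C:\Windows\explorer.exe"),            # parent assumed
    ProcEvent(584, r"C:\Windows\system32\msiexec.exe",
              r"C:\Windows\system32\msiexec.exe /V",
              480, r"C:\Windows\system32\services.exe"),    # parent assumed
    ProcEvent(1732, r"C:\Windows\system32\wscript.exe",
              '"wscript.exe" "Terminal App Service.vbs"', 584, r"C:\Windows\system32\msiexec.exe"),
    ProcEvent(1036, r"C:\Windows\system32\wscript.exe",
              '"wscript.exe" "index.js"', 584, r"C:\Windows\system32\msiexec.exe"),
    ProcEvent(1708, r"C:\Windows\system32\wscript.exe",
              '"wscript.exe" "app.js"', 584, r"C:\Windows\system32\msiexec.exe"),
    ProcEvent(2008, r"C:\ProgramData\Dored\i_view32.exe",
              r'"C:\ProgramData\Dored\i_view32.exe" /capture /convert=skev.jpg',
              1708, r"C:\Windows\system32\wscript.exe"),
    ProcEvent(1916, r"C:\Windows\System32\wbem\WMIC.exe",
              "\"C:\\Windows\\System32\\wbem\\WMIC.exe\" product where name='FLibrary' "
              "call uninstall /nointeractive", 1708, r"C:\Windows\system32\wscript.exe"),
    # Benign control (assumed): a custom action running a tool from Program Files.
    ProcEvent(3000, r"C:\Program Files\Vendor\helper.exe",
              r'"C:\Program Files\Vendor\helper.exe" /quiet', 584, r"C:\Windows\system32\msiexec.exe"),
]

# Constructed file-open events (pid, image, path): the report shows msiexec.exe
# opening every drive root except C: and D:, each twice; i_view32.exe is a control.
FILE_OPENS = [(584, "msiexec.exe", f"\\??\\{chr(c)}:")
              for c in range(ord("A"), ord("Z") + 1) if chr(c) not in "CD"] * 2
FILE_OPENS += [(2008, "i_view32.exe", r"\??\C:"),
               (2008, "i_view32.exe", r"\??\C:\ProgramData\Dored\skev.jpg")]

# Constructed file-create events (pid, image, path); the .lnk path is the one on the page.
FILE_CREATES = [
    (584, "msiexec.exe", r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Terminal App Service.lnk"),
    (584, "msiexec.exe", r"C:\Windows\Installer\6c61c0.msi"),   # assumed, benign cache write
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
USER_WRITABLE = ("c:\\programdata\\", "c:\\users\\")
DRIVE_ROOT = re.compile(r"^\\\?\?\\([A-Z]):$", re.I)
STARTUP_LNK = re.compile(r"\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\[^\\]+\.lnk$", re.I)
WMIC_UNINSTALL = re.compile(r"\bproduct\b.*\bcall\s+uninstall\b", re.I)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def suspicious_chains(events):
    """(rule, pid) for each process-creation event matching the chain in this report."""
    hits = []
    for e in events:
        img, parent = basename(e.image), basename(e.parent_image)
        if parent == "msiexec.exe" and img in SCRIPT_HOSTS:
            hits.append(("msi_spawns_script_host", e.pid))
        if parent in SCRIPT_HOSTS and e.image.lower().startswith(USER_WRITABLE):
            hits.append(("script_host_runs_exe_from_user_writable_path", e.pid))
        if img == "wmic.exe" and WMIC_UNINSTALL.search(e.cmdline):
            hits.append(("wmic_product_uninstall", e.pid))
    return hits


def drive_enumeration(file_opens, min_roots=5):
    """Processes opening at least min_roots distinct drive roots other than C:."""
    roots = defaultdict(set)
    for pid, image, path in file_opens:
        m = DRIVE_ROOT.match(path)
        if m and m.group(1).upper() != "C":
            roots[(pid, image)].add(m.group(1).upper())
    return {k: len(v) for k, v in roots.items() if len(v) >= min_roots}


def startup_persistence(file_creates):
    """(pid, path) for every .lnk written into a user's Startup folder."""
    return [(pid, path) for pid, _img, path in file_creates if STARTUP_LNK.search(path)]


def triage(procs=PROCESS_EVENTS, opens=FILE_OPENS, creates=FILE_CREATES):
    return {"chains": suspicious_chains(procs),
            "drive_enum": drive_enumeration(opens),
            "startup": startup_persistence(creates)}


if __name__ == "__main__":
    for rule, result in triage().items():
        print(rule, result)
```

The drive-root rule deliberately thresholds on distinct roots rather than raw opens, since the report shows each root opened twice and the sandbox counts 48 IoCs for what is 24 distinct volumes; the chain rules key on parent image rather than PID because the report itself reuses PID 1916 for two processes.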
Network
MITRE ATT&CK Enterprise v6
Downloads
-
Filesize: 262B
- MD5: 323b8e4888440687ec3a20708b52760c
- SHA1: aeb7051bb3bb7b1ed73d7f58fb2b279863cbc785
- SHA256: 27217d815fc504f6cb9d531028da2f058eb5ac4782e952290c19aacfaa1459da
- SHA512: 36ea0ec78b54c84a284496ac25499c41554422674bcbf093e5d489da974266441948a8dffaba9393d55cdb22544a4f67166bbebbdc788ab48e082e7588f35eb6
-
Filesize: 211B
- MD5: 89e320093ce9d3a9e61e58c1121b76e7
- SHA1: a83783769a0a36d7560e4596aa53c3422c41ec88
- SHA256: 5496156c5c7d349f998d470231410b5ecfc62dd245eb686a8e77f5f40a28cac7
- SHA512: 403522e9b6a3058a12604c225f150f55a44034908b8ca32d534764717eb351db9252fab1ef7f5892d453a9c750b1b10afa8797df0c110adfb5b6ff9d5f48b9d3
-
Filesize: 1.9MB
- MD5: b103655d23aab7ff124de7ea4fbc2361
- SHA1: 904bf233b9070af245f4dbcae11828615ef8715b
- SHA256: 6e53a93fc2968d90891db6059bac49e975c09546e19a54f1f93fb01a21318fdc
- SHA512: fda0e3855522039d3b56e15b169b4c634672ca181ced78a479b6723c22ce889308db55aa1ea58fa8cb01ed1657fddc52a2c45d904c6eb5b852a171bcba310a52
-
Filesize: 1.9MB
- MD5: b103655d23aab7ff124de7ea4fbc2361
- SHA1: 904bf233b9070af245f4dbcae11828615ef8715b
- SHA256: 6e53a93fc2968d90891db6059bac49e975c09546e19a54f1f93fb01a21318fdc
- SHA512: fda0e3855522039d3b56e15b169b4c634672ca181ced78a479b6723c22ce889308db55aa1ea58fa8cb01ed1657fddc52a2c45d904c6eb5b852a171bcba310a52
-
Filesize: 742B
- MD5: 44839c07923d8a37f49782e6a2567950
- SHA1: 21e6e88de9b6efa47b0dc137ae942bdb6b113192
- SHA256: ca830dabaa78487702826679e1d0caa7acb7ff2688537a2025aabb0b57fbd414
- SHA512: d6484cf875a8970ad8826ec522acc1015233180c416c701c5b0bca71f8a29da2bd85aba9010d3e05178b898e20c2e6c76cdeae97e5a2995f53946d8c5cbb5e0b
-
Filesize: 67KB
- MD5: a683de4d76dce4cae2920a657224497c
- SHA1: eaa7f4ffbfe343ca04a815ddfb82dcbdb2a30bfe
- SHA256: 32a74ef240ee29296581ea51a93ef1e0e53294075feb2dd297df7d53674aa77c
- SHA512: 13dd07dd42e74cfdbfb19c964a26c0cf6616984f5bc9edad57b00d9d4f0fe91c7e79085f05329ef1acb65050c632f9884b49c7595bb39a5ca7842ff4f5f4e209