Analysis
- max time kernel: 130s
- max time network: 157s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 04/02/2023, 20:20
Static task: static1
Behavioral task: behavioral1
- Sample: EpicInstaller-14.2.1.msi
- Resource: win7-20220812-en
Behavioral task: behavioral2
- Sample: EpicInstaller-14.2.1.msi
- Resource: win10v2004-20220812-en
General
- Target: EpicInstaller-14.2.1.msi
- Size: 152.5MB
- MD5: 353c216084477014c75d7d7545bd7353
- SHA1: 2b6ef6d830e7f0783eadb09d9b6134c91e0163c0
- SHA256: a60db9fc0b290f4bea8bc5729b6878d97392156979c1a47498bb27269e16915a
- SHA512: 83c0ccd20db7b6ddfeed821b763040dbff9b25549ed5d0bf292b7138e1db405432f7a6e7a45ba9c471af7ccef3ba65f43662cbd51b50225aa21e573176cef090
- SSDEEP: 3145728:2yQOdRG/1UZt0MKOC2HOfiLRNOIflCO6BKiew2WOMVweEL:lqUPrlHROcwO+5z2WOMG
Malware Config
Signatures
- Blocklisted process makes network request (4 IoCs)
  flow  pid   Process
  15    5000  msiexec.exe
  16    5000  msiexec.exe
  17    5000  msiexec.exe
  19    5000  msiexec.exe
- Loads dropped DLL (1 IoC)
  pid   Process
  844   MsiExec.exe
- Enumerates connected drives (3 TTPs, 48 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  description: File opened (read-only)  ioc: \??\<X>:  Process: msiexec.exe
  for every drive letter A: to Z: except C: and D: (24 letters); each letter appears twice in the report, giving the 48 entries.
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  description: Token: <privilege>  pid  Process
  pid 4252 msiexec.exe (1 entry): SeSecurityPrivilege
  pid 5000 msiexec.exe (63 entries, in report order):
    SeShutdownPrivilege, SeIncreaseQuotaPrivilege;
    then the following run of 29 privileges, listed twice in full:
    SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege, SeIncreaseQuotaPrivilege, SeMachineAccountPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeSyncAgentPrivilege, SeEnableDelegationPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege;
    then SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege (the listing stops at the 64-IoC cap).
- Suspicious use of FindShellTrayWindow (1 IoC)
  pid   Process
  5000  msiexec.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  description                         pid   Process      procid_target
  PID 4252 wrote to memory of 844     4252  msiexec.exe  82
  (the same entry is recorded three times)
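The two bulkiest signatures on this report, "Enumerates connected drives" and "Suspicious use of AdjustPrivilegeToken", arrive flattened into one run of text each, which makes their 48 and 64 IoC rows hard to read at a glance. The following Python is an added example written by the editor, not tria.ge code and not anything from the Epic installer, that parses rows in that shape and summarises them: which drive letters were opened and how often, and which privileges each PID enabled, with a hand-picked (editor's own, not a tria.ge list) set of sensitive privileges flagged. The sample rows are constructed excerpts in the report's format; fed the full rows from this report the same functions give 24 letters (A: to Z: minus C: and D:) each opened twice, and 63 privilege enables for PID 5000 plus one for PID 4252.

```python
"""Summarise flattened tria.ge signature rows for "Enumerates connected
drives" and "Suspicious use of AdjustPrivilegeToken".
Example code added by the editor, not tria.ge code."""
import re
import string
from collections import Counter, defaultdict

# Constructed excerpts in the shape the report's flattened rows take.  The
# real report has 48 drive rows and 64 token rows; these are a handful of them.
DRIVE_TEXT = (
    "description ioc Process "
    "File opened (read-only) \\??\\E: msiexec.exe "
    "File opened (read-only) \\??\\G: msiexec.exe "
    "File opened (read-only) \\??\\E: msiexec.exe "
    "File opened (read-only) \\??\\A: msiexec.exe "
    "File opened (read-only) \\??\\Z: msiexec.exe -"
)
TOKEN_TEXT = (
    "description pid Process "
    "Token: SeShutdownPrivilege 5000 msiexec.exe "
    "Token: SeIncreaseQuotaPrivilege 5000 msiexec.exe "
    "Token: SeSecurityPrivilege 4252 msiexec.exe "
    "Token: SeDebugPrivilege 5000 msiexec.exe "
    "Token: SeLoadDriverPrivilege 5000 msiexec.exe "
    "Token: SeDebugPrivilege 5000 msiexec.exe -"
)

# "File opened (read-only) \??\X: <process>"; the NT-style \??\ prefix is
# escaped for the regex engine.
DRIVE_RE = re.compile(r"File opened \(read-only\) \\\?\?\\([A-Z]): (\S+)")
# "Token: SeXxxPrivilege <pid> <process>"
TOKEN_RE = re.compile(r"Token: (Se\w+Privilege) (\d+) (\S+)")

# Privileges whose presence in an installer's token is worth a second look.
# This selection is the editor's assumption, not a tria.ge list.
SENSITIVE = {
    "SeDebugPrivilege", "SeTcbPrivilege", "SeLoadDriverPrivilege",
    "SeBackupPrivilege", "SeRestorePrivilege", "SeTakeOwnershipPrivilege",
    "SeImpersonatePrivilege", "SeAssignPrimaryTokenPrivilege",
}


def parse_drive_opens(text):
    """Return [(drive_letter, process), ...] in report order."""
    return DRIVE_RE.findall(text)


def summarize_drives(opens):
    """Count opens per drive letter and list letters never touched."""
    per_letter = Counter(letter for letter, _ in opens)
    return {
        "total": len(opens),
        "unique": sorted(per_letter),
        "repeated": {k: v for k, v in per_letter.items() if v > 1},
        "untouched": [c for c in string.ascii_uppercase if c not in per_letter],
    }


def parse_token_adjustments(text):
    """Return [(privilege, pid, process), ...] with pid as an int."""
    return [(priv, int(pid), proc) for priv, pid, proc in TOKEN_RE.findall(text)]


def summarize_privileges(rows):
    """Group privilege enables per pid: {pid: Counter({privilege: n})}."""
    per_pid = defaultdict(Counter)
    for priv, pid, _ in rows:
        per_pid[pid][priv] += 1
    return dict(per_pid)


def flag_sensitive(per_pid):
    """Return {pid: sorted sensitive privileges} for pids that enabled any."""
    hits = {}
    for pid, privs in per_pid.items():
        found = sorted(p for p in privs if p in SENSITIVE)
        if found:
            hits[pid] = found
    return hits


if __name__ == "__main__":
    drives = summarize_drives(parse_drive_opens(DRIVE_TEXT))
    print(f"drive opens: {drives['total']}, letters: {''.join(drives['unique'])}, "
          f"repeated: {drives['repeated']}")
    privs = summarize_privileges(parse_token_adjustments(TOKEN_TEXT))
    for pid, counter in sorted(privs.items()):
        print(f"pid {pid}: {sum(counter.values())} enables, "
              f"{len(counter)} distinct privileges")
    print("sensitive:", flag_sensitive(privs))
```

The Windows Installer service enabling a long run of privileges in its own token is expected behaviour for an MSI install, so the AdjustPrivilegeToken signature is weak evidence on its own; what the per-PID summary shows is which process did it and whether anything outside the usual run appears. Likewise the drive sweep here is msiexec probing for volumes, and the useful check is the shape of the list (every letter, each opened twice, nothing written) rather than the raw IoC count.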
Processes
- C:\Windows\system32\msiexec.exe (PID 5000, depth 1)
  Command line: msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\EpicInstaller-14.2.1.msi
  - Blocklisted process makes network request
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
- C:\Windows\system32\msiexec.exe (PID 4252, depth 1)
  Command line: C:\Windows\system32\msiexec.exe /V
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\syswow64\MsiExec.exe (PID 844, depth 2, child of PID 4252)
    Command line: C:\Windows\syswow64\MsiExec.exe -Embedding 732B090C611438AD5CE827B9F76EB1D4 C
    - Loads dropped DLL
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 211KB
  MD5: a3ae5d86ecf38db9427359ea37a5f646
  SHA1: eb4cb5ff520717038adadcc5e1ef8f7c24b27a90
  SHA256: c8d190d5be1efd2d52f72a72ae9dfa3940ab3faceb626405959349654fe18b74
  SHA512: 96ecb3bc00848eeb2836e289ef7b7b2607d30790ffd1ae0e0acfc2e14f26a991c6e728b8dc67280426e478c70231f9e13f514e52c8ce7d956c1fad0e322d98e0
  (this entry is listed twice in the report with identical size and hashes)