Analysis
- max time kernel: 63s
- max time network: 143s
- platform: windows10-2004_x64
- resource: win10v2004-20221111-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 08/02/2023, 08:36
Static task: static1

Behavioral task: behavioral1
- Sample: F_A_C_T_U_R_A_4564965414654_65189421864_5616876516_651894561.msi
- Resource: win7-20220812-en

Behavioral task: behavioral2
- Sample: F_A_C_T_U_R_A_4564965414654_65189421864_5616876516_651894561.msi
- Resource: win10v2004-20221111-en
General
- Target: F_A_C_T_U_R_A_4564965414654_65189421864_5616876516_651894561.msi
- Size: 257.6MB
- MD5: 1cf1c7e4cff1647135670de48f5513b6
- SHA1: 676d620cb584c3781815fdb6050776764b8e1e14
- SHA256: 97377415c200eaff9efc22bfa8cba4c29ad46f73d9d5cc3b83d65af15c244adc
- SHA512: 539fcdc2fdaf0b66e87abbe7b3d1293d0bb4f75e22fd895b383d0db78aeea98825cc900d43a70a627e09cce9d0850fe60e2b4a6d0ba809368a935e0e209dac5d
- SSDEEP: 98304:l599CEQd17rmueYIhvBcM/7ks3D6O26rkT9XxsGo6cYdA:lZCjryh5cCFTd2RT9N
Malware Config
Signatures

Loads dropped DLL (3 IoCs)
- pid 4036, Process MsiExec.exe
- pid 4036, Process MsiExec.exe
- pid 4036, Process MsiExec.exe
Enumerates connected drives (3 TTPs, 48 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
- File opened (read-only) by msiexec.exe: \??\M:, \??\Q:, \??\R:, \??\G:, \??\O:, \??\P:, \??\R:, \??\Z:, \??\W:, \??\X:, \??\E:, \??\H:, \??\K:, \??\A:, \??\K:, \??\M:, \??\T:, \??\X:, \??\O:, \??\G:, \??\P:, \??\V:, \??\Y:, \??\L:, \??\I:, \??\J:, \??\T:, \??\N:, \??\S:, \??\Y:, \??\A:, \??\N:, \??\I:, \??\J:, \??\U:, \??\S:, \??\Z:, \??\F:, \??\U:, \??\B:, \??\E:, \??\F:, \??\Q:, \??\W:, \??\H:, \??\V:, \??\B:, \??\L:
Drops file in Windows directory (10 IoCs)
- File opened for modification: C:\Windows\Installer\MSI7864.tmp (msiexec.exe)
- File opened for modification: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log (msiexec.exe)
- File created: C:\Windows\Installer\SourceHash{816DCF7B-8E75-4CE6-B00E-BD31F1284AE7} (msiexec.exe)
- File opened for modification: C:\Windows\Installer\MSI6779.tmp (msiexec.exe)
- File opened for modification: C:\Windows\Installer\MSI717C.tmp (msiexec.exe)
- File opened for modification: C:\Windows\Installer\ (msiexec.exe)
- File created: C:\Windows\Installer\inprogressinstallinfo.ipi (msiexec.exe)
- File opened for modification: C:\Windows\Installer\MSI7815.tmp (msiexec.exe)
- File created: C:\Windows\Installer\e56617e.msi (msiexec.exe)
- File opened for modification: C:\Windows\Installer\e56617e.msi (msiexec.exe)
Suspicious behavior: EnumeratesProcesses (2 IoCs)
- pid 4288, Process msiexec.exe
- pid 4288, Process msiexec.exe
Suspicious use of AdjustPrivilegeToken (46 IoCs)
- pid 4552 msiexec.exe, Token: SeShutdownPrivilege, SeIncreaseQuotaPrivilege
- pid 4288 msiexec.exe, Token: SeSecurityPrivilege
- pid 4552 msiexec.exe, Token: SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege, SeIncreaseQuotaPrivilege, SeMachineAccountPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeSyncAgentPrivilege, SeEnableDelegationPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
- pid 4288 msiexec.exe, Token: SeRestorePrivilege, SeTakeOwnershipPrivilege, SeRestorePrivilege, SeTakeOwnershipPrivilege, SeRestorePrivilege, SeTakeOwnershipPrivilege, SeRestorePrivilege, SeTakeOwnershipPrivilege, SeRestorePrivilege, SeTakeOwnershipPrivilege, SeRestorePrivilege, SeTakeOwnershipPrivilege, SeRestorePrivilege, SeTakeOwnershipPrivilege
Suspicious use of FindShellTrayWindow (2 IoCs)
- pid 4552, Process msiexec.exe
- pid 4552, Process msiexec.exe
Suspicious use of WriteProcessMemory (3 IoCs)
- PID 4288 wrote to memory of 4036 (pid 4288 msiexec.exe, procid_target 82)
- PID 4288 wrote to memory of 4036 (pid 4288 msiexec.exe, procid_target 82)
- PID 4288 wrote to memory of 4036 (pid 4288 msiexec.exe, procid_target 82)
Processes
- C:\Windows\system32\msiexec.exe
  Command line: msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\F_A_C_T_U_R_A_4564965414654_65189421864_5616876516_651894561.msi
  PID: 4552
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
- C:\Windows\system32\msiexec.exe
  Command line: C:\Windows\system32\msiexec.exe /V
  PID: 4288
  - Enumerates connected drives
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - Child process: C:\Windows\syswow64\MsiExec.exe
    Command line: C:\Windows\syswow64\MsiExec.exe -Embedding 5EF315CE680B795AF68CF229BE2CD533
    PID: 4036
    - Loads dropped DLL
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 557KB
  MD5: 2c9c51ac508570303c6d46c0571ea3a1
  SHA1: e3e0fe08fa11a43c8bca533f212bdf0704c726d5
  SHA256: ff86c76a8d5846b3a1ad58ff2fd8e5a06a84eb5899cdee98e59c548d33335550
  SHA512: df5f1def5aac44f39a2dfde9c6c73f15f83a7374b4ad42b67e425ccb7ac99a64c5701b676ae46d2f7167a04a955158031a839e7878d100aaf8fab0ce2059f127
- Filesize: 254.8MB
  MD5: 1632a73fc216de0622fe448cd1a5759b
  SHA1: a98ef1eec4dd5b6c98c4e3a26cbb9a3f991d73d5
  SHA256: c3db892021a9d6fe461a1dcc4888f52d948c80a5153053be0b9613fd414200c3
  SHA512: 91ea63d87b7ddfc1b8daf11e14426d14da855ec19265e044602a213331335fefa0439cf13f13702444def41f94471d2cacfb7a3c1fb453d85cd868f5002be1eb