Analysis
- max time kernel: 98s
- max time network: 69s
- platform: windows7_x64
- resource: win7-20220812-es
- resource tags: arch:x64, arch:x86, image:win7-20220812-es, locale:es-es, os:windows7-x64, system:windows
- submitted: 13/02/2023, 15:52
Static task: static1
Behavioral task: behavioral1
- Sample: Processo 09-02-2023 dfyc.msi
- Resource: win7-20220812-es
Behavioral task: behavioral2
- Sample: Processo 09-02-2023 dfyc.msi
- Resource: win10v2004-20221111-es
General
- Target: Processo 09-02-2023 dfyc.msi
- Size: 48.1MB
- MD5: 38da942ba4401ee52f663781ddded2ca
- SHA1: b4ae66a99499dd02cc21cb6b3e22463db7fa67f0
- SHA256: 9e9dbb8ac378eaf561a1d2ceef411cc3bd0e225f649f9c2de5f7eff05bde54ef
- SHA512: 43624f63bcb83534c8f8fb8955dd1b88447ad3f218ce78751cb7863990b8407d9d2669e85354325f8621ede078f8d0cbd228df90a3431e030b25af5364d85e22
- SSDEEP: 786432:LVB9oDvwu7MpTmGXKq9QVgglClybzPnrQsdkJQBqm:LH9oDwuopTmGL9OgNyE6Ggqm
Malware Config
Signatures
Blocklisted process makes network request (2 IoCs)
  flow | pid  | Process
  2    | 1532 | msiexec.exe
  3    | 1164 | msiexec.exe
ACProtect 1.3x - 1.4x DLL software (2 IoCs)
Detects file using ACProtect software.
  resource                                    | yara_rule
  behavioral1/files/0x0007000000013a0e-66.dat | acprotect
  behavioral1/files/0x0007000000013a0e-67.dat | acprotect

Loads dropped DLL (4 IoCs)
  pid | Process
  452 | MsiExec.exe (four loads recorded)

UPX packed file (4 IoCs, yara_rule upx)
  resource                                                                    | yara_rule
  behavioral1/files/0x0007000000013a0e-66.dat                                 | upx
  behavioral1/files/0x0007000000013a0e-67.dat                                 | upx
  behavioral1/memory/452-68-0x0000000002600000-0x00000000032B2000-memory.dmp  | upx
  behavioral1/memory/452-69-0x0000000002600000-0x00000000032B2000-memory.dmp  | upx
Enumerates connected drives (3 TTPs, 48 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
  description             | ioc                                          | Process
  File opened (read-only) | \??\A:, \??\B:, and \??\E: through \??\Z:    | msiexec.exe
  Each of these 24 drive letters (every letter except C: and D:) is opened twice, 48 entries in total; the process tree attributes the signature to both msiexec.exe instances (PIDs 1532 and 1164).
Drops file in Windows directory (9 IoCs)
  description                  | ioc                              | Process
  File opened for modification | C:\Windows\Installer\            | msiexec.exe
  File opened for modification | C:\Windows\Installer\MSI2F66.tmp | msiexec.exe
  File opened for modification | C:\Windows\Installer\6c1ed7.msi  | msiexec.exe
  File opened for modification | C:\Windows\Installer\MSI27F5.tmp | msiexec.exe
  File created                 | C:\Windows\Installer\6c1ed9.ipi  | msiexec.exe
  File opened for modification | C:\Windows\Installer\MSI30DE.tmp | msiexec.exe
  File created                 | C:\Windows\Installer\6c1ed7.msi  | msiexec.exe
  File opened for modification | C:\Windows\Installer\MSI2536.tmp | msiexec.exe
  File opened for modification | C:\Windows\Installer\MSI2873.tmp | msiexec.exe
Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid  | Process
  1164 | msiexec.exe (two entries)

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  pid | Process
  452 | MsiExec.exe
Suspicious use of AdjustPrivilegeToken (48 IoCs)
  pid 1532 msiexec.exe (31 entries), tokens in report order: SeShutdownPrivilege, SeIncreaseQuotaPrivilege, SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege, SeIncreaseQuotaPrivilege, SeMachineAccountPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeSyncAgentPrivilege, SeEnableDelegationPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
  pid 1164 msiexec.exe (17 entries): SeSecurityPrivilege once; SeRestorePrivilege and SeTakeOwnershipPrivilege eight times each, as alternating pairs
Suspicious use of FindShellTrayWindow (1 IoC)
  pid  | Process
  1532 | msiexec.exe

Suspicious use of WriteProcessMemory (7 IoCs)
  description                 | pid  | Process     | procid_target
  PID 1164 wrote to memory of 452 | 1164 | msiexec.exe | 29 (seven identical entries)
Processes
- C:\Windows\system32\msiexec.exe (PID 1532)
  msiexec.exe /I "C:\Users\Admin\AppData\Local\Temp\Processo 09-02-2023 dfyc.msi"
  - Blocklisted process makes network request
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
- C:\Windows\system32\msiexec.exe (PID 1164)
  C:\Windows\system32\msiexec.exe /V
  - Blocklisted process makes network request
  - Enumerates connected drives
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\syswow64\MsiExec.exe (PID 452, child of 1164)
    C:\Windows\syswow64\MsiExec.exe -Embedding FC29A5D4E9DDDF1585631781B2DB76F3
    - Loads dropped DLL
    - Suspicious behavior: GetForegroundWindowSpam
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 61KB
  MD5: fc4666cbca561e864e7fdf883a9e6661
  SHA1: 2f8d6094c7a34bf12ea0bbf0d51ee9c5bb7939a5
  SHA256: 10f3deb6c452d749a7451b5d065f4c0449737e5ee8a44f4d15844b503141e65b
  SHA512: c71f54b571e01f247f072be4bbebdf5d8410b67eb79a61e7e0d9853fe857ab9bd12f53e6af3394b935560178107291fc4be351b27deb388eba90ba949633d57d
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: 8d5a36a81e5302309ae19ceb580deb46
  SHA1: 3f04acf2f090dec3a001f07c0a9eab6d0c7fa9a5
  SHA256: 9441705df9c62ca771c6cba6b9d671f5e5d43bb673b6ab37ab4bbb49fa2008d8
  SHA512: 30f47f32407ddc89cdbc87f5ca14268a2f2d809333ae2fe278e0168b4b4d8fd1a16a089e47241d771913d6d32b076919a40986c48b84963f295702d3d1a03f94
- Filesize: 381KB (the same hashes are listed six times in the report)
  MD5: e2b1df34e19a3ce763747b12ab33fdd2
  SHA1: e9cc67780be7e148950870ee4a812349b6255f39
  SHA256: 14daaf1090e11ab1abb01c0bd48d5435c617da9bb5a4dd019df8a5813ed3b3e8
  SHA512: a0301667b341a5806f7a6eccde40c22f48749d7002ea9d6a656df36088a6c5398466c259a5d1e6a8457f1468f56a220b1490f34c25859172cf8cf5e0d263eff0
- Filesize: 26.5MB (the same hashes are listed twice in the report)
  MD5: dd735cf27f5e3d684e3112f15f442dfc
  SHA1: 17efa740cdb76b6c59cc90f16b7693d7b3742785
  SHA256: 65cdb22633adb79b4904e3e14e843c16a3f7c13546e93679f29f0c57a195a851
  SHA512: 5ef3ad3e488027c9261a15f167aded8ce45428b36b4040c4149d34a709a008a8baaa8b474f01b9a4fd5eeb9a92a5027d71560867909183a82751b7b6ae0fc944