Analysis
- max time kernel: 38s
- max time network: 39s
- platform: windows7_x64
- resource: win7-20230220-en
- resource tags: arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
- submitted: 14/04/2023, 05:55
Static task: static1
Behavioral task: behavioral1 (sample: file.msi, resource: win7-20230220-en)
Behavioral task: behavioral2 (sample: file.msi, resource: win10v2004-20230220-en)
Errors
General
- Target: file.msi
- Size: 1.3MB
- MD5: 4dc2623c126508c02a4e19da2a7982b3
- SHA1: 5b735653dcf025c668e4bbbd5d439eebfef8fcda
- SHA256: 77b07db364c5c3c48d3078785b9fe9a6f3e6b7fcb0fa7212b9b8b1ecc0a229b1
- SHA512: 70b1b2eecddb5eb7fbd0ed2f8340cf9f1755119a18d3a8c1258e4e70d1688c485eeca3bad372196dee24ba89e8674cb36cdf468beb9283d9f66f11947fb66412
- SSDEEP: 24576:HK+xLNJYB4cW7LIJ1MXCOJ05YbswFbf2d7xLZrudqAcr:HK6JYZqbCOJ05Yb59+zLZrudqAc
Malware Config
Signatures
- Blocklisted process makes network request (3 IoCs)
  flow 4, pid 1988, powershell.exe
  flow 6, pid 1988, powershell.exe
  flow 8, pid 1988, powershell.exe
- Executes dropped EXE (1 IoC)
  pid 292, MSI480F.tmp
- Loads dropped DLL (3 IoCs)
  pid 1864, MsiExec.exe (3 entries)
- Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str) by powershell.exe: \REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicrosoftEdgeAutoLaunch_986D38AD0E07EEC0BC7DD72B7F0F3C06 = "\"C:\\Users\\Admin\\AppData\\Local\\AMD64_\\MyDoctAB4E66F®\\0czTrimCoinstaller3d02©.exe\" --no-startup-window --win-session-start /prefetch:5"
- Enumerates connected drives (3 TTPs, 48 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  File opened (read-only) by msiexec.exe: \??\A: through \??\Z: except C: and D: (24 drive letters, each opened twice)
- Drops file in Windows directory (10 IoCs), all by msiexec.exe
  File opened for modification C:\Windows\Installer\MSI3FB2.tmp
  File opened for modification C:\Windows\Installer\
  File opened for modification C:\Windows\Installer\MSI4751.tmp
  File opened for modification C:\Windows\Installer\6c38a0.ipi
  File opened for modification C:\Windows\Installer\MSI3EF6.tmp
  File opened for modification C:\Windows\Installer\6c389e.msi
  File opened for modification C:\Windows\Installer\MSI3A34.tmp
  File created C:\Windows\Installer\6c38a0.ipi
  File opened for modification C:\Windows\Installer\MSI480F.tmp
  File created C:\Windows\Installer\6c389e.msi
- Suspicious behavior: EnumeratesProcesses (3 IoCs)
  pid 844 msiexec.exe (2 entries); pid 1988 powershell.exe
- Suspicious use of AdjustPrivilegeToken (55 IoCs)
  pid 1704 msiexec.exe (31 entries): SeShutdownPrivilege, SeIncreaseQuotaPrivilege, SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege, SeIncreaseQuotaPrivilege, SeMachineAccountPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeSyncAgentPrivilege, SeEnableDelegationPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
  pid 844 msiexec.exe (21 entries): SeRestorePrivilege, SeTakeOwnershipPrivilege, SeSecurityPrivilege, then SeRestorePrivilege and SeTakeOwnershipPrivilege alternating (9 further pairs)
  pid 1988 powershell.exe: SeDebugPrivilege
  pid 1684 shutdown.exe: SeShutdownPrivilege, SeRemoteShutdownPrivilege
- Suspicious use of FindShellTrayWindow (4 IoCs)
  pid 1704 msiexec.exe (2 entries); pid 1988 powershell.exe (2 entries)
- Suspicious use of WriteProcessMemory (23 IoCs)
  PID 844 msiexec.exe wrote to memory of 1864 (procid_target 28): 7 entries
  PID 844 msiexec.exe wrote to memory of 292 (procid_target 29): 7 entries
  PID 1480 cmd.exe wrote to memory of 1972 (procid_target 32): 3 entries
  PID 1480 cmd.exe wrote to memory of 1988 (procid_target 33): 3 entries
  PID 1988 powershell.exe wrote to memory of 1684 (procid_target 34): 3 entries
- Uses Task Scheduler COM API (1 TTPs)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
- Uses Volume Shadow Copy WMI provider
  The Volume Shadow Copy service is used to manage backups/snapshots.
- Uses Volume Shadow Copy service COM API
  The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
- C:\Windows\system32\msiexec.exe
  Command line: msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\file.msi
  PID: 1704
  Signatures: Enumerates connected drives; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow
- C:\Windows\system32\msiexec.exe
  Command line: C:\Windows\system32\msiexec.exe /V
  PID: 844
  Signatures: Enumerates connected drives; Drops file in Windows directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Windows\syswow64\MsiExec.exe
    Command line: C:\Windows\syswow64\MsiExec.exe -Embedding 51D776FC7320385EF32481284EA3A8C4
    PID: 1864
    Signatures: Loads dropped DLL
  - C:\Windows\Installer\MSI480F.tmp
    Command line: "C:\Windows\Installer\MSI480F.tmp" /DontWait /HideWindow "C:\Users\Admin\AppData\Roaming\Certiftabsapexpi3At0v19YNtI4H4zq6UJ4kX3®xrtlsb\Certiftabsapexpi3At0v19YNtI4H4zq6UJ4kX3\Txppg7tbNbU.cmd"
    PID: 292
    Signatures: Executes dropped EXE
- C:\Windows\system32\cmd.exe
  Command line: cmd /c ""C:\Users\Admin\AppData\Roaming\Certiftabsapexpi3At0v19YNtI4H4zq6UJ4kX3®xrtlsb\Certiftabsapexpi3At0v19YNtI4H4zq6UJ4kX3\Txppg7tbNbU.cmd" "
  PID: 1480
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\system32\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /S /D /c" echo %uT?qrs?WIQs% "
    PID: 1972
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: PowerShell -NoProfile -windowstyle hidden -ExecutionPolicy Bypass -nop -NoExit -Command -
    PID: 1988
    Signatures: Blocklisted process makes network request; Adds Run key to start application; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow; Suspicious use of WriteProcessMemory
    - C:\Windows\system32\shutdown.exe
      Command line: "C:\Windows\system32\shutdown.exe" -r -f -t 10 -c "Windows Updated Successfully"
      PID: 1684
      Signatures: Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\LogonUI.exe
  Command line: "LogonUI.exe" /flags:0x0
  PID: 1096
- C:\Windows\system32\LogonUI.exe
  Command line: "LogonUI.exe" /flags:0x1
  PID: 860
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015 (342B)
- C:\Users\Admin\AppData\Roaming\Certiftabsapexpi3At0v19YNtI4H4zq6UJ4kX3®xrtlsb\Certiftabsapexpi3At0v19YNtI4H4zq6UJ4kX3\Txppg7tbNbU.cmd (29KB)