Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

8

Static

static

1

Win32_Dist...se.msi

windows7-x64

7

Win32_Dist...se.msi

windows10-2004-x64

8

Analysis

  • max time kernel
    145s
  • max time network
    34s
  • platform
    windows7_x64
  • resource
    win7-20230220-en
  • resource tags

    arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
  • submitted
    17/04/2023, 16:57

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Win32_Dist_Stable_release.msi

  • Size

    2.9MB

  • MD5

    b7bdeddf07f67030a220f388ae6411ee

  • SHA1

    df485b606a06f8fe465862da52d654620e82901f

  • SHA256

    0cfc06fcdebd632c1c1797b79fff5e0c45880a322157f82895cd43f86f9e8232

  • SHA512

    e9b3e08734dca64575a0fad7f5e93cb2c6848457c0f254aed18a174c957b7aebbe3c0cac2cfe7432df81c6804c31dc1b955d5ea9084c11255ad492d102219142

  • SSDEEP

    49152:OA4l1/2vN8r6I5WCmR+JJke7awlK2FV9fXlVeIfyMHVPFX1ZdDKjbAS+lpwmtiV1:m/wo6/e7a6fwcDKj0QqiV+g

Score
7/10

Malware Config

Signatures

  • Loads dropped DLL 11 IoCs
  • Enumerates connected drives 3 TTPs 48 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in System32 directory 1 IoCs
  • Drops file in Windows directory 14 IoCs
  • Modifies data under HKEY_USERS 48 IoCs
  • Modifies registry class 20 IoCs
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of WriteProcessMemory 25 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Windows\system32\msiexec.exe
    msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\Win32_Dist_Stable_release.msi
    1⤵
    • Enumerates connected drives
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:1736
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Enumerates connected drives
    • Drops file in Windows directory
    • Modifies data under HKEY_USERS
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2036
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding 323CB652D05F34850524A127DFD79991 C
      2⤵
      • Loads dropped DLL
      PID:684
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding 2EADB2B2031786761C2400F4D3B74DC7
      2⤵
      • Loads dropped DLL
      PID:1476
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding 71DB1BBBF1A45C61A415CEE91B310F6E M Global\MSI0000
      2⤵
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:1020
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\pss8F2A.ps1" -propFile "C:\Users\Admin\AppData\Local\Temp\msi8F26.txt" -scriptFile "C:\Users\Admin\AppData\Local\Temp\scr8F27.ps1" -scriptArgsFile "C:\Users\Admin\AppData\Local\Temp\scr8F28.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue."
        3⤵
        • Drops file in System32 directory
        • Modifies data under HKEY_USERS
        • Suspicious behavior: EnumeratesProcesses
        PID:896
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
      PID:984
    • C:\Windows\system32\DrvInst.exe
      DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "0000000000000060" "000000000000005C"
      1⤵
      • Drops file in Windows directory
      • Modifies data under HKEY_USERS
      PID:980

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Config.Msi\6c873c.rbs
      Filesize

      210KB

      MD5

      39920653db15391d1c65b86b694d9b6a

      SHA1

      b75513d3d973316c9ca3db6147ad4c4830e331ab

      SHA256

      115b14ff417e46c2099babf4285fc9ad2e9588fb287329f14239e01d5a131e5c

      SHA512

      435561e27245f1bedec56aee45e6e7a15505c7df2d3e8cc66cf941548d3d372289d9007b8d0883de74960ddb2d29f38bab8c6db0dbd39170924d5147a7d81413

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\MSI147F.tmp
      Filesize

      557KB

      MD5

      db7612f0fd6408d664185cfc81bef0cb

      SHA1

      19a6334ec00365b4f4e57d387ed885b32aa7c9aa

      SHA256

      e9e426b679b3efb233f03c696e997e2da3402f16a321e954b54454317fceb240

      SHA512

      25e129cb22aaabc68c42ecf10bb650ac4d0609b12c08703c780572bac7ecf4559fcc49cd595c56ea48cf55260a984cfa333c08307ffb7c62268b03fbecc724b9

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\MSI14FD.tmp
      Filesize

      557KB

      MD5

      db7612f0fd6408d664185cfc81bef0cb

      SHA1

      19a6334ec00365b4f4e57d387ed885b32aa7c9aa

      SHA256

      e9e426b679b3efb233f03c696e997e2da3402f16a321e954b54454317fceb240

      SHA512

      25e129cb22aaabc68c42ecf10bb650ac4d0609b12c08703c780572bac7ecf4559fcc49cd595c56ea48cf55260a984cfa333c08307ffb7c62268b03fbecc724b9

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\MSI158A.tmp
      Filesize

      203KB

      MD5

      d65ab7715200f5e6d2f86d15668d091e

      SHA1

      112cc42e893a09f6c31d0410cedf31b30637839e

      SHA256

      8dec7639390311e4fe55602f3d2ce72b7a653d4a508219134865259f78102a71

      SHA512

      4a053b4b9b5104fdee33fb60bd9ee48b13306461844ec749720d21470cebbbb8a0349391422676293a0f10cb5a63c9aba2d4e7fc21eb0dab44e41716f88c3b28

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\MSI3B9.tmp
      Filesize

      557KB

      MD5

      db7612f0fd6408d664185cfc81bef0cb

      SHA1

      19a6334ec00365b4f4e57d387ed885b32aa7c9aa

      SHA256

      e9e426b679b3efb233f03c696e997e2da3402f16a321e954b54454317fceb240

      SHA512

      25e129cb22aaabc68c42ecf10bb650ac4d0609b12c08703c780572bac7ecf4559fcc49cd595c56ea48cf55260a984cfa333c08307ffb7c62268b03fbecc724b9

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\MSI60B.tmp
      Filesize

      557KB

      MD5

      db7612f0fd6408d664185cfc81bef0cb

      SHA1

      19a6334ec00365b4f4e57d387ed885b32aa7c9aa

      SHA256

      e9e426b679b3efb233f03c696e997e2da3402f16a321e954b54454317fceb240

      SHA512

      25e129cb22aaabc68c42ecf10bb650ac4d0609b12c08703c780572bac7ecf4559fcc49cd595c56ea48cf55260a984cfa333c08307ffb7c62268b03fbecc724b9

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\MSI8DA.tmp
      Filesize

      557KB

      MD5

      db7612f0fd6408d664185cfc81bef0cb

      SHA1

      19a6334ec00365b4f4e57d387ed885b32aa7c9aa

      SHA256

      e9e426b679b3efb233f03c696e997e2da3402f16a321e954b54454317fceb240

      SHA512

      25e129cb22aaabc68c42ecf10bb650ac4d0609b12c08703c780572bac7ecf4559fcc49cd595c56ea48cf55260a984cfa333c08307ffb7c62268b03fbecc724b9

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\MSI8DA.tmp
      Filesize

      557KB

      MD5

      db7612f0fd6408d664185cfc81bef0cb

      SHA1

      19a6334ec00365b4f4e57d387ed885b32aa7c9aa

      SHA256

      e9e426b679b3efb233f03c696e997e2da3402f16a321e954b54454317fceb240

      SHA512

      25e129cb22aaabc68c42ecf10bb650ac4d0609b12c08703c780572bac7ecf4559fcc49cd595c56ea48cf55260a984cfa333c08307ffb7c62268b03fbecc724b9

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\MSI9C5.tmp
      Filesize

      557KB

      MD5

      db7612f0fd6408d664185cfc81bef0cb

      SHA1

      19a6334ec00365b4f4e57d387ed885b32aa7c9aa

      SHA256

      e9e426b679b3efb233f03c696e997e2da3402f16a321e954b54454317fceb240

      SHA512

      25e129cb22aaabc68c42ecf10bb650ac4d0609b12c08703c780572bac7ecf4559fcc49cd595c56ea48cf55260a984cfa333c08307ffb7c62268b03fbecc724b9

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\MSIc0a00.LOG
      Filesize

      232B

      MD5

      b8fbdcf3c10e47eb4d5c7c1899fe136b

      SHA1

      dc2de6e109d7b4eea46811ea850ec7984769b2cc

      SHA256

      3d1ae9294e7b921cd05e08ea6fe27697de6d3c701ac4b8d43b36d9496d13ed42

      SHA512

      3c408f0fdfe80265c6271f2404a01a6f31b716cadf805137c098a4255dd53e5777a0983fac5e49b0f11532d7bf2dae9c6fd545808731c2271eea621c2943b1a0

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\gb.zip
      Filesize

      1.1MB

      MD5

      909acbcaf173ea9152a1f4fa957709ad

      SHA1

      9b37564dc54151a404e989239afcc1a7ce609889

      SHA256

      a65cbc272b158b8c72890db84c64dcc744d871e5e119bd50d323b0717f3c1797

      SHA512

      b7294497698b7ed2dbf03c83b246d1328d66f7ba0045f71373b6ce99ba56f290d69abc8600675d3f074ab85dad016eb002242377b7d0ff4a3464c62eb493447e

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\pss8F2A.ps1
      Filesize

      6KB

      MD5

      30c30ef2cb47e35101d13402b5661179

      SHA1

      25696b2aab86a9233f19017539e2dd83b2f75d4e

      SHA256

      53094df6fa4e57a3265ff04bc1e970c10bcdb3d4094ad6dd610c05b7a8b79e0f

      SHA512

      882be2768138bb75ff7dde7d5ca4c2e024699398baacd0ce1d4619902402e054297e4f464d8cb3c22b2f35d3dabc408122c207facad64ec8014f2c54834cf458

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\scr8F27.ps1
      Filesize

      846B

      MD5

      b45fc0f3e6c9a9999ec53389bc0effba

      SHA1

      cb31b282047700b225d61ec347faac2f44d208fd

      SHA256

      26e6c131ebf56ddfcbcd3fb912fe8e1e41edd6a22e96eefa363432736d60dcb9

      SHA512

      39c72f0b273b4de93b3c2b551d159a098cfd0c1d99be238f3385d6c308ba2f3cbf758df01cda321fac65112bfa011b5ff8863cf489fa5856029232ac2f8bfc51

      Download Submit

    • C:\Windows\Installer\MSI8798.tmp
      Filesize

      557KB

      MD5

      db7612f0fd6408d664185cfc81bef0cb

      SHA1

      19a6334ec00365b4f4e57d387ed885b32aa7c9aa

      SHA256

      e9e426b679b3efb233f03c696e997e2da3402f16a321e954b54454317fceb240

      SHA512

      25e129cb22aaabc68c42ecf10bb650ac4d0609b12c08703c780572bac7ecf4559fcc49cd595c56ea48cf55260a984cfa333c08307ffb7c62268b03fbecc724b9

      Download Submit

    • C:\Windows\Installer\MSI8B60.tmp
      Filesize

      203KB

      MD5

      d65ab7715200f5e6d2f86d15668d091e

      SHA1

      112cc42e893a09f6c31d0410cedf31b30637839e

      SHA256

      8dec7639390311e4fe55602f3d2ce72b7a653d4a508219134865259f78102a71

      SHA512

      4a053b4b9b5104fdee33fb60bd9ee48b13306461844ec749720d21470cebbbb8a0349391422676293a0f10cb5a63c9aba2d4e7fc21eb0dab44e41716f88c3b28

      Download Submit

    • C:\Windows\Installer\MSI8D75.tmp
      Filesize

      619KB

      MD5

      a619f980c1baa155f7cfb79553aa10b1

      SHA1

      da4dcaec351309b00d024adb704dd61230e68f81

      SHA256

      a0ace6862ac97cdca53a9458b57901a8fe3db546a4ea4d5bc3d05e7c119418a7

      SHA512

      983c44376dcbab6855f6f474aa3bfb672d0adab63a38096fae33da80f585da8f881a9ae352edfe80ed3cd424e42b45fb8aa7cc27337925241844b03ee300e7d9

      Download Submit

    • C:\Windows\Installer\MSI9C37.tmp
      Filesize

      203KB

      MD5

      d65ab7715200f5e6d2f86d15668d091e

      SHA1

      112cc42e893a09f6c31d0410cedf31b30637839e

      SHA256

      8dec7639390311e4fe55602f3d2ce72b7a653d4a508219134865259f78102a71

      SHA512

      4a053b4b9b5104fdee33fb60bd9ee48b13306461844ec749720d21470cebbbb8a0349391422676293a0f10cb5a63c9aba2d4e7fc21eb0dab44e41716f88c3b28

      Download Submit

    • C:\Windows\Installer\MSI9C37.tmp
      Filesize

      203KB

      MD5

      d65ab7715200f5e6d2f86d15668d091e

      SHA1

      112cc42e893a09f6c31d0410cedf31b30637839e

      SHA256

      8dec7639390311e4fe55602f3d2ce72b7a653d4a508219134865259f78102a71

      SHA512

      4a053b4b9b5104fdee33fb60bd9ee48b13306461844ec749720d21470cebbbb8a0349391422676293a0f10cb5a63c9aba2d4e7fc21eb0dab44e41716f88c3b28

      Download Submit

    • \Users\Admin\AppData\Local\Temp\MSI147F.tmp
      Filesize

      557KB

      MD5

      db7612f0fd6408d664185cfc81bef0cb

      SHA1

      19a6334ec00365b4f4e57d387ed885b32aa7c9aa

      SHA256

      e9e426b679b3efb233f03c696e997e2da3402f16a321e954b54454317fceb240

      SHA512

      25e129cb22aaabc68c42ecf10bb650ac4d0609b12c08703c780572bac7ecf4559fcc49cd595c56ea48cf55260a984cfa333c08307ffb7c62268b03fbecc724b9

      Download Submit

    • \Users\Admin\AppData\Local\Temp\MSI14FD.tmp
      Filesize

      557KB

      MD5

      db7612f0fd6408d664185cfc81bef0cb

      SHA1

      19a6334ec00365b4f4e57d387ed885b32aa7c9aa

      SHA256

      e9e426b679b3efb233f03c696e997e2da3402f16a321e954b54454317fceb240

      SHA512

      25e129cb22aaabc68c42ecf10bb650ac4d0609b12c08703c780572bac7ecf4559fcc49cd595c56ea48cf55260a984cfa333c08307ffb7c62268b03fbecc724b9

      Download Submit

    • \Users\Admin\AppData\Local\Temp\MSI158A.tmp
      Filesize

      203KB

      MD5

      d65ab7715200f5e6d2f86d15668d091e

      SHA1

      112cc42e893a09f6c31d0410cedf31b30637839e

      SHA256

      8dec7639390311e4fe55602f3d2ce72b7a653d4a508219134865259f78102a71

      SHA512

      4a053b4b9b5104fdee33fb60bd9ee48b13306461844ec749720d21470cebbbb8a0349391422676293a0f10cb5a63c9aba2d4e7fc21eb0dab44e41716f88c3b28

      Download Submit

    • \Users\Admin\AppData\Local\Temp\MSI3B9.tmp
      Filesize

      557KB

      MD5

      db7612f0fd6408d664185cfc81bef0cb

      SHA1

      19a6334ec00365b4f4e57d387ed885b32aa7c9aa

      SHA256

      e9e426b679b3efb233f03c696e997e2da3402f16a321e954b54454317fceb240

      SHA512

      25e129cb22aaabc68c42ecf10bb650ac4d0609b12c08703c780572bac7ecf4559fcc49cd595c56ea48cf55260a984cfa333c08307ffb7c62268b03fbecc724b9

      Download Submit

    • \Users\Admin\AppData\Local\Temp\MSI60B.tmp
      Filesize

      557KB

      MD5

      db7612f0fd6408d664185cfc81bef0cb

      SHA1

      19a6334ec00365b4f4e57d387ed885b32aa7c9aa

      SHA256

      e9e426b679b3efb233f03c696e997e2da3402f16a321e954b54454317fceb240

      SHA512

      25e129cb22aaabc68c42ecf10bb650ac4d0609b12c08703c780572bac7ecf4559fcc49cd595c56ea48cf55260a984cfa333c08307ffb7c62268b03fbecc724b9

      Download Submit

    • \Users\Admin\AppData\Local\Temp\MSI8DA.tmp
      Filesize

      557KB

      MD5

      db7612f0fd6408d664185cfc81bef0cb

      SHA1

      19a6334ec00365b4f4e57d387ed885b32aa7c9aa

      SHA256

      e9e426b679b3efb233f03c696e997e2da3402f16a321e954b54454317fceb240

      SHA512

      25e129cb22aaabc68c42ecf10bb650ac4d0609b12c08703c780572bac7ecf4559fcc49cd595c56ea48cf55260a984cfa333c08307ffb7c62268b03fbecc724b9

      Download Submit

    • \Users\Admin\AppData\Local\Temp\MSI9C5.tmp
      Filesize

      557KB

      MD5

      db7612f0fd6408d664185cfc81bef0cb

      SHA1

      19a6334ec00365b4f4e57d387ed885b32aa7c9aa

      SHA256

      e9e426b679b3efb233f03c696e997e2da3402f16a321e954b54454317fceb240

      SHA512

      25e129cb22aaabc68c42ecf10bb650ac4d0609b12c08703c780572bac7ecf4559fcc49cd595c56ea48cf55260a984cfa333c08307ffb7c62268b03fbecc724b9

      Download Submit

    • \Windows\Installer\MSI8798.tmp
      Filesize

      557KB

      MD5

      db7612f0fd6408d664185cfc81bef0cb

      SHA1

      19a6334ec00365b4f4e57d387ed885b32aa7c9aa

      SHA256

      e9e426b679b3efb233f03c696e997e2da3402f16a321e954b54454317fceb240

      SHA512

      25e129cb22aaabc68c42ecf10bb650ac4d0609b12c08703c780572bac7ecf4559fcc49cd595c56ea48cf55260a984cfa333c08307ffb7c62268b03fbecc724b9

      Download Submit

    • \Windows\Installer\MSI8B60.tmp
      Filesize

      203KB

      MD5

      d65ab7715200f5e6d2f86d15668d091e

      SHA1

      112cc42e893a09f6c31d0410cedf31b30637839e

      SHA256

      8dec7639390311e4fe55602f3d2ce72b7a653d4a508219134865259f78102a71

      SHA512

      4a053b4b9b5104fdee33fb60bd9ee48b13306461844ec749720d21470cebbbb8a0349391422676293a0f10cb5a63c9aba2d4e7fc21eb0dab44e41716f88c3b28

      Download Submit

    • \Windows\Installer\MSI8D75.tmp
      Filesize

      619KB

      MD5

      a619f980c1baa155f7cfb79553aa10b1

      SHA1

      da4dcaec351309b00d024adb704dd61230e68f81

      SHA256

      a0ace6862ac97cdca53a9458b57901a8fe3db546a4ea4d5bc3d05e7c119418a7

      SHA512

      983c44376dcbab6855f6f474aa3bfb672d0adab63a38096fae33da80f585da8f881a9ae352edfe80ed3cd424e42b45fb8aa7cc27337925241844b03ee300e7d9

      Download Submit

    • \Windows\Installer\MSI9C37.tmp
      Filesize

      203KB

      MD5

      d65ab7715200f5e6d2f86d15668d091e

      SHA1

      112cc42e893a09f6c31d0410cedf31b30637839e

      SHA256

      8dec7639390311e4fe55602f3d2ce72b7a653d4a508219134865259f78102a71

      SHA512

      4a053b4b9b5104fdee33fb60bd9ee48b13306461844ec749720d21470cebbbb8a0349391422676293a0f10cb5a63c9aba2d4e7fc21eb0dab44e41716f88c3b28

      Download Submit

    • memory/896-110-0x0000000000250000-0x0000000000290000-memory.dmp

      Filesize

      256KB

      Download

    • memory/896-111-0x0000000000250000-0x0000000000290000-memory.dmp

      Filesize

      256KB

      Download