Analysis
- max time kernel: 54s
- max time network: 53s
- platform: windows7_x64
- resource: win7-20230220-en
- resource tags: arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
- submitted: 12/05/2023, 14:29
Static task
- static1
Behavioral tasks
- behavioral1: Sample AltInstaller.msi, Resource win7-20230220-en
- behavioral2: Sample AltInstaller.msi, Resource win10v2004-20230220-en
- behavioral3: Sample setup.exe, Resource win7-20230220-en
- behavioral4: Sample setup.exe, Resource win10v2004-20230221-en
General
- Target: AltInstaller.msi
- Size: 6.4MB
- MD5: 69283c93e4313778fb572173c2eda692
- SHA1: 02ad06ff30a170a58fdb4012a974ea593830beae
- SHA256: 76098686faa6dfad700cc667fd26ff975fd02602bf7ff6a4a0d57098d029519d
- SHA512: ed98dd4b32959802f3ebc0e1f79801f70823b47b6847fcc7f6d8a01ba88ad2e2b2b5061eb4aabe567962d7b8c156f42bedf0918b1f41c9ee37a2772827e7849b
- SSDEEP: 196608:rL1TzVCmQThxI8FQBaNzAhrbDmU4HwUFNN1nOtXqD5fg:rL1TzVAIortAlbaURUdOk9f
Malware Config
Signatures
-
Enumerates connected drives 3 TTPs 48 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
All 48 entries share description "File opened (read-only)" and Process "msiexec.exe"; the iocs, in the order reported, are:
\??\O:, \??\Q:, \??\A:, \??\M:, \??\U:, \??\G:, \??\J:, \??\K:, \??\S:, \??\Y:, \??\G:, \??\H:, \??\T:, \??\Y:, \??\B:, \??\I:, \??\U:, \??\I:, \??\W:, \??\X:, \??\E:, \??\M:, \??\P:, \??\H:, \??\W:, \??\B:, \??\E:, \??\O:, \??\R:, \??\V:, \??\F:, \??\Q:, \??\A:, \??\T:, \??\X:, \??\F:, \??\N:, \??\R:, \??\V:, \??\Z:, \??\K:, \??\L:, \??\J:, \??\L:, \??\P:, \??\S:, \??\Z:, \??\N:
-
Drops file in Program Files directory 22 IoCs
description | ioc | Process
All 22 entries share description "File created" and Process "msiexec.exe"; the iocs are:
C:\Program Files (x86)\AltServer\libcrypto-1_1.dll
C:\Program Files (x86)\AltServer\WinSparkle.dll
C:\Program Files (x86)\AltServer\brotlicommon.dll
C:\Program Files (x86)\AltServer\plist.dll
C:\Program Files (x86)\AltServer\boost_date_time-vc142-mt-x32-1_70.dll
C:\Program Files (x86)\AltServer\brotlienc.dll
C:\Program Files (x86)\AltServer\vcruntime140.dll
C:\Program Files (x86)\AltServer\ssleay32.dll
C:\Program Files (x86)\AltServer\MenuBarIcon.png
C:\Program Files (x86)\AltServer\MenuBarIcon.ico
C:\Program Files (x86)\AltServer\imobiledevice.dll
C:\Program Files (x86)\AltServer\brotlidec.dll
C:\Program Files (x86)\AltServer\regex2.dll
C:\Program Files (x86)\AltServer\libssl-1_1.dll
C:\Program Files (x86)\AltServer\zlib1.dll
C:\Program Files (x86)\AltServer\ldid.dll
C:\Program Files (x86)\AltServer\AltServer.exe
C:\Program Files (x86)\AltServer\msvcp140.dll
C:\Program Files (x86)\AltServer\libeay32.dll
C:\Program Files (x86)\AltServer\cpprest_2_10.dll
C:\Program Files (x86)\AltServer\concrt140.dll
C:\Program Files (x86)\AltServer\usbmuxd.dll
-
Drops file in Windows directory 10 IoCs
description | ioc | Process
File created | C:\Windows\Installer\6cae4a.msi | msiexec.exe
File created | C:\Windows\Installer\6cae4b.ipi | msiexec.exe
File opened for modification | C:\Windows\Installer\ | msiexec.exe
File opened for modification | C:\Windows\Installer\MSIB6E2.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\6cae4b.ipi | msiexec.exe
File opened for modification | C:\Windows\INF\setupapi.ev3 | DrvInst.exe
File opened for modification | C:\Windows\INF\setupapi.ev1 | DrvInst.exe
File opened for modification | C:\Windows\INF\setupapi.dev.log | DrvInst.exe
File opened for modification | C:\Windows\Installer\6cae4a.msi | msiexec.exe
File created | C:\Windows\Installer\6cae4d.msi | msiexec.exe
-
Modifies data under HKEY_USERS 43 IoCs
description | ioc | Process
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs | DrvInst.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | DrvInst.exe
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid | Process
1432 | msiexec.exe
1432 | msiexec.exe
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
description | pid | Process
Token: SeShutdownPrivilege | 2044 | msiexec.exe
Token: SeIncreaseQuotaPrivilege | 2044 | msiexec.exe
Token: SeRestorePrivilege | 1432 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 1432 | msiexec.exe
Token: SeSecurityPrivilege | 1432 | msiexec.exe
Token: SeCreateTokenPrivilege | 2044 | msiexec.exe
Token: SeAssignPrimaryTokenPrivilege | 2044 | msiexec.exe
Token: SeLockMemoryPrivilege | 2044 | msiexec.exe
Token: SeIncreaseQuotaPrivilege | 2044 | msiexec.exe
Token: SeMachineAccountPrivilege | 2044 | msiexec.exe
Token: SeTcbPrivilege | 2044 | msiexec.exe
Token: SeSecurityPrivilege | 2044 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 2044 | msiexec.exe
Token: SeLoadDriverPrivilege | 2044 | msiexec.exe
Token: SeSystemProfilePrivilege | 2044 | msiexec.exe
Token: SeSystemtimePrivilege | 2044 | msiexec.exe
Token: SeProfSingleProcessPrivilege | 2044 | msiexec.exe
Token: SeIncBasePriorityPrivilege | 2044 | msiexec.exe
Token: SeCreatePagefilePrivilege | 2044 | msiexec.exe
Token: SeCreatePermanentPrivilege | 2044 | msiexec.exe
Token: SeBackupPrivilege | 2044 | msiexec.exe
Token: SeRestorePrivilege | 2044 | msiexec.exe
Token: SeShutdownPrivilege | 2044 | msiexec.exe
Token: SeDebugPrivilege | 2044 | msiexec.exe
Token: SeAuditPrivilege | 2044 | msiexec.exe
Token: SeSystemEnvironmentPrivilege | 2044 | msiexec.exe
Token: SeChangeNotifyPrivilege | 2044 | msiexec.exe
Token: SeRemoteShutdownPrivilege | 2044 | msiexec.exe
Token: SeUndockPrivilege | 2044 | msiexec.exe
Token: SeSyncAgentPrivilege | 2044 | msiexec.exe
Token: SeEnableDelegationPrivilege | 2044 | msiexec.exe
Token: SeManageVolumePrivilege | 2044 | msiexec.exe
Token: SeImpersonatePrivilege | 2044 | msiexec.exe
Token: SeCreateGlobalPrivilege | 2044 | msiexec.exe
Token: SeBackupPrivilege | 1184 | vssvc.exe
Token: SeRestorePrivilege | 1184 | vssvc.exe
Token: SeAuditPrivilege | 1184 | vssvc.exe
Token: SeBackupPrivilege | 1432 | msiexec.exe
Token: SeRestorePrivilege | 1432 | msiexec.exe
Token: SeRestorePrivilege | 1008 | DrvInst.exe (7 consecutive entries)
Token: SeLoadDriverPrivilege | 1008 | DrvInst.exe (3 consecutive entries)
Token: SeRestorePrivilege | 1432 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 1432 | msiexec.exe
(the preceding SeRestorePrivilege / SeTakeOwnershipPrivilege pair for pid 1432 repeats 7 times, followed by one final SeRestorePrivilege entry, for 15 entries in total)
-
Suspicious use of FindShellTrayWindow 2 IoCs
pid | Process
2044 | msiexec.exe
2044 | msiexec.exe
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Windows\system32\msiexec.exe
Command line: msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\AltInstaller.msi
PID: 2044
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
-
C:\Windows\system32\msiexec.exe
Command line: C:\Windows\system32\msiexec.exe /V
PID: 1432
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\vssvc.exe
Command line: C:\Windows\system32\vssvc.exe
PID: 1184
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\DrvInst.exe
Command line: DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000003DC" "00000000000003D8"
PID: 1008
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads
-
Filesize: 11KB
MD5: 4f3c273bd7759bee928ef59c0ee75d06
SHA1: e88916843212a4614a365e9266a3d405d06d1162
SHA256: df85aa0071df44da12ecbf9a1130d7f2973aa082098a0446e93ba76dd99a8bd7
SHA512: 69858e3f846243a515d9d5be6b196a2699bc461e752405ae14b9ab68b92a2e86f16cb1727e55653df1f0ae5f41d9bebf5f58809d19dbbf8e1748cea543bb7853
-
Filesize: 6.4MB
MD5: 69283c93e4313778fb572173c2eda692
SHA1: 02ad06ff30a170a58fdb4012a974ea593830beae
SHA256: 76098686faa6dfad700cc667fd26ff975fd02602bf7ff6a4a0d57098d029519d
SHA512: ed98dd4b32959802f3ebc0e1f79801f70823b47b6847fcc7f6d8a01ba88ad2e2b2b5061eb4aabe567962d7b8c156f42bedf0918b1f41c9ee37a2772827e7849b