Analysis
  max time kernel:   400s
  max time network:  403s
  platform:          windows7_x64
  resource:          win7-20230220-en
  resource tags:     arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
  submitted:         12/05/2023, 14:29
Static task
  static1

Behavioral tasks
  Task         Sample            Resource
  behavioral1  AltInstaller.msi  win7-20230220-en
  behavioral2  AltInstaller.msi  win10-20230220-en
  behavioral3  AltInstaller.msi  win10v2004-20230220-en
  behavioral4  setup.exe         win7-20230220-en
  behavioral5  setup.exe         win10-20230220-en
  behavioral6  setup.exe         win10v2004-20230220-en
General
  Target:  setup.exe
  Size:    780KB
  MD5:     e3d0c2a49f23dc150348dccc644e61b2
  SHA1:    0143c07dabe75b771367d38e345dbfd5d47e1d82
  SHA256:  d48ad2ccf063ce4606b04ffeb0468af44eec3fe0a42a969a51673547b22d8e58
  SHA512:  14fd7b78e10427b2669ea01c1bc19ba5f8d32439ddf514950e76aa2cbb0fc443d18d54229b6e7451081828275357e9425e82f1494b54e87d1b24c1b0f184fb34
  SSDEEP:  12288:cuGj5je69oqAmj5oMqKyKAuqOAP0wukeMb01JQntLOCHOYo0H:cXhe29AmjkKuukemHOYx
Malware Config

Signatures

Enumerates connected drives (3 TTPs, 24 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.

  description              ioc     Process
  File opened (read-only)  \??\Y:  msiexec.exe
  File opened (read-only)  \??\B:  msiexec.exe
  File opened (read-only)  \??\E:  msiexec.exe
  File opened (read-only)  \??\M:  msiexec.exe
  File opened (read-only)  \??\O:  msiexec.exe
  File opened (read-only)  \??\R:  msiexec.exe
  File opened (read-only)  \??\U:  msiexec.exe
  File opened (read-only)  \??\X:  msiexec.exe
  File opened (read-only)  \??\A:  msiexec.exe
  File opened (read-only)  \??\I:  msiexec.exe
  File opened (read-only)  \??\J:  msiexec.exe
  File opened (read-only)  \??\Q:  msiexec.exe
  File opened (read-only)  \??\T:  msiexec.exe
  File opened (read-only)  \??\W:  msiexec.exe
  File opened (read-only)  \??\F:  msiexec.exe
  File opened (read-only)  \??\G:  msiexec.exe
  File opened (read-only)  \??\H:  msiexec.exe
  File opened (read-only)  \??\K:  msiexec.exe
  File opened (read-only)  \??\S:  msiexec.exe
  File opened (read-only)  \??\V:  msiexec.exe
  File opened (read-only)  \??\L:  msiexec.exe
  File opened (read-only)  \??\N:  msiexec.exe
  File opened (read-only)  \??\P:  msiexec.exe
  File opened (read-only)  \??\Z:  msiexec.exe

Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).

Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  pid   Process
  1376  msiexec.exe

Suspicious use of AdjustPrivilegeToken (34 IoCs)
  description                          pid   Process
  Token: SeShutdownPrivilege           1376  msiexec.exe
  Token: SeIncreaseQuotaPrivilege      1376  msiexec.exe
  Token: SeRestorePrivilege            1276  msiexec.exe
  Token: SeTakeOwnershipPrivilege      1276  msiexec.exe
  Token: SeSecurityPrivilege           1276  msiexec.exe
  Token: SeCreateTokenPrivilege        1376  msiexec.exe
  Token: SeAssignPrimaryTokenPrivilege 1376  msiexec.exe
  Token: SeLockMemoryPrivilege         1376  msiexec.exe
  Token: SeIncreaseQuotaPrivilege      1376  msiexec.exe
  Token: SeMachineAccountPrivilege     1376  msiexec.exe
  Token: SeTcbPrivilege                1376  msiexec.exe
  Token: SeSecurityPrivilege           1376  msiexec.exe
  Token: SeTakeOwnershipPrivilege      1376  msiexec.exe
  Token: SeLoadDriverPrivilege         1376  msiexec.exe
  Token: SeSystemProfilePrivilege      1376  msiexec.exe
  Token: SeSystemtimePrivilege         1376  msiexec.exe
  Token: SeProfSingleProcessPrivilege  1376  msiexec.exe
  Token: SeIncBasePriorityPrivilege    1376  msiexec.exe
  Token: SeCreatePagefilePrivilege     1376  msiexec.exe
  Token: SeCreatePermanentPrivilege    1376  msiexec.exe
  Token: SeBackupPrivilege             1376  msiexec.exe
  Token: SeRestorePrivilege            1376  msiexec.exe
  Token: SeShutdownPrivilege           1376  msiexec.exe
  Token: SeDebugPrivilege              1376  msiexec.exe
  Token: SeAuditPrivilege              1376  msiexec.exe
  Token: SeSystemEnvironmentPrivilege  1376  msiexec.exe
  Token: SeChangeNotifyPrivilege       1376  msiexec.exe
  Token: SeRemoteShutdownPrivilege     1376  msiexec.exe
  Token: SeUndockPrivilege             1376  msiexec.exe
  Token: SeSyncAgentPrivilege          1376  msiexec.exe
  Token: SeEnableDelegationPrivilege   1376  msiexec.exe
  Token: SeManageVolumePrivilege       1376  msiexec.exe
  Token: SeImpersonatePrivilege        1376  msiexec.exe
  Token: SeCreateGlobalPrivilege       1376  msiexec.exe

Suspicious use of FindShellTrayWindow (1 IoCs)
  pid   Process
  1376  msiexec.exe

Suspicious use of WriteProcessMemory (7 IoCs)
  description                         pid   Process    procid_target
  PID 1104 wrote to memory of 1376    1104  setup.exe  28
  PID 1104 wrote to memory of 1376    1104  setup.exe  28
  PID 1104 wrote to memory of 1376    1104  setup.exe  28
  PID 1104 wrote to memory of 1376    1104  setup.exe  28
  PID 1104 wrote to memory of 1376    1104  setup.exe  28
  PID 1104 wrote to memory of 1376    1104  setup.exe  28
  PID 1104 wrote to memory of 1376    1104  setup.exe  28
Processes
  C:\Users\Admin\AppData\Local\Temp\setup.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\setup.exe"
    PID: 1104
    Signatures: Suspicious use of WriteProcessMemory
    └ C:\Windows\SysWOW64\msiexec.exe
        Command line: "C:\Windows\SysWOW64\msiexec.exe" -I "C:\Users\Admin\AppData\Local\Temp\AltInstaller.msi"
        PID: 1376
        Signatures: Enumerates connected drives; Suspicious behavior: GetForegroundWindowSpam; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow

  C:\Windows\system32\msiexec.exe
    Command line: C:\Windows\system32\msiexec.exe /V
    PID: 1276
    Signatures: Suspicious use of AdjustPrivilegeToken