Analysis
-
max time kernel: 150s
max time network: 126s
platform: windows10-2004_x64
resource: win10v2004-20230220-en
resource tags: arch:x64 arch:x86 image:win10v2004-20230220-en locale:en-us os:windows10-2004-x64 system
submitted: 30/05/2023, 20:46
Static task
static1
Behavioral task
behavioral1
Sample
5q4psw.msi
Resource
win7-20230220-en
General
-
Target
5q4psw.msi
-
Size
496KB
-
MD5
e35727b10193fe55df216a1f9d166997
-
SHA1
9ddafa77fc9fdea0085e41aa0f3a1ee0d15d9c8a
-
SHA256
696156d9a4117cba652b18b012db376fddfbd7db8b26a638c760d61b98d3590d
-
SHA512
2bba74b0b7f5ee8509310030bb45def13b87394e55edf8d0e51595d6cc669f4b2c7497d95331c09c9f7b453f3c9acdeb03e41cd5e5dc14f9ecb9dd9f79d7ad8d
-
SSDEEP
12288:wn+NgINNEcfjVRMigNFoILI8KviLjvhAol71Q:wnX9gjVRMDqH8fL154
Malware Config
Extracted
qakbot
404.1320
obama265
1685436052
103.42.86.42:995
174.4.89.3:443
161.142.103.187:995
78.160.146.127:443
84.35.26.14:995
12.172.173.82:20
70.28.50.223:2078
124.149.143.189:2222
70.160.67.203:443
186.64.67.30:443
103.123.223.133:443
94.207.104.225:443
89.114.140.100:443
213.64.33.61:2222
86.176.144.234:2222
72.134.124.16:443
47.34.30.133:443
109.50.149.241:2222
85.104.105.67:443
81.111.108.123:443
86.173.2.12:2222
188.28.19.84:443
41.228.224.161:995
12.172.173.82:50001
178.175.187.254:443
65.95.141.84:2222
205.237.67.69:995
83.110.223.61:443
193.253.100.236:2222
27.0.48.233:443
102.159.188.125:443
71.38.155.217:443
58.186.75.42:443
76.178.148.107:2222
70.28.50.223:2087
114.143.176.236:443
51.14.29.227:2222
59.28.84.65:443
173.88.135.179:443
103.144.201.56:2078
96.87.28.170:2222
105.184.103.97:995
176.142.207.63:443
151.62.238.176:443
12.172.173.82:32101
122.186.210.254:443
82.125.44.236:2222
84.108.200.161:443
76.16.49.134:443
70.28.50.223:32100
12.172.173.82:465
76.170.252.153:995
184.182.66.109:443
78.92.133.215:443
50.68.204.71:993
186.75.95.6:443
113.11.92.30:443
70.28.50.223:3389
98.145.23.67:443
85.57.212.13:3389
50.68.186.195:443
47.205.25.170:443
12.172.173.82:993
12.172.173.82:22
69.242.31.249:443
81.101.185.146:443
79.168.224.165:2222
75.143.236.149:443
14.192.241.76:995
86.195.14.72:2222
81.229.117.95:2222
220.240.164.182:443
73.29.92.128:443
12.172.173.82:21
96.56.197.26:2222
75.109.111.89:443
76.86.31.59:443
201.244.108.183:995
68.203.69.96:443
124.122.47.148:443
122.184.143.86:443
92.186.69.229:2222
70.28.50.223:2083
89.129.109.27:2222
147.147.30.126:2222
125.99.76.102:443
88.126.94.4:50000
151.65.167.77:443
86.132.236.117:443
92.154.17.149:2222
223.166.13.95:995
89.36.206.69:995
96.56.197.26:2083
78.18.105.11:443
82.127.153.75:2222
90.78.147.141:2222
82.131.141.209:443
183.87.163.165:443
92.9.45.20:2222
80.6.50.34:443
80.12.88.148:2222
69.133.162.35:443
172.115.17.50:443
95.45.50.93:2222
12.172.173.82:2087
103.140.174.20:2222
24.198.114.130:995
50.68.204.71:443
69.119.123.159:2222
64.121.161.102:443
2.82.8.80:443
184.181.75.148:443
70.112.206.5:443
198.2.51.242:993
2.36.64.159:2078
79.77.142.22:2222
84.215.202.8:443
147.219.4.194:443
116.74.164.81:443
Signatures
-
Loads dropped DLL 1 IoCs
pid / Process: 1712 rundll32.exe
Enumerates connected drives 3 TTPs 48 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description: File opened (read-only); Process: msiexec.exe; ioc (48 rows, in the order reported):
\??\B:, \??\J:, \??\O:, \??\U:, \??\G:, \??\V:, \??\R:, \??\A:, \??\B:, \??\K:, \??\S:, \??\Z:, \??\G:, \??\I:, \??\S:, \??\R:, \??\I:, \??\P:, \??\T:, \??\F:, \??\K:, \??\P:, \??\Q:, \??\U:, \??\X:, \??\Y:, \??\H:, \??\N:, \??\L:, \??\N:, \??\O:, \??\Q:, \??\W:, \??\E:, \??\T:, \??\W:, \??\X:, \??\Y:, \??\F:, \??\H:, \??\M:, \??\A:, \??\L:, \??\M:, \??\V:, \??\Z:, \??\E:, \??\J:
Drops file in Windows directory 8 IoCs
description / ioc / Process:
File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log msiexec.exe
File opened for modification C:\Windows\Installer\ msiexec.exe
File created C:\Windows\Installer\inprogressinstallinfo.ipi msiexec.exe
File created C:\Windows\Installer\SourceHash{2DB09FCD-7D8E-4C24-BF5D-FB5BD25D67B7} msiexec.exe
File opened for modification C:\Windows\Installer\MSIB99.tmp msiexec.exe
File created C:\Windows\Installer\e570a91.msi msiexec.exe
File created C:\Windows\Installer\e570a8f.msi msiexec.exe
File opened for modification C:\Windows\Installer\e570a8f.msi msiexec.exe
Checks SCSI registry key(s) 3 TTPs 5 IoCs
SCSI information is often read in order to detect sandboxing environments.
description / ioc / Process:
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters vssvc.exe
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr vssvc.exe
Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 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 vssvc.exe
Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 vssvc.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters vssvc.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid / Process (64 rows): 1492 msiexec.exe (2 rows), 1712 rundll32.exe (2 rows), 3932 wermgr.exe (remaining 60 rows)
Suspicious use of AdjustPrivilegeToken 64 IoCs
description (Token) / pid / Process, grouped by process in the order reported:
1452 msiexec.exe: SeShutdownPrivilege, SeIncreaseQuotaPrivilege, SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege, SeIncreaseQuotaPrivilege, SeMachineAccountPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeSyncAgentPrivilege, SeEnableDelegationPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
2064 vssvc.exe: SeBackupPrivilege, SeRestorePrivilege, SeAuditPrivilege
1492 msiexec.exe: SeSecurityPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeRestorePrivilege, SeTakeOwnershipPrivilege, SeRestorePrivilege, SeTakeOwnershipPrivilege, SeRestorePrivilege, SeTakeOwnershipPrivilege, SeRestorePrivilege, SeTakeOwnershipPrivilege, SeRestorePrivilege, SeTakeOwnershipPrivilege, SeRestorePrivilege, SeTakeOwnershipPrivilege, SeRestorePrivilege, SeTakeOwnershipPrivilege, SeRestorePrivilege, SeTakeOwnershipPrivilege, SeRestorePrivilege, SeTakeOwnershipPrivilege, SeRestorePrivilege, SeTakeOwnershipPrivilege, SeRestorePrivilege, SeTakeOwnershipPrivilege, SeRestorePrivilege, SeTakeOwnershipPrivilege, SeRestorePrivilege, SeTakeOwnershipPrivilege, SeRestorePrivilege, SeTakeOwnershipPrivilege, SeRestorePrivilege
Suspicious use of FindShellTrayWindow 2 IoCs
pid / Process: 1452 msiexec.exe (2 rows)
Suspicious use of WriteProcessMemory 15 IoCs
description / pid / Process / procid_target:
PID 1492 (msiexec.exe) wrote to memory of 1872, procid_target 98 (2 rows)
PID 1492 (msiexec.exe) wrote to memory of 4596, procid_target 100 (2 rows)
PID 1492 (msiexec.exe) wrote to memory of 1404, procid_target 101 (2 rows)
PID 4596 (rundll32.exe) wrote to memory of 1712, procid_target 102 (3 rows)
PID 1712 (rundll32.exe) wrote to memory of 3932, procid_target 103 (6 rows)
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Windows\system32\msiexec.exe (depth 1): msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\5q4psw.msi
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1452
-
C:\Windows\system32\msiexec.exe (depth 1): C:\Windows\system32\msiexec.exe /V
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1492
-
C:\Windows\system32\srtasks.exe (depth 2): C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
PID:1872
-
-
C:\Windows\system32\rundll32.exe (depth 2): rundll32.exe C:\Users\Admin\AppData\Local\AdobeAcrobatPDFBrowserPlugin\main.dll,next
- Suspicious use of WriteProcessMemory
PID:4596
-
C:\Windows\SysWOW64\rundll32.exe (depth 3): rundll32.exe C:\Users\Admin\AppData\Local\AdobeAcrobatPDFBrowserPlugin\main.dll,next
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1712
-
C:\Windows\SysWOW64\wermgr.exe (depth 4): C:\Windows\SysWOW64\wermgr.exe
- Suspicious behavior: EnumeratesProcesses
PID:3932
-
-
-
-
C:\Windows\system32\wscript.exe (depth 2): wscript.exe C:\Users\Admin\AppData\Local\AdobeAcrobatPDFBrowserPlugin\notify.vbs
PID:1404
-
-
C:\Windows\system32\vssvc.exe (depth 1): C:\Windows\system32\vssvc.exe
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:2064
Network
MITRE ATT&CK Enterprise v6
Downloads
-
Filesize
9KB
MD5 c4c2870ad9d276fc753680ede5bf3748
SHA1 0c56d7b4b51a825f9c7bad5b85fe087675f93a98
SHA256 a1177a71ea9106b3b3b28957ae17738ebc8c05fbf0f861e76a40328bfa1d9334
SHA512 f806c37fca3498034da775b6f6ea50258e80a890654cd2b87313286c23d3481d7519fab1d809a5a50e9d422a8a664d2cfe935486aaa4543b537fd39049653e36
-
Filesize
930KB
MD5 0c8e5b12b177a199008b2282c7506fff
SHA1 0dfee8bae7073512f8bfdabaf0c0b7c882b3864e
SHA256 9a407a2f0ba3c0e3ba3cfa2ffd6472db3bc572b8ef08f1fba7139cbd36cc8dca
SHA512 6464ec42cccb85e7c067ad9f7c8b804d064a6974e8184bc5134436fad004bf87630869c107bb91f87bdc59f7938a8a157f59a436ce0265c070db32a54c4541b5
-
Filesize
930KB
MD5 0c8e5b12b177a199008b2282c7506fff
SHA1 0dfee8bae7073512f8bfdabaf0c0b7c882b3864e
SHA256 9a407a2f0ba3c0e3ba3cfa2ffd6472db3bc572b8ef08f1fba7139cbd36cc8dca
SHA512 6464ec42cccb85e7c067ad9f7c8b804d064a6974e8184bc5134436fad004bf87630869c107bb91f87bdc59f7938a8a157f59a436ce0265c070db32a54c4541b5
-
Filesize
132B
MD5 0d4c9f15ce74465c59ae36a27f98c817
SHA1 9cce8eefa4d3d9c5e161c5dbb860cfe1489c6b1a
SHA256 d24e3399060b51f3a1c9d41a67de2601888a35c99da8db70070d757bb3f1913a
SHA512 9bed0eafc2cf2a2360850ca1070ffb04ac14f04c78379485998a93f45012b5c11cc7f6f68129f65b8b5f90437cb965908c6a1bb9d83a56b068d6bde1d5fdad1f
-
Filesize
496KB
MD5 e35727b10193fe55df216a1f9d166997
SHA1 9ddafa77fc9fdea0085e41aa0f3a1ee0d15d9c8a
SHA256 696156d9a4117cba652b18b012db376fddfbd7db8b26a638c760d61b98d3590d
SHA512 2bba74b0b7f5ee8509310030bb45def13b87394e55edf8d0e51595d6cc669f4b2c7497d95331c09c9f7b453f3c9acdeb03e41cd5e5dc14f9ecb9dd9f79d7ad8d
-
Filesize
23.0MB
MD5 dbcc2a29396c97b0dbf045f7584ce6de
SHA1 65ee7393a5a8e01e71a23fa16a85b9e0c094162a
SHA256 1708890e990a39e20fece73710bfc16a4255c56f0f3424151740edf9c726bf83
SHA512 d0c17b3d0dd6377b2cb39a9f7b5cc1b392f7ef70d90806a50d07bc100468096c96a03e119a465973114d4e668528c4f8c11555d5efb3e7fbc2a0058eb9aa0533
-
\??\Volume{4cc777a5-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{1c8a8b6c-e8d3-466c-a088-725b819a4170}_OnDiskSnapshotProp
Filesize 5KB
MD5 c509ebd1ff0a353f0f772958913c9fb1
SHA1 41a954e2fe0f9543a2751fca386326d7101362a1
SHA256 6995d088aac5e989e9140aaf46cc6a31c09280956016e43fd34e14541b073eed
SHA512 aaa8ed4776a144e7b791696b76d0f5da6943adf3a6162687c3d81ffdfc54b0e20407d9e5769de3ee420f53dcdf5a5452bfae749851ec11b9be4b78109725fb71