Analysis
max time kernel: 299s
max time network: 302s
platform: windows7_x64
resource: win7-20230621-en
resource tags: arch:x64, arch:x86, image:win7-20230621-en, locale:en-us, os:windows7-x64, system
submitted: 30/06/2023, 08:09
Behavioral task
behavioral1
Sample: 新建文件夹 (2)/f49acfb27630f8962eb2fe80da75b3e09f4b3d69c8d3c316687200a1c8aa1f4f.msi
Resource: win7-20230621-en

General
Target: 新建文件夹 (2)/f49acfb27630f8962eb2fe80da75b3e09f4b3d69c8d3c316687200a1c8aa1f4f.msi (the folder name 新建文件夹 (2) is Chinese for "New Folder (2)", the Windows Explorer default; the file is named after its own SHA256)
Size: 2.4MB
MD5: 64039f083c96cab5ea0de62f789886ce
SHA1: ffb89927ad892b7d6e3d6a88ec24a9d6a161dee2
SHA256: f49acfb27630f8962eb2fe80da75b3e09f4b3d69c8d3c316687200a1c8aa1f4f
SHA512: 8eee7c46b8a031858acabe871616e92e95d2e3b4be5b8eae425bc412dc51470c578c6991ba2f3d290a1b96a556853454ea0bb69336e54b9b7aa28354af998fae
SSDEEP: 49152:3BiErnG0fwkAjwzYUrngrwjCBt4CFFDO84D2nng01WQhNzvS65R8ct:XnGvMzYUrhjCBZPO84DH01WQXzvP5xt
Malware Config

Signatures
ACProtect 1.3x - 1.4x DLL software (2 IoCs)
Detects file using ACProtect software.
- behavioral1/files/0x000600000001429c-78.dat (yara rule: acprotect)
- behavioral1/memory/1276-80-0x0000000010000000-0x0000000010021000-memory.dmp (yara rule: acprotect)

Executes dropped EXE (1 IoC)
- PID 1276, 4.exe

Loads dropped DLL (1 IoC)
- PID 1276, 4.exe

upx yara rule matches (2 IoCs)
- behavioral1/files/0x000600000001429c-78.dat (yara rule: upx)
- behavioral1/memory/1276-80-0x0000000010000000-0x0000000010021000-memory.dmp (yara rule: upx)

vmprotect yara rule matches (3 IoCs)
- behavioral1/files/0x0006000000014171-72.dat (yara rule: vmprotect)
- behavioral1/memory/1276-73-0x0000000000400000-0x0000000000873000-memory.dmp (yara rule: vmprotect)
- behavioral1/memory/1276-90-0x0000000000400000-0x0000000000873000-memory.dmp (yara rule: vmprotect)

Reading the packer hits: the acprotect and upx rules fire on the same dropped file (0x000600000001429c-78.dat) and on the same 0x21000-byte region at 0x10000000 in PID 1276, so they describe one packed module, not two. 0x10000000 is the conventional default image base of a 32-bit DLL, which fits the "Loads dropped DLL" hit for the same process. The vmprotect rule fires on a different dropped file (0x0006000000014171-72.dat) and on the 0x400000-0x873000 region of PID 1276, the conventional base of a 32-bit EXE, consistent with the 4.exe image itself. Packer signatures say how the files were wrapped, not what they do; the dumped regions are the starting point for unpacking and static analysis.
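The flat listing above makes it hard to see which rule hits land on the same artefact. The Python below is an added example, not part of the tria.ge report or its tooling: it parses the resource names into a (pid, base, end) key for memory dumps and a file-id key for dropped files and groups the rules per artefact. The name layout it assumes (pid-seq-base-end for dumps, id-seq for files) is inferred from the names on this page, not from a published schema.

```python
import re
from collections import defaultdict

# Assumed layout, inferred from the names in this report (not a documented schema):
#   "<task>/memory/<pid>-<seq>-0x<base>-0x<end>-memory.dmp"  for memory dumps
#   "<task>/files/<hex id>-<seq>.dat"                         for dropped files
MEM_RE = re.compile(
    r"^(?P<task>[^/]+)/memory/(?P<pid>\d+)-(?P<seq>\d+)-"
    r"0x(?P<base>[0-9a-fA-F]+)-0x(?P<end>[0-9a-fA-F]+)-memory\.dmp$"
)
FILE_RE = re.compile(r"^(?P<task>[^/]+)/files/(?P<fid>0x[0-9a-fA-F]+)-(?P<seq>\d+)\.dat$")


def parse_resource(name):
    """Describe one triage resource name; None if it matches neither pattern."""
    m = MEM_RE.match(name)
    if m:
        base, end = int(m["base"], 16), int(m["end"], 16)
        return {"kind": "memory", "task": m["task"], "pid": int(m["pid"]),
                "seq": int(m["seq"]), "base": base, "end": end, "size": end - base}
    m = FILE_RE.match(name)
    if m:
        return {"kind": "file", "task": m["task"], "fid": m["fid"], "seq": int(m["seq"])}
    return None


def group_hits(hits):
    """Collapse (resource, rule) pairs onto the artefact they describe.

    Two dumps of the same pid/base/end are the same module captured at different
    moments, so the key ignores the sequence number; the value is the set of
    rules that matched that artefact.
    """
    grouped = defaultdict(set)
    for resource, rule in hits:
        info = parse_resource(resource)
        if info is None:
            raise ValueError(f"unrecognised resource name: {resource}")
        key = (("memory", info["pid"], info["base"], info["end"]) if info["kind"] == "memory"
               else ("file", info["fid"]))
        grouped[key].add(rule)
    return dict(grouped)


# The (resource, rule) pairs exactly as listed under Signatures in this report.
REPORT_HITS = [
    ("behavioral1/files/0x000600000001429c-78.dat", "acprotect"),
    ("behavioral1/memory/1276-80-0x0000000010000000-0x0000000010021000-memory.dmp", "acprotect"),
    ("behavioral1/files/0x000600000001429c-78.dat", "upx"),
    ("behavioral1/memory/1276-80-0x0000000010000000-0x0000000010021000-memory.dmp", "upx"),
    ("behavioral1/files/0x0006000000014171-72.dat", "vmprotect"),
    ("behavioral1/memory/1276-73-0x0000000000400000-0x0000000000873000-memory.dmp", "vmprotect"),
    ("behavioral1/memory/1276-90-0x0000000000400000-0x0000000000873000-memory.dmp", "vmprotect"),
]


def summarise(hits=REPORT_HITS):
    """One line per artefact: where it is, how big, and which packer rules hit it."""
    lines = []
    for key, rules in sorted(group_hits(hits).items(), key=str):
        if key[0] == "memory":
            _, pid, base, end = key
            lines.append(f"pid {pid} region 0x{base:08x}-0x{end:08x} "
                         f"({end - base:#x} bytes): {', '.join(sorted(rules))}")
        else:
            lines.append(f"dropped file {key[1]}: {', '.join(sorted(rules))}")
    return lines


if __name__ == "__main__":
    print("\n".join(summarise()))
```

Run stand-alone it prints four lines: two dropped files and two memory regions of PID 1276, with acprotect and upx sharing the 0x10000000 region and vmprotect alone on 0x400000-0x873000.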
Enumerates connected drives (3 TTPs, 48 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
File opened (read-only) by msiexec.exe, every letter twice: \??\A: \??\B: \??\E: \??\F: \??\G: \??\H: \??\I: \??\J: \??\K: \??\L: \??\M: \??\N: \??\O: \??\P: \??\Q: \??\R: \??\S: \??\T: \??\U: \??\V: \??\W: \??\X: \??\Y: \??\Z:
Caveat: the process doing this is msiexec.exe itself, not the dropped payload. Probing every drive letter is routine Windows Installer behaviour during an install (volume costing) and shows up for benign MSIs too, so this signature carries little weight here.
Drops file in Program Files directory (2 IoCs)
- File created: C:\Program Files (x86)\默认公司名称\Firefox\4.exe, by msiexec.exe
- File created: C:\Program Files (x86)\默认公司名称\Firefox\1.exe, by msiexec.exe
(默认公司名称 is Chinese for "Default Company Name", a placeholder manufacturer string rather than a real vendor; the "Firefox" folder name is not evidence of any Mozilla involvement.)
Drops file in Windows directory (9 IoCs)
- File opened for modification: C:\Windows\INF\setupapi.dev.log, by DrvInst.exe
- File created: C:\Windows\Installer\6c983b.msi, by msiexec.exe
- File opened for modification: C:\Windows\Installer\6c983b.msi, by msiexec.exe
- File created: C:\Windows\Installer\6c983c.ipi, by msiexec.exe
- File opened for modification: C:\Windows\Installer\MSI99FF.tmp, by msiexec.exe
- File created: C:\Windows\Installer\6c983e.msi, by msiexec.exe
- File opened for modification: C:\Windows\INF\setupapi.ev3, by DrvInst.exe
- File opened for modification: C:\Windows\INF\setupapi.ev1, by DrvInst.exe
- File opened for modification: C:\Windows\Installer\, by msiexec.exe
The .msi copies under C:\Windows\Installer are the cached package Windows Installer keeps for repair and uninstall; on an infected host they are a reliable place to recover the original package even if the user's download was deleted.
Modifies data under HKEY_USERS (43 IoCs)
All by DrvInst.exe, all under \REGISTRY\USER\.DEFAULT:
- Key created (42 keys): Software\Microsoft\SystemCertificates\{CA, Disallowed, Root, SmartCardRoot, TrustedPeople, trust, My} and the Certificates, CRLs and CTLs subkeys of CA, Disallowed, Root, SmartCardRoot, TrustedPeople and trust (25 keys); Software\Policies\Microsoft\SystemCertificates\{CA, Disallowed, TrustedPeople, trust} and their Certificates, CRLs and CTLs subkeys (16 keys); Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing (1 key)
- Set value (data): SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 (UTF-16LE multi-string "en-US", "en")
These are the empty certificate-store keys that the Windows crypto API creates on first use in the .DEFAULT hive when DrvInst.exe validates a driver package under the SYSTEM profile. Only key creation is recorded, no certificate or CTL data is written, so this is a side effect of the VolumeSnapshot device install rather than tampering with trust stores.
Suspicious behavior: EnumeratesProcesses (2 IoCs)
- PID 1404, msiexec.exe (twice)

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
- PID 1128, msiexec.exe

Suspicious use of AdjustPrivilegeToken (64 IoCs)
- PID 1128, msiexec.exe (31 adjustments): SeShutdownPrivilege, SeIncreaseQuotaPrivilege, SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege, SeMachineAccountPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeSyncAgentPrivilege, SeEnableDelegationPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege (SeShutdownPrivilege and SeIncreaseQuotaPrivilege appear twice)
- PID 1404, msiexec.exe (20 adjustments): SeRestorePrivilege (10) alternating with SeTakeOwnershipPrivilege (8), plus SeSecurityPrivilege and SeBackupPrivilege once each
- PID 580, vssvc.exe (3 adjustments): SeBackupPrivilege, SeRestorePrivilege, SeAuditPrivilege
- PID 1156, DrvInst.exe (10 adjustments): SeRestorePrivilege (7), SeLoadDriverPrivilege (3)
Every privilege adjustment is attributed to Windows Installer, VSS or the driver installer; none is attributed to 4.exe. Enabling a long list of privileges is the installer's normal behaviour, so this signature is noise for an MSI sample.

Suspicious use of FindShellTrayWindow (2 IoCs)
- PID 1128, msiexec.exe (twice)

Suspicious use of SetWindowsHookEx (2 IoCs)
- PID 1276, 4.exe (twice)
This is the one signature on the page attributed to the dropped payload rather than to a Windows component. SetWindowsHookEx serves ordinary GUI work as well as keystroke capture and DLL injection, so which it is here has to come from the unpacked binary, not from this report.

Suspicious use of WriteProcessMemory (4 IoCs)
- PID 1404 (msiexec.exe) wrote to the memory of PID 1276 (4.exe), four times, procid_target 32
The writer is the parent and the target is the child it has just started, which is what process creation looks like to this hook; on its own it is not evidence of injection into an unrelated process.
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
In this run the VSS activity is vssvc.exe (PID 580) starting and DrvInst.exe (PID 1156) installing the STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19 device, which is consistent with Windows Installer creating a System Restore point before the install on Windows 7. No process deletes or enumerates shadow copies here, so this is not the ransomware-style vssadmin pattern the signature name might suggest.
Processes
C:\Windows\system32\msiexec.exe (PID 1128)
  msiexec.exe /I "C:\Users\Admin\AppData\Local\Temp\新建文件夹 (2)\f49acfb27630f8962eb2fe80da75b3e09f4b3d69c8d3c316687200a1c8aa1f4f.msi"
  - Enumerates connected drives
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow

C:\Windows\system32\msiexec.exe (PID 1404)
  C:\Windows\system32\msiexec.exe /V
  - Enumerates connected drives
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
    C:\Program Files (x86)\默认公司名称\Firefox\4.exe (PID 1276, child of 1404)
      "C:\Program Files (x86)\默认公司名称\Firefox\4.exe" /Commit
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of SetWindowsHookEx

C:\Windows\system32\vssvc.exe (PID 580)
  C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken

C:\Windows\system32\DrvInst.exe (PID 1156)
  DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "0000000000000328" "0000000000000564"
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken

How to read the tree: PID 1128 is the interactive msiexec client started with /I on the sample; PID 1404 is the Windows Installer service instance (/V) that performs the install and runs the package's custom actions. 4.exe is written to Program Files by 1404 and then started by 1404 with the argument /Commit, so it runs as an install-time custom action rather than something the user launched; whether it ran with the user's token or SYSTEM's is not shown on this page. 1.exe is dropped next to it but is not executed in this run. vssvc.exe and DrvInst.exe are the System Restore / Volume Shadow Copy side of the install, not the payload. For further triage, pull the dropped files (the .dat resources listed under Signatures, or the cached package under C:\Windows\Installer) and examine 4.exe and the DLL it loads after unpacking.
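The process tree, read together with the "Drops file in Program Files directory" and "Executes dropped EXE" signatures, is one correlation: msiexec.exe (PID 1404) writes 4.exe and then launches it, while 1.exe is written and never run. The Python below is an added example of that correlation over an event stream and is not code from tria.ge; the event stream is constructed from this report's IoCs with an assumed ordering (the drop must precede the launch), and the Event layout is an assumption made for illustration, not a format the sandbox emits.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    """Assumed minimal event shape for illustration (not a tria.ge log format)."""
    seq: int          # position in the run; only relative order matters
    kind: str         # "file_create" or "process_create"
    pid: int          # process performing the action
    process: str      # image name of that process
    path: str         # file created, or image path of the new process
    child_pid: int = 0
    cmdline: str = ""


# Constructed from the IoCs in this report: the writes by msiexec.exe (PID 1404)
# and the single launch of 4.exe as PID 1276 shown in the process tree.
SAMPLE_EVENTS = [
    Event(1, "file_create", 1404, "msiexec.exe", r"C:\Windows\Installer\6c983b.msi"),
    Event(2, "file_create", 1404, "msiexec.exe", r"C:\Program Files (x86)\默认公司名称\Firefox\4.exe"),
    Event(3, "file_create", 1404, "msiexec.exe", r"C:\Program Files (x86)\默认公司名称\Firefox\1.exe"),
    Event(4, "process_create", 1404, "msiexec.exe",
          r"C:\Program Files (x86)\默认公司名称\Firefox\4.exe", child_pid=1276,
          cmdline=r'"C:\Program Files (x86)\默认公司名称\Firefox\4.exe" /Commit'),
    Event(5, "file_create", 1404, "msiexec.exe", r"C:\Windows\Installer\6c983c.ipi"),
]


def norm(path):
    """Windows paths are case-insensitive; compare a canonical lower-case form."""
    return path.replace("/", "\\").lower()


def dropped_exe_executions(events):
    """Flag every process launch whose image was written earlier in the same run.

    This is the correlation behind the "Executes dropped EXE" signature: neither
    event is suspicious alone, the pair (write X, then execute X) is.
    """
    writers = {}   # normalised path -> first Event that created it
    findings = []
    for ev in sorted(events, key=lambda e: e.seq):
        key = norm(ev.path)
        if ev.kind == "file_create":
            writers.setdefault(key, ev)
        elif ev.kind == "process_create" and key in writers:
            w = writers[key]
            findings.append({
                "image": ev.path,
                "dropped_by": (w.pid, w.process),
                "executed_by": (ev.pid, ev.process),
                "child_pid": ev.child_pid,
                "cmdline": ev.cmdline,
                # same process writing then launching the binary is the installer
                # pattern seen here (msiexec 1404 -> 4.exe 1276)
                "same_process": w.pid == ev.pid,
            })
    return findings


def dropped_never_run(events, exts=(".exe",)):
    """Executables written during the run but never launched (here: 1.exe)."""
    launched = {norm(e.path) for e in events if e.kind == "process_create"}
    return [e.path for e in sorted(events, key=lambda e: e.seq)
            if e.kind == "file_create" and e.path.lower().endswith(exts)
            and norm(e.path) not in launched]


if __name__ == "__main__":
    for f in dropped_exe_executions(SAMPLE_EVENTS):
        print(f"pid {f['child_pid']} {f['image']} dropped by {f['dropped_by']} "
              f"executed by {f['executed_by']}: {f['cmdline']}")
    print("dropped but never executed:", dropped_never_run(SAMPLE_EVENTS))
```

The second function matters for triage: a binary that is dropped but not run in the sandbox (1.exe here) still needs to be pulled and examined, because the sandbox run says nothing about what it does.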
Network
MITRE ATT&CK Enterprise v6
Downloads

Filesize: 2.1MB
MD5: 4ac3d60c4850e37a9b39976c1553df05
SHA1: 45e5a0e35be7034e38543fc1a0c3f9ca3808fa5c
SHA256: c53eac22482ec00bebb3c006d442c7b48a448f9d0cc16a743af9a88de1a1da6c
SHA512: 7b1e7044deab0f485e1968000df3409d003c38728ab6c07026b5818ed3f0550c32afa0149903e6696e306284b2680426ca8e38540292b35f60d3a8827d789753

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\RPQI3YTS\5A94SPCZ.htm
Filesize: 377KB
MD5: 4774e0999e7b5d0539f1577c1f628a91
SHA1: 88c0ae3139a4ac1c19b96297249f370d2627a245
SHA256: 65c65121c3deba8f282609f513ae2b8b2ca0c6f9c793c4eee9832510dff53de1
SHA512: a16e35326639cb29299a5a06257a779b21145f39afa0e6528a625ec0f18048a67e1d8962258d55d19d7daf2e232c6d8945ef9dba862614410af9dd8c47c2470b

Filesize: 41KB
MD5: d0a62532cecac152bc553474d5899a94
SHA1: fbb691817dfbae7518648c82304e42288b8354e3
SHA256: 242911c8ec9f435569637d5490219a181eb0438c98f8357227d6424e97485f49
SHA512: 9e2150873aa2ce7fa360a5dda0e490f497b716282e827d89e85d50e166a73bd54bbedfa54b5fdb22b31dcfa297b564f922d2cbb152fe490ac336dd2e0fc3ea51

The .htm under Temporary Internet Files\Content.IE5 is a WinINet cache entry, so some process fetched a web page during the run; the Network section of this extract is empty, so the URL and the requesting process cannot be recovered from this page. The first and third entries carry hashes but no path in this extract.