Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
61s -
max time network
127s -
platform
windows10-2004_x64 -
resource
win10v2004-20230703-en -
resource tags
arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system -
submitted
04/07/2023, 18:25
Static task
static1
Behavioral task
behavioral1
Sample
OpenVPN254I603amd64msi.msi
Resource
win7-20230621-en
Behavioral task
behavioral2
Sample
OpenVPN254I603amd64msi.msi
Resource
win10v2004-20230703-en
General
-
Target
OpenVPN254I603amd64msi.msi
-
Size
4.2MB
-
MD5
a3ca10a71263645df2bb906cbedb3929
-
SHA1
38e0a4d778e942e0a65fa46da3ccc0e1691bc9ea
-
SHA256
6f8e093a7fdcaaba48a06b03bb263ef760ef7ca7ffc3312e27480373f91822b4
-
SHA512
5df382c97555410c435c5931865d55609a11a11bc9728ef0062b9dc0db2871f6115445799612ae07f9bd7bf37a88d5e5bc68c66890a85b82bcbd34e89ea8f194
-
SSDEEP
98304:SRZhtak954vdGNvOV9fE6Haf731Lqv38yNyOtu:AhX9qvdGNKH8wv3XQO
Malware Config
Signatures
-
Blocklisted process makes network request 2 IoCs
flow pid Process 2 3424 msiexec.exe 4 3424 msiexec.exe -
Loads dropped DLL 1 IoCs
pid Process 4280 MsiExec.exe -
Enumerates connected drives 3 TTPs 46 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\Y: msiexec.exe File opened (read-only) \??\O: msiexec.exe File opened (read-only) \??\B: msiexec.exe File opened (read-only) \??\E: msiexec.exe File opened (read-only) \??\J: msiexec.exe File opened (read-only) \??\O: msiexec.exe File opened (read-only) \??\Q: msiexec.exe File opened (read-only) \??\R: msiexec.exe File opened (read-only) \??\X: msiexec.exe File opened (read-only) \??\A: msiexec.exe File opened (read-only) \??\M: msiexec.exe File opened (read-only) \??\B: msiexec.exe File opened (read-only) \??\L: msiexec.exe File opened (read-only) \??\M: msiexec.exe File opened (read-only) \??\Z: msiexec.exe File opened (read-only) \??\T: msiexec.exe File opened (read-only) \??\X: msiexec.exe File opened (read-only) \??\E: msiexec.exe File opened (read-only) \??\S: msiexec.exe File opened (read-only) \??\U: msiexec.exe File opened (read-only) \??\Y: msiexec.exe File opened (read-only) \??\K: msiexec.exe File opened (read-only) \??\G: msiexec.exe File opened (read-only) \??\I: msiexec.exe File opened (read-only) \??\P: msiexec.exe File opened (read-only) \??\H: msiexec.exe File opened (read-only) \??\I: msiexec.exe File opened (read-only) \??\U: msiexec.exe File opened (read-only) \??\V: msiexec.exe File opened (read-only) \??\Z: msiexec.exe File opened (read-only) \??\J: msiexec.exe File opened (read-only) \??\G: msiexec.exe File opened (read-only) \??\S: msiexec.exe File opened (read-only) \??\Q: msiexec.exe File opened (read-only) \??\W: msiexec.exe File opened (read-only) \??\N: msiexec.exe File opened (read-only) \??\W: msiexec.exe File opened (read-only) \??\K: msiexec.exe File opened (read-only) \??\N: msiexec.exe File opened (read-only) \??\R: msiexec.exe File opened (read-only) \??\V: msiexec.exe File opened (read-only) \??\L: msiexec.exe File opened (read-only) \??\P: msiexec.exe File opened (read-only) \??\A: msiexec.exe File opened (read-only) \??\H: msiexec.exe File opened (read-only) \??\T: msiexec.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeShutdownPrivilege 3424 msiexec.exe Token: SeIncreaseQuotaPrivilege 3424 msiexec.exe Token: SeSecurityPrivilege 4700 msiexec.exe Token: SeCreateTokenPrivilege 3424 msiexec.exe Token: SeAssignPrimaryTokenPrivilege 3424 msiexec.exe Token: SeLockMemoryPrivilege 3424 msiexec.exe Token: SeIncreaseQuotaPrivilege 3424 msiexec.exe Token: SeMachineAccountPrivilege 3424 msiexec.exe Token: SeTcbPrivilege 3424 msiexec.exe Token: SeSecurityPrivilege 3424 msiexec.exe Token: SeTakeOwnershipPrivilege 3424 msiexec.exe Token: SeLoadDriverPrivilege 3424 msiexec.exe Token: SeSystemProfilePrivilege 3424 msiexec.exe Token: SeSystemtimePrivilege 3424 msiexec.exe Token: SeProfSingleProcessPrivilege 3424 msiexec.exe Token: SeIncBasePriorityPrivilege 3424 msiexec.exe Token: SeCreatePagefilePrivilege 3424 msiexec.exe Token: SeCreatePermanentPrivilege 3424 msiexec.exe Token: SeBackupPrivilege 3424 msiexec.exe Token: SeRestorePrivilege 3424 msiexec.exe Token: SeShutdownPrivilege 3424 msiexec.exe Token: SeDebugPrivilege 3424 msiexec.exe Token: SeAuditPrivilege 3424 msiexec.exe Token: SeSystemEnvironmentPrivilege 3424 msiexec.exe Token: SeChangeNotifyPrivilege 3424 msiexec.exe Token: SeRemoteShutdownPrivilege 3424 msiexec.exe Token: SeUndockPrivilege 3424 msiexec.exe Token: SeSyncAgentPrivilege 3424 msiexec.exe Token: SeEnableDelegationPrivilege 3424 msiexec.exe Token: SeManageVolumePrivilege 3424 msiexec.exe Token: SeImpersonatePrivilege 3424 msiexec.exe Token: SeCreateGlobalPrivilege 3424 msiexec.exe Token: SeCreateTokenPrivilege 3424 msiexec.exe Token: SeAssignPrimaryTokenPrivilege 3424 msiexec.exe Token: SeLockMemoryPrivilege 3424 msiexec.exe Token: SeIncreaseQuotaPrivilege 3424 msiexec.exe Token: SeMachineAccountPrivilege 3424 msiexec.exe Token: SeTcbPrivilege 3424 msiexec.exe Token: SeSecurityPrivilege 3424 msiexec.exe Token: SeTakeOwnershipPrivilege 3424 msiexec.exe Token: SeLoadDriverPrivilege 3424 msiexec.exe Token: SeSystemProfilePrivilege 3424 msiexec.exe Token: SeSystemtimePrivilege 3424 msiexec.exe Token: SeProfSingleProcessPrivilege 3424 msiexec.exe Token: SeIncBasePriorityPrivilege 3424 msiexec.exe Token: SeCreatePagefilePrivilege 3424 msiexec.exe Token: SeCreatePermanentPrivilege 3424 msiexec.exe Token: SeBackupPrivilege 3424 msiexec.exe Token: SeRestorePrivilege 3424 msiexec.exe Token: SeShutdownPrivilege 3424 msiexec.exe Token: SeDebugPrivilege 3424 msiexec.exe Token: SeAuditPrivilege 3424 msiexec.exe Token: SeSystemEnvironmentPrivilege 3424 msiexec.exe Token: SeChangeNotifyPrivilege 3424 msiexec.exe Token: SeRemoteShutdownPrivilege 3424 msiexec.exe Token: SeUndockPrivilege 3424 msiexec.exe Token: SeSyncAgentPrivilege 3424 msiexec.exe Token: SeEnableDelegationPrivilege 3424 msiexec.exe Token: SeManageVolumePrivilege 3424 msiexec.exe Token: SeImpersonatePrivilege 3424 msiexec.exe Token: SeCreateGlobalPrivilege 3424 msiexec.exe Token: SeCreateTokenPrivilege 3424 msiexec.exe Token: SeAssignPrimaryTokenPrivilege 3424 msiexec.exe Token: SeLockMemoryPrivilege 3424 msiexec.exe -
Suspicious use of FindShellTrayWindow 1 IoCs
pid Process 3424 msiexec.exe -
Suspicious use of WriteProcessMemory 2 IoCs
description pid Process procid_target PID 4700 wrote to memory of 4280 4700 msiexec.exe 81 PID 4700 wrote to memory of 4280 4700 msiexec.exe 81
Processes
-
C:\Windows\system32\msiexec.exemsiexec.exe /I C:\Users\Admin\AppData\Local\Temp\OpenVPN254I603amd64msi.msi1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3424
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4700 -
C:\Windows\System32\MsiExec.exeC:\Windows\System32\MsiExec.exe -Embedding E8C4A72B001FDACED939A629A68F8D6D C2⤵
- Loads dropped DLL
PID:4280
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
189KB
MD5738ebc5c63fda7087784b7ef8f749332
SHA1ec49f57766f7b447d0d1935e27604de9a550a3f6
SHA2564d2b74f18d570e98f41acc4063dfbb7686e5e08052869dce32429eae7c635075
SHA5127aa2f3ff49a3756fc199fcdbda60d998d60bea26e36350bcda1e30cd7e10e30bcc5acb40eb983c5c1fa5a7076804cc48664dccacb85dff84e22374a761da7df5
-
Filesize
189KB
MD5738ebc5c63fda7087784b7ef8f749332
SHA1ec49f57766f7b447d0d1935e27604de9a550a3f6
SHA2564d2b74f18d570e98f41acc4063dfbb7686e5e08052869dce32429eae7c635075
SHA5127aa2f3ff49a3756fc199fcdbda60d998d60bea26e36350bcda1e30cd7e10e30bcc5acb40eb983c5c1fa5a7076804cc48664dccacb85dff84e22374a761da7df5