Analysis
- max time kernel: 118s
- max time network: 125s
- platform: windows7_x64
- resource: win7-20230712-en
- resource tags: arch:x64, arch:x86, image:win7-20230712-en, locale:en-us, os:windows7-x64, system
- submitted: 19/07/2023, 11:46
Static task
- static1
Behavioral task
- behavioral1
  Sample: jre-6u25-windows-x64.exe
  Resource: win7-20230712-en
Behavioral task
- behavioral2
  Sample: jre-6u25-windows-x64.exe
  Resource: win10v2004-20230703-en
General
- Target: jre-6u25-windows-x64.exe
- Size: 16.1MB
- MD5: 44632e1d79bec1790fe72f76dbab1e75
- SHA1: fe7248273ff57960fc151bf96d814bc8a297063b
- SHA256: 5b623c9877ad3c91fbf0b98b109f09f4d251856eeab637a46af29e946af4ef91
- SHA512: 5fe963bc83370abf35414f42e02b6fbd70d29d84c95b4292f81b040c8d33cdcdd9c0a81a8f3fc3ca3e8b8bfdb02d0ef6761729f88cf8eee44002092327b41fe9
- SSDEEP: 393216:e0iHkoRtJOLRYLmfjZC9Pyqbmvuu34VJ5LRK:Wko4eLgk97acJFM
Malware Config
Signatures
- Loads dropped DLL (1 IoC)
  PID 2864 MsiExec.exe
- Enumerates connected drives (3 TTPs, 46 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  File opened (read-only) by msiexec.exe: \??\A:, \??\B:, \??\E:, \??\G:, \??\H:, \??\I:, \??\J:, \??\K:, \??\L:, \??\M:, \??\N:, \??\O:, \??\P:, \??\Q:, \??\R:, \??\S:, \??\T:, \??\U:, \??\V:, \??\W:, \??\X:, \??\Y:, \??\Z: (every drive letter except C:, D: and F:; each letter was opened twice, 46 entries in total)
- Drops file in System32 directory (3 IoCs)
  File opened for modification by msiexec.exe:
  C:\Windows\system32\java.exe
  C:\Windows\system32\javaw.exe
  C:\Windows\system32\javaws.exe
- Checks processor information in registry (2 TTPs, 2 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Key opened by msiexec.exe: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
  Key value queried by msiexec.exe: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  PID 2088 msiexec.exe
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  PID 1348 msiexec.exe (3 entries): SeRestorePrivilege, SeTakeOwnershipPrivilege, SeSecurityPrivilege
  PID 2088 msiexec.exe (61 entries; the recorded list repeats, so only the distinct tokens are shown): SeShutdownPrivilege, SeIncreaseQuotaPrivilege, SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege, SeMachineAccountPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeSyncAgentPrivilege, SeEnableDelegationPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
- Suspicious use of FindShellTrayWindow (1 IoC)
  PID 2088 msiexec.exe
- Suspicious use of WriteProcessMemory (10 IoCs)
  PID 1672 jre-6u25-windows-x64.exe wrote to memory of PID 2088 (procid_target 28), 5 entries
  PID 1348 msiexec.exe wrote to memory of PID 2864 (procid_target 30), 5 entries
Processes
- C:\Users\Admin\AppData\Local\Temp\jre-6u25-windows-x64.exe (PID 1672)
  Command line: "C:\Users\Admin\AppData\Local\Temp\jre-6u25-windows-x64.exe"
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\system32\msiexec.exe (PID 2088)
    Command line: "C:\Windows\system32\\msiexec.exe" /i "C:\Users\Admin\AppData\LocalLow\Sun\Java\jre1.6.0_25_x64\jre1.6.0_25.msi" METHOD=joff
    Signatures: Enumerates connected drives; Drops file in System32 directory; Checks processor information in registry; Suspicious behavior: GetForegroundWindowSpam; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow
- C:\Windows\system32\msiexec.exe (PID 1348)
  Command line: C:\Windows\system32\msiexec.exe /V
  Signatures: Enumerates connected drives; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Windows\system32\MsiExec.exe (PID 2864)
    Command line: C:\Windows\system32\MsiExec.exe -Embedding 5CBA24004DC1E915B732534EB142B2CE C
    Signatures: Loads dropped DLL
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 666KB
  MD5: dda7f40550bf9fe60d92c21a8b178ec2
  SHA1: c521736f4b82ff666e5cadef80101dce08e1a5d3
  SHA256: 03557cf4e516fb1da79a7c9b0bb886235d98f6f006fe98cada13c27fd890a798
  SHA512: 7ae993c33c6b2e64e69b98d5a85bc654884dc4ce4d90dd71340495c1788683031a18aa5e691dff09c8a2aa3f725fdb730785901a670caf890c941606ad5afc26
- Filesize: 103KB
  MD5: d1c4f355d9924611bf790ab7e9973806
  SHA1: b688845aea73f6696c14187bdf31c46242090272
  SHA256: 1096d8b0e56e3f148ad1ef2dd2047344196719d2229e57d69d7d87b73c505f94
  SHA512: 5fb79e0a88350f0508570062b7206f0f3161e738f7d9e9a217d74776a143dcd5e399741eedca71e0dea16f09a5b2c9f782750d6b0951aaf0d48603cf95f7b1bb