Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
121s -
max time network
124s -
platform
windows7_x64 -
resource
win7-20230712-en -
resource tags
arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system -
submitted
06/08/2023, 22:21
Static task
static1
Behavioral task
behavioral1
Sample
1.msi
Resource
win7-20230712-en
windows7-x64
8 signatures
150 seconds
Behavioral task
behavioral2
Sample
1.msi
Resource
win10v2004-20230703-en
windows10-2004-x64
11 signatures
150 seconds
General
-
Target
1.msi
-
Size
680KB
-
MD5
3035101d044a4425dbd5a523ace428c3
-
SHA1
f08ecf54bb93077fc32cef5f6915ce569e38bed1
-
SHA256
f4de4f89d51790fbcc5e69d1daec304ac0433179973bfcb1828c8691a0dc5e84
-
SHA512
d60db29c92f219c9f69debc1ad1c50cf74b858c2e9e2bd4ed00f2bb6e1e9c8bbf7e9240ec11cc7e46cafc2a0651a462f2c6c1c42824b913bedf747a1b1dae9d0
-
SSDEEP
12288:z6hgTBOyy3AhX+JP4OduQDNZ4hxUxBjcyHnUaK6BpefgRY1bHzv7F/EfO:W+dIu+zduQDD4hxUYy0Z6B4flbHLtEW
Score
7/10
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
pid Process 2532 Setup.exe -
Enumerates connected drives 3 TTPs 46 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\O: msiexec.exe File opened (read-only) \??\Q: msiexec.exe File opened (read-only) \??\A: msiexec.exe File opened (read-only) \??\K: msiexec.exe File opened (read-only) \??\R: msiexec.exe File opened (read-only) \??\U: msiexec.exe File opened (read-only) \??\M: msiexec.exe File opened (read-only) \??\N: msiexec.exe File opened (read-only) \??\U: msiexec.exe File opened (read-only) \??\R: msiexec.exe File opened (read-only) \??\S: msiexec.exe File opened (read-only) \??\Z: msiexec.exe File opened (read-only) \??\H: msiexec.exe File opened (read-only) \??\L: msiexec.exe File opened (read-only) \??\B: msiexec.exe File opened (read-only) \??\E: msiexec.exe File opened (read-only) \??\N: msiexec.exe File opened (read-only) \??\T: msiexec.exe File opened (read-only) \??\P: msiexec.exe File opened (read-only) \??\W: msiexec.exe File opened (read-only) \??\A: msiexec.exe File opened (read-only) \??\I: msiexec.exe File opened (read-only) \??\V: msiexec.exe File opened (read-only) \??\E: msiexec.exe File opened (read-only) \??\G: msiexec.exe File opened (read-only) \??\I: msiexec.exe File opened (read-only) \??\L: msiexec.exe File opened (read-only) \??\M: msiexec.exe File opened (read-only) \??\H: msiexec.exe File opened (read-only) \??\Q: msiexec.exe File opened (read-only) \??\B: msiexec.exe File opened (read-only) \??\J: msiexec.exe File opened (read-only) \??\T: msiexec.exe File opened (read-only) \??\Y: msiexec.exe File opened (read-only) \??\X: msiexec.exe File opened (read-only) \??\X: msiexec.exe File opened (read-only) \??\Z: msiexec.exe File opened (read-only) \??\K: msiexec.exe File opened (read-only) \??\J: msiexec.exe File opened (read-only) \??\P: msiexec.exe File opened (read-only) \??\W: msiexec.exe File opened (read-only) \??\Y: msiexec.exe File opened (read-only) \??\O: msiexec.exe File opened (read-only) \??\S: msiexec.exe File opened (read-only) \??\V: msiexec.exe File opened (read-only) \??\G: msiexec.exe -
Drops file in Windows directory 10 IoCs
description ioc Process File opened for modification C:\Windows\Installer\f77315e.ipi msiexec.exe File opened for modification C:\Windows\INF\setupapi.ev3 DrvInst.exe File opened for modification C:\Windows\INF\setupapi.ev1 DrvInst.exe File opened for modification C:\Windows\INF\setupapi.dev.log DrvInst.exe File opened for modification C:\Windows\Installer\f77315d.msi msiexec.exe File created C:\Windows\Installer\f773160.msi msiexec.exe File created C:\Windows\Installer\f77315d.msi msiexec.exe File created C:\Windows\Installer\f77315e.ipi msiexec.exe File opened for modification C:\Windows\Installer\ msiexec.exe File opened for modification C:\Windows\Installer\MSI338E.tmp msiexec.exe -
Modifies data under HKEY_USERS 43 IoCs
description ioc Process Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust DrvInst.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs DrvInst.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 2488 msiexec.exe 2488 msiexec.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeShutdownPrivilege 1520 msiexec.exe Token: SeIncreaseQuotaPrivilege 1520 msiexec.exe Token: SeRestorePrivilege 2488 msiexec.exe Token: SeTakeOwnershipPrivilege 2488 msiexec.exe Token: SeSecurityPrivilege 2488 msiexec.exe Token: SeCreateTokenPrivilege 1520 msiexec.exe Token: SeAssignPrimaryTokenPrivilege 1520 msiexec.exe Token: SeLockMemoryPrivilege 1520 msiexec.exe Token: SeIncreaseQuotaPrivilege 1520 msiexec.exe Token: SeMachineAccountPrivilege 1520 msiexec.exe Token: SeTcbPrivilege 1520 msiexec.exe Token: SeSecurityPrivilege 1520 msiexec.exe Token: SeTakeOwnershipPrivilege 1520 msiexec.exe Token: SeLoadDriverPrivilege 1520 msiexec.exe Token: SeSystemProfilePrivilege 1520 msiexec.exe Token: SeSystemtimePrivilege 1520 msiexec.exe Token: SeProfSingleProcessPrivilege 1520 msiexec.exe Token: SeIncBasePriorityPrivilege 1520 msiexec.exe Token: SeCreatePagefilePrivilege 1520 msiexec.exe Token: SeCreatePermanentPrivilege 1520 msiexec.exe Token: SeBackupPrivilege 1520 msiexec.exe Token: SeRestorePrivilege 1520 msiexec.exe Token: SeShutdownPrivilege 1520 msiexec.exe Token: SeDebugPrivilege 1520 msiexec.exe Token: SeAuditPrivilege 1520 msiexec.exe Token: SeSystemEnvironmentPrivilege 1520 msiexec.exe Token: SeChangeNotifyPrivilege 1520 msiexec.exe Token: SeRemoteShutdownPrivilege 1520 msiexec.exe Token: SeUndockPrivilege 1520 msiexec.exe Token: SeSyncAgentPrivilege 1520 msiexec.exe Token: SeEnableDelegationPrivilege 1520 msiexec.exe Token: SeManageVolumePrivilege 1520 msiexec.exe Token: SeImpersonatePrivilege 1520 msiexec.exe Token: SeCreateGlobalPrivilege 1520 msiexec.exe Token: SeBackupPrivilege 2112 vssvc.exe Token: SeRestorePrivilege 2112 vssvc.exe Token: SeAuditPrivilege 2112 vssvc.exe Token: SeBackupPrivilege 2488 msiexec.exe Token: SeRestorePrivilege 2488 msiexec.exe Token: SeRestorePrivilege 2920 DrvInst.exe Token: SeRestorePrivilege 2920 DrvInst.exe Token: SeRestorePrivilege 2920 DrvInst.exe Token: SeRestorePrivilege 2920 DrvInst.exe Token: SeRestorePrivilege 2920 DrvInst.exe Token: SeRestorePrivilege 2920 DrvInst.exe Token: SeRestorePrivilege 2920 DrvInst.exe Token: SeLoadDriverPrivilege 2920 DrvInst.exe Token: SeLoadDriverPrivilege 2920 DrvInst.exe Token: SeLoadDriverPrivilege 2920 DrvInst.exe Token: SeRestorePrivilege 2488 msiexec.exe Token: SeTakeOwnershipPrivilege 2488 msiexec.exe Token: SeRestorePrivilege 2488 msiexec.exe Token: SeTakeOwnershipPrivilege 2488 msiexec.exe Token: SeRestorePrivilege 2488 msiexec.exe Token: SeTakeOwnershipPrivilege 2488 msiexec.exe Token: SeRestorePrivilege 2488 msiexec.exe Token: SeTakeOwnershipPrivilege 2488 msiexec.exe Token: SeRestorePrivilege 2488 msiexec.exe Token: SeTakeOwnershipPrivilege 2488 msiexec.exe Token: SeRestorePrivilege 2488 msiexec.exe Token: SeTakeOwnershipPrivilege 2488 msiexec.exe Token: SeRestorePrivilege 2488 msiexec.exe Token: SeTakeOwnershipPrivilege 2488 msiexec.exe Token: SeRestorePrivilege 2488 msiexec.exe -
Suspicious use of FindShellTrayWindow 2 IoCs
pid Process 1520 msiexec.exe 1520 msiexec.exe -
Suspicious use of WriteProcessMemory 7 IoCs
description pid Process procid_target PID 2488 wrote to memory of 2532 2488 msiexec.exe 34 PID 2488 wrote to memory of 2532 2488 msiexec.exe 34 PID 2488 wrote to memory of 2532 2488 msiexec.exe 34 PID 2488 wrote to memory of 2532 2488 msiexec.exe 34 PID 2488 wrote to memory of 2532 2488 msiexec.exe 34 PID 2488 wrote to memory of 2532 2488 msiexec.exe 34 PID 2488 wrote to memory of 2532 2488 msiexec.exe 34
Processes
-
C:\Windows\system32\msiexec.exemsiexec.exe /I C:\Users\Admin\AppData\Local\Temp\1.msi1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1520
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2488 -
C:\Users\Admin\AppData\Local\Software Installer\Setup.exe"C:\Users\Admin\AppData\Local\Software Installer\Setup.exe"2⤵
- Executes dropped EXE
PID:2532
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2112
-
C:\Windows\system32\DrvInst.exeDrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000004B4" "0000000000000554"1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2920
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
7KB
MD59334f526426dcca215f2cc315c60cd61
SHA10f7304543c5b93c1f17040d59154c3112b17e2b6
SHA25602d24bda8b0a4a63426bf4f8ace688b32757ea879a15a6fd3fd325add4268f46
SHA512b54dcd794745fadf359722944c8b8cc3eaf7a97a820bdca435d884efba67abbb756b519d69f7b409c5ae5ba8e20e3a35b20a6d42ce85009c4d1edcb4ce8a8453
-
Filesize
371KB
MD52cfed8e9b117e80c7645c40e6dc0abc9
SHA1cea302664bdd9f01473ca25d0863f926a74bca42
SHA256260bac5419a77db5138a3da5140e86c679d001baccbcde4b626c139ee2c4e0ee
SHA51288a21294d04284bd09a0237edc1df95c086dc5c19bcbfe0e4c4ebce030634ee0946f41eeb3e6a7ab7caf07eb863aff5b61de5440c1ab512a36ecf85323b302d1
-
Filesize
371KB
MD52cfed8e9b117e80c7645c40e6dc0abc9
SHA1cea302664bdd9f01473ca25d0863f926a74bca42
SHA256260bac5419a77db5138a3da5140e86c679d001baccbcde4b626c139ee2c4e0ee
SHA51288a21294d04284bd09a0237edc1df95c086dc5c19bcbfe0e4c4ebce030634ee0946f41eeb3e6a7ab7caf07eb863aff5b61de5440c1ab512a36ecf85323b302d1
-
Filesize
680KB
MD53035101d044a4425dbd5a523ace428c3
SHA1f08ecf54bb93077fc32cef5f6915ce569e38bed1
SHA256f4de4f89d51790fbcc5e69d1daec304ac0433179973bfcb1828c8691a0dc5e84
SHA512d60db29c92f219c9f69debc1ad1c50cf74b858c2e9e2bd4ed00f2bb6e1e9c8bbf7e9240ec11cc7e46cafc2a0651a462f2c6c1c42824b913bedf747a1b1dae9d0