Analysis
- max time kernel: 118s
- max time network: 121s
- platform: windows7_x64
- resource: win7-20230831-en
- resource tags: arch:x64, arch:x86, image:win7-20230831-en, locale:en-us, os:windows7-x64, system
- submitted: 23/09/2023, 05:44 UTC
Static task
- static1
Behavioral task
- behavioral1
  Sample: FootSwitch V7.1.0.msi
  Resource: win7-20230831-en
Behavioral task
- behavioral2
  Sample: FootSwitch V7.1.0.msi
  Resource: win10v2004-20230915-en
General
- Target: FootSwitch V7.1.0.msi
- Size: 10.0MB
- MD5: 58ac97c5432546daea70335476123726
- SHA1: 654a875e5e4671052eb4c67ac53fbc0876241b04
- SHA256: 6927c384377b1dd9a746489f41cc1177101c5ca678ba1bb28c2e2496d8806acf
- SHA512: 1bf3cd99c375ef3b7c9078b13ce940f47219b2b290625e05e3032aa2ceebba8179a4699b3eb2f330f67238ba793e1e9e2fe60e1e8cbe1410e55d4601d4357c03
- SSDEEP: 196608:VKx7z/fq/fz0ZcEiYavmddz9NhLMuGvMbNMnNIhEFCTe5ezLfJwC:47z6D3E3FwuGQ4GEsTe5g
Malware Config
Signatures
- Loads dropped DLL (2 IoCs)
  pid  Process
  2728  MsiExec.exe
  2728  MsiExec.exe
- Enumerates connected drives (3 TTPs, 46 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  description  ioc  Process
  File opened (read-only)  \??\H:  msiexec.exe
  File opened (read-only)  \??\U:  msiexec.exe
  File opened (read-only)  \??\M:  msiexec.exe
  File opened (read-only)  \??\Q:  msiexec.exe
  File opened (read-only)  \??\O:  msiexec.exe
  File opened (read-only)  \??\E:  msiexec.exe
  File opened (read-only)  \??\I:  msiexec.exe
  File opened (read-only)  \??\L:  msiexec.exe
  File opened (read-only)  \??\K:  msiexec.exe
  File opened (read-only)  \??\Z:  msiexec.exe
  File opened (read-only)  \??\E:  msiexec.exe
  File opened (read-only)  \??\I:  msiexec.exe
  File opened (read-only)  \??\L:  msiexec.exe
  File opened (read-only)  \??\N:  msiexec.exe
  File opened (read-only)  \??\P:  msiexec.exe
  File opened (read-only)  \??\R:  msiexec.exe
  File opened (read-only)  \??\S:  msiexec.exe
  File opened (read-only)  \??\S:  msiexec.exe
  File opened (read-only)  \??\A:  msiexec.exe
  File opened (read-only)  \??\T:  msiexec.exe
  File opened (read-only)  \??\J:  msiexec.exe
  File opened (read-only)  \??\V:  msiexec.exe
  File opened (read-only)  \??\Z:  msiexec.exe
  File opened (read-only)  \??\K:  msiexec.exe
  File opened (read-only)  \??\Q:  msiexec.exe
  File opened (read-only)  \??\Y:  msiexec.exe
  File opened (read-only)  \??\H:  msiexec.exe
  File opened (read-only)  \??\B:  msiexec.exe
  File opened (read-only)  \??\U:  msiexec.exe
  File opened (read-only)  \??\M:  msiexec.exe
  File opened (read-only)  \??\O:  msiexec.exe
  File opened (read-only)  \??\W:  msiexec.exe
  File opened (read-only)  \??\A:  msiexec.exe
  File opened (read-only)  \??\P:  msiexec.exe
  File opened (read-only)  \??\R:  msiexec.exe
  File opened (read-only)  \??\T:  msiexec.exe
  File opened (read-only)  \??\X:  msiexec.exe
  File opened (read-only)  \??\B:  msiexec.exe
  File opened (read-only)  \??\G:  msiexec.exe
  File opened (read-only)  \??\J:  msiexec.exe
  File opened (read-only)  \??\V:  msiexec.exe
  File opened (read-only)  \??\Y:  msiexec.exe
  File opened (read-only)  \??\X:  msiexec.exe
  File opened (read-only)  \??\G:  msiexec.exe
  File opened (read-only)  \??\N:  msiexec.exe
  File opened (read-only)  \??\W:  msiexec.exe
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  pid  Process
  3040  msiexec.exe
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  description  pid  Process
  Token: SeShutdownPrivilege  3040  msiexec.exe
  Token: SeIncreaseQuotaPrivilege  3040  msiexec.exe
  Token: SeRestorePrivilege  1376  msiexec.exe
  Token: SeTakeOwnershipPrivilege  1376  msiexec.exe
  Token: SeSecurityPrivilege  1376  msiexec.exe
  Token: SeCreateTokenPrivilege  3040  msiexec.exe
  Token: SeAssignPrimaryTokenPrivilege  3040  msiexec.exe
  Token: SeLockMemoryPrivilege  3040  msiexec.exe
  Token: SeIncreaseQuotaPrivilege  3040  msiexec.exe
  Token: SeMachineAccountPrivilege  3040  msiexec.exe
  Token: SeTcbPrivilege  3040  msiexec.exe
  Token: SeSecurityPrivilege  3040  msiexec.exe
  Token: SeTakeOwnershipPrivilege  3040  msiexec.exe
  Token: SeLoadDriverPrivilege  3040  msiexec.exe
  Token: SeSystemProfilePrivilege  3040  msiexec.exe
  Token: SeSystemtimePrivilege  3040  msiexec.exe
  Token: SeProfSingleProcessPrivilege  3040  msiexec.exe
  Token: SeIncBasePriorityPrivilege  3040  msiexec.exe
  Token: SeCreatePagefilePrivilege  3040  msiexec.exe
  Token: SeCreatePermanentPrivilege  3040  msiexec.exe
  Token: SeBackupPrivilege  3040  msiexec.exe
  Token: SeRestorePrivilege  3040  msiexec.exe
  Token: SeShutdownPrivilege  3040  msiexec.exe
  Token: SeDebugPrivilege  3040  msiexec.exe
  Token: SeAuditPrivilege  3040  msiexec.exe
  Token: SeSystemEnvironmentPrivilege  3040  msiexec.exe
  Token: SeChangeNotifyPrivilege  3040  msiexec.exe
  Token: SeRemoteShutdownPrivilege  3040  msiexec.exe
  Token: SeUndockPrivilege  3040  msiexec.exe
  Token: SeSyncAgentPrivilege  3040  msiexec.exe
  Token: SeEnableDelegationPrivilege  3040  msiexec.exe
  Token: SeManageVolumePrivilege  3040  msiexec.exe
  Token: SeImpersonatePrivilege  3040  msiexec.exe
  Token: SeCreateGlobalPrivilege  3040  msiexec.exe
  Token: SeCreateTokenPrivilege  3040  msiexec.exe
  Token: SeAssignPrimaryTokenPrivilege  3040  msiexec.exe
  Token: SeLockMemoryPrivilege  3040  msiexec.exe
  Token: SeIncreaseQuotaPrivilege  3040  msiexec.exe
  Token: SeMachineAccountPrivilege  3040  msiexec.exe
  Token: SeTcbPrivilege  3040  msiexec.exe
  Token: SeSecurityPrivilege  3040  msiexec.exe
  Token: SeTakeOwnershipPrivilege  3040  msiexec.exe
  Token: SeLoadDriverPrivilege  3040  msiexec.exe
  Token: SeSystemProfilePrivilege  3040  msiexec.exe
  Token: SeSystemtimePrivilege  3040  msiexec.exe
  Token: SeProfSingleProcessPrivilege  3040  msiexec.exe
  Token: SeIncBasePriorityPrivilege  3040  msiexec.exe
  Token: SeCreatePagefilePrivilege  3040  msiexec.exe
  Token: SeCreatePermanentPrivilege  3040  msiexec.exe
  Token: SeBackupPrivilege  3040  msiexec.exe
  Token: SeRestorePrivilege  3040  msiexec.exe
  Token: SeShutdownPrivilege  3040  msiexec.exe
  Token: SeDebugPrivilege  3040  msiexec.exe
  Token: SeAuditPrivilege  3040  msiexec.exe
  Token: SeSystemEnvironmentPrivilege  3040  msiexec.exe
  Token: SeChangeNotifyPrivilege  3040  msiexec.exe
  Token: SeRemoteShutdownPrivilege  3040  msiexec.exe
  Token: SeUndockPrivilege  3040  msiexec.exe
  Token: SeSyncAgentPrivilege  3040  msiexec.exe
  Token: SeEnableDelegationPrivilege  3040  msiexec.exe
  Token: SeManageVolumePrivilege  3040  msiexec.exe
  Token: SeImpersonatePrivilege  3040  msiexec.exe
  Token: SeCreateGlobalPrivilege  3040  msiexec.exe
  Token: SeCreateTokenPrivilege  3040  msiexec.exe
- Suspicious use of FindShellTrayWindow (1 IoC)
  pid  Process
  3040  msiexec.exe
- Suspicious use of WriteProcessMemory (7 IoCs)
  description  pid  Process  procid_target
  PID 1376 wrote to memory of 2728  1376  msiexec.exe  29
  PID 1376 wrote to memory of 2728  1376  msiexec.exe  29
  PID 1376 wrote to memory of 2728  1376  msiexec.exe  29
  PID 1376 wrote to memory of 2728  1376  msiexec.exe  29
  PID 1376 wrote to memory of 2728  1376  msiexec.exe  29
  PID 1376 wrote to memory of 2728  1376  msiexec.exe  29
  PID 1376 wrote to memory of 2728  1376  msiexec.exe  29
Processes
- C:\Windows\system32\msiexec.exe
  Command line: msiexec.exe /I "C:\Users\Admin\AppData\Local\Temp\FootSwitch V7.1.0.msi"
  - Enumerates connected drives
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID: 3040
- C:\Windows\system32\msiexec.exe
  Command line: C:\Windows\system32\msiexec.exe /V
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 1376
  - C:\Windows\syswow64\MsiExec.exe (child of PID 1376)
    Command line: C:\Windows\syswow64\MsiExec.exe -Embedding 1CA05FF3F846810357C08CA71786A94B C
    - Loads dropped DLL
    PID: 2728
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 298KB
  MD5: 373e46a1e858b6a10432d589de09732f
  SHA1: 26e71b5373999a23eb6e2a282de3683dd9d698b5
  SHA256: 0357b1185454d1a7d0c72de5af8e82a2185c0f1e52fb2d21b53e149d0a688041
  SHA512: 9b83f10f5e1cbe8ff97a5ead0ca02fce5f58e6e573077d2293f5c34e8d894836dd8e2a6b1dcdfa6c98f156704208f85e8595046527adab3fbe831236c71aaef8