Analysis
max time kernel: 299s
max time network: 275s
platform: windows10-2004_x64
resource: win10v2004-20230915-es
resource tags: arch:x64, arch:x86, image:win10v2004-20230915-es, locale:es-es, os:windows10-2004-x64, system:windows
submitted: 02/10/2023, 14:55
Static task: static1
General
Target: (not recorded in the report)
Size: 10.3MB
MD5: 992c82588ded6e98b3cb3722215e93f7
SHA1: ed8c79e631efd261b86a63bc33eb8d7b9d620f56
SHA256: eaf48d4a801299a857b6217d650dbedd7711482971a20cf9273813a8b2052949
SHA512: 18cd9989a821dc299eb51b8ea255666e308479f62417b8ea53593e9a3e9c3c4ee7d1898849872d384ca60b3b2c12fdf95d20c8326db0583e923b7c9e6e6cbeae
SSDEEP: 49152:OVfU/PIAMJQChq91XrQxsHcFTSalJ+GbBV67lj6dJ538yAVVU6a9UcZM17Iw/L8M:bIRTqbpcJ5wVVXH4rsyzA0
Malware Config
Signatures
Blocklisted process makes network request (2 IoCs)
flow  pid   Process
14    3248  MsiExec.exe
24    3248  MsiExec.exe

Executes dropped EXE (1 IoC)
pid   Process
1860  Raspberry.exe

Loads dropped DLL (7 IoCs)
pid   Process
2072  MsiExec.exe
2072  MsiExec.exe
2072  MsiExec.exe
2072  MsiExec.exe
3248  MsiExec.exe
1860  Raspberry.exe
1860  Raspberry.exe

Adds Run key to start application (2 TTPs, 1 IoC)
description      ioc                                                                                                                                              Process
Set value (str)  \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Raspberry = "C:\\xvlsgkzs\\Raspberry.exe"  Raspberry.exe

Enumerates connected drives (3 TTPs, 46 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description              ioc     Process
File opened (read-only)  \??\S:  msiexec.exe
File opened (read-only)  \??\V:  msiexec.exe
File opened (read-only)  \??\B:  msiexec.exe
File opened (read-only)  \??\M:  msiexec.exe
File opened (read-only)  \??\U:  msiexec.exe
File opened (read-only)  \??\Q:  msiexec.exe
File opened (read-only)  \??\B:  msiexec.exe
File opened (read-only)  \??\G:  msiexec.exe
File opened (read-only)  \??\I:  msiexec.exe
File opened (read-only)  \??\J:  msiexec.exe
File opened (read-only)  \??\X:  msiexec.exe
File opened (read-only)  \??\A:  msiexec.exe
File opened (read-only)  \??\G:  msiexec.exe
File opened (read-only)  \??\Y:  msiexec.exe
File opened (read-only)  \??\H:  msiexec.exe
File opened (read-only)  \??\R:  msiexec.exe
File opened (read-only)  \??\L:  msiexec.exe
File opened (read-only)  \??\Q:  msiexec.exe
File opened (read-only)  \??\W:  msiexec.exe
File opened (read-only)  \??\K:  msiexec.exe
File opened (read-only)  \??\N:  msiexec.exe
File opened (read-only)  \??\Z:  msiexec.exe
File opened (read-only)  \??\E:  msiexec.exe
File opened (read-only)  \??\I:  msiexec.exe
File opened (read-only)  \??\O:  msiexec.exe
File opened (read-only)  \??\V:  msiexec.exe
File opened (read-only)  \??\Z:  msiexec.exe
File opened (read-only)  \??\E:  msiexec.exe
File opened (read-only)  \??\P:  msiexec.exe
File opened (read-only)  \??\T:  msiexec.exe
File opened (read-only)  \??\H:  msiexec.exe
File opened (read-only)  \??\R:  msiexec.exe
File opened (read-only)  \??\S:  msiexec.exe
File opened (read-only)  \??\X:  msiexec.exe
File opened (read-only)  \??\U:  msiexec.exe
File opened (read-only)  \??\Y:  msiexec.exe
File opened (read-only)  \??\J:  msiexec.exe
File opened (read-only)  \??\T:  msiexec.exe
File opened (read-only)  \??\L:  msiexec.exe
File opened (read-only)  \??\O:  msiexec.exe
File opened (read-only)  \??\M:  msiexec.exe
File opened (read-only)  \??\W:  msiexec.exe
File opened (read-only)  \??\K:  msiexec.exe
File opened (read-only)  \??\N:  msiexec.exe
File opened (read-only)  \??\P:  msiexec.exe
File opened (read-only)  \??\A:  msiexec.exe

Drops file in Windows directory (12 IoCs)
description                   ioc                                                                    Process
File created                  C:\Windows\Installer\e577511.msi                                       msiexec.exe
File opened for modification  C:\Windows\Installer\e577511.msi                                       msiexec.exe
File opened for modification  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log               msiexec.exe
File opened for modification  C:\Windows\Installer\MSI758E.tmp                                       msiexec.exe
File created                  C:\Windows\Installer\inprogressinstallinfo.ipi                         msiexec.exe
File created                  C:\Windows\Installer\SourceHash{0M285RKI-1FL8-AP6G-65EI-4B3IKUJ2OKM6}  msiexec.exe
File opened for modification  C:\Windows\Installer\MSI77E0.tmp                                       msiexec.exe
File opened for modification  C:\Windows\Installer\MSI78AC.tmp                                       msiexec.exe
File opened for modification  C:\Windows\Installer\MSI78CD.tmp                                       msiexec.exe
File opened for modification  C:\Windows\Installer\                                                  msiexec.exe
File opened for modification  C:\Windows\Installer\MSI7AB2.tmp                                       msiexec.exe
File opened for modification  C:\Windows\Installer\MSI7B11.tmp                                       msiexec.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Suspicious behavior: EnumeratesProcesses (22 IoCs)
pid   Process
800   msiexec.exe
800   msiexec.exe
3248  MsiExec.exe
3248  MsiExec.exe
1860  Raspberry.exe (18 entries)

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
pid   Process
1860  Raspberry.exe

Suspicious use of AdjustPrivilegeToken (50 IoCs)
description                             pid   Process
Token: SeShutdownPrivilege              4728  msiexec.exe
Token: SeIncreaseQuotaPrivilege         4728  msiexec.exe
Token: SeSecurityPrivilege              800   msiexec.exe
Token: SeCreateTokenPrivilege           4728  msiexec.exe
Token: SeAssignPrimaryTokenPrivilege    4728  msiexec.exe
Token: SeLockMemoryPrivilege            4728  msiexec.exe
Token: SeIncreaseQuotaPrivilege         4728  msiexec.exe
Token: SeMachineAccountPrivilege        4728  msiexec.exe
Token: SeTcbPrivilege                   4728  msiexec.exe
Token: SeSecurityPrivilege              4728  msiexec.exe
Token: SeTakeOwnershipPrivilege         4728  msiexec.exe
Token: SeLoadDriverPrivilege            4728  msiexec.exe
Token: SeSystemProfilePrivilege         4728  msiexec.exe
Token: SeSystemtimePrivilege            4728  msiexec.exe
Token: SeProfSingleProcessPrivilege     4728  msiexec.exe
Token: SeIncBasePriorityPrivilege       4728  msiexec.exe
Token: SeCreatePagefilePrivilege        4728  msiexec.exe
Token: SeCreatePermanentPrivilege       4728  msiexec.exe
Token: SeBackupPrivilege                4728  msiexec.exe
Token: SeRestorePrivilege               4728  msiexec.exe
Token: SeShutdownPrivilege              4728  msiexec.exe
Token: SeDebugPrivilege                 4728  msiexec.exe
Token: SeAuditPrivilege                 4728  msiexec.exe
Token: SeSystemEnvironmentPrivilege     4728  msiexec.exe
Token: SeChangeNotifyPrivilege          4728  msiexec.exe
Token: SeRemoteShutdownPrivilege        4728  msiexec.exe
Token: SeUndockPrivilege                4728  msiexec.exe
Token: SeSyncAgentPrivilege             4728  msiexec.exe
Token: SeEnableDelegationPrivilege      4728  msiexec.exe
Token: SeManageVolumePrivilege          4728  msiexec.exe
Token: SeImpersonatePrivilege           4728  msiexec.exe
Token: SeCreateGlobalPrivilege          4728  msiexec.exe
Token: SeRestorePrivilege               800   msiexec.exe
Token: SeTakeOwnershipPrivilege         800   msiexec.exe
(the preceding SeRestorePrivilege / SeTakeOwnershipPrivilege pair for pid 800 is repeated 8 more times, 18 entries in total)

Suspicious use of FindShellTrayWindow (2 IoCs)
pid   Process
4728  msiexec.exe
4728  msiexec.exe

Suspicious use of WriteProcessMemory (8 IoCs)
description                     pid   Process      procid_target
PID 800 wrote to memory of 2072   800   msiexec.exe  87
PID 800 wrote to memory of 2072   800   msiexec.exe  87
PID 800 wrote to memory of 2072   800   msiexec.exe  87
PID 800 wrote to memory of 3248   800   msiexec.exe  88
PID 800 wrote to memory of 3248   800   msiexec.exe  88
PID 3248 wrote to memory of 1860  3248  MsiExec.exe  94
PID 3248 wrote to memory of 1860  3248  MsiExec.exe  94
PID 3248 wrote to memory of 1860  3248  MsiExec.exe  94
Processes
- C:\Windows\system32\msiexec.exe (PID 4728)
  Command line: msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\[email protected]
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
- C:\Windows\system32\msiexec.exe (PID 800)
  Command line: C:\Windows\system32\msiexec.exe /V
  - Enumerates connected drives
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\syswow64\MsiExec.exe (PID 2072, child of 800)
    Command line: C:\Windows\syswow64\MsiExec.exe -Embedding A8727CD33E2BA15F620130F666C11FF1
    - Loads dropped DLL
  - C:\Windows\System32\MsiExec.exe (PID 3248, child of 800)
    Command line: C:\Windows\System32\MsiExec.exe -Embedding 40E85F03B646E073BB7E20E085A70B5A
    - Blocklisted process makes network request
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    - C:\xvlsgkzs\Raspberry.exe (PID 1860, child of 3248)
      Command line: "C:\xvlsgkzs\Raspberry.exe"
      - Executes dropped EXE
      - Loads dropped DLL
      - Adds Run key to start application
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: GetForegroundWindowSpam
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 571B
MD5: 910d6c8a82bea35842801545c1223190
SHA1: e6d78afccf58cdc36fc20781b0d7fd45c88dae7b
SHA256: 81549cd26da12bcefef5b23928974b74f95a17e865d6f2f894ada621202d90b5
SHA512: 0ec29e10600a63d2b7894dc11e14f7c770f1d6f8a857494f2281c3793c9932b23c6fb42026b5a9a798cf7e6fbde619f1252ca583ddf57cacd8d0c5e42da09075

Filesize: 554KB (9 identical entries)
MD5: 3b171ce087bb799aafcbbd93bab27f71
SHA1: 7bd69efbc7797bdff5510830ca2cc817c8b86d08
SHA256: bb9a3c8972d89ad03c1dee3e91f03a13aca8d370185ac521b8c48040cc285ef4
SHA512: 7700d86f6f2c6798bed1be6cd651805376d545f48f0a89c08f7032066431cb4df980688a360c44275b8d7f8010769dc236fbdaa0184125d016acdf158989ee38

Filesize: 9.2MB (2 identical entries)
MD5: b97d11c60b8671f3fa4f0f223c380284
SHA1: 1eec15a8d7254f64e6ef37246d5a80b8a1306c78
SHA256: 3faa2be8a3f2ef31038e5457bef9cbe4df43dc8d8814eb7e82fa9800e2044632
SHA512: 21e9c40c5b1d10bbbee3e1f897e665ba6606fb47607187db2913daefd67ce65321197db30b405b6ca5ab1c848924c7e28b99e5722796ce06f970bba845bd573b

Filesize: 5.0MB (3 identical entries)
MD5: 18a2da2200f4003283e21ccf4934e2f0
SHA1: a89d69020672b3f19a61612001c4b36d5c8c0b8a
SHA256: 042e5050d9ec13604600373da1a5b513cfb1c4ec8ca13c30d1df3c81e619ad88
SHA512: 17e51f32a42dc5e368aba69ea70b35abb863f730586266f28b8f3d69586366203e05203e1be0fa04e78b578149e822d6f4290410876bc0caf98d8a6525cac09b

Filesize: 32.2MB (3 identical entries)
MD5: 9557b0b5c7f9a3f50803eea529363b0b
SHA1: 00beee4299ae561038b913defd2705f6f115c343
SHA256: 15fc01c1bf14d19fe2e6d43ea999efd9c7d7bcc29aae38e2a71b70494621a563
SHA512: b5fe44de9804f3dcdec911ee29dcd8b584d9ecb82f8d92fee8fb49688174c56bc40f1e3c7513943ba3b2dd7effba8582a1133f3023ad07feae1d8d3e11c54438