Analysis

max time kernel: 23s
max time network: 29s
platform: windows10-2004_x64
resource: win10v2004-20230915-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230915-en, locale:en-us, os:windows10-2004-x64, system
submitted: 06/10/2023, 08:11
Behavioral tasks

behavioral1: sample OINSTALL.exe, resource win7-20230831-en
behavioral2: sample OINSTALL.exe, resource win10v2004-20230915-en

The results on this page (platform windows10-2004_x64, memory dumps under behavioral2/) are from the behavioral2 task; the Windows 7 task is not shown here.
General

Target: OINSTALL.exe
Size: 11.8MB
MD5: ed1210b3c515ccdc89c8c919ace0d5c7
SHA1: 98ad0c0de859178532ace50c5a3219f7326074f8
SHA256: 4da5c99755138be6f7f6080c93b8d9262120dfef363092edef5c11f90f9d06a0
SHA512: c65f72871d819c3d9ed8c429dde870e20a284bb958cb376d7535f4e4749122d274121f836543626bdfd7f9fce227161310ef61034fc9b3f9a0a0788b7071f663
SSDEEP: 196608:MxvDEJlrJ/3FMC7ujFXIDelqWRlrZOn+F2lEORWONUzoUz1SmEB9CI4J1GvrzkdN:Ww/3FMRN6el9rInQsAkUz1HOkyki+oA
Malware Config

Extracted URL: http://officecdn.microsoft.com/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32.cab
This is Microsoft's Office content delivery network. The sample fetches the cab with powershell.exe (PID 2512) and then pulls VersionDescriptor.xml out of it with expand.exe (see Processes); the URL is a configuration lookup against Microsoft infrastructure, not a command-and-control address.
Signatures

Blocklisted process makes network request (1 IoC)
flow 34  PID 2512  powershell.exe

Executes dropped EXE (1 IoC)
PID 2296  files.dat

YARA rule "upx" matched in process memory (4 IoCs, all dumps of PID 4848 over the 0x400000-0x1A99000 image range)
behavioral2/memory/4848-0-0x0000000000400000-0x0000000001A99000-memory.dmp
behavioral2/memory/4848-36-0x0000000000400000-0x0000000001A99000-memory.dmp
behavioral2/memory/4848-44-0x0000000000400000-0x0000000001A99000-memory.dmp
behavioral2/memory/4848-50-0x0000000000400000-0x0000000001A99000-memory.dmp

Drops file in Windows directory (2 IoCs)
File opened for modification  C:\Windows\LOGS\DPX\setupact.log  expand.exe
File opened for modification  C:\Windows\LOGS\DPX\setuperr.log  expand.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Modifies data under HKEY_USERS (15 IoCs)
All by LogonUI.exe, under \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\:
Key created       CurrentVersion\Explorer\Accent
Set value (data)  CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00
Key created       CurrentVersion\Themes\History
Set value (int)   CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"
Set value (int)   DWM\ColorizationBlurBalance = "1"
Set value (int)   CurrentVersion\Themes\History\AutoColor = "0"
Set value (int)   DWM\EnableWindowColorization = "24"
Set value (int)   CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"
Key created       DWM
Set value (int)   DWM\AccentColor = "4292311040"
Set value (int)   DWM\ColorizationColor = "3288365271"
Set value (int)   DWM\ColorizationColorBalance = "89"
Set value (int)   DWM\ColorizationAfterglow = "3288365271"
Set value (int)   DWM\ColorizationAfterglowBalance = "10"
Set value (int)   DWM\ColorizationGlassAttribute = "1"
These are lock-screen accent and DWM colour writes by LogonUI.exe, which appears in Processes as its own root and is not spawned by the sample; treat them as sandbox background noise rather than sample behaviour.

Suspicious behavior: EnumeratesProcesses (2 IoCs)
PID 2512  powershell.exe (x2)

Suspicious use of AdjustPrivilegeToken (64 IoCs)
Privileges enabled in the WMIC.exe tokens, the same set in the same order each time:
SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36
PID 3964  WMIC.exe  full set, twice (42 IoCs)
PID 2404  WMIC.exe  full set once, then SeIncreaseQuotaPrivilege again (22 IoCs; the page lists 64 entries in total)
Enabling every privilege already held by the token is what wmic.exe does on start-up; the signature reflects the tool, not a privilege escalation by the sample. What matters is what the two WMIC calls did (see Processes).

Suspicious use of SetWindowsHookEx (1 IoC)
PID 4880  LogonUI.exe

Suspicious use of WriteProcessMemory (24 IoCs)
description                        pid   Process       procid_target
PID 4848 wrote to memory of 3676   4848  OINSTALL.exe  86   (x2)
PID 3676 wrote to memory of 3964   3676  cmd.exe       88   (x2)
PID 4848 wrote to memory of 1812   4848  OINSTALL.exe  89   (x2)
PID 4848 wrote to memory of 2012   4848  OINSTALL.exe  92   (x2)
PID 2012 wrote to memory of 2404   2012  cmd.exe       94   (x2)
PID 4848 wrote to memory of 2348   4848  OINSTALL.exe  95   (x2)
PID 2348 wrote to memory of 2296   2348  cmd.exe       97   (x3)
PID 4848 wrote to memory of 2512   4848  OINSTALL.exe  100  (x3)
PID 4848 wrote to memory of 4008   4848  OINSTALL.exe  107  (x3)
PID 4848 wrote to memory of 4464   4848  OINSTALL.exe  110  (x3)
Every target is the writer's direct child in the process tree, which is the normal parent write into a freshly created child, not injection into an unrelated process.
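The two WMIC MSFT_MpPreference calls in this report add Defender exclusions; on a real host that change is recorded as Event ID 5007 in the Microsoft-Windows-Windows Defender/Operational log, which is where a responder confirms it. The following is an added example, not code from the Triage report or from the sample: it classifies a batch of Defender events into exclusion added / exclusion removed / real-time protection disabled / other. The records are constructed: record ids are arbitrary, the two excluded paths are the ones the sample added, C:\Tools and the scan setting are invented for contrast, and the message wording approximates the 5007 and 5001 texts (which vary across Defender platform versions), so the parser keys only on the "Old value:" / "New value:" lines and on the Exclusions registry path they carry.

```python
"""Classify Microsoft Defender Operational-log events of the kind the two WMIC
MSFT_MpPreference calls in this report would leave on a real host.

Added example, not code from the Triage report or from the sample. All records
below are constructed (see the lead-in for what is taken from the report and what
is invented); the 5007 wording is approximate, so parsing keys only on the
'Old value:' / 'New value:' lines and the Exclusions registry path."""
from __future__ import annotations

import re
from dataclasses import dataclass

EVENT_CONFIG_CHANGED = 5007   # "Configuration has changed": exclusion edits land here
EVENT_RTP_DISABLED = 5001     # "Real-time Protection ... was disabled"

HEADER = ("Microsoft Defender Antivirus Configuration has changed. If this is an unexpected "
          "event you should review the settings as this may be the result of malware.\n")
EXCL_PREFIX = "HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\"

EXCLUSION_RX = re.compile(
    r"HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\(Paths|Processes|Extensions)\\(.+?)\s*=\s*0x[0-9a-f]+",
    re.I)
# [ \t] rather than \s so the lazy group cannot run across the line break into the next line
VALUE_RX = re.compile(r"^[ \t]*(Old|New) value:[ \t]*(.*?)[ \t]*$", re.M)


@dataclass(frozen=True)
class Finding:
    record_id: int
    kind: str     # exclusion_added | exclusion_removed | realtime_protection_disabled | other_config_change
    detail: str   # "<Paths|Processes|Extensions>:<value>" for exclusions, else the raw new/old value


# Constructed records: (record id, event id, message)
SAMPLE_EVENTS = [
    (101, 5007, HEADER + "\tOld value: \n"
     "\tNew value: " + EXCL_PREFIX + "Paths\\C:\\Users\\Admin\\AppData\\Local\\Temp\\OINSTALL.exe = 0x0"),
    (102, 5007, HEADER + "\tOld value: \n"
     "\tNew value: " + EXCL_PREFIX + "Paths\\C:\\Users\\Admin\\AppData\\Local\\Temp\\files = 0x0"),
    (103, 5007, HEADER + "\tOld value: " + EXCL_PREFIX + "Paths\\C:\\Tools = 0x0\n"
     "\tNew value: "),                                  # invented: an exclusion being removed
    (104, 5007, HEADER + "\tOld value: HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Scan\\DisableRemovableDriveScanning = 0x1\n"
     "\tNew value: HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Scan\\DisableRemovableDriveScanning = 0x0"),
    (105, 5001, "Microsoft Defender Antivirus Real-time Protection scanning for malware and other "
                "potentially unwanted software was disabled."),
    (106, 1001, "Microsoft Defender Antivirus scan has finished."),   # unrelated, must be ignored
]


def values(message: str) -> dict[str, str]:
    """'Old' and 'New' value lines of a 5007 message; a missing line maps to ''."""
    found = {m.group(1): m.group(2) for m in VALUE_RX.finditer(message)}
    return {"Old": found.get("Old", ""), "New": found.get("New", "")}


def classify(record_id: int, event_id: int, message: str) -> Finding | None:
    """One Finding per security-relevant event, None for everything else."""
    if event_id == EVENT_RTP_DISABLED:
        return Finding(record_id, "realtime_protection_disabled", "")
    if event_id != EVENT_CONFIG_CHANGED:
        return None
    v = values(message)
    new_m, old_m = EXCLUSION_RX.search(v["New"]), EXCLUSION_RX.search(v["Old"])
    if new_m and not old_m:          # empty Old, populated New: an exclusion was created
        return Finding(record_id, "exclusion_added", f"{new_m.group(1)}:{new_m.group(2)}")
    if old_m and not new_m:          # the reverse: an exclusion was deleted
        return Finding(record_id, "exclusion_removed", f"{old_m.group(1)}:{old_m.group(2)}")
    return Finding(record_id, "other_config_change", v["New"] or v["Old"])


def triage(events) -> list[Finding]:
    return [f for rid, eid, msg in events if (f := classify(rid, eid, msg))]


def excluded_paths(events) -> list[str]:
    """Paths Defender was told to stop scanning, in log order."""
    return [f.detail.split(":", 1)[1] for f in triage(events) if f.kind == "exclusion_added"]


if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f.record_id, f.kind, f.detail)
```

On a live host the same records come from `Get-WinEvent -LogName "Microsoft-Windows-Windows Defender/Operational"` filtered to ids 5007 and 5001; the point of keying on the exclusion path rather than the full message is that the surrounding text differs between Defender versions while the registry path in the value line does not.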
Processes

(Indentation shows parent/child depth. Each entry gives the image path, the command line as logged, then the PID and the signatures attributed to it.)

1  C:\Users\Admin\AppData\Local\Temp\OINSTALL.exe
   "C:\Users\Admin\AppData\Local\Temp\OINSTALL.exe"
   PID 4848  Suspicious use of WriteProcessMemory

   2  C:\Windows\system32\cmd.exe
      "C:\Windows\Sysnative\cmd.exe" /c WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionPath="C:\Users\Admin\AppData\Local\Temp\OINSTALL.exe"
      PID 3676  Suspicious use of WriteProcessMemory

      3  C:\Windows\System32\Wbem\WMIC.exe
         WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionPath="C:\Users\Admin\AppData\Local\Temp\OINSTALL.exe"
         PID 3964  Suspicious use of AdjustPrivilegeToken

   2  C:\Windows\system32\reg.exe
      "C:\Windows\Sysnative\reg.exe" add "HKLM\SOFTWARE\Microsoft\Windows Script Host\Settings" /v Enabled /t REG_DWORD /d 1 /f
      PID 1812

   2  C:\Windows\system32\cmd.exe
      "C:\Windows\Sysnative\cmd.exe" /c WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionPath="C:\Users\Admin\AppData\Local\Temp\files"
      PID 2012  Suspicious use of WriteProcessMemory

      3  C:\Windows\System32\Wbem\WMIC.exe
         WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionPath="C:\Users\Admin\AppData\Local\Temp\files"
         PID 2404  Suspicious use of AdjustPrivilegeToken

   2  C:\Windows\system32\cmd.exe
      "C:\Windows\Sysnative\cmd.exe" /D /c files.dat -y -pkmsauto
      PID 2348  Suspicious use of WriteProcessMemory

      3  C:\Users\Admin\AppData\Local\Temp\files\files.dat
         files.dat -y -pkmsauto
         PID 2296  Executes dropped EXE

   2  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -command "& { (New-Object Net.WebClient).DownloadFile('http://officecdn.microsoft.com/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32.cab', 'C:\Users\Admin\AppData\Local\Temp\over353818\v32.cab') }"
      PID 2512  Blocklisted process makes network request; Suspicious behavior: EnumeratesProcesses

   2  C:\Windows\SysWOW64\expand.exe
      "expand" v32.cab -F:VersionDescriptor.xml C:\Users\Admin\AppData\Local\Temp\over353818
      PID 4008  Drops file in Windows directory

   2  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -command "& { Get-Content C:\Users\Admin\AppData\Local\Temp\over353818\VersionDescriptor.xml | Set-Content -Encoding ASCII v32.txt }
      PID 4464

1  C:\Windows\system32\LogonUI.exe
   "LogonUI.exe" /flags:0x4 /state0:0xa39a0855 /state1:0x41c64e6d
   PID 4880  Modifies data under HKEY_USERS; Suspicious use of SetWindowsHookEx

Reading the tree:
- Defender tampering comes first. Two WMIC calls against the MSFT_MpPreference class in the root\Microsoft\Windows\Defender namespace add exclusion paths for the sample itself and for the directory it is about to extract into, so Defender never scans the dropped files. The signature list on this page does not record this; it is visible only in the command lines, which is why an analyst should read the tree and not just the signature headings.
- Sysnative. cmd.exe and reg.exe are launched through C:\Windows\Sysnative\, the alias a 32-bit process uses on x64 Windows to reach the real 64-bit System32 binaries (the logged image path is still C:\Windows\system32\). Together with powershell.exe and expand.exe running from SysWOW64, this shows OINSTALL.exe is a 32-bit image.
- Windows Script Host is force-enabled (Settings\Enabled = 1 under HKLM), undoing any policy that had disabled .vbs/.js execution on the machine.
- files.dat is executed directly with -y -p<password>, 7-Zip-style switches (assume yes, password kmsauto), consistent with a password-protected self-extracting archive; its output is what the second exclusion protects.
- The only network activity is the PowerShell WebClient download of v32.cab from Microsoft's Office CDN, after which VersionDescriptor.xml is expanded from the cab and re-encoded as ASCII: a version lookup against Microsoft's Office distribution, not a command-and-control contact. The expand.exe writes to C:\Windows\LOGS\DPX\ are its normal logging.
- LogonUI.exe is a separate root process (the lock screen), not a child of the sample, and accounts for the HKEY_USERS and SetWindowsHookEx signatures.
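The process tree above is what an endpoint sensor would see as a sequence of process-creation events, and each of the evasion steps has a command-line shape that can be matched. The following is an added example, not code from the Triage report or from the sample's author: it runs a handful of command-line rules over records constructed from the PIDs, image paths and command lines in the tree (Sysmon Event ID 1 / Security 4688-like fields; the parent PIDs are read off the tree's depth, and the second WMIC exclusion pair, PIDs 2012/2404, is omitted because it is identical in shape to the first). Rule names and the executable-extension list are this example's own, not Triage signature names.

```python
"""Command-line detection for the techniques in the OINSTALL.exe process tree.

Added example, not code from the Triage report or from the sample's author. The
records below are constructed from the PIDs, image paths and command lines shown in
the Processes section (ppid read off the tree's depth; ppid 0 marks a root)."""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


EVENTS = [
    ProcEvent(4848, 0, r"C:\Users\Admin\AppData\Local\Temp\OINSTALL.exe",
              r'"C:\Users\Admin\AppData\Local\Temp\OINSTALL.exe"'),
    ProcEvent(3676, 4848, r"C:\Windows\system32\cmd.exe",
              r'"C:\Windows\Sysnative\cmd.exe" /c WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionPath="C:\Users\Admin\AppData\Local\Temp\OINSTALL.exe"'),
    ProcEvent(3964, 3676, r"C:\Windows\System32\Wbem\WMIC.exe",
              r'WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionPath="C:\Users\Admin\AppData\Local\Temp\OINSTALL.exe"'),
    ProcEvent(1812, 4848, r"C:\Windows\system32\reg.exe",
              r'"C:\Windows\Sysnative\reg.exe" add "HKLM\SOFTWARE\Microsoft\Windows Script Host\Settings" /v Enabled /t REG_DWORD /d 1 /f'),
    ProcEvent(2348, 4848, r"C:\Windows\system32\cmd.exe",
              r'"C:\Windows\Sysnative\cmd.exe" /D /c files.dat -y -pkmsauto'),
    ProcEvent(2296, 2348, r"C:\Users\Admin\AppData\Local\Temp\files\files.dat",
              r"files.dat -y -pkmsauto"),
    ProcEvent(2512, 4848, r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
              r'''"powershell" -command "& { (New-Object Net.WebClient).DownloadFile('http://officecdn.microsoft.com/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32.cab', 'C:\Users\Admin\AppData\Local\Temp\over353818\v32.cab') }"'''),
    ProcEvent(4008, 4848, r"C:\Windows\SysWOW64\expand.exe",
              r'"expand" v32.cab -F:VersionDescriptor.xml C:\Users\Admin\AppData\Local\Temp\over353818'),
]

# Rule names are this example's own. Each rule runs on the Sysnative-normalised command line.
RULES = {
    # WMI MSFT_MpPreference "call Add" or PowerShell Add-/Set-MpPreference with an -Exclusion* parameter
    "defender_exclusion_added": re.compile(
        r"MSFT_MpPreference\s+call\s+Add\b.*\bExclusion(Path|Process|Extension)\s*="
        r"|\b(Add|Set)-MpPreference\b.*-Exclusion(Path|Process|Extension)\b", re.I),
    # Windows Script Host re-enabled: ...\Windows Script Host\Settings /v Enabled /d 1
    "wsh_enabled_via_reg": re.compile(
        r'reg(\.exe)?"?\s+add\s+"?HK(LM|CU)\\SOFTWARE\\Microsoft\\Windows Script Host\\Settings"?'
        r".*/v\s+Enabled\b.*/d\s+1\b", re.I),
    # PowerShell download cradles
    "powershell_download_cradle": re.compile(
        r"Net\.WebClient\b.*\.Download(File|String|Data)\(|Invoke-WebRequest|Start-BitsTransfer", re.I),
    # 7-Zip-style SFX switches: -y (assume yes) followed by -p<password>
    "sfx_archive_with_password": re.compile(r"(^|\s)-y\b.*\s-p\S+", re.I),
}

EXEC_EXTENSIONS = (".exe", ".com", ".scr")   # this example's choice of "looks like a program"


def normalize(cmdline: str) -> str:
    """A 32-bit (WOW64) parent reaches 64-bit binaries through the Sysnative alias;
    fold it to System32 so path-based rules and allow-lists see one spelling."""
    return re.sub(r"\\Sysnative\\", r"\\System32\\", cmdline, flags=re.I)


def scan_event(ev: ProcEvent) -> list[str]:
    """Names of the rules that fire on one event."""
    line = normalize(ev.cmdline)
    hits = [name for name, rx in RULES.items() if rx.search(line)]
    if re.search(r"\\Sysnative\\", ev.cmdline, re.I):
        hits.append("sysnative_redirect")          # the parent is a 32-bit process on x64
    if not ev.image.lower().endswith(EXEC_EXTENSIONS):
        hits.append("non_exe_extension_executed")  # e.g. files.dat run as a program
    return hits


def scan(events: list[ProcEvent]) -> dict[int, list[str]]:
    """pid -> rule names, for the events that fired at least one rule."""
    return {ev.pid: hits for ev in events if (hits := scan_event(ev))}


def ancestry(events: list[ProcEvent], pid: int) -> list[str]:
    """Image basenames from pid up to its root, for the analyst's process chain."""
    by_pid = {ev.pid: ev for ev in events}
    chain = []
    while pid in by_pid:
        chain.append(by_pid[pid].image.rsplit("\\", 1)[-1])
        pid = by_pid[pid].ppid
    return chain


def extract_urls(cmdline: str) -> list[str]:
    """URLs embedded in a command line (the cradle's download source)."""
    return re.findall(r"https?://[^\s'\"()]+", cmdline)


if __name__ == "__main__":
    for pid, hits in scan(EVENTS).items():
        print(pid, " <- ".join(ancestry(EVENTS, pid)), hits)
```

Two points the output makes that the signature list does not: the exclusion rule fires on both the cmd.exe wrapper and the WMIC.exe child, so a detection that only looks at wmic.exe image loads would still catch it if the wrapper were replaced, and the download cradle is flagged on shape alone; whether officecdn.microsoft.com is an acceptable destination is a separate allow-list decision made on the URL that `extract_urls` returns.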
Downloads

File 1
Filesize: 60B
MD5: d17fe0a3f47be24a6453e9ef58c94641
SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Files 2 and 3 (two copies with identical hashes)
Filesize: 765KB
MD5: bb5569b15d68c10b7ff2d96b45825120
SHA1: d6d2ed450aae4552f550f59bffe3dd42d8377835
SHA256: 4e3b13b56bec0e41778e6506430282bbbd75ccaa600fd4b645ce37dd95b44c8e
SHA512: 640a9ae2d40c272638485d37fad4ed83c9c215ce60a0bd3d50db9f033aa79d4c7fc276d018b05f0b1d8446f5e84a7350c857ee8097c05a472c26bfb446038957

File 4
Filesize: 11KB
MD5: 1001374b634bbc8566a5ea123cf64abf
SHA1: 35d1e1a9eded5354581f08d3207dd69d8cdb24d9
SHA256: 2d8c1045e4be1285c5b57790a6e6117e7d8e31f74c191193b7eec0b6a45ec2fe
SHA512: e1fc58952f68e42b86fd222ba7c3c0d3ecfc20f3e83a8b1bdb2551ba70c2bab831729e499beace8c25f87ddaece0fe05d07b9c6a928a8af7b0d79e5cdb3635e2