Analysis
- max time kernel: 126s
- max time network: 200s
- platform: windows10-2004_x64
- resource: win10v2004-20230915-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230915-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 08/10/2023, 01:13
- Static task static1
- Behavioral task behavioral1: Sample Installer(1.5)_2005-09-27/setup.exe, Resource win7-20230831-en
- Behavioral task behavioral2: Sample Installer(1.5)_2005-09-27/setup.exe, Resource win10v2004-20230915-en
- Behavioral task behavioral3: Sample Surveillance System(1.1.00052)_2005-09-28/Surveillance System.msi, Resource win7-20230831-en
- Behavioral task behavioral4: Sample Surveillance System(1.1.00052)_2005-09-28/Surveillance System.msi, Resource win10v2004-20230915-en
- Behavioral task behavioral5: Sample Surveillance System(1.1.00052)_2005-09-28/UserManual.pdf, Resource win7-20230831-en
- Behavioral task behavioral6: Sample Surveillance System(1.1.00052)_2005-09-28/UserManual.pdf, Resource win10v2004-20230915-en
- Behavioral task behavioral7: Sample Surveillance System(1.1.00052)_2005-09-28/setup.exe, Resource win7-20230831-en
- Behavioral task behavioral8: Sample Surveillance System(1.1.00052)_2005-09-28/setup.exe, Resource win10v2004-20230915-en
General
- Target: Surveillance System(1.1.00052)_2005-09-28/Surveillance System.msi
- Size: 841KB
- MD5: 8471e53a5fc2661f4cd0a9d6151eead9
- SHA1: 575886d0310d4d00c90ff937b30e1dd0ca87b228
- SHA256: 47a90f403618ab2e7c67898af3bc8abf6a8cd8a210b5c48e28b844e63bef0ad5
- SHA512: cdd5eda0ab639494e10cf8be9c00401b761e5fa3f8177bbf8487c3c109ca5a11fe3b4cf764508b25f779751fc5b081855c6e564bee2137739633657ecf01bca1
- SSDEEP: 6144:+QC/riBt6iJhfKGGn+QAXUvcHXJqEW+T0yEgZdYUsUt7tYxasUfed:iTiBAiJhfu+QkWcKk0odFt5BsUU
Signatures
- Loads dropped DLL (1 IoC)
  pid 2164, process MsiExec.exe
- Enumerates connected drives (3 TTPs, 46 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  File opened (read-only) by msiexec.exe: \??\A:, \??\B:, \??\E:, \??\G:, \??\H:, \??\I:, \??\J:, \??\K:, \??\L:, \??\M:, \??\N:, \??\O:, \??\P:, \??\Q:, \??\R:, \??\S:, \??\T:, \??\U:, \??\V:, \??\W:, \??\X:, \??\Y:, \??\Z: (each drive root listed twice, 46 entries in total)
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  pid 2968, msiexec.exe: SeSecurityPrivilege
  pid 3516, msiexec.exe: SeShutdownPrivilege, SeIncreaseQuotaPrivilege, SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege, SeMachineAccountPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeSyncAgentPrivilege, SeEnableDelegationPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege (the 64 listed entries repeat this sequence)
- Suspicious use of FindShellTrayWindow (2 IoCs)
  pid 3516, msiexec.exe (2 entries)
- Suspicious use of WriteProcessMemory (3 IoCs)
  PID 2968 (msiexec.exe) wrote to memory of PID 2164, procid_target 93 (3 entries)
Processes
- C:\Windows\system32\msiexec.exe (PID 3516)
  Command line: msiexec.exe /I "C:\Users\Admin\AppData\Local\Temp\Surveillance System(1.1.00052)_2005-09-28\Surveillance System.msi"
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
- C:\Windows\system32\msiexec.exe (PID 2968)
  Command line: C:\Windows\system32\msiexec.exe /V
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - Child process: C:\Windows\syswow64\MsiExec.exe (PID 2164)
    Command line: C:\Windows\syswow64\MsiExec.exe -Embedding FE0438BCD905757AF3EB4838A12B97AB C
    - Loads dropped DLL
Downloads
- Filesize: 100KB
  MD5: e460051d690b8f6e40aeb45c70982c61
  SHA1: 94fb74bb1aadbda29538079cf13f1626123f6a4b
  SHA256: 2cd0a82fdb3ea5e1021aafa71452ec9b03cc0976ea967fa88f0aba19dd2cb8db
  SHA512: 81ff8c6cf6b90558afaa7d03e4a7281ec9575f610509a8f0bade0ff3375ae03863a9661d60dc4b062195414ecefa1445d5d7f1a7e857b6b2e0bf939bcef3f1c4