Analysis
Max time kernel: 81s
Max time network: 86s
Platform: windows7_x64
Resource: win7-20230831-en
Resource tags: arch:x64, arch:x86, image:win7-20230831-en, locale:en-us, os:windows7-x64, system
Submitted: 10/10/2023, 20:57
Static task: static1
Behavioral task: behavioral1
  Sample: e10907688283346891b3a0232545ec3b7cf926c402f5456a6fa1cd849e7e9092_JC.msi
  Resource: win7-20230831-en
Behavioral task: behavioral2
  Sample: e10907688283346891b3a0232545ec3b7cf926c402f5456a6fa1cd849e7e9092_JC.msi
  Resource: win10v2004-20230915-en
General
Target: e10907688283346891b3a0232545ec3b7cf926c402f5456a6fa1cd849e7e9092_JC.msi
Size: 1.2MB
MD5: 91ab2c89608fc49633b2474493eea552
SHA1: 57149066ebee5648344587be63eb467d3d765e14
SHA256: e10907688283346891b3a0232545ec3b7cf926c402f5456a6fa1cd849e7e9092
SHA512: e67db51fabc2e9ab3601ad48be4cadf48c799cc3164e86b805e118170dd89e4a0bac03dc9690528e3e606dad123526e29abe7e366865fb2e9c3ec3e953c2e90c
SSDEEP: 24576:dg+xLNIYVNMvZCFlp8zBQSc0ZoCEqKlqS0Ygll5RRYM/ZXAAZ:dg6IY4W8zBQSc0ZnRKr8RRYGZXAA
Signatures

Blocklisted process makes network request (3 IoCs)
  flow 5: PID 3036, powershell.exe
  flow 7: PID 3036, powershell.exe
  flow 9: PID 3036, powershell.exe

Drops startup file (1 IoC)
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LowBatBracabals.lnk (powershell.exe)

Executes dropped EXE (1 IoC)
  PID 1800: MSIC384.tmp

Loads dropped DLL (3 IoCs)
  PID 2656: MsiExec.exe
  PID 2656: MsiExec.exe
  PID 2656: MsiExec.exe

Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str): \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicrosoftEdgeAutoLaunch_4D44E3D3299B6D802EEC054E69B13A57 = "\"C:\\Users\\Admin\\Documents\\AMD64_\\MyDoct63D68FD®\\SearchFilterHostgistrat3d02©.exe\" --no-startup-window --win-session-start /prefetch:5" (powershell.exe)
Enumerates connected drives (3 TTPs, 46 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
Drops file in Windows directory (10 IoCs)
  File created: C:\Windows\Installer\f762fca.ipi (msiexec.exe)
  File opened for modification: C:\Windows\Installer\f762fca.ipi (msiexec.exe)
  File opened for modification: C:\Windows\Installer\MSIC384.tmp (msiexec.exe)
  File opened for modification: C:\Windows\Installer\MSI31DB.tmp (msiexec.exe)
  File opened for modification: C:\Windows\Installer\f762fc7.msi (msiexec.exe)
  File opened for modification: C:\Windows\Installer\MSI3025.tmp (msiexec.exe)
  File opened for modification: C:\Windows\Installer\MSI3249.tmp (msiexec.exe)
  File opened for modification: C:\Windows\Installer\ (msiexec.exe)
  File opened for modification: C:\Windows\Installer\MSIC2A6.tmp (msiexec.exe)
  File created: C:\Windows\Installer\f762fc7.msi (msiexec.exe)
Suspicious behavior: EnumeratesProcesses (3 IoCs)
  PID 2696: msiexec.exe
  PID 2696: msiexec.exe
  PID 3036: powershell.exe
Suspicious use of AdjustPrivilegeToken (55 IoCs)
Suspicious use of FindShellTrayWindow (5 IoCs)
  PID 2060: msiexec.exe
  PID 2060: msiexec.exe
  PID 3036: powershell.exe
  PID 3036: powershell.exe
  PID 3036: powershell.exe

Suspicious use of SendNotifyMessage (1 IoC)
  PID 3036: powershell.exe
Suspicious use of WriteProcessMemory (23 IoCs)
Uses Task Scheduler COM API (1 TTP)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Uses Volume Shadow Copy WMI provider
  The Volume Shadow Copy service is used to manage backups/snapshots.

Uses Volume Shadow Copy service COM API
  The Volume Shadow Copy service is used to manage backups/snapshots.
Processes

C:\Windows\system32\msiexec.exe
  Command line: msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\e10907688283346891b3a0232545ec3b7cf926c402f5456a6fa1cd849e7e9092_JC.msi
  PID: 2060
  Signatures: Enumerates connected drives; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow

C:\Windows\system32\msiexec.exe
  Command line: C:\Windows\system32\msiexec.exe /V
  PID: 2696
  Signatures: Enumerates connected drives; Drops file in Windows directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory

    C:\Windows\syswow64\MsiExec.exe
      Command line: C:\Windows\syswow64\MsiExec.exe -Embedding D0C92E05F5DB59AEC7031249535EDF52
      PID: 2656
      Signatures: Loads dropped DLL

    C:\Windows\Installer\MSIC384.tmp
      Command line: "C:\Windows\Installer\MSIC384.tmp" /DontWait /HideWindow "C:\Users\Admin\AppData\Roaming\MicrosoftOfficeW2H9p1T70CVTWPBNWcCjKm9T65bZMmSbsdOjQkkMDMURYAjDxhu5sCEvgGujXa72®rtlkxs\MicrosoftOfficeW2H9p1T70CVTWPBNWcCjKm9T65bZMmSbsdOjQkkMDMURYAjDxhu5sCEvgGujXa72®rtlkxs\fDdpuNcG.cmd"
      PID: 1800
      Signatures: Executes dropped EXE

C:\Windows\system32\cmd.exe
  Command line: cmd /c ""C:\Users\Admin\AppData\Roaming\MicrosoftOfficeW2H9p1T70CVTWPBNWcCjKm9T65bZMmSbsdOjQkkMDMURYAjDxhu5sCEvgGujXa72®rtlkxs\MicrosoftOfficeW2H9p1T70CVTWPBNWcCjKm9T65bZMmSbsdOjQkkMDMURYAjDxhu5sCEvgGujXa72®rtlkxs\fDdpuNcG.cmd" "
  PID: 2580
  Signatures: Suspicious use of WriteProcessMemory

    C:\Windows\system32\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /S /D /c" echo %fuGR5S?TqAPRkx% "
      PID: 2968

    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: PowerShell -NoProfile -windowstyle hidden -ExecutionPolicy Bypass -nop -NoExit -Command -
      PID: 3036
      Signatures: Blocklisted process makes network request; Drops startup file; Adds Run key to start application; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage; Suspicious use of WriteProcessMemory

        C:\Windows\system32\shutdown.exe
          Command line: "C:\Windows\system32\shutdown.exe" -r -f -t 10 -c "Windows Updated Successfully"
          PID: 1020
          Signatures: Suspicious use of AdjustPrivilegeToken

C:\Windows\system32\LogonUI.exe
  Command line: "LogonUI.exe" /flags:0x0
  PID: 1772

C:\Windows\system32\LogonUI.exe
  Command line: "LogonUI.exe" /flags:0x1
  PID: 1640
MITRE ATT&CK Enterprise v15