Analysis
- max time kernel: 122s
- max time network: 163s
- platform: windows10-2004_x64
- resource: win10v2004-20230915-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230915-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 13/10/2023, 01:11
Static task: static1
Behavioral task: behavioral1
  Sample: Setup123.msi
  Resource: win7-20230831-en
Behavioral task: behavioral2
  Sample: Setup123.msi
  Resource: win10v2004-20230915-en
General
- Target: Setup123.msi
- Size: 1.8MB
- MD5: b23de5f6a3f2c269c8d828fc0dcaa6cf
- SHA1: ebed5f4eaac2437bc47e2502c41082ac1c3e9460
- SHA256: 74e6ff5a3e188edecc8620e3a88cf7b0ba24424a42e2ab66ab7522849621e0e3
- SHA512: dfc077484bad5e9a79c24e6e998d5b05277fb865078a7dcfe0a99e6cee5ab08fc2918462992cffa6f7b7c8e8897dc7d0df751178f4688282232071fd0d667027
- SSDEEP: 24576:3vAJxFNBGa6G6kth0lhSMXlN0Y53rNI1H4ZeJ5MiIf9oNYe9pUdtTWbQ:3o7ckEv53rGl4O5JIf9ofXyS
Malware Config
Signatures
- Loads dropped DLL (6 IoCs)
  pid   Process
  1528  MsiExec.exe   (this entry appears 6 times in the report)

- Enumerates connected drives (3 TTPs, 46 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  The 46 IoCs are the 23 drive letters below, each opened twice (C:, D: and F: do not appear).
  description              ioc     Process      occurrences
  File opened (read-only)  \??\A:  msiexec.exe  2
  File opened (read-only)  \??\B:  msiexec.exe  2
  File opened (read-only)  \??\E:  msiexec.exe  2
  File opened (read-only)  \??\G:  msiexec.exe  2
  File opened (read-only)  \??\H:  msiexec.exe  2
  File opened (read-only)  \??\I:  msiexec.exe  2
  File opened (read-only)  \??\J:  msiexec.exe  2
  File opened (read-only)  \??\K:  msiexec.exe  2
  File opened (read-only)  \??\L:  msiexec.exe  2
  File opened (read-only)  \??\M:  msiexec.exe  2
  File opened (read-only)  \??\N:  msiexec.exe  2
  File opened (read-only)  \??\O:  msiexec.exe  2
  File opened (read-only)  \??\P:  msiexec.exe  2
  File opened (read-only)  \??\Q:  msiexec.exe  2
  File opened (read-only)  \??\R:  msiexec.exe  2
  File opened (read-only)  \??\S:  msiexec.exe  2
  File opened (read-only)  \??\T:  msiexec.exe  2
  File opened (read-only)  \??\U:  msiexec.exe  2
  File opened (read-only)  \??\V:  msiexec.exe  2
  File opened (read-only)  \??\W:  msiexec.exe  2
  File opened (read-only)  \??\X:  msiexec.exe  2
  File opened (read-only)  \??\Y:  msiexec.exe  2
  File opened (read-only)  \??\Z:  msiexec.exe  2

- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Distinct token adjustments in order of first appearance; the occurrences column gives how many times each is listed in the report (63 for PID 4168, 1 for PID 564).
  description                            pid   Process      occurrences
  Token: SeShutdownPrivilege             4168  msiexec.exe  3
  Token: SeIncreaseQuotaPrivilege        4168  msiexec.exe  3
  Token: SeSecurityPrivilege             564   msiexec.exe  1
  Token: SeCreateTokenPrivilege          4168  msiexec.exe  3
  Token: SeAssignPrimaryTokenPrivilege   4168  msiexec.exe  3
  Token: SeLockMemoryPrivilege           4168  msiexec.exe  3
  Token: SeMachineAccountPrivilege       4168  msiexec.exe  2
  Token: SeTcbPrivilege                  4168  msiexec.exe  2
  Token: SeSecurityPrivilege             4168  msiexec.exe  2
  Token: SeTakeOwnershipPrivilege        4168  msiexec.exe  2
  Token: SeLoadDriverPrivilege           4168  msiexec.exe  2
  Token: SeSystemProfilePrivilege        4168  msiexec.exe  2
  Token: SeSystemtimePrivilege           4168  msiexec.exe  2
  Token: SeProfSingleProcessPrivilege    4168  msiexec.exe  2
  Token: SeIncBasePriorityPrivilege      4168  msiexec.exe  2
  Token: SeCreatePagefilePrivilege       4168  msiexec.exe  2
  Token: SeCreatePermanentPrivilege      4168  msiexec.exe  2
  Token: SeBackupPrivilege               4168  msiexec.exe  2
  Token: SeRestorePrivilege              4168  msiexec.exe  2
  Token: SeDebugPrivilege                4168  msiexec.exe  2
  Token: SeAuditPrivilege                4168  msiexec.exe  2
  Token: SeSystemEnvironmentPrivilege    4168  msiexec.exe  2
  Token: SeChangeNotifyPrivilege         4168  msiexec.exe  2
  Token: SeRemoteShutdownPrivilege       4168  msiexec.exe  2
  Token: SeUndockPrivilege               4168  msiexec.exe  2
  Token: SeSyncAgentPrivilege            4168  msiexec.exe  2
  Token: SeEnableDelegationPrivilege     4168  msiexec.exe  2
  Token: SeManageVolumePrivilege         4168  msiexec.exe  2
  Token: SeImpersonatePrivilege          4168  msiexec.exe  2
  Token: SeCreateGlobalPrivilege         4168  msiexec.exe  2

- Suspicious use of FindShellTrayWindow (1 IoC)
  pid   Process
  4168  msiexec.exe

- Suspicious use of WriteProcessMemory (3 IoCs)
  description                      pid  Process      procid_target
  PID 564 wrote to memory of 1528  564  msiexec.exe  84   (this entry appears 3 times in the report)
Processes
- C:\Windows\system32\msiexec.exe (PID 4168)
  Command line: msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\Setup123.msi
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
- C:\Windows\system32\msiexec.exe (PID 564)
  Command line: C:\Windows\system32\msiexec.exe /V
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - Child process: C:\Windows\syswow64\MsiExec.exe (PID 1528)
    Command line: C:\Windows\syswow64\MsiExec.exe -Embedding F7090CF83548728F689283AAEB3C6B82 C
    - Loads dropped DLL
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 719KB
  MD5: 89f70b588a48793450dd603b6cd4096f
  SHA1: 9b6509c031856c715d62853c4e93efbdf48d5aeb
  SHA256: 066c52ed8ebf63a33ab8290b7c58d0c13f79c14faa8bf12b1b41f643d3ebe281
  SHA512: fb04c530430eea6149fd7216f64751e641394a66c0cb222f70c29361baa621a78f906e0adff19bd4cbe5de69edcea7e40bff7c2e068fd4dbd057ca6494db861a
  (this same entry appears 13 times in the report)