Analysis

max time kernel: 92s
max time network: 129s
platform: windows10-2004_x64
resource: win10v2004-20231023-es
resource tags: arch:x64, arch:x86, image:win10v2004-20231023-es, locale:es-es, os:windows10-2004-x64, system, windows
submitted: 03/11/2023, 23:11
Static task: static1

Behavioral task: behavioral1
  Sample: F91ANFac_turaMTHEIARMRSqoxgxRefXNVZZQGJEUukoan.msi
  Resource: win10v2004-20231023-es

Behavioral task: behavioral2
  Sample: ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~RMUUDIVFUH.dll
  Resource: win10v2004-20231020-es
General

Target: F91ANFac_turaMTHEIARMRSqoxgxRefXNVZZQGJEUukoan.msi
Size: 8.6MB
MD5: 899f664925a69b957335b4bb00ff9142
SHA1: 1dd30f02ff61904bcfea931f21f8b008d21da670
SHA256: c3c9bfb8cb54c481641c9be79295e19912c78b5025a451df9e34b4fbd0e8e0f4
SHA512: 4b3bf0fddec240bcbff0c3663f4fc3fcac352317613cb224a0f9a0bac0357c1c4f875b45352eb522ea9d8cea4d6fc720b009e3760a94fe722d229d6563fd1000
SSDEEP: 49152:6cfofeSXa3HBb8IFnfGXK+ihN9SWF3i7q7tWp2yosVSYtCTpIec6zyxww1nx3VWC:NSX8ppvDKy547IA0
Malware Config
Signatures
Loads dropped DLL (5 IoCs)
  pid   Process
  2596  MsiExec.exe
  2596  MsiExec.exe
  2596  MsiExec.exe
  2596  MsiExec.exe
  1200  MsiExec.exe
Blocklisted process makes network request (1 IoC)
  flow  pid   Process
  21    1200  MsiExec.exe
Enumerates connected drives (3 TTPs, 46 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
  description              ioc     Process
  File opened (read-only)  \??\L:  msiexec.exe
  File opened (read-only)  \??\M:  msiexec.exe
  File opened (read-only)  \??\Y:  msiexec.exe
  File opened (read-only)  \??\N:  msiexec.exe
  File opened (read-only)  \??\I:  msiexec.exe
  File opened (read-only)  \??\I:  msiexec.exe
  File opened (read-only)  \??\L:  msiexec.exe
  File opened (read-only)  \??\M:  msiexec.exe
  File opened (read-only)  \??\V:  msiexec.exe
  File opened (read-only)  \??\Z:  msiexec.exe
  File opened (read-only)  \??\V:  msiexec.exe
  File opened (read-only)  \??\B:  msiexec.exe
  File opened (read-only)  \??\H:  msiexec.exe
  File opened (read-only)  \??\Y:  msiexec.exe
  File opened (read-only)  \??\G:  msiexec.exe
  File opened (read-only)  \??\J:  msiexec.exe
  File opened (read-only)  \??\N:  msiexec.exe
  File opened (read-only)  \??\U:  msiexec.exe
  File opened (read-only)  \??\W:  msiexec.exe
  File opened (read-only)  \??\J:  msiexec.exe
  File opened (read-only)  \??\O:  msiexec.exe
  File opened (read-only)  \??\U:  msiexec.exe
  File opened (read-only)  \??\A:  msiexec.exe
  File opened (read-only)  \??\H:  msiexec.exe
  File opened (read-only)  \??\X:  msiexec.exe
  File opened (read-only)  \??\A:  msiexec.exe
  File opened (read-only)  \??\E:  msiexec.exe
  File opened (read-only)  \??\R:  msiexec.exe
  File opened (read-only)  \??\E:  msiexec.exe
  File opened (read-only)  \??\O:  msiexec.exe
  File opened (read-only)  \??\P:  msiexec.exe
  File opened (read-only)  \??\Z:  msiexec.exe
  File opened (read-only)  \??\P:  msiexec.exe
  File opened (read-only)  \??\Q:  msiexec.exe
  File opened (read-only)  \??\T:  msiexec.exe
  File opened (read-only)  \??\X:  msiexec.exe
  File opened (read-only)  \??\B:  msiexec.exe
  File opened (read-only)  \??\Q:  msiexec.exe
  File opened (read-only)  \??\R:  msiexec.exe
  File opened (read-only)  \??\S:  msiexec.exe
  File opened (read-only)  \??\G:  msiexec.exe
  File opened (read-only)  \??\K:  msiexec.exe
  File opened (read-only)  \??\S:  msiexec.exe
  File opened (read-only)  \??\T:  msiexec.exe
  File opened (read-only)  \??\W:  msiexec.exe
  File opened (read-only)  \??\K:  msiexec.exe
Drops file in Windows directory (12 IoCs)
  description                   ioc                                                                   Process
  File opened for modification  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log              msiexec.exe
  File opened for modification  C:\Windows\Installer\MSI929B.tmp                                      msiexec.exe
  File opened for modification  C:\Windows\Installer\MSI9B2A.tmp                                      msiexec.exe
  File created                  C:\Windows\Installer\inprogressinstallinfo.ipi                        msiexec.exe
  File created                  C:\Windows\Installer\SourceHash{GGH8T1MF-K8LQ-RYRN-HEMH-POF00MTX4HUC}  msiexec.exe
  File opened for modification  C:\Windows\Installer\MSI9D2F.tmp                                      msiexec.exe
  File created                  C:\Windows\Installer\e5791c0.msi                                      msiexec.exe
  File opened for modification  C:\Windows\Installer\e5791c0.msi                                      msiexec.exe
  File opened for modification  C:\Windows\Installer\MSI99FF.tmp                                      msiexec.exe
  File opened for modification  C:\Windows\Installer\MSI9A8C.tmp                                      msiexec.exe
  File opened for modification  C:\Windows\Installer\                                                 msiexec.exe
  File opened for modification  C:\Windows\Installer\MSI9CE0.tmp                                      msiexec.exe
Suspicious behavior: EnumeratesProcesses (8 IoCs)
  pid   Process
  1140  msiexec.exe
  1140  msiexec.exe
  1200  MsiExec.exe
  1200  MsiExec.exe
  1200  MsiExec.exe
  1200  MsiExec.exe
  1200  MsiExec.exe
  1200  MsiExec.exe
Suspicious use of AdjustPrivilegeToken (50 IoCs)
  description                           pid   Process
  Token: SeShutdownPrivilege            868   msiexec.exe
  Token: SeIncreaseQuotaPrivilege       868   msiexec.exe
  Token: SeSecurityPrivilege            1140  msiexec.exe
  Token: SeCreateTokenPrivilege         868   msiexec.exe
  Token: SeAssignPrimaryTokenPrivilege  868   msiexec.exe
  Token: SeLockMemoryPrivilege          868   msiexec.exe
  Token: SeIncreaseQuotaPrivilege       868   msiexec.exe
  Token: SeMachineAccountPrivilege      868   msiexec.exe
  Token: SeTcbPrivilege                 868   msiexec.exe
  Token: SeSecurityPrivilege            868   msiexec.exe
  Token: SeTakeOwnershipPrivilege       868   msiexec.exe
  Token: SeLoadDriverPrivilege          868   msiexec.exe
  Token: SeSystemProfilePrivilege       868   msiexec.exe
  Token: SeSystemtimePrivilege          868   msiexec.exe
  Token: SeProfSingleProcessPrivilege   868   msiexec.exe
  Token: SeIncBasePriorityPrivilege     868   msiexec.exe
  Token: SeCreatePagefilePrivilege      868   msiexec.exe
  Token: SeCreatePermanentPrivilege     868   msiexec.exe
  Token: SeBackupPrivilege              868   msiexec.exe
  Token: SeRestorePrivilege             868   msiexec.exe
  Token: SeShutdownPrivilege            868   msiexec.exe
  Token: SeDebugPrivilege               868   msiexec.exe
  Token: SeAuditPrivilege               868   msiexec.exe
  Token: SeSystemEnvironmentPrivilege   868   msiexec.exe
  Token: SeChangeNotifyPrivilege        868   msiexec.exe
  Token: SeRemoteShutdownPrivilege      868   msiexec.exe
  Token: SeUndockPrivilege              868   msiexec.exe
  Token: SeSyncAgentPrivilege           868   msiexec.exe
  Token: SeEnableDelegationPrivilege    868   msiexec.exe
  Token: SeManageVolumePrivilege        868   msiexec.exe
  Token: SeImpersonatePrivilege         868   msiexec.exe
  Token: SeCreateGlobalPrivilege        868   msiexec.exe
  Token: SeRestorePrivilege             1140  msiexec.exe
  Token: SeTakeOwnershipPrivilege       1140  msiexec.exe
  Token: SeRestorePrivilege             1140  msiexec.exe
  Token: SeTakeOwnershipPrivilege       1140  msiexec.exe
  Token: SeRestorePrivilege             1140  msiexec.exe
  Token: SeTakeOwnershipPrivilege       1140  msiexec.exe
  Token: SeRestorePrivilege             1140  msiexec.exe
  Token: SeTakeOwnershipPrivilege       1140  msiexec.exe
  Token: SeRestorePrivilege             1140  msiexec.exe
  Token: SeTakeOwnershipPrivilege       1140  msiexec.exe
  Token: SeRestorePrivilege             1140  msiexec.exe
  Token: SeTakeOwnershipPrivilege       1140  msiexec.exe
  Token: SeRestorePrivilege             1140  msiexec.exe
  Token: SeTakeOwnershipPrivilege       1140  msiexec.exe
  Token: SeRestorePrivilege             1140  msiexec.exe
  Token: SeTakeOwnershipPrivilege       1140  msiexec.exe
  Token: SeRestorePrivilege             1140  msiexec.exe
  Token: SeTakeOwnershipPrivilege       1140  msiexec.exe
Suspicious use of FindShellTrayWindow (2 IoCs)
  pid  Process
  868  msiexec.exe
  868  msiexec.exe
Suspicious use of WriteProcessMemory (5 IoCs)
  description                        pid   Process      procid_target
  PID 1140 wrote to memory of 2596   1140  msiexec.exe  90
  PID 1140 wrote to memory of 2596   1140  msiexec.exe  90
  PID 1140 wrote to memory of 2596   1140  msiexec.exe  90
  PID 1140 wrote to memory of 1200   1140  msiexec.exe  91
  PID 1140 wrote to memory of 1200   1140  msiexec.exe  91
Processes

C:\Windows\system32\msiexec.exe
  Command line: msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\F91ANFac_turaMTHEIARMRSqoxgxRefXNVZZQGJEUukoan.msi
  PID: 868
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow

C:\Windows\system32\msiexec.exe
  Command line: C:\Windows\system32\msiexec.exe /V
  PID: 1140
  - Enumerates connected drives
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  Child processes:
    C:\Windows\syswow64\MsiExec.exe
      Command line: C:\Windows\syswow64\MsiExec.exe -Embedding D5113933B22DCED1F7CCF0B88274F850
      PID: 2596
      - Loads dropped DLL
    C:\Windows\System32\MsiExec.exe
      Command line: C:\Windows\System32\MsiExec.exe -Embedding 7A8463D402AE70AE7CD92E0F26B4C578
      PID: 1200
      - Loads dropped DLL
      - Blocklisted process makes network request
      - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 588B
MD5: ffb97f28511cfd743541d55a785bfaa1
SHA1: 30712cc9b5bbf9f9071767958b3723433464433e
SHA256: 22adf25b05ede77955c6facc6820780995d3881c218825305a7604deb7198ca4
SHA512: 6cab9e17bb329a90a854deed57b70865e32fe1b694ddebda21e0e458d4d4e7c639e8afa407abc160bdb4d548b14ea8f58895e1f7b2ce3cc373cdbf9b599739b0
Filesize: 554KB
MD5: 3b171ce087bb799aafcbbd93bab27f71
SHA1: 7bd69efbc7797bdff5510830ca2cc817c8b86d08
SHA256: bb9a3c8972d89ad03c1dee3e91f03a13aca8d370185ac521b8c48040cc285ef4
SHA512: 7700d86f6f2c6798bed1be6cd651805376d545f48f0a89c08f7032066431cb4df980688a360c44275b8d7f8010769dc236fbdaa0184125d016acdf158989ee38
Filesize: 7.5MB
MD5: e63b31964f925614e621ca1095463581
SHA1: efaec2440c5ff244e6eb9ff268608e7d1c342d59
SHA256: e92d30d3265f414ce0a6768b7ce1a9b853bb00be0f9d8f107bbf770809625a92
SHA512: 88c23d705019cc6c37c3bd51e60408be7e09f2222567e4eeb65e1587190eaa5643db3873aa381a8b3e10d37975504dba2300400341d694bde813d4a340023d3d