Overview: score 7
Static: score 7
Tasks (sample, platform: score):
- DPS_DIAGNO....1.exe, windows7-x64: 1
- DPS_DIAGNO....1.exe, windows10-2004-x64: 3
- LVZLIB.DLL.4.dll, windows7-x64: 3
- LVZLIB.DLL.4.dll, windows10-2004-x64: 3
- bin/dp/install.msi, windows7-x64: 7
- bin/dp/install.msi, windows10-2004-x64: 7
- license/Sm...se.rtf, windows7-x64: 4
- license/Sm...se.rtf, windows10-2004-x64: 1
- setup.exe, windows7-x64: 7
- setup.exe, windows10-2004-x64: 7
- supportfil...09.dll, windows7-x64: 1
- supportfil...09.dll, windows10-2004-x64: 1
- merged.msi, windows7-x64: 7
- merged.msi, windows10-2004-x64: 7
- supportfil...ie.exe, windows7-x64: 1
- supportfil...ie.exe, windows10-2004-x64: 1
Analysis
- max time kernel: 122s
- max time network: 143s
- platform: windows7_x64
- resource: win7-20231025-en
- resource tags: arch:x64, arch:x86, image:win7-20231025-en, locale:en-us, os:windows7-x64, system
- submitted: 07/11/2023, 13:46
Behavioral tasks (sample, resource):
- behavioral1: DPS_DIAGNOSTIC_TOOL_V2.0.EXE.1.exe, win7-20231020-en
- behavioral2: DPS_DIAGNOSTIC_TOOL_V2.0.EXE.1.exe, win10v2004-20231023-en
- behavioral3: LVZLIB.DLL.4.dll, win7-20231023-en
- behavioral4: LVZLIB.DLL.4.dll, win10v2004-20231025-en
- behavioral5: bin/dp/install.msi, win7-20231020-en
- behavioral6: bin/dp/install.msi, win10v2004-20231023-en
- behavioral7: license/SmartSoft License.rtf, win7-20231020-en
- behavioral8: license/SmartSoft License.rtf, win10v2004-20231023-en
- behavioral9: setup.exe, win7-20231020-en
- behavioral10: setup.exe, win10v2004-20231020-en
- behavioral11: supportfiles/customResource0009.dll, win7-20231020-en
- behavioral12: supportfiles/customResource0009.dll, win10v2004-20231023-en
- behavioral13: merged.msi, win7-20231025-en (this report)
- behavioral14: merged.msi, win10v2004-20231023-en
- behavioral15: supportfiles/niPie.exe, win7-20231023-en
- behavioral16: supportfiles/niPie.exe, win10v2004-20231023-en
General
- Target: merged.msi
- Size: 1.5MB
- MD5: 6f5431b6f2a3af553797c462e0340d86
- SHA1: 9c36e206367a8f04fadcb688844a89ae55167165
- SHA256: 28e40ad02b3ad69a4f2eae18d4cd31024ce9ec5432ac1f65c52e4d72305f144b
- SHA512: 000db4c9a317456c8ff74b9122c218abee98f2fbdd5993fada3ef547ef969db9ac5f971885ec874c4e567615d166fa2f48940ab82c8bba1ff3dfae22c171193c
- SSDEEP: 24576:/fOItzGSoXwC53tqGgeIiNVDso/NnbKGdNWSjHzjIeHENPjstVPXdqGgBuRN:/97oXZVVya3PLHENE1X/N
Malware Config
Signatures
- Loads dropped DLL (4 IoCs)
  pid 2776 MsiExec.exe, 4 times
- Enumerates connected drives (3 TTPs, 46 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  File opened (read-only) by msiexec.exe, twice each: \??\A: \??\B: \??\E: \??\G: \??\H: \??\I: \??\J: \??\K: \??\L: \??\M: \??\N: \??\O: \??\P: \??\Q: \??\R: \??\S: \??\T: \??\U: \??\V: \??\W: \??\X: \??\Y: \??\Z: (23 drive letters, every letter except C:, D: and F:)
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  pid 2604 msiexec.exe
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  pid 2300 msiexec.exe: SeRestorePrivilege, SeTakeOwnershipPrivilege, SeSecurityPrivilege
  pid 2604 msiexec.exe: SeShutdownPrivilege, SeIncreaseQuotaPrivilege, then the following 29 privileges in this order, the whole sequence twice, with a third pass beginning at SeCreateTokenPrivilege when the 64-entry list ends: SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege, SeIncreaseQuotaPrivilege, SeMachineAccountPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeSyncAgentPrivilege, SeEnableDelegationPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
- Suspicious use of FindShellTrayWindow (1 IoC)
  pid 2604 msiexec.exe
- Suspicious use of WriteProcessMemory (7 IoCs)
  PID 2300 msiexec.exe wrote to memory of PID 2776 (procid_target 29), 7 times
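The two bulkiest signatures above, drive-root enumeration and token privilege adjustment, can be re-derived from per-process events, and re-deriving them is how an analyst separates the 64 privilege rows into the few that matter. The Python below is an added example written for this page, not Triage's detection code: the event rows are constructed to mirror the report's rows (process, pid, operation, argument), and the event layout, the drive-count threshold and the set of privileges treated as sensitive are assumptions.

```python
import re
from collections import defaultdict

# Constructed sandbox-style events (process, pid, operation, argument). They
# mimic the rows in the report but are not an export from the sandbox.
EVENTS = [
    ("msiexec.exe", 2604, "FileOpen", r"\??\B:"),
    ("msiexec.exe", 2604, "FileOpen", r"\??\M:"),
    ("msiexec.exe", 2604, "FileOpen", r"\??\P:"),
    ("msiexec.exe", 2604, "FileOpen", r"\??\H:"),
    ("msiexec.exe", 2604, "FileOpen", r"\??\C:"),          # default drive: ignored
    ("msiexec.exe", 2604, "FileOpen", r"\??\C:\Users\Admin\AppData\Local\Temp\merged.msi"),
    ("msiexec.exe", 2300, "FileOpen", r"\??\E:"),
    ("msiexec.exe", 2300, "FileOpen", r"\??\Z:"),
    ("msiexec.exe", 2300, "FileOpen", r"\??\Z:"),          # repeat: counted once
    ("msiexec.exe", 2604, "AdjustPrivilege", "SeShutdownPrivilege"),
    ("msiexec.exe", 2604, "AdjustPrivilege", "SeDebugPrivilege"),
    ("msiexec.exe", 2604, "AdjustPrivilege", "SeLoadDriverPrivilege"),
    ("msiexec.exe", 2604, "AdjustPrivilege", "SeTcbPrivilege"),
    ("msiexec.exe", 2300, "AdjustPrivilege", "SeRestorePrivilege"),
    ("msiexec.exe", 2300, "AdjustPrivilege", "SeTakeOwnershipPrivilege"),
    ("notepad.exe", 3100, "FileOpen", r"\??\C:\Users\Admin\notes.txt"),
    ("notepad.exe", 3100, "AdjustPrivilege", "SeChangeNotifyPrivilege"),
]

# An NT-style drive root exactly as the report prints it: \??\X: and nothing after.
DRIVE_ROOT = re.compile(r"\\\?\?\\([A-Za-z]):")

# Privileges whose enablement deserves a second look. The report's signature
# fires on any adjustment; this set (an assumption) narrows it.
SENSITIVE_PRIVILEGES = frozenset({
    "SeDebugPrivilege", "SeTcbPrivilege", "SeLoadDriverPrivilege",
    "SeBackupPrivilege", "SeRestorePrivilege", "SeTakeOwnershipPrivilege",
    "SeImpersonatePrivilege", "SeAssignPrimaryTokenPrivilege",
    "SeCreateTokenPrivilege",
})


def detect_drive_enumeration(events, min_drives=3, default_drive="C"):
    """{pid: sorted drive letters} for processes that opened the root of at
    least `min_drives` distinct drives other than the default one."""
    roots = defaultdict(set)
    for _proc, pid, op, arg in events:
        if op != "FileOpen":
            continue
        m = DRIVE_ROOT.fullmatch(arg)
        if m and m.group(1).upper() != default_drive:
            roots[pid].add(m.group(1).upper())
    return {pid: sorted(letters) for pid, letters in roots.items()
            if len(letters) >= min_drives}


def detect_sensitive_privileges(events):
    """{pid: sorted privileges} for processes that enabled a sensitive privilege."""
    hits = defaultdict(set)
    for _proc, pid, op, arg in events:
        if op == "AdjustPrivilege" and arg in SENSITIVE_PRIVILEGES:
            hits[pid].add(arg)
    return {pid: sorted(p) for pid, p in hits.items()}


def summarize(events):
    """Report-style signature lines, one per (signature, pid)."""
    lines = []
    for pid, letters in sorted(detect_drive_enumeration(events).items()):
        lines.append(f"Enumerates connected drives: pid {pid} opened "
                     f"{len(letters)} non-default drive roots ({', '.join(letters)})")
    for pid, privs in sorted(detect_sensitive_privileges(events).items()):
        lines.append(f"Sensitive privilege enabled: pid {pid} -> {', '.join(privs)}")
    return lines


if __name__ == "__main__":
    for line in summarize(EVENTS):
        print(line)
```

Two caveats when reading the original rows. Windows Installer touching every drive root is consistent with its costing phase, which checks free space on the volumes it can see, and the 29-privilege sweep repeated in order is a blanket enable of whatever the token already holds rather than a targeted escalation; both rows are context for the score, not a verdict on their own. The narrower check on SeDebugPrivilege, SeTcbPrivilege and the other entries in the sensitive set is the part that a detection rule should carry forward.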
Processes
- C:\Windows\system32\msiexec.exe, PID 2604
  command line: msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\merged.msi
  signatures: Enumerates connected drives; Suspicious behavior: GetForegroundWindowSpam; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow
- C:\Windows\system32\msiexec.exe, PID 2300
  command line: C:\Windows\system32\msiexec.exe /V
  signatures: Enumerates connected drives; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Windows\syswow64\MsiExec.exe, PID 2776 (child of PID 2300)
    command line: C:\Windows\syswow64\MsiExec.exe -Embedding 89AA20C9438E03F5DDA8DCA063C151AD C
    signatures: Loads dropped DLL
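The three msiexec.exe rows above are the standard Windows Installer chain: the client started with /I, the installer service (whose registered command line is msiexec.exe /V) and the out-of-process custom-action server the service spawns with -Embedding, here the 32-bit one from syswow64. The Python below is an added example, neither Triage's nor Windows Installer's code, that classifies each row by its command-line switches and attributes a dropped-DLL load by the custom-action server to the package the client asked for. The process rows are constructed from the report's tree; the MSIxxxx.tmp DLL path, the placeholder parent PID 0 for the two top-level rows and the switch table are assumptions, since the report does not name the dropped DLLs.

```python
import re

# Constructed process rows (pid, ppid, image, command line) reproducing the
# report's tree. The report shows no parent for the two top-level rows, so
# ppid 0 is a placeholder.
PROCESSES = [
    (2604, 0, r"C:\Windows\system32\msiexec.exe",
     r"msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\merged.msi"),
    (2300, 0, r"C:\Windows\system32\msiexec.exe",
     r"C:\Windows\system32\msiexec.exe /V"),
    (2776, 2300, r"C:\Windows\syswow64\MsiExec.exe",
     r"C:\Windows\syswow64\MsiExec.exe -Embedding 89AA20C9438E03F5DDA8DCA063C151AD C"),
]

# Constructed "Loads dropped DLL" rows (pid, path). The report gives only the
# count (4, all by pid 2776); the MSIxxxx.tmp name under %TEMP%, where Windows
# Installer extracts Binary-table custom-action DLLs, is assumed here.
DLL_LOADS = [
    (2776, r"C:\Users\Admin\AppData\Local\Temp\MSI7A3F.tmp"),
    (2776, r"C:\Users\Admin\AppData\Local\Temp\MSI7A3F.tmp"),
    (2776, r"C:\Windows\syswow64\msi.dll"),   # system DLL, not a drop
]

# msiexec operations that mark the user-facing client request (/f* repair and
# /j* advertise are matched by prefix below).
CLIENT_OPS = {"i", "package", "x", "uninstall", "a", "p", "update"}
# Temp file name shape used for extracted custom-action DLLs (assumption).
CA_TMP = re.compile(r"(?i)\\MSI[0-9A-F]{4}\.tmp$")


def msiexec_role(image, cmdline):
    """Classify an msiexec.exe process from its command-line switches."""
    if image.rsplit("\\", 1)[-1].lower() != "msiexec.exe":
        return "other"
    ops = [t[1:].lower() for t in cmdline.split()[1:] if t[:1] in "/-"]
    if "embedding" in ops:
        return "custom-action-server"   # COM-activated CA host spawned by the service
    if "v" in ops:
        return "installer-service"      # msiserver's ImagePath is "msiexec.exe /V"
    if any(o in CLIENT_OPS or o[:1] in ("f", "j") for o in ops):
        return "installer-client"
    return "other"


def package_path(cmdline):
    """First non-switch argument after the image name: the .msi path on a
    client command line (unquoted paths containing spaces are not handled)."""
    for t in cmdline.split()[1:]:
        if t[:1] not in "/-":
            return t
    return None


def bitness(image):
    """x86 when hosted from SysWOW64 on the 64-bit VM the report ran on."""
    return "x86" if "syswow64" in image.lower() else "x64"


def attribute_ca_loads(processes, loads):
    """One finding per distinct (pid, dll) where a custom-action server loaded
    an extracted CA DLL, linked to the package(s) the client row(s) requested."""
    rows = {pid: (ppid, img, cmd) for pid, ppid, img, cmd in processes}
    roles = {pid: msiexec_role(img, cmd) for pid, (_, img, cmd) in rows.items()}
    packages = [package_path(rows[p][2]) for p, r in roles.items() if r == "installer-client"]
    findings, seen = [], set()
    for pid, dll in loads:
        if (pid, dll) in seen or roles.get(pid) != "custom-action-server" or not CA_TMP.search(dll):
            continue
        seen.add((pid, dll))
        ppid, img, _ = rows[pid]
        findings.append({
            "pid": pid,
            "dll": dll,
            "bitness": bitness(img),
            "spawned_by_service": roles.get(ppid) == "installer-service",
            "candidate_packages": packages,
        })
    return findings


if __name__ == "__main__":
    for pid, _ppid, img, cmd in PROCESSES:
        print(pid, msiexec_role(img, cmd), bitness(img))
    for finding in attribute_ca_loads(PROCESSES, DLL_LOADS):
        print(finding)
```

Read this way, the four "Loads dropped DLL" hits on PID 2776 are what a Binary-table custom action looks like at runtime: the package's own DLL, extracted to a temporary file and loaded by the 32-bit server that the service spawned, rather than a second, independent payload. Custom actions hosted that way run with whatever the installer service hands the server, so the DLL inside the MSI is the thing to pull apart next. The seven WriteProcessMemory rows from 2300 into 2776 are what a parent writing into a freshly created child typically produces under this kind of monitoring, which flags any cross-process write. The trailing C on the server's command line is left uninterpreted.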
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 590KB
  MD5: 71fc455bb665aeb834f282dff9301b16
  SHA1: 7296ec0e4a7e96d43e3dfeae0558b2ddd68948f1
  SHA256: b147f71b1e91d0cbe090e838557b393a6c1f83d1d6e5cb6d4f4665f2a46e3415
  SHA512: ef8b67d3b0e09b8c246035c1dded6c9acfb35ce9cd25a6561d6752f53b93d6e6b2a859ca509dd923b07d76b9d200a3e588962e61884f119c8897ed05e02da0c0
  (this entry is listed 9 times with identical hashes; no file name is given for any of them)