Overview (overall score: 7)

Task                  Platform            Score
static                -                   7
DPS_DIAGNO....1.exe   windows7-x64        1
DPS_DIAGNO....1.exe   windows10-2004-x64  3
LVZLIB.DLL.4.dll      windows7-x64        3
LVZLIB.DLL.4.dll      windows10-2004-x64  3
bin/dp/install.msi    windows7-x64        7
bin/dp/install.msi    windows10-2004-x64  7
license/Sm...se.rtf   windows7-x64        4
license/Sm...se.rtf   windows10-2004-x64  1
setup.exe             windows7-x64        7
setup.exe             windows10-2004-x64  7
supportfil...09.dll   windows7-x64        1
supportfil...09.dll   windows10-2004-x64  1
merged.msi            windows7-x64        7
merged.msi            windows10-2004-x64  7
supportfil...ie.exe   windows7-x64        1
supportfil...ie.exe   windows10-2004-x64  1

Analysis
max time kernel: 121s
max time network: 150s
platform: windows7_x64
resource: win7-20231020-en
resource tags: arch:x64, arch:x86, image:win7-20231020-en, locale:en-us, os:windows7-x64, system
submitted: 07/11/2023, 13:46
Behavioral tasks

Task          Sample                                 Resource
behavioral1   DPS_DIAGNOSTIC_TOOL_V2.0.EXE.1.exe     win7-20231020-en
behavioral2   DPS_DIAGNOSTIC_TOOL_V2.0.EXE.1.exe     win10v2004-20231023-en
behavioral3   LVZLIB.DLL.4.dll                       win7-20231023-en
behavioral4   LVZLIB.DLL.4.dll                       win10v2004-20231025-en
behavioral5   bin/dp/install.msi                     win7-20231020-en
behavioral6   bin/dp/install.msi                     win10v2004-20231023-en
behavioral7   license/SmartSoft License.rtf          win7-20231020-en
behavioral8   license/SmartSoft License.rtf          win10v2004-20231023-en
behavioral9   setup.exe                              win7-20231020-en
behavioral10  setup.exe                              win10v2004-20231020-en
behavioral11  supportfiles/customResource0009.dll    win7-20231020-en
behavioral12  supportfiles/customResource0009.dll    win10v2004-20231023-en
behavioral13  merged.msi                             win7-20231025-en
behavioral14  merged.msi                             win10v2004-20231023-en
behavioral15  supportfiles/niPie.exe                 win7-20231023-en
behavioral16  supportfiles/niPie.exe                 win10v2004-20231023-en
General
Target: bin/dp/install.msi
Size: 1.4MB
MD5: bd4197fcc24ef42031fdd26c749192c5
SHA1: f644b383509892e23641c2336e698205e3b1d692
SHA256: 8726518f5783e2d2e02a7d06f2aa49e7e6a3771316d46f95ec0fa7e24f5c2a60
SHA512: 06457838ff6055a56d28757884e2929b9ce9f8d88af6a84af3d41a1222f9e2e7f32c427b5944968573e7ff44527453e2853eb6176aacbbc23fc97a8ace86f600
SSDEEP: 24576:MvJbwGLXIMzGfo2wCM3fqGge5Po/XKs+WdNESjHzVIaHErPjsgQYXrqGgeR+z:MvyYKo24etBpTHErdhX7+z
Malware Config
Signatures
Loads dropped DLL (4 IoCs)
  pid   Process
  2824  MsiExec.exe   (4 events)

Enumerates connected drives (3 TTPs, 46 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
  description              ioc       Process
  File opened (read-only)  \??\X:    msiexec.exe
  where X: is each of the drive letters A, B, E, G, H, I, J, K, L, M, N, O, P, Q, R, S, T, U, V, W, X, Y and Z; each letter is opened twice (23 letters x 2 = 46 IoCs).

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  pid   Process
  1888  msiexec.exe

Suspicious use of AdjustPrivilegeToken (64 IoCs, in the order reported)
  PID 1888 msiexec.exe: SeShutdownPrivilege, SeIncreaseQuotaPrivilege
  PID 1732 msiexec.exe: SeRestorePrivilege, SeTakeOwnershipPrivilege, SeSecurityPrivilege
  PID 1888 msiexec.exe, the following 29 tokens, adjusted twice in the same order (58 IoCs):
    SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege, SeIncreaseQuotaPrivilege,
    SeMachineAccountPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege,
    SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege,
    SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeBackupPrivilege,
    SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeAuditPrivilege,
    SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege,
    SeSyncAgentPrivilege, SeEnableDelegationPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege,
    SeCreateGlobalPrivilege
  PID 1888 msiexec.exe: SeCreateTokenPrivilege (list cut off at the 64-IoC limit)

Suspicious use of FindShellTrayWindow (1 IoC)
  pid   Process
  1888  msiexec.exe

Suspicious use of WriteProcessMemory (7 IoCs)
  description                    pid   Process      procid_target
  PID 1732 wrote to memory of 2824   1732  msiexec.exe  28   (7 events)
Processes

C:\Windows\system32\msiexec.exe  (PID 1888)
  Command line: msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\bin\dp\install.msi
  - Enumerates connected drives
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow

C:\Windows\system32\msiexec.exe  (PID 1732)
  Command line: C:\Windows\system32\msiexec.exe /V
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

    C:\Windows\syswow64\MsiExec.exe  (PID 2824, child of PID 1732)
      Command line: C:\Windows\syswow64\MsiExec.exe -Embedding 9629C67127DCC4B186F30FD79F760ED9 C
      - Loads dropped DLL
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 590KB
MD5: 71fc455bb665aeb834f282dff9301b16
SHA1: 7296ec0e4a7e96d43e3dfeae0558b2ddd68948f1
SHA256: b147f71b1e91d0cbe090e838557b393a6c1f83d1d6e5cb6d4f4665f2a46e3415
SHA512: ef8b67d3b0e09b8c246035c1dded6c9acfb35ce9cd25a6561d6752f53b93d6e6b2a859ca509dd923b07d76b9d200a3e588962e61884f119c8897ed05e02da0c0
(the same file is listed 9 times in the report's downloads section)