Overview

Score  Task                  Platform
7      Static                static
7      DPS_DIAGNO....1.exe   windows7-x64
1      DPS_DIAGNO....1.exe   windows10-2004-x64
3      LVZLIB.DLL.4.dll      windows7-x64
3      LVZLIB.DLL.4.dll      windows10-2004-x64
3      bin/dp/install.msi    windows7-x64
7      bin/dp/install.msi    windows10-2004-x64
7      license/Sm...se.rtf   windows7-x64
4      license/Sm...se.rtf   windows10-2004-x64
1      setup.exe             windows7-x64
7      setup.exe             windows10-2004-x64
7      supportfil...09.dll   windows7-x64
1      supportfil...09.dll   windows10-2004-x64
1      merged.msi            windows7-x64
7      merged.msi            windows10-2004-x64
7      supportfil...ie.exe   windows7-x64
1      supportfil...ie.exe   windows10-2004-x64
Analysis (score 1)
- max time kernel: 141s
- max time network: 128s
- platform: windows7_x64
- resource: win7-20231020-en
- resource tags: arch:x64, arch:x86, image:win7-20231020-en, locale:en-us, os:windows7-x64, system
- submitted: 07/11/2023, 13:46
Behavioral tasks
- behavioral1: DPS_DIAGNOSTIC_TOOL_V2.0.EXE.1.exe, resource win7-20231020-en
- behavioral2: DPS_DIAGNOSTIC_TOOL_V2.0.EXE.1.exe, resource win10v2004-20231023-en
- behavioral3: LVZLIB.DLL.4.dll, resource win7-20231023-en
- behavioral4: LVZLIB.DLL.4.dll, resource win10v2004-20231025-en
- behavioral5: bin/dp/install.msi, resource win7-20231020-en
- behavioral6: bin/dp/install.msi, resource win10v2004-20231023-en
- behavioral7: license/SmartSoft License.rtf, resource win7-20231020-en
- behavioral8: license/SmartSoft License.rtf, resource win10v2004-20231023-en
- behavioral9: setup.exe, resource win7-20231020-en
- behavioral10: setup.exe, resource win10v2004-20231020-en
- behavioral11: supportfiles/customResource0009.dll, resource win7-20231020-en
- behavioral12: supportfiles/customResource0009.dll, resource win10v2004-20231023-en
- behavioral13: merged.msi, resource win7-20231025-en
- behavioral14: merged.msi, resource win10v2004-20231023-en
- behavioral15: supportfiles/niPie.exe, resource win7-20231023-en
- behavioral16: supportfiles/niPie.exe, resource win10v2004-20231023-en
General
- Target: setup.exe
- Size: 1.4MB
- MD5: 8ab5a3a76d5d1095c59d7539f234709a
- SHA1: 44d7263669eed238b590aa5a68c1d265fa11292d
- SHA256: 54ed84eea949b469dc541196b07ff435661225174755e56e965dc022eaebfd2a
- SHA512: ab067f6ad2cb5549ccf4e5c2c9b91ce2a3403c83ba25b20f2d5495c2cfb0af83e3af16f02b312288eb1f4eb1f620c2c82fa242cfe64eea9ad50c525ef18ab6ef
- SSDEEP: 24576:pdWJmFEvqMO6Mf+Hv+zuQdqdv7SBpBBkqJw8rD5o3Bx5Vw+71xHAsqo2S/T:ZlMmWNKiSBpT/JtcBx5VX4sH2S/
Malware Config
Signatures
- Loads dropped DLL (2 IoCs)
  pid 2336 MsiExec.exe (2 entries)
- yara_rule upx matched the following memory resources (4 entries):
  behavioral9/memory/1648-0-0x0000000000400000-0x000000000092F000-memory.dmp
  behavioral9/memory/1648-29-0x0000000000400000-0x000000000092F000-memory.dmp
  behavioral9/memory/1648-33-0x0000000000400000-0x000000000092F000-memory.dmp
  behavioral9/memory/1648-34-0x0000000000400000-0x000000000092F000-memory.dmp
- Enumerates connected drives (3 TTPs, 46 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  File opened (read-only) by setup.exe (23 entries): \??\A:, \??\B:, \??\E:, \??\G:, \??\H:, \??\I:, \??\J:, \??\K:, \??\L:, \??\M:, \??\N:, \??\O:, \??\P:, \??\Q:, \??\R:, \??\S:, \??\T:, \??\U:, \??\V:, \??\W:, \??\X:, \??\Y:, \??\Z:
  File opened (read-only) by msiexec.exe (23 entries): \??\A:, \??\B:, \??\E:, \??\G:, \??\H:, \??\I:, \??\J:, \??\K:, \??\L:, \??\M:, \??\N:, \??\O:, \??\P:, \??\Q:, \??\R:, \??\S:, \??\T:, \??\U:, \??\V:, \??\W:, \??\X:, \??\Y:, \??\Z:
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  pid 1648 setup.exe
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  msiexec.exe (PID 2816), 3 entries: SeRestorePrivilege, SeTakeOwnershipPrivilege, SeSecurityPrivilege
  setup.exe (PID 1648), 61 entries: the following 29 privileges in order, repeated twice in full and then a third time through the first three (SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege):
  SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege, SeIncreaseQuotaPrivilege, SeMachineAccountPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeSyncAgentPrivilege, SeEnableDelegationPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
- Suspicious use of SetWindowsHookEx (6 IoCs)
  pid 1648 setup.exe (6 entries)
- Suspicious use of WriteProcessMemory (7 IoCs)
  PID 2816 msiexec.exe wrote to memory of PID 2336 (procid_target 29), 7 entries
Processes
- C:\Users\Admin\AppData\Local\Temp\setup.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\setup.exe"
  PID: 1648
  Signatures: Enumerates connected drives; Suspicious behavior: GetForegroundWindowSpam; Suspicious use of AdjustPrivilegeToken; Suspicious use of SetWindowsHookEx
- C:\Windows\system32\msiexec.exe
  Command line: C:\Windows\system32\msiexec.exe /V
  PID: 2816
  Signatures: Enumerates connected drives; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Windows\syswow64\MsiExec.exe (child of PID 2816)
    Command line: C:\Windows\syswow64\MsiExec.exe -Embedding 85E1C1C05FD0A0A1B2B2DFA85324A256 C
    PID: 2336
    Signatures: Loads dropped DLL
Network
MITRE ATT&CK Enterprise v15
Downloads