Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
  max time kernel: 124s
  max time network: 164s
  platform: windows10-2004_x64
  resource: win10v2004-20231023-en
  resource tags: arch:x64, arch:x86, image:win10v2004-20231023-en, locale:en-us, os:windows10-2004-x64, system
  submitted: 07/11/2023, 14:04
Static task
  static1
Behavioral tasks
  behavioral1:  sample SETUP.bat,               resource win7-20231023-en
  behavioral2:  sample SETUP.bat,               resource win10v2004-20231020-en
  behavioral3:  sample UPGRADE.bat,             resource win7-20231023-en
  behavioral4:  sample UPGRADE.bat,             resource win10v2004-20231023-en
  behavioral5:  sample postgresql-8.3-int.msi,  resource win7-20231020-en
  behavioral6:  sample postgresql-8.3-int.msi,  resource win10v2004-20231023-en
  behavioral7:  sample postgresql-8.3.msi,      resource win7-20231023-en
  behavioral8:  sample postgresql-8.3.msi,      resource win10v2004-20231023-en
  behavioral9:  sample vcredist_x86.exe,        resource win7-20231025-en
  behavioral10: sample vcredist_x86.exe,        resource win10v2004-20231025-en
General
  Target: postgresql-8.3-int.msi
  Size: 23.5MB
  MD5: 0fb9d090498b5e1c59d6324641250ee5
  SHA1: b79e82b56a0f09d512ad5134a4ec453dad2a79d6
  SHA256: 83b2f31b874031dae926395101e54154223a5a710e41ad818b93070758a665c5
  SHA512: 2beeab78155ba68b7b28abc4cd9a392005a492663db5dcd57e5df7ec002aeef794c31198656947a7963fabfb5c2c87e06f494a3abafe8f665331e3748c24795b
  SSDEEP: 393216:YDHDpG/agxuUQdmGScopKoZXsHWD5Tg/aHKrd51NevX/BNCasVdTT7vqQJRi8/wj:uHofutdLopsHMW/wK/QXpEBdTTztJRi/
Malware Config
Signatures
- Loads dropped DLL (1 IoC)
    pid   Process
    1548  MsiExec.exe
- Enumerates connected drives (3 TTPs, 46 IoCs)
    Attempts to read the root path of hard drives other than the default C: drive.
    description              ioc     Process
    File opened (read-only)  \??\X:  msiexec.exe
    File opened (read-only)  \??\Y:  msiexec.exe
    File opened (read-only)  \??\G:  msiexec.exe
    File opened (read-only)  \??\L:  msiexec.exe
    File opened (read-only)  \??\S:  msiexec.exe
    File opened (read-only)  \??\T:  msiexec.exe
    File opened (read-only)  \??\G:  msiexec.exe
    File opened (read-only)  \??\P:  msiexec.exe
    File opened (read-only)  \??\X:  msiexec.exe
    File opened (read-only)  \??\V:  msiexec.exe
    File opened (read-only)  \??\U:  msiexec.exe
    File opened (read-only)  \??\H:  msiexec.exe
    File opened (read-only)  \??\Y:  msiexec.exe
    File opened (read-only)  \??\N:  msiexec.exe
    File opened (read-only)  \??\P:  msiexec.exe
    File opened (read-only)  \??\M:  msiexec.exe
    File opened (read-only)  \??\U:  msiexec.exe
    File opened (read-only)  \??\Z:  msiexec.exe
    File opened (read-only)  \??\B:  msiexec.exe
    File opened (read-only)  \??\I:  msiexec.exe
    File opened (read-only)  \??\A:  msiexec.exe
    File opened (read-only)  \??\E:  msiexec.exe
    File opened (read-only)  \??\W:  msiexec.exe
    File opened (read-only)  \??\A:  msiexec.exe
    File opened (read-only)  \??\J:  msiexec.exe
    File opened (read-only)  \??\N:  msiexec.exe
    File opened (read-only)  \??\O:  msiexec.exe
    File opened (read-only)  \??\Q:  msiexec.exe
    File opened (read-only)  \??\L:  msiexec.exe
    File opened (read-only)  \??\Q:  msiexec.exe
    File opened (read-only)  \??\R:  msiexec.exe
    File opened (read-only)  \??\W:  msiexec.exe
    File opened (read-only)  \??\S:  msiexec.exe
    File opened (read-only)  \??\V:  msiexec.exe
    File opened (read-only)  \??\I:  msiexec.exe
    File opened (read-only)  \??\K:  msiexec.exe
    File opened (read-only)  \??\J:  msiexec.exe
    File opened (read-only)  \??\M:  msiexec.exe
    File opened (read-only)  \??\O:  msiexec.exe
    File opened (read-only)  \??\R:  msiexec.exe
    File opened (read-only)  \??\T:  msiexec.exe
    File opened (read-only)  \??\E:  msiexec.exe
    File opened (read-only)  \??\B:  msiexec.exe
    File opened (read-only)  \??\H:  msiexec.exe
    File opened (read-only)  \??\K:  msiexec.exe
    File opened (read-only)  \??\Z:  msiexec.exe
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
    description                             pid   Process
    Token: SeShutdownPrivilege              3964  msiexec.exe
    Token: SeIncreaseQuotaPrivilege         3964  msiexec.exe
    Token: SeSecurityPrivilege              4220  msiexec.exe
    Token: SeCreateTokenPrivilege           3964  msiexec.exe
    Token: SeAssignPrimaryTokenPrivilege    3964  msiexec.exe
    Token: SeLockMemoryPrivilege            3964  msiexec.exe
    Token: SeIncreaseQuotaPrivilege         3964  msiexec.exe
    Token: SeMachineAccountPrivilege        3964  msiexec.exe
    Token: SeTcbPrivilege                   3964  msiexec.exe
    Token: SeSecurityPrivilege              3964  msiexec.exe
    Token: SeTakeOwnershipPrivilege         3964  msiexec.exe
    Token: SeLoadDriverPrivilege            3964  msiexec.exe
    Token: SeSystemProfilePrivilege         3964  msiexec.exe
    Token: SeSystemtimePrivilege            3964  msiexec.exe
    Token: SeProfSingleProcessPrivilege     3964  msiexec.exe
    Token: SeIncBasePriorityPrivilege       3964  msiexec.exe
    Token: SeCreatePagefilePrivilege        3964  msiexec.exe
    Token: SeCreatePermanentPrivilege       3964  msiexec.exe
    Token: SeBackupPrivilege                3964  msiexec.exe
    Token: SeRestorePrivilege               3964  msiexec.exe
    Token: SeShutdownPrivilege              3964  msiexec.exe
    Token: SeDebugPrivilege                 3964  msiexec.exe
    Token: SeAuditPrivilege                 3964  msiexec.exe
    Token: SeSystemEnvironmentPrivilege     3964  msiexec.exe
    Token: SeChangeNotifyPrivilege          3964  msiexec.exe
    Token: SeRemoteShutdownPrivilege        3964  msiexec.exe
    Token: SeUndockPrivilege                3964  msiexec.exe
    Token: SeSyncAgentPrivilege             3964  msiexec.exe
    Token: SeEnableDelegationPrivilege      3964  msiexec.exe
    Token: SeManageVolumePrivilege          3964  msiexec.exe
    Token: SeImpersonatePrivilege           3964  msiexec.exe
    Token: SeCreateGlobalPrivilege          3964  msiexec.exe
    Token: SeCreateTokenPrivilege           3964  msiexec.exe
    Token: SeAssignPrimaryTokenPrivilege    3964  msiexec.exe
    Token: SeLockMemoryPrivilege            3964  msiexec.exe
    Token: SeIncreaseQuotaPrivilege         3964  msiexec.exe
    Token: SeMachineAccountPrivilege        3964  msiexec.exe
    Token: SeTcbPrivilege                   3964  msiexec.exe
    Token: SeSecurityPrivilege              3964  msiexec.exe
    Token: SeTakeOwnershipPrivilege         3964  msiexec.exe
    Token: SeLoadDriverPrivilege            3964  msiexec.exe
    Token: SeSystemProfilePrivilege         3964  msiexec.exe
    Token: SeSystemtimePrivilege            3964  msiexec.exe
    Token: SeProfSingleProcessPrivilege     3964  msiexec.exe
    Token: SeIncBasePriorityPrivilege       3964  msiexec.exe
    Token: SeCreatePagefilePrivilege        3964  msiexec.exe
    Token: SeCreatePermanentPrivilege       3964  msiexec.exe
    Token: SeBackupPrivilege                3964  msiexec.exe
    Token: SeRestorePrivilege               3964  msiexec.exe
    Token: SeShutdownPrivilege              3964  msiexec.exe
    Token: SeDebugPrivilege                 3964  msiexec.exe
    Token: SeAuditPrivilege                 3964  msiexec.exe
    Token: SeSystemEnvironmentPrivilege     3964  msiexec.exe
    Token: SeChangeNotifyPrivilege          3964  msiexec.exe
    Token: SeRemoteShutdownPrivilege        3964  msiexec.exe
    Token: SeUndockPrivilege                3964  msiexec.exe
    Token: SeSyncAgentPrivilege             3964  msiexec.exe
    Token: SeEnableDelegationPrivilege      3964  msiexec.exe
    Token: SeManageVolumePrivilege          3964  msiexec.exe
    Token: SeImpersonatePrivilege           3964  msiexec.exe
    Token: SeCreateGlobalPrivilege          3964  msiexec.exe
    Token: SeCreateTokenPrivilege           3964  msiexec.exe
    Token: SeAssignPrimaryTokenPrivilege    3964  msiexec.exe
    Token: SeLockMemoryPrivilege            3964  msiexec.exe
- Suspicious use of FindShellTrayWindow (2 IoCs)
    pid   Process
    3964  msiexec.exe
    3964  msiexec.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
    description                       pid   Process      procid_target
    PID 4220 wrote to memory of 1548  4220  msiexec.exe  95
    PID 4220 wrote to memory of 1548  4220  msiexec.exe  95
    PID 4220 wrote to memory of 1548  4220  msiexec.exe  95
Processes
- C:\Windows\system32\msiexec.exe (PID 3964)
    Command line: msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\postgresql-8.3-int.msi
    Signatures: Enumerates connected drives; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow
- C:\Windows\system32\msiexec.exe (PID 4220)
    Command line: C:\Windows\system32\msiexec.exe /V
    Signatures: Enumerates connected drives; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
    - C:\Windows\syswow64\MsiExec.exe (PID 1548, child of PID 4220)
        Command line: C:\Windows\syswow64\MsiExec.exe -Embedding AC1AEAFEC436F941885704B6370E853E C
        Signatures: Loads dropped DLL
Network
MITRE ATT&CK Enterprise v15
Downloads
- Dropped file
    Filesize: 344KB
    MD5: 91eb92be8cab3305349a3801d09cfe3c
    SHA1: 71aab6d241ff75d768cef0df0ddc252584720483
    SHA256: 8e165da4e33e18be835b600157a6fa028b128d99c6058710efedc556fc5f85ec
    SHA512: 0bae3583f83c38e688bc01cfa6c903605d218bd4390847a5ee88776fc4f94f5bab2b3fdff0ce0dac265ce0bd0a11edebe61b6b70100bcfa0f876f98cd3238e1e