Overview (score 7)

Tasks (score in parentheses):
- Static (3)
- SETUP.bat on windows7-x64 (7)
- SETUP.bat on windows10-2004-x64 (6)
- UPGRADE.bat on windows7-x64 (1)
- UPGRADE.bat on windows10-2004-x64 (1)
- postgresql...nt.msi on windows7-x64 (7)
- postgresql...nt.msi on windows10-2004-x64 (7)
- postgresql-8.3.msi on windows7-x64 (7)
- postgresql-8.3.msi on windows10-2004-x64 (7)
- vcredist_x86.exe on windows7-x64 (6)
- vcredist_x86.exe on windows10-2004-x64 (6)
Analysis
- max time kernel: 119s
- max time network: 130s
- platform: windows7_x64
- resource: win7-20231023-en
- resource tags: arch:x64, arch:x86, image:win7-20231023-en, locale:en-us, os:windows7-x64, system
- submitted: 07/11/2023, 14:04
Tasks
- static1: Static task
- behavioral1: SETUP.bat on win7-20231023-en
- behavioral2: SETUP.bat on win10v2004-20231020-en
- behavioral3: UPGRADE.bat on win7-20231023-en
- behavioral4: UPGRADE.bat on win10v2004-20231023-en
- behavioral5: postgresql-8.3-int.msi on win7-20231020-en
- behavioral6: postgresql-8.3-int.msi on win10v2004-20231023-en
- behavioral7: postgresql-8.3.msi on win7-20231023-en
- behavioral8: postgresql-8.3.msi on win10v2004-20231023-en
- behavioral9: vcredist_x86.exe on win7-20231025-en
- behavioral10: vcredist_x86.exe on win10v2004-20231025-en
General
- Target: postgresql-8.3.msi
- Size: 157KB
- MD5: 8417335b79c556649082d90f1afec9a2
- SHA1: be1c9ef6b2a78857b1dcc8651027dcee3d311b07
- SHA256: 5aa3b4baf794d03b2af924e846b27c6580a9675aebf3e7f1d2c74b75f0f915a0
- SHA512: a3e9c778adee3936c27539cfe72a8b22d924e04a1f263eeb3a969d454f14661bbf4331b5bbc65758ee61523cb275f56a63755473df2b0c7f637ce6226f66adfe
- SSDEEP: 1536:u4LjLwVJrjCQJZbrOtosa/lTREfOcqDp:pLoI6POtda/lTR
Malware Config
Signatures
- Loads dropped DLL (1 IoC): PID 2968 MsiExec.exe
- Enumerates connected drives (3 TTPs, 46 IoCs): attempts to read the root path of hard drives other than the default C: drive.
- Suspicious behavior: GetForegroundWindowSpam (1 IoC): PID 2788 msiexec.exe
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
- Suspicious use of FindShellTrayWindow (1 IoC): PID 2788 msiexec.exe
- Suspicious use of WriteProcessMemory (7 IoCs): PID 2928 msiexec.exe wrote to memory of PID 2968 (procid_target 28); all seven recorded entries are identical
Processes
- C:\Windows\system32\msiexec.exe (PID 2788)
  Command line: msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\postgresql-8.3.msi
  Signatures: Enumerates connected drives; Suspicious behavior: GetForegroundWindowSpam; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow
- C:\Windows\system32\msiexec.exe (PID 2928)
  Command line: C:\Windows\system32\msiexec.exe /V
  Signatures: Enumerates connected drives; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Windows\syswow64\MsiExec.exe (PID 2968, child of PID 2928)
    Command line: C:\Windows\syswow64\MsiExec.exe -Embedding B63C1C5E2976C78C995224F5C4C96EA4 C
    Signatures: Loads dropped DLL
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 48KB
  MD5: bc6cf0582a8d14e9d572302c6787268f
  SHA1: 3122c30abba177dd4db817f5f818230572b8d048
  SHA256: d799f8315ff9c247092539ad7f3197dde5931455810a880c83f296370e0b681a
  SHA512: 06c2e07abf1b69acd40981cee62dadc6212e5ce89fb01ef792ef84ebe394a96c72c2b3d070ea575db84e42a035110dde1525d5d6e06e95cee6ba419015c400bf