Overview (score 7)

Tasks (tab bar, with per-task score)
  Static                                          score 3
  ChangeIt21...iA.exe    windows7-x64             score 7
  ChangeIt21...iA.exe    windows10-2004-x64       score 7
  ChangeIt21...iW.exe    windows7-x64             score 7
  ChangeIt21...iW.exe    windows10-2004-x64       score 7
  ChangeIt211/Setup.exe  windows7-x64             score 6
  ChangeIt211/Setup.exe  windows10-2004-x64       score 6
  ChangeIt211/Setup.msi  windows7-x64             score 6
  ChangeIt211/Setup.msi  windows10-2004-x64       score 6

Analysis
  max time kernel:   155s
  max time network:  173s
  platform:          windows10-2004_x64
  resource:          win10v2004-20231025-en
  resource tags:     arch:x64, arch:x86, image:win10v2004-20231025-en, locale:en-us, os:windows10-2004-x64, system
  submitted:         07/11/2023, 14:20
Task list
  task         sample                      resource
  static1      (static task)               -
  behavioral1  ChangeIt211/InstMsiA.exe    win7-20231025-en
  behavioral2  ChangeIt211/InstMsiA.exe    win10v2004-20231023-en
  behavioral3  ChangeIt211/InstMsiW.exe    win7-20231025-en
  behavioral4  ChangeIt211/InstMsiW.exe    win10v2004-20231023-en
  behavioral5  ChangeIt211/Setup.exe       win7-20231023-en
  behavioral6  ChangeIt211/Setup.exe       win10v2004-20231025-en
  behavioral7  ChangeIt211/Setup.msi       win7-20231025-en
  behavioral8  ChangeIt211/Setup.msi       win10v2004-20231023-en
General
  Target:  ChangeIt211/Setup.exe
  Size:    64KB
  MD5:     1b7af5de542aced976404383416f6722
  SHA1:    1f28ddc8dbfc58a6c627669e56673d914a9a6c5c
  SHA256:  f7fb208405fdbb321f10a161fc3b785706d2cea17b30d2d2196f03e900a79126
  SHA512:  04f3615149839cdd2737d6a837fc69d2ab181b94a4563b67eaf95d76b8a4009dba0f02b4bcefa1c5a5fb496dd80a15f373214e71c3612016f19265c3b28ddda5
  SSDEEP:  1536:Sv6jLwUkDK9VTR79jdqgr69rhswJlXOPJ6XcfU:SewUdV79jdaD+PJ6XcfU
Malware Config
Signatures

Enumerates connected drives (3 TTPs, 23 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
  description              ioc     process
  File opened (read-only)  \??\J:  MsiExec.exe
  File opened (read-only)  \??\N:  MsiExec.exe
  File opened (read-only)  \??\U:  MsiExec.exe
  File opened (read-only)  \??\A:  MsiExec.exe
  File opened (read-only)  \??\I:  MsiExec.exe
  File opened (read-only)  \??\H:  MsiExec.exe
  File opened (read-only)  \??\K:  MsiExec.exe
  File opened (read-only)  \??\M:  MsiExec.exe
  File opened (read-only)  \??\P:  MsiExec.exe
  File opened (read-only)  \??\W:  MsiExec.exe
  File opened (read-only)  \??\X:  MsiExec.exe
  File opened (read-only)  \??\B:  MsiExec.exe
  File opened (read-only)  \??\E:  MsiExec.exe
  File opened (read-only)  \??\S:  MsiExec.exe
  File opened (read-only)  \??\T:  MsiExec.exe
  File opened (read-only)  \??\V:  MsiExec.exe
  File opened (read-only)  \??\Y:  MsiExec.exe
  File opened (read-only)  \??\Z:  MsiExec.exe
  File opened (read-only)  \??\O:  MsiExec.exe
  File opened (read-only)  \??\R:  MsiExec.exe
  File opened (read-only)  \??\Q:  MsiExec.exe
  File opened (read-only)  \??\G:  MsiExec.exe
  File opened (read-only)  \??\L:  MsiExec.exe

Suspicious use of AdjustPrivilegeToken (32 IoCs)
  description                            pid   process
  Token: SeShutdownPrivilege             700   MsiExec.exe
  Token: SeIncreaseQuotaPrivilege        700   MsiExec.exe
  Token: SeSecurityPrivilege             4976  msiexec.exe
  Token: SeCreateTokenPrivilege          700   MsiExec.exe
  Token: SeAssignPrimaryTokenPrivilege   700   MsiExec.exe
  Token: SeLockMemoryPrivilege           700   MsiExec.exe
  Token: SeIncreaseQuotaPrivilege        700   MsiExec.exe
  Token: SeMachineAccountPrivilege       700   MsiExec.exe
  Token: SeTcbPrivilege                  700   MsiExec.exe
  Token: SeSecurityPrivilege             700   MsiExec.exe
  Token: SeTakeOwnershipPrivilege        700   MsiExec.exe
  Token: SeLoadDriverPrivilege           700   MsiExec.exe
  Token: SeSystemProfilePrivilege        700   MsiExec.exe
  Token: SeSystemtimePrivilege           700   MsiExec.exe
  Token: SeProfSingleProcessPrivilege    700   MsiExec.exe
  Token: SeIncBasePriorityPrivilege      700   MsiExec.exe
  Token: SeCreatePagefilePrivilege       700   MsiExec.exe
  Token: SeCreatePermanentPrivilege      700   MsiExec.exe
  Token: SeBackupPrivilege               700   MsiExec.exe
  Token: SeRestorePrivilege              700   MsiExec.exe
  Token: SeShutdownPrivilege             700   MsiExec.exe
  Token: SeDebugPrivilege                700   MsiExec.exe
  Token: SeAuditPrivilege                700   MsiExec.exe
  Token: SeSystemEnvironmentPrivilege    700   MsiExec.exe
  Token: SeChangeNotifyPrivilege         700   MsiExec.exe
  Token: SeRemoteShutdownPrivilege       700   MsiExec.exe
  Token: SeUndockPrivilege               700   MsiExec.exe
  Token: SeSyncAgentPrivilege            700   MsiExec.exe
  Token: SeEnableDelegationPrivilege     700   MsiExec.exe
  Token: SeManageVolumePrivilege         700   MsiExec.exe
  Token: SeImpersonatePrivilege          700   MsiExec.exe
  Token: SeCreateGlobalPrivilege         700   MsiExec.exe

Suspicious use of FindShellTrayWindow (1 IoC)
  pid   process
  700   MsiExec.exe

Suspicious use of WriteProcessMemory (3 IoCs)
  description                        pid   process    procid_target
  PID 2424 wrote to memory of 700    2424  Setup.exe  88
  PID 2424 wrote to memory of 700    2424  Setup.exe  88
  PID 2424 wrote to memory of 700    2424  Setup.exe  88
Processes (process tree)

  [depth 1] C:\Users\Admin\AppData\Local\Temp\ChangeIt211\Setup.exe
            command line: "C:\Users\Admin\AppData\Local\Temp\ChangeIt211\Setup.exe"
            PID: 2424
            - Suspicious use of WriteProcessMemory

      [depth 2] C:\Windows\SysWOW64\MsiExec.exe
                command line: /i "C:\Users\Admin\AppData\Local\Temp\ChangeIt211\Setup.msi"
                PID: 700
                - Enumerates connected drives
                - Suspicious use of AdjustPrivilegeToken
                - Suspicious use of FindShellTrayWindow

  [depth 1] C:\Windows\system32\msiexec.exe
            command line: C:\Windows\system32\msiexec.exe /V
            PID: 4976
            - Suspicious use of AdjustPrivilegeToken