Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Overview (overview)

Score | Task                | Platform
------|---------------------|-------------------
7     | Static (static)     |
1     | SETUP.bat           | windows7-x64
7     | SETUP.bat           | windows10-2004-x64
6     | UPGRADE.bat         | windows7-x64
1     | UPGRADE.bat         | windows10-2004-x64
1     | postgresql...nt.msi | windows7-x64
7     | postgresql...nt.msi | windows10-2004-x64
7     | postgresql-8.3.msi  | windows7-x64
7     | postgresql-8.3.msi  | windows10-2004-x64
7     | vcredist_x86.exe    | windows7-x64
7     | vcredist_x86.exe    | windows10-2004-x64
Analysis (score 6)

- max time kernel: 118s
- max time network: 129s
- platform: windows7_x64
- resource: win7-20231025-en
- resource tags: arch:x64, arch:x86, image:win7-20231025-en, locale:en-us, os:windows7-x64, system
- submitted: 07/11/2023, 14:37
Static task
- static1

Behavioral tasks
- behavioral1: SETUP.bat (resource win7-20231023-en)
- behavioral2: SETUP.bat (resource win10v2004-20231025-en)
- behavioral3: UPGRADE.bat (resource win7-20231025-en)
- behavioral4: UPGRADE.bat (resource win10v2004-20231025-en)
- behavioral5: postgresql-8.3-int.msi (resource win7-20231025-en)
- behavioral6: postgresql-8.3-int.msi (resource win10v2004-20231020-en)
- behavioral7: postgresql-8.3.msi (resource win7-20231023-en)
- behavioral8: postgresql-8.3.msi (resource win10v2004-20231020-en)
- behavioral9: vcredist_x86.exe (resource win7-20231020-en)
- behavioral10: vcredist_x86.exe (resource win10v2004-20231023-en)
General

- Target: postgresql-8.3-int.msi
- Size: 23.8MB
- MD5: ec78c9a48eb0f1a5d645b26c8cb73c7c
- SHA1: af7e55be5345a002d497946e86c5f1067124e1ef
- SHA256: 498fc55a80f590b6eea38492cee53cb71d5e652ea8c0f4cb45a85e5b20e615eb
- SHA512: cda5797cb0d0bd57188194ca89dab073989f14f23faaf779f59922dc9198275a0159beaed9ad979b35a1de7c0fc7cb16c668139cc1c1b32711a4d14d1b19657e
- SSDEEP: 393216:+X9bU4kUZeCeOwmiZn4xXaHddwZW+MpGThFiaff/J4WZtde9Skc3+ARhNEkasOEe:+XloSejOwbZnWaHbvCiaXtZtdesv3nRg
Malware Config
Signatures
- Loads dropped DLL (1 IoC)
  pid / Process: 2636 MsiExec.exe
- Enumerates connected drives (3 TTPs, 46 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
- Suspicious use of FindShellTrayWindow (2 IoCs)
  pid / Process: 1916 msiexec.exe; 1916 msiexec.exe
- Suspicious use of WriteProcessMemory (7 IoCs)
  description / pid / Process / procid_target: PID 2924 wrote to memory of 2636 | 2924 msiexec.exe | 29 (identical entry recorded 7 times)
Processes

- C:\Windows\system32\msiexec.exe (PID 1916, depth 1)
  Command line: msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\postgresql-8.3-int.msi
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
- C:\Windows\system32\msiexec.exe (PID 2924, depth 1)
  Command line: C:\Windows\system32\msiexec.exe /V
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\syswow64\MsiExec.exe (PID 2636, depth 2)
    Command line: C:\Windows\syswow64\MsiExec.exe -Embedding ADA8A386BAA5851715C7E9965C81D7FD C
    - Loads dropped DLL
Network
MITRE ATT&CK Enterprise v15
Downloads

- Filesize: 348KB
  MD5: 477d70db001b8994f6c03fc863150537
  SHA1: edd79dbab310a1f94e0d83526647b4456835843e
  SHA256: da41c1abc8528f9b32ce9df854acd3527a89dd85134392cd42bbc9bf71289958
  SHA512: 7ab0ddd70e4188465548e1834a159d88ee71005985810acd8c8f3bc77526a8cb2f8bec17de0cd8338d81629dbed3fc900f13c90d5019bfd3034e23065f5ff4b7