Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Overview
overview
7Static
static
1SETUP.bat
windows7-x64
7SETUP.bat
windows10-2004-x64
6UPGRADE.bat
windows7-x64
1UPGRADE.bat
windows10-2004-x64
1postgresql...nt.msi
windows7-x64
7postgresql...nt.msi
windows10-2004-x64
7postgresql-8.3.msi
windows7-x64
7postgresql-8.3.msi
windows10-2004-x64
7vcredist_x86.exe
windows7-x64
7vcredist_x86.exe
windows10-2004-x64
6Analysis
-
max time kernel
145s -
max time network
164s -
platform
windows10-2004_x64 -
resource
win10v2004-20231020-en -
resource tags
arch:x64arch:x86image:win10v2004-20231020-enlocale:en-usos:windows10-2004-x64system -
submitted
07/11/2023, 14:37
Static task
static1
Behavioral task
behavioral1
Sample
SETUP.bat
Resource
win7-20231023-en
windows7-x64
Behavioral task
behavioral2
Sample
SETUP.bat
Resource
win10v2004-20231025-en
windows10-2004-x64
Behavioral task
behavioral3
Sample
UPGRADE.bat
Resource
win7-20231025-en
windows7-x64
Behavioral task
behavioral4
Sample
UPGRADE.bat
Resource
win10v2004-20231025-en
windows10-2004-x64
Behavioral task
behavioral5
Sample
postgresql-8.3-int.msi
Resource
win7-20231025-en
windows7-x64
Behavioral task
behavioral6
Sample
postgresql-8.3-int.msi
Resource
win10v2004-20231020-en
windows10-2004-x64
Behavioral task
behavioral7
Sample
postgresql-8.3.msi
Resource
win7-20231023-en
windows7-x64
Behavioral task
behavioral8
Sample
postgresql-8.3.msi
Resource
win10v2004-20231020-en
windows10-2004-x64
Behavioral task
behavioral9
Sample
vcredist_x86.exe
Resource
win7-20231020-en
windows7-x64
Behavioral task
behavioral10
Sample
vcredist_x86.exe
Resource
win10v2004-20231023-en
windows10-2004-x64
General
-
Target
postgresql-8.3-int.msi
-
Size
23.8MB
-
MD5
ec78c9a48eb0f1a5d645b26c8cb73c7c
-
SHA1
af7e55be5345a002d497946e86c5f1067124e1ef
-
SHA256
498fc55a80f590b6eea38492cee53cb71d5e652ea8c0f4cb45a85e5b20e615eb
-
SHA512
cda5797cb0d0bd57188194ca89dab073989f14f23faaf779f59922dc9198275a0159beaed9ad979b35a1de7c0fc7cb16c668139cc1c1b32711a4d14d1b19657e
-
SSDEEP
393216:+X9bU4kUZeCeOwmiZn4xXaHddwZW+MpGThFiaff/J4WZtde9Skc3+ARhNEkasOEe:+XloSejOwbZnWaHbvCiaXtZtdesv3nRg
Malware Config
Signatures
-
Loads dropped DLL 1 IoCs
pid Process 4024 MsiExec.exe -
Enumerates connected drives 3 TTPs 46 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\J: msiexec.exe File opened (read-only) \??\Q: msiexec.exe File opened (read-only) \??\I: msiexec.exe File opened (read-only) \??\S: msiexec.exe File opened (read-only) \??\Z: msiexec.exe File opened (read-only) \??\G: msiexec.exe File opened (read-only) \??\A: msiexec.exe File opened (read-only) \??\H: msiexec.exe File opened (read-only) \??\L: msiexec.exe File opened (read-only) \??\X: msiexec.exe File opened (read-only) \??\B: msiexec.exe File opened (read-only) \??\I: msiexec.exe File opened (read-only) \??\Y: msiexec.exe File opened (read-only) \??\Z: msiexec.exe File opened (read-only) \??\K: msiexec.exe File opened (read-only) \??\R: msiexec.exe File opened (read-only) \??\V: msiexec.exe File opened (read-only) \??\Y: msiexec.exe File opened (read-only) \??\T: msiexec.exe File opened (read-only) \??\M: msiexec.exe File opened (read-only) \??\P: msiexec.exe File opened (read-only) \??\W: msiexec.exe File opened (read-only) \??\J: msiexec.exe File opened (read-only) \??\M: msiexec.exe File opened (read-only) \??\P: msiexec.exe File opened (read-only) \??\Q: msiexec.exe File opened (read-only) \??\A: msiexec.exe File opened (read-only) \??\H: msiexec.exe File opened (read-only) \??\O: msiexec.exe File opened (read-only) \??\R: msiexec.exe File opened (read-only) \??\T: msiexec.exe File opened (read-only) \??\E: msiexec.exe File opened (read-only) \??\N: msiexec.exe File opened (read-only) \??\O: msiexec.exe File opened (read-only) \??\N: msiexec.exe File opened (read-only) \??\W: msiexec.exe File opened (read-only) \??\X: msiexec.exe File opened (read-only) \??\L: msiexec.exe File opened (read-only) \??\K: msiexec.exe File opened (read-only) \??\S: msiexec.exe File opened (read-only) \??\U: msiexec.exe File opened (read-only) \??\V: msiexec.exe File opened (read-only) \??\B: msiexec.exe File opened (read-only) \??\G: msiexec.exe File opened (read-only) \??\U: msiexec.exe File opened (read-only) \??\E: msiexec.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeShutdownPrivilege 1692 msiexec.exe Token: SeIncreaseQuotaPrivilege 1692 msiexec.exe Token: SeSecurityPrivilege 4140 msiexec.exe Token: SeCreateTokenPrivilege 1692 msiexec.exe Token: SeAssignPrimaryTokenPrivilege 1692 msiexec.exe Token: SeLockMemoryPrivilege 1692 msiexec.exe Token: SeIncreaseQuotaPrivilege 1692 msiexec.exe Token: SeMachineAccountPrivilege 1692 msiexec.exe Token: SeTcbPrivilege 1692 msiexec.exe Token: SeSecurityPrivilege 1692 msiexec.exe Token: SeTakeOwnershipPrivilege 1692 msiexec.exe Token: SeLoadDriverPrivilege 1692 msiexec.exe Token: SeSystemProfilePrivilege 1692 msiexec.exe Token: SeSystemtimePrivilege 1692 msiexec.exe Token: SeProfSingleProcessPrivilege 1692 msiexec.exe Token: SeIncBasePriorityPrivilege 1692 msiexec.exe Token: SeCreatePagefilePrivilege 1692 msiexec.exe Token: SeCreatePermanentPrivilege 1692 msiexec.exe Token: SeBackupPrivilege 1692 msiexec.exe Token: SeRestorePrivilege 1692 msiexec.exe Token: SeShutdownPrivilege 1692 msiexec.exe Token: SeDebugPrivilege 1692 msiexec.exe Token: SeAuditPrivilege 1692 msiexec.exe Token: SeSystemEnvironmentPrivilege 1692 msiexec.exe Token: SeChangeNotifyPrivilege 1692 msiexec.exe Token: SeRemoteShutdownPrivilege 1692 msiexec.exe Token: SeUndockPrivilege 1692 msiexec.exe Token: SeSyncAgentPrivilege 1692 msiexec.exe Token: SeEnableDelegationPrivilege 1692 msiexec.exe Token: SeManageVolumePrivilege 1692 msiexec.exe Token: SeImpersonatePrivilege 1692 msiexec.exe Token: SeCreateGlobalPrivilege 1692 msiexec.exe Token: SeCreateTokenPrivilege 1692 msiexec.exe Token: SeAssignPrimaryTokenPrivilege 1692 msiexec.exe Token: SeLockMemoryPrivilege 1692 msiexec.exe Token: SeIncreaseQuotaPrivilege 1692 msiexec.exe Token: SeMachineAccountPrivilege 1692 msiexec.exe Token: SeTcbPrivilege 1692 msiexec.exe Token: SeSecurityPrivilege 1692 msiexec.exe Token: SeTakeOwnershipPrivilege 1692 msiexec.exe Token: SeLoadDriverPrivilege 1692 msiexec.exe Token: SeSystemProfilePrivilege 1692 msiexec.exe Token: SeSystemtimePrivilege 1692 msiexec.exe Token: SeProfSingleProcessPrivilege 1692 msiexec.exe Token: SeIncBasePriorityPrivilege 1692 msiexec.exe Token: SeCreatePagefilePrivilege 1692 msiexec.exe Token: SeCreatePermanentPrivilege 1692 msiexec.exe Token: SeBackupPrivilege 1692 msiexec.exe Token: SeRestorePrivilege 1692 msiexec.exe Token: SeShutdownPrivilege 1692 msiexec.exe Token: SeDebugPrivilege 1692 msiexec.exe Token: SeAuditPrivilege 1692 msiexec.exe Token: SeSystemEnvironmentPrivilege 1692 msiexec.exe Token: SeChangeNotifyPrivilege 1692 msiexec.exe Token: SeRemoteShutdownPrivilege 1692 msiexec.exe Token: SeUndockPrivilege 1692 msiexec.exe Token: SeSyncAgentPrivilege 1692 msiexec.exe Token: SeEnableDelegationPrivilege 1692 msiexec.exe Token: SeManageVolumePrivilege 1692 msiexec.exe Token: SeImpersonatePrivilege 1692 msiexec.exe Token: SeCreateGlobalPrivilege 1692 msiexec.exe Token: SeCreateTokenPrivilege 1692 msiexec.exe Token: SeAssignPrimaryTokenPrivilege 1692 msiexec.exe Token: SeLockMemoryPrivilege 1692 msiexec.exe -
Suspicious use of FindShellTrayWindow 2 IoCs
pid Process 1692 msiexec.exe 1692 msiexec.exe -
Suspicious use of WriteProcessMemory 3 IoCs
description pid Process procid_target PID 4140 wrote to memory of 4024 4140 msiexec.exe 90 PID 4140 wrote to memory of 4024 4140 msiexec.exe 90 PID 4140 wrote to memory of 4024 4140 msiexec.exe 90
Processes
-
C:\Windows\system32\msiexec.exemsiexec.exe /I C:\Users\Admin\AppData\Local\Temp\postgresql-8.3-int.msi1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1692
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4140 -
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding B40D84CA64D3B5CBDF451AF353ED5B1D C2⤵
- Loads dropped DLL
PID:4024
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
348KB
MD5477d70db001b8994f6c03fc863150537
SHA1edd79dbab310a1f94e0d83526647b4456835843e
SHA256da41c1abc8528f9b32ce9df854acd3527a89dd85134392cd42bbc9bf71289958
SHA5127ab0ddd70e4188465548e1834a159d88ee71005985810acd8c8f3bc77526a8cb2f8bec17de0cd8338d81629dbed3fc900f13c90d5019bfd3034e23065f5ff4b7
-
Filesize
348KB
MD5477d70db001b8994f6c03fc863150537
SHA1edd79dbab310a1f94e0d83526647b4456835843e
SHA256da41c1abc8528f9b32ce9df854acd3527a89dd85134392cd42bbc9bf71289958
SHA5127ab0ddd70e4188465548e1834a159d88ee71005985810acd8c8f3bc77526a8cb2f8bec17de0cd8338d81629dbed3fc900f13c90d5019bfd3034e23065f5ff4b7