Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
118s -
max time network
119s -
platform
windows7_x64 -
resource
win7-20231129-en -
resource tags
arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system -
submitted
26/12/2023, 15:47
Static task
static1
Behavioral task
behavioral1
Sample
BakerBoostApp.msi
Resource
win7-20231129-en
Behavioral task
behavioral2
Sample
BakerBoostApp.msi
Resource
win10v2004-20231215-en
Behavioral task
behavioral3
Sample
setup.exe
Resource
win7-20231215-en
Behavioral task
behavioral4
Sample
setup.exe
Resource
win10v2004-20231215-en
Behavioral task
behavioral5
Sample
Пак/Специальн. твики/1_Activator.bat
Resource
win7-20231215-en
Behavioral task
behavioral6
Sample
Пак/Специальн. твики/1_Activator.bat
Resource
win10v2004-20231215-en
Behavioral task
behavioral7
Sample
Пак/Специальн. твики/Network_Tweaks.bat
Resource
win7-20231215-en
Behavioral task
behavioral8
Sample
Пак/Специальн. твики/Network_Tweaks.bat
Resource
win10v2004-20231215-en
General
-
Target
BakerBoostApp.msi
-
Size
5.9MB
-
MD5
9a05e7497c5a2baee4b4c314e832092e
-
SHA1
cbd8cdae6c39e1febcd52302d217e9cfec85ce6a
-
SHA256
0983c7e6d076e8006fa88d51e1363f275e009d6aa104eeab75cb6d228d708f38
-
SHA512
d837c08d8f38925bd8056e3a70d62299a84c0eba01e272a7ff5239f83e889c72f7e3e1e9be400cebf66d2c66fc4210f037aa69d89d51a8c33323d9400bb76f79
-
SSDEEP
49152:zJrYicL5MDwBMmImZTWsQcqh1fdG1CYlhazcpA3W6O4Ho9vH:1Yic5M/kTjAdGngimOx/
Malware Config
Signatures
-
Loads dropped DLL 2 IoCs
pid Process 1980 MsiExec.exe 1980 MsiExec.exe -
Enumerates connected drives 3 TTPs 46 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\Q: msiexec.exe File opened (read-only) \??\S: msiexec.exe File opened (read-only) \??\T: msiexec.exe File opened (read-only) \??\M: msiexec.exe File opened (read-only) \??\T: msiexec.exe File opened (read-only) \??\I: msiexec.exe File opened (read-only) \??\E: msiexec.exe File opened (read-only) \??\J: msiexec.exe File opened (read-only) \??\K: msiexec.exe File opened (read-only) \??\O: msiexec.exe File opened (read-only) \??\R: msiexec.exe File opened (read-only) \??\U: msiexec.exe File opened (read-only) \??\A: msiexec.exe File opened (read-only) \??\U: msiexec.exe File opened (read-only) \??\V: msiexec.exe File opened (read-only) \??\E: msiexec.exe File opened (read-only) \??\H: msiexec.exe File opened (read-only) \??\X: msiexec.exe File opened (read-only) \??\P: msiexec.exe File opened (read-only) \??\G: msiexec.exe File opened (read-only) \??\L: msiexec.exe File opened (read-only) \??\W: msiexec.exe File opened (read-only) \??\B: msiexec.exe File opened (read-only) \??\J: msiexec.exe File opened (read-only) \??\K: msiexec.exe File opened (read-only) \??\Y: msiexec.exe File opened (read-only) \??\B: msiexec.exe File opened (read-only) \??\X: msiexec.exe File opened (read-only) \??\A: msiexec.exe File opened (read-only) \??\O: msiexec.exe File opened (read-only) \??\L: msiexec.exe File opened (read-only) \??\W: msiexec.exe File opened (read-only) \??\N: msiexec.exe File opened (read-only) \??\S: msiexec.exe File opened (read-only) \??\V: msiexec.exe File opened (read-only) \??\H: msiexec.exe File opened (read-only) \??\M: msiexec.exe File opened (read-only) \??\N: msiexec.exe File opened (read-only) \??\Y: msiexec.exe File opened (read-only) \??\Z: msiexec.exe File opened (read-only) \??\I: msiexec.exe File opened (read-only) \??\P: msiexec.exe File opened (read-only) \??\Q: msiexec.exe File opened (read-only) \??\G: msiexec.exe File opened (read-only) \??\Z: msiexec.exe File opened (read-only) \??\R: msiexec.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 1752 msiexec.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeShutdownPrivilege 1752 msiexec.exe Token: SeIncreaseQuotaPrivilege 1752 msiexec.exe Token: SeRestorePrivilege 3016 msiexec.exe Token: SeTakeOwnershipPrivilege 3016 msiexec.exe Token: SeSecurityPrivilege 3016 msiexec.exe Token: SeCreateTokenPrivilege 1752 msiexec.exe Token: SeAssignPrimaryTokenPrivilege 1752 msiexec.exe Token: SeLockMemoryPrivilege 1752 msiexec.exe Token: SeIncreaseQuotaPrivilege 1752 msiexec.exe Token: SeMachineAccountPrivilege 1752 msiexec.exe Token: SeTcbPrivilege 1752 msiexec.exe Token: SeSecurityPrivilege 1752 msiexec.exe Token: SeTakeOwnershipPrivilege 1752 msiexec.exe Token: SeLoadDriverPrivilege 1752 msiexec.exe Token: SeSystemProfilePrivilege 1752 msiexec.exe Token: SeSystemtimePrivilege 1752 msiexec.exe Token: SeProfSingleProcessPrivilege 1752 msiexec.exe Token: SeIncBasePriorityPrivilege 1752 msiexec.exe Token: SeCreatePagefilePrivilege 1752 msiexec.exe Token: SeCreatePermanentPrivilege 1752 msiexec.exe Token: SeBackupPrivilege 1752 msiexec.exe Token: SeRestorePrivilege 1752 msiexec.exe Token: SeShutdownPrivilege 1752 msiexec.exe Token: SeDebugPrivilege 1752 msiexec.exe Token: SeAuditPrivilege 1752 msiexec.exe Token: SeSystemEnvironmentPrivilege 1752 msiexec.exe Token: SeChangeNotifyPrivilege 1752 msiexec.exe Token: SeRemoteShutdownPrivilege 1752 msiexec.exe Token: SeUndockPrivilege 1752 msiexec.exe Token: SeSyncAgentPrivilege 1752 msiexec.exe Token: SeEnableDelegationPrivilege 1752 msiexec.exe Token: SeManageVolumePrivilege 1752 msiexec.exe Token: SeImpersonatePrivilege 1752 msiexec.exe Token: SeCreateGlobalPrivilege 1752 msiexec.exe Token: SeCreateTokenPrivilege 1752 msiexec.exe Token: SeAssignPrimaryTokenPrivilege 1752 msiexec.exe Token: SeLockMemoryPrivilege 1752 msiexec.exe Token: SeIncreaseQuotaPrivilege 1752 msiexec.exe Token: SeMachineAccountPrivilege 1752 msiexec.exe Token: SeTcbPrivilege 1752 msiexec.exe Token: SeSecurityPrivilege 1752 msiexec.exe Token: SeTakeOwnershipPrivilege 1752 msiexec.exe Token: SeLoadDriverPrivilege 1752 msiexec.exe Token: SeSystemProfilePrivilege 1752 msiexec.exe Token: SeSystemtimePrivilege 1752 msiexec.exe Token: SeProfSingleProcessPrivilege 1752 msiexec.exe Token: SeIncBasePriorityPrivilege 1752 msiexec.exe Token: SeCreatePagefilePrivilege 1752 msiexec.exe Token: SeCreatePermanentPrivilege 1752 msiexec.exe Token: SeBackupPrivilege 1752 msiexec.exe Token: SeRestorePrivilege 1752 msiexec.exe Token: SeShutdownPrivilege 1752 msiexec.exe Token: SeDebugPrivilege 1752 msiexec.exe Token: SeAuditPrivilege 1752 msiexec.exe Token: SeSystemEnvironmentPrivilege 1752 msiexec.exe Token: SeChangeNotifyPrivilege 1752 msiexec.exe Token: SeRemoteShutdownPrivilege 1752 msiexec.exe Token: SeUndockPrivilege 1752 msiexec.exe Token: SeSyncAgentPrivilege 1752 msiexec.exe Token: SeEnableDelegationPrivilege 1752 msiexec.exe Token: SeManageVolumePrivilege 1752 msiexec.exe Token: SeImpersonatePrivilege 1752 msiexec.exe Token: SeCreateGlobalPrivilege 1752 msiexec.exe Token: SeCreateTokenPrivilege 1752 msiexec.exe -
Suspicious use of FindShellTrayWindow 1 IoCs
pid Process 1752 msiexec.exe -
Suspicious use of WriteProcessMemory 7 IoCs
description pid Process procid_target PID 3016 wrote to memory of 1980 3016 msiexec.exe 29 PID 3016 wrote to memory of 1980 3016 msiexec.exe 29 PID 3016 wrote to memory of 1980 3016 msiexec.exe 29 PID 3016 wrote to memory of 1980 3016 msiexec.exe 29 PID 3016 wrote to memory of 1980 3016 msiexec.exe 29 PID 3016 wrote to memory of 1980 3016 msiexec.exe 29 PID 3016 wrote to memory of 1980 3016 msiexec.exe 29
Processes
-
C:\Windows\system32\msiexec.exemsiexec.exe /I C:\Users\Admin\AppData\Local\Temp\BakerBoostApp.msi1⤵
- Enumerates connected drives
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1752
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3016 -
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding F352F4030E575E29762003C25CC956A0 C2⤵
- Loads dropped DLL
PID:1980
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
298KB
MD5684f2d21637cb5835172edad55b6a8d9
SHA15eac3b8d0733aa11543248b769d7c30d2c53fcdb
SHA256da1fe86141c446921021bb26b6fe2bd2d1bb51e3e614f46f8103ffad8042f2c0
SHA5127b626c2839ac7df4dd764d52290da80f40f7c02cb70c8668a33ad166b0bcb0c1d4114d08a8754e0ae9c0210129ae7e885a90df714ca79bd946fbd8009848538c
-
Filesize
128KB
MD5e7130356ea53496ddece977e9ba65f8d
SHA1304cffc716bb076df33a19c5704efbf4e4d4b261
SHA25658f3eb99af59d604882036ade8c1322e7bad372f54f51dc06ce8d4f38ed32e2f
SHA512dee8eb360073801deb705523417763e2a16dc33d6c586fed32891cf327e521f2670bbe9419aeaa9065e90ac9fa76e258242e65fd7c3c981a2a6906d87c514142
-
Filesize
192KB
MD560e67248c2bbebdd7a5d5d08dbd0a558
SHA1eaf4fa8717ceb45d1a1efe1e47590bdd1a314a39
SHA2569195d846a0107df9a90a1ea6912a0da8addbd6cb6d7c4f2ace6736d597a09938
SHA51211739ea89f4e33cea0d067b0911f62d0f1ad884b4c5fd6008676bb6d779b624171c151fbd786ac517e8e7fc02ede8d822d32baedc6318c951059bad8f6fc8bd5