Resubmissions
Submitted           Analysis ID         Score
11/01/2024, 04:17   240111-ewj4tsfcf9   7
11/01/2024, 04:09   240111-eq4laafbg6   7
10/01/2024, 02:48   240110-darq4scdbn   7
10/01/2024, 02:33   240110-c2bcrscbfl   7
10/01/2024, 02:10   240110-cls8msdaf5   1
10/01/2024, 01:31   240110-bxfw1scec5   1

Analysis
max time kernel: 101s
max time network: 71s
platform: windows7_x64
resource: win7-20231215-es
resource tags: arch:x64, arch:x86, image:win7-20231215-es, locale:es-es, os:windows7-x64, system, windows
submitted: 10/01/2024, 02:33
Static task: static1
Behavioral task: behavioral1
Sample: DHGVD67JH-7DVCJ7HF-E7CLJHE7YH-E67FBHCH-7992643.msi
Resource: win7-20231215-es
General
Target: DHGVD67JH-7DVCJ7HF-E7CLJHE7YH-E67FBHCH-7992643.msi
Size: 11.8MB
MD5: 4faefc4fd0cb60e39b50f24d417d453d
SHA1: 5414e5171126b1d768a5089feab1425a46b353b7
SHA256: 90f0c48a16ae8cb125786333c748af1c91bcf114246c0d3757095f4ea40a00f1
SHA512: 654b2636594ac7f135fbf282b967505f5d4c85a13c82dd06139a758c34edad6d0afe9c55640d251bffe403f5422004b1c89fc85265e2c24efa1887c78eb3446e
SSDEEP: 98304:Kt65C+m9gSNTWV2Ppyi/+/F2ZDALVwetabp3OHX4y9rffffffffffffffffffff8:Kt6Ul9gSsVHhqowe0cX4yyOYw/x9
Malware Config

Signatures

Loads dropped DLL (4 IoCs)
PID 2708 MsiExec.exe, 4 entries

Blocklisted process makes network request (1 IoC)
flow 2, PID 2708 MsiExec.exe

Enumerates connected drives (3 TTPs, 46 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Drops file in Windows directory (9 IoCs)
- File opened for modification: C:\Windows\Installer\MSI4E21.tmp (msiexec.exe)
- File created: C:\Windows\Installer\f764b94.ipi (msiexec.exe)
- File opened for modification: C:\Windows\Installer\MSI5776.tmp (msiexec.exe)
- File opened for modification: C:\Windows\Installer\MSI4C0E.tmp (msiexec.exe)
- File opened for modification: C:\Windows\Installer\f764b91.msi (msiexec.exe)
- File opened for modification: C:\Windows\Installer\MSI4EBE.tmp (msiexec.exe)
- File opened for modification: C:\Windows\Installer\ (msiexec.exe)
- File opened for modification: C:\Windows\Installer\MSI57B6.tmp (msiexec.exe)
- File created: C:\Windows\Installer\f764b91.msi (msiexec.exe)
Suspicious behavior: EnumeratesProcesses (2 IoCs)
PID 2692 msiexec.exe, 2 entries

Suspicious use of AdjustPrivilegeToken (48 IoCs)
Suspicious use of FindShellTrayWindow (1 IoC)
PID 2740 msiexec.exe

Suspicious use of SetWindowsHookEx (3 IoCs)
PID 2708 MsiExec.exe, 3 entries

Suspicious use of WriteProcessMemory (7 IoCs)
PID 2692 msiexec.exe wrote to memory of PID 2708 (procid_target 25), 7 identical entries
Processes

C:\Windows\system32\msiexec.exe (PID 2740)
Command line: msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\DHGVD67JH-7DVCJ7HF-E7CLJHE7YH-E67FBHCH-7992643.msi
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow

C:\Windows\system32\msiexec.exe (PID 2692)
Command line: C:\Windows\system32\msiexec.exe /V
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory

    C:\Windows\syswow64\MsiExec.exe (PID 2708, child of PID 2692)
    Command line: C:\Windows\syswow64\MsiExec.exe -Embedding A3A07481C98C27F5B7D0B2336EC24DFC
    - Loads dropped DLL
    - Blocklisted process makes network request
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads