Resubmissions
Submitted            Analysis ID          Score
11/01/2024, 04:17    240111-ewj4tsfcf9    7
11/01/2024, 04:09    240111-eq4laafbg6    7
10/01/2024, 02:48    240110-darq4scdbn    7
10/01/2024, 02:33    240110-c2bcrscbfl    7
10/01/2024, 02:10    240110-cls8msdaf5    1
10/01/2024, 01:31    240110-bxfw1scec5    1
Analysis
max time kernel: 759s
max time network: 651s
platform: windows7_x64
resource: win7-20231215-es
resource tags: arch:x64, arch:x86, image:win7-20231215-es, locale:es-es, os:windows7-x64, system, windows
submitted: 10/01/2024, 02:48
Static task: static1
Behavioral task: behavioral1
Sample: mal.zip
Resource: win7-20231215-es
General
Target: mal.zip
Size: 4.5MB
MD5: 15a36183a2d2c4a43f7f203548fbcb04
SHA1: 3ce2a3904eeef714abec465b55a0c20f6e47b079
SHA256: ebb825664642befb034e02fdac2c2ed618f2832e563f1380f8f02e738e477345
SHA512: 67325d485999e25cbe1c31162af5f3f081de3a22b15cd7b79470c20276a4fb299762835d94e7a4ffa4756b41df9eba7d692d84d455d7645e5e09386a09b18e4f
SSDEEP: 98304:pOA4lR+FGuh9N2fQdB9ySsivCYOxSeWs10MS9UVmpLhVGQvnUQqy5H+:pSR+FGugfQdB9vlvChWmdS9U2LHFZF+
Malware Config
Signatures
- Loads dropped DLL (4 IoCs)
  PID 1380 MsiExec.exe (4 entries)
- Blocklisted process makes network request (1 IoC)
  flow 3, PID 1380 MsiExec.exe
- Enumerates connected drives (3 TTPs, 46 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  File opened (read-only) by msiexec.exe, two entries each, for \??\A:, \??\B:, \??\E:, \??\G:, \??\H:, \??\I:, \??\J:, \??\K:, \??\L:, \??\M:, \??\N:, \??\O:, \??\P:, \??\Q:, \??\R:, \??\S:, \??\T:, \??\U:, \??\V:, \??\W:, \??\X:, \??\Y:, \??\Z: (every drive letter except C:, D: and F:)
- Drops file in Windows directory (10 IoCs), all by msiexec.exe
  File created: C:\Windows\Installer\f7dda29.msi
  File opened for modification: C:\Windows\Installer\f7dda29.msi
  File opened for modification: C:\Windows\Installer\MSIDB14.tmp
  File opened for modification: C:\Windows\Installer\MSIDB92.tmp
  File opened for modification: C:\Windows\Installer\
  File opened for modification: C:\Windows\Installer\MSIDC50.tmp
  File opened for modification: C:\Windows\Installer\MSIDA58.tmp
  File created: C:\Windows\Installer\f7dda2c.ipi
  File opened for modification: C:\Windows\Installer\MSIDC3F.tmp
  File opened for modification: C:\Windows\Installer\f7dda2c.ipi
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  PID 1096 msiexec.exe (2 entries)
- Suspicious use of AdjustPrivilegeToken (52 IoCs), in report order
  PID 2292 msiexec.exe: SeShutdownPrivilege, SeIncreaseQuotaPrivilege
  PID 1096 msiexec.exe: SeRestorePrivilege, SeTakeOwnershipPrivilege, SeSecurityPrivilege
  PID 2292 msiexec.exe: SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege, SeIncreaseQuotaPrivilege, SeMachineAccountPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeSyncAgentPrivilege, SeEnableDelegationPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
  PID 1096 msiexec.exe: SeRestorePrivilege, SeTakeOwnershipPrivilege (this pair repeated 9 times, 18 entries)
- Suspicious use of FindShellTrayWindow (2 IoCs)
  PID 2292 msiexec.exe (2 entries)
- Suspicious use of SetWindowsHookEx (3 IoCs)
  PID 1380 MsiExec.exe (3 entries)
- Suspicious use of WriteProcessMemory (7 IoCs)
  PID 1096 msiexec.exe wrote to memory of PID 1380 (procid_target 41), 7 entries
Processes
- C:\Windows\Explorer.exe (PID 2468)
  Command line: C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\mal.zip
- C:\Windows\explorer.exe (PID 2276)
  Command line: "C:\Windows\explorer.exe"
- C:\Windows\System32\msiexec.exe (PID 2292)
  Command line: "C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\AppData\Local\Temp\Temp1_mal.zip\DHGVD67JH-7DVCJ7HF-E7CLJHE7YH-E67FBHCH-7992643.msi"
  Signatures: Enumerates connected drives; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow
- C:\Windows\system32\msiexec.exe (PID 1096)
  Command line: C:\Windows\system32\msiexec.exe /V
  Signatures: Enumerates connected drives; Drops file in Windows directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Windows\syswow64\MsiExec.exe (PID 1380, nested under PID 1096)
    Command line: C:\Windows\syswow64\MsiExec.exe -Embedding E963C6514D275F918699A346009605A4
    Signatures: Loads dropped DLL; Blocklisted process makes network request; Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads