Resubmissions
Submitted            Analysis ID          Score
11/01/2024, 04:17    240111-ewj4tsfcf9    7
11/01/2024, 04:09    240111-eq4laafbg6    7
10/01/2024, 02:48    240110-darq4scdbn    7
10/01/2024, 02:33    240110-c2bcrscbfl    7
10/01/2024, 02:10    240110-cls8msdaf5    1
10/01/2024, 01:31    240110-bxfw1scec5    1
Analysis
- max time kernel: 121s
- max time network: 127s
- platform: windows7_x64
- resource: win7-20231215-es
- resource tags: arch:x64, arch:x86, image:win7-20231215-es, locale:es-es, os:windows7-x64, system:windows
- submitted: 11/01/2024, 04:09
Static task
static1
Behavioral task
behavioral1
Sample
mal.zip
Resource
win7-20231215-es
Behavioral task
behavioral2
Sample
mal.zip
Resource
win10v2004-20231215-es
General
-
Target
mal.zip
-
Size
4.5MB
-
MD5
15a36183a2d2c4a43f7f203548fbcb04
-
SHA1
3ce2a3904eeef714abec465b55a0c20f6e47b079
-
SHA256
ebb825664642befb034e02fdac2c2ed618f2832e563f1380f8f02e738e477345
-
SHA512
67325d485999e25cbe1c31162af5f3f081de3a22b15cd7b79470c20276a4fb299762835d94e7a4ffa4756b41df9eba7d692d84d455d7645e5e09386a09b18e4f
-
SSDEEP
98304:pOA4lR+FGuh9N2fQdB9ySsivCYOxSeWs10MS9UVmpLhVGQvnUQqy5H+:pSR+FGugfQdB9vlvChWmdS9U2LHFZF+
Malware Config
Signatures
- Loads dropped DLL (4 IoCs)
  pid   Process
  1616  MsiExec.exe
  1616  MsiExec.exe
  1616  MsiExec.exe
  1616  MsiExec.exe
- Blocklisted process makes network request (1 IoC)
  flow  pid   Process
  3     1616  MsiExec.exe
- Enumerates connected drives (3 TTPs, 46 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  description: File opened (read-only); Process: msiexec.exe; iocs, in order of occurrence:
  \??\I: \??\K: \??\N: \??\Q: \??\V: \??\B: \??\I: \??\N: \??\W: \??\Z: \??\P: \??\X: \??\R: \??\S: \??\A: \??\Q: \??\G: \??\Y: \??\P: \??\E: \??\S: \??\W: \??\U: \??\B: \??\H: \??\J: \??\O: \??\R: \??\L: \??\T: \??\J: \??\G: \??\H: \??\K: \??\L: \??\M: \??\O: \??\A: \??\E: \??\T: \??\U: \??\X: \??\M: \??\V: \??\Z: \??\Y:
- Drops file in Windows directory (10 IoCs)
  description                    ioc                                   Process
  File opened for modification   C:\Windows\Installer\MSI7916.tmp      msiexec.exe
  File created                   C:\Windows\Installer\f7778bc.ipi      msiexec.exe
  File opened for modification   C:\Windows\Installer\                 msiexec.exe
  File opened for modification   C:\Windows\Installer\MSIA0D4.tmp      msiexec.exe
  File created                   C:\Windows\Installer\f7778b9.msi      msiexec.exe
  File opened for modification   C:\Windows\Installer\MSI7CDE.tmp      msiexec.exe
  File opened for modification   C:\Windows\Installer\MSI7D5C.tmp      msiexec.exe
  File opened for modification   C:\Windows\Installer\MSIA134.tmp      msiexec.exe
  File opened for modification   C:\Windows\Installer\f7778bc.ipi      msiexec.exe
  File opened for modification   C:\Windows\Installer\f7778b9.msi      msiexec.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid   Process
  2908  msiexec.exe
  2908  msiexec.exe
- Suspicious use of AdjustPrivilegeToken (52 IoCs)
  description (Token), pid, Process, in order of occurrence:
  784 msiexec.exe: SeShutdownPrivilege, SeIncreaseQuotaPrivilege
  2908 msiexec.exe: SeRestorePrivilege, SeTakeOwnershipPrivilege, SeSecurityPrivilege
  784 msiexec.exe: SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege, SeIncreaseQuotaPrivilege, SeMachineAccountPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeSyncAgentPrivilege, SeEnableDelegationPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
  2908 msiexec.exe: SeRestorePrivilege, SeTakeOwnershipPrivilege (this pair repeated 9 times, 18 entries)
- Suspicious use of FindShellTrayWindow (2 IoCs)
  pid   Process
  784   msiexec.exe
  784   msiexec.exe
- Suspicious use of SetWindowsHookEx (3 IoCs)
  pid   Process
  1616  MsiExec.exe
  1616  MsiExec.exe
  1616  MsiExec.exe
- Suspicious use of WriteProcessMemory (7 IoCs)
  description                        pid   Process      procid_target
  PID 2908 wrote to memory of 1616   2908  msiexec.exe  38
  (the same entry is recorded 7 times)
Processes
- C:\Windows\Explorer.exe
  Command line: C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\mal.zip
  PID: 1864
- C:\Windows\explorer.exe
  Command line: "C:\Windows\explorer.exe"
  PID: 2356
- C:\Windows\System32\msiexec.exe
  Command line: "C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\Documents\mal\DHGVD67JH-7DVCJ7HF-E7CLJHE7YH-E67FBHCH-7992643.msi"
  Signatures: Enumerates connected drives; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow
  PID: 784
- C:\Windows\system32\msiexec.exe
  Command line: C:\Windows\system32\msiexec.exe /V
  Signatures: Enumerates connected drives; Drops file in Windows directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  PID: 2908
  - C:\Windows\syswow64\MsiExec.exe (child of PID 2908)
    Command line: C:\Windows\syswow64\MsiExec.exe -Embedding 1C71F1C73CC2B2C0E9DB00CE3327AD51
    Signatures: Loads dropped DLL; Blocklisted process makes network request; Suspicious use of SetWindowsHookEx
    PID: 1616
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 554KB
  MD5: 3b171ce087bb799aafcbbd93bab27f71
  SHA1: 7bd69efbc7797bdff5510830ca2cc817c8b86d08
  SHA256: bb9a3c8972d89ad03c1dee3e91f03a13aca8d370185ac521b8c48040cc285ef4
  SHA512: 7700d86f6f2c6798bed1be6cd651805376d545f48f0a89c08f7032066431cb4df980688a360c44275b8d7f8010769dc236fbdaa0184125d016acdf158989ee38
- Filesize: 1.3MB
  MD5: 6b7952f75226dbee67b821475293fcd8
  SHA1: 24b6101ab65b2676166aa5117eaa0aacd8c7442a
  SHA256: 7f5b7e6b865e4df50ee082520e0264124581f30681767b7051a168024389f53a
  SHA512: 678ca43275105200c127af34713569398e46853c40e4d420259d48d20ced8f11c0f183260faa1f17a8961074fab82c4ceb5a3dd1333d80f06a638683eef3009f
- Filesize: 623KB
  MD5: 25845a7ef27d60301cfe4b74f72c3dac
  SHA1: 1b705544bc09da4adb2f9e78726ee6b2064c787c
  SHA256: 63653f890a72bd56e6f8ba9ee348db614c36f8808d15d4de7e543a1d5afa89e2
  SHA512: 6017850469aa0888ca6ab0fb887ec7c7e4cc5743794919069292bde845b3dc6ba5999284e93e9244fef48c9ea0d952b66fd02153615634b95f56cc8321fec753