Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Resubmissions
  Submitted           Analysis ID         Score
  11/01/2024, 04:17   240111-ewj4tsfcf9   7
  11/01/2024, 04:09   240111-eq4laafbg6   7
  10/01/2024, 02:48   240110-darq4scdbn   7
  10/01/2024, 02:33   240110-c2bcrscbfl   7
  10/01/2024, 02:10   240110-cls8msdaf5   1
  10/01/2024, 01:31   240110-bxfw1scec5   1

Analysis
- max time kernel: 172s
- max time network: 220s
- platform: windows10-2004_x64
- resource: win10v2004-20231215-es
- resource tags: arch:x64, arch:x86, image:win10v2004-20231215-es, locale:es-es, os:windows10-2004-x64, system, windows
- submitted: 11/01/2024, 04:09
Tasks
- Static task: static1
- Behavioral task: behavioral1
  Sample: mal.zip
  Resource: win7-20231215-es
- Behavioral task: behavioral2
  Sample: mal.zip
  Resource: win10v2004-20231215-es
General
- Target: mal.zip
- Size: 4.5MB
- MD5: 15a36183a2d2c4a43f7f203548fbcb04
- SHA1: 3ce2a3904eeef714abec465b55a0c20f6e47b079
- SHA256: ebb825664642befb034e02fdac2c2ed618f2832e563f1380f8f02e738e477345
- SHA512: 67325d485999e25cbe1c31162af5f3f081de3a22b15cd7b79470c20276a4fb299762835d94e7a4ffa4756b41df9eba7d692d84d455d7645e5e09386a09b18e4f
- SSDEEP: 98304:pOA4lR+FGuh9N2fQdB9ySsivCYOxSeWs10MS9UVmpLhVGQvnUQqy5H+:pSR+FGugfQdB9vlvChWmdS9U2LHFZF+
Malware Config
Signatures
- Loads dropped DLL (5 IoCs)
  pid 1628 MsiExec.exe (5 entries)

- Blocklisted process makes network request (1 IoC)
  flow 101, pid 1628, MsiExec.exe

- Enumerates connected drives (3 TTPs, 46 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  File opened (read-only) by msiexec.exe, in the order recorded:
  \??\I:, \??\J:, \??\K:, \??\T:, \??\A:, \??\Y:, \??\N:, \??\T:, \??\V:, \??\B:, \??\W:, \??\I:, \??\K:, \??\L:, \??\M:, \??\A:, \??\R:, \??\X:, \??\Y:, \??\S:, \??\G:, \??\Q:, \??\R:, \??\V:, \??\Z:, \??\O:, \??\P:, \??\W:, \??\E:, \??\M:, \??\P:, \??\S:, \??\X:, \??\H:, \??\U:, \??\Z:, \??\N:, \??\O:, \??\U:, \??\G:, \??\J:, \??\Q:, \??\H:, \??\L:, \??\B:, \??\E:

- Drops file in Windows directory (12 IoCs, all by msiexec.exe)
  File created                C:\Windows\Installer\e59d893.msi
  File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log
  File opened for modification C:\Windows\Installer\MSID8F1.tmp
  File opened for modification C:\Windows\Installer\MSIDA2C.tmp
  File opened for modification C:\Windows\Installer\
  File opened for modification C:\Windows\Installer\MSIDABA.tmp
  File opened for modification C:\Windows\Installer\MSIDADB.tmp
  File opened for modification C:\Windows\Installer\e59d893.msi
  File opened for modification C:\Windows\Installer\MSIDA0B.tmp
  File opened for modification C:\Windows\Installer\MSIDA3C.tmp
  File created                C:\Windows\Installer\inprogressinstallinfo.ipi
  File created                C:\Windows\Installer\SourceHash{7DYJWJJG-5WYX-D1PV-Y0NY-AXWN09PCNPKD}

- Program crash (3 IoCs)
  pid    pid_target   Process        procid_target
  3828   1628         WerFault.exe   123
  1772   244          WerFault.exe   128
  2528   3292         WerFault.exe   132

- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid 4724 msiexec.exe (2 entries)

- Suspicious use of AdjustPrivilegeToken (46 IoCs)
  Token: SeShutdownPrivilege            pid 1952 msiexec.exe
  Token: SeIncreaseQuotaPrivilege       pid 1952 msiexec.exe
  Token: SeSecurityPrivilege            pid 4724 msiexec.exe
  Token: SeCreateTokenPrivilege         pid 1952 msiexec.exe
  Token: SeAssignPrimaryTokenPrivilege  pid 1952 msiexec.exe
  Token: SeLockMemoryPrivilege          pid 1952 msiexec.exe
  Token: SeIncreaseQuotaPrivilege       pid 1952 msiexec.exe
  Token: SeMachineAccountPrivilege      pid 1952 msiexec.exe
  Token: SeTcbPrivilege                 pid 1952 msiexec.exe
  Token: SeSecurityPrivilege            pid 1952 msiexec.exe
  Token: SeTakeOwnershipPrivilege       pid 1952 msiexec.exe
  Token: SeLoadDriverPrivilege          pid 1952 msiexec.exe
  Token: SeSystemProfilePrivilege       pid 1952 msiexec.exe
  Token: SeSystemtimePrivilege          pid 1952 msiexec.exe
  Token: SeProfSingleProcessPrivilege   pid 1952 msiexec.exe
  Token: SeIncBasePriorityPrivilege     pid 1952 msiexec.exe
  Token: SeCreatePagefilePrivilege      pid 1952 msiexec.exe
  Token: SeCreatePermanentPrivilege     pid 1952 msiexec.exe
  Token: SeBackupPrivilege              pid 1952 msiexec.exe
  Token: SeRestorePrivilege             pid 1952 msiexec.exe
  Token: SeShutdownPrivilege            pid 1952 msiexec.exe
  Token: SeDebugPrivilege               pid 1952 msiexec.exe
  Token: SeAuditPrivilege               pid 1952 msiexec.exe
  Token: SeSystemEnvironmentPrivilege   pid 1952 msiexec.exe
  Token: SeChangeNotifyPrivilege        pid 1952 msiexec.exe
  Token: SeRemoteShutdownPrivilege      pid 1952 msiexec.exe
  Token: SeUndockPrivilege              pid 1952 msiexec.exe
  Token: SeSyncAgentPrivilege           pid 1952 msiexec.exe
  Token: SeEnableDelegationPrivilege    pid 1952 msiexec.exe
  Token: SeManageVolumePrivilege        pid 1952 msiexec.exe
  Token: SeImpersonatePrivilege         pid 1952 msiexec.exe
  Token: SeCreateGlobalPrivilege        pid 1952 msiexec.exe
  Token: SeRestorePrivilege             pid 4724 msiexec.exe
  Token: SeTakeOwnershipPrivilege       pid 4724 msiexec.exe
  (the preceding pair of SeRestorePrivilege / SeTakeOwnershipPrivilege for pid 4724 is recorded 7 times in total, 14 entries)

- Suspicious use of FindShellTrayWindow (1 IoC)
  pid 1952 msiexec.exe

- Suspicious use of SetWindowsHookEx (3 IoCs)
  pid 1628 MsiExec.exe (3 entries)

- Suspicious use of WriteProcessMemory (3 IoCs)
  PID 4724 wrote to memory of 1628   pid 4724 msiexec.exe   procid_target 123 (3 entries)
Processes
- C:\Windows\Explorer.exe
  Command line: C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\mal.zip
  PID: 4520

- C:\Windows\System32\rundll32.exe
  Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
  PID: 4788

- C:\Windows\System32\msiexec.exe
  Command line: "C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\Documents\mal\DHGVD67JH-7DVCJ7HF-E7CLJHE7YH-E67FBHCH-7992643.msi"
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID: 1952

- C:\Windows\system32\msiexec.exe
  Command line: C:\Windows\system32\msiexec.exe /V
  - Enumerates connected drives
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 4724

  - C:\Windows\syswow64\MsiExec.exe
    Command line: C:\Windows\syswow64\MsiExec.exe -Embedding 5EC4A117604576844B25538328EC98BF
    - Loads dropped DLL
    - Blocklisted process makes network request
    - Suspicious use of SetWindowsHookEx
    PID: 1628

    - C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1628 -s 1044
      - Program crash
      PID: 3828

  - C:\Windows\syswow64\MsiExec.exe
    Command line: C:\Windows\syswow64\MsiExec.exe -Embedding 651D85CAEAE1B8C1147B8FDF176079F5
    PID: 244

    - C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 244 -s 1052
      - Program crash
      PID: 1772

  - C:\Windows\syswow64\MsiExec.exe
    Command line: C:\Windows\syswow64\MsiExec.exe -Embedding 7A71BBDA08A5C2D3D986276E8D0D9CDB
    PID: 3292

    - C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3292 -s 1044
      - Program crash
      PID: 2528

- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1628 -ip 1628
  PID: 1544

- C:\Windows\System32\msiexec.exe
  Command line: "C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\Documents\mal\DHGVD67JH-7DVCJ7HF-E7CLJHE7YH-E67FBHCH-7992643.msi"
  PID: 3932

- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 244 -ip 244
  PID: 4052

- C:\Windows\System32\msiexec.exe
  Command line: "C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\Documents\mal\DHGVD67JH-7DVCJ7HF-E7CLJHE7YH-E67FBHCH-7992643.msi"
  PID: 2632

- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 3292 -ip 3292
  PID: 2680
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 554KB
  MD5: 3b171ce087bb799aafcbbd93bab27f71
  SHA1: 7bd69efbc7797bdff5510830ca2cc817c8b86d08
  SHA256: bb9a3c8972d89ad03c1dee3e91f03a13aca8d370185ac521b8c48040cc285ef4
  SHA512: 7700d86f6f2c6798bed1be6cd651805376d545f48f0a89c08f7032066431cb4df980688a360c44275b8d7f8010769dc236fbdaa0184125d016acdf158989ee38

- Filesize: 93KB
  MD5: 4dd7d13bf96ba74f8dcae2e35b88d14b
  SHA1: 93a4b897c6d997e9fb5b581e7e28ad96ce55f3f3
  SHA256: 0cd646e17b2c73ff124d381619c93df27edc91f42992210b7b278ed67793bbfc
  SHA512: a9529638f88f7ab0469b8c5eddda0bb66a453b258803570480fea3acff97608286f9bedc2ebef29c5706c8113a6343b698ef38d5a9e517a1b8683ac6af83bb5b

- Filesize: 92KB
  MD5: 6ab8165d3c4a3d66ad885dbd54adcb9a
  SHA1: 3ac08ee55156d1face02cf6d6223b3c7497774ac
  SHA256: cc38aedbb568784f89c4251e28de7a8b351954878792ee1945ef13e0faa26e05
  SHA512: 07b0fb099faba14b0b9af72ca3fce1179cef284680feb611ff9b1f98c0dc04c2b884bcd6a91ab791ecc2e720aac24025942d72cb3abbcd40a3a98f497195d46c