Resubmissions
Submitted            Analysis ID          Score
11/01/2024, 04:17    240111-ewj4tsfcf9    7
11/01/2024, 04:09    240111-eq4laafbg6    7
10/01/2024, 02:48    240110-darq4scdbn    7
10/01/2024, 02:33    240110-c2bcrscbfl    7
10/01/2024, 02:10    240110-cls8msdaf5    1
10/01/2024, 01:31    240110-bxfw1scec5    1
Analysis
max time kernel: 225s
max time network: 221s
platform: windows7_x64
resource: win7-20231215-es
resource tags: arch:x64, arch:x86, image:win7-20231215-es, locale:es-es, os:windows7-x64, system, windows
submitted: 11/01/2024, 04:17
Static task: static1
Behavioral task: behavioral1 (Sample: mal.zip, Resource: win7-20231215-es)
Behavioral task: behavioral2 (Sample: mal.zip, Resource: win10v2004-20231215-es)
General
Target: mal.zip
Size: 4.5MB
MD5: 15a36183a2d2c4a43f7f203548fbcb04
SHA1: 3ce2a3904eeef714abec465b55a0c20f6e47b079
SHA256: ebb825664642befb034e02fdac2c2ed618f2832e563f1380f8f02e738e477345
SHA512: 67325d485999e25cbe1c31162af5f3f081de3a22b15cd7b79470c20276a4fb299762835d94e7a4ffa4756b41df9eba7d692d84d455d7645e5e09386a09b18e4f
SSDEEP: 98304:pOA4lR+FGuh9N2fQdB9ySsivCYOxSeWs10MS9UVmpLhVGQvnUQqy5H+:pSR+FGugfQdB9vlvChWmdS9U2LHFZF+
Malware Config
Signatures
Loads dropped DLL (4 IoCs)
pid   Process
2992  MsiExec.exe
2992  MsiExec.exe
2992  MsiExec.exe
2992  MsiExec.exe

Blocklisted process makes network request (1 IoC)
flow  pid   Process
3     2992  MsiExec.exe

Enumerates connected drives (3 TTPs, 46 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description              ioc     Process
File opened (read-only)  \??\B:  msiexec.exe
File opened (read-only)  \??\H:  msiexec.exe
File opened (read-only)  \??\S:  msiexec.exe
File opened (read-only)  \??\Y:  msiexec.exe
File opened (read-only)  \??\R:  msiexec.exe
File opened (read-only)  \??\A:  msiexec.exe
File opened (read-only)  \??\I:  msiexec.exe
File opened (read-only)  \??\M:  msiexec.exe
File opened (read-only)  \??\T:  msiexec.exe
File opened (read-only)  \??\Z:  msiexec.exe
File opened (read-only)  \??\O:  msiexec.exe
File opened (read-only)  \??\P:  msiexec.exe
File opened (read-only)  \??\E:  msiexec.exe
File opened (read-only)  \??\G:  msiexec.exe
File opened (read-only)  \??\H:  msiexec.exe
File opened (read-only)  \??\K:  msiexec.exe
File opened (read-only)  \??\U:  msiexec.exe
File opened (read-only)  \??\X:  msiexec.exe
File opened (read-only)  \??\N:  msiexec.exe
File opened (read-only)  \??\Z:  msiexec.exe
File opened (read-only)  \??\B:  msiexec.exe
File opened (read-only)  \??\T:  msiexec.exe
File opened (read-only)  \??\V:  msiexec.exe
File opened (read-only)  \??\W:  msiexec.exe
File opened (read-only)  \??\E:  msiexec.exe
File opened (read-only)  \??\L:  msiexec.exe
File opened (read-only)  \??\V:  msiexec.exe
File opened (read-only)  \??\J:  msiexec.exe
File opened (read-only)  \??\M:  msiexec.exe
File opened (read-only)  \??\S:  msiexec.exe
File opened (read-only)  \??\G:  msiexec.exe
File opened (read-only)  \??\J:  msiexec.exe
File opened (read-only)  \??\Q:  msiexec.exe
File opened (read-only)  \??\U:  msiexec.exe
File opened (read-only)  \??\O:  msiexec.exe
File opened (read-only)  \??\P:  msiexec.exe
File opened (read-only)  \??\K:  msiexec.exe
File opened (read-only)  \??\R:  msiexec.exe
File opened (read-only)  \??\X:  msiexec.exe
File opened (read-only)  \??\A:  msiexec.exe
File opened (read-only)  \??\I:  msiexec.exe
File opened (read-only)  \??\L:  msiexec.exe
File opened (read-only)  \??\W:  msiexec.exe
File opened (read-only)  \??\N:  msiexec.exe
File opened (read-only)  \??\Q:  msiexec.exe
File opened (read-only)  \??\Y:  msiexec.exe

Drops file in Windows directory (9 IoCs)
description                   ioc                               Process
File created                  C:\Windows\Installer\f77aa24.msi  msiexec.exe
File opened for modification  C:\Windows\Installer\f77aa24.msi  msiexec.exe
File opened for modification  C:\Windows\Installer\MSIAEC7.tmp  msiexec.exe
File opened for modification  C:\Windows\Installer\MSICD22.tmp  msiexec.exe
File opened for modification  C:\Windows\Installer\MSICD81.tmp  msiexec.exe
File opened for modification  C:\Windows\Installer\MSIAAA1.tmp  msiexec.exe
File opened for modification  C:\Windows\Installer\MSIAF83.tmp  msiexec.exe
File created                  C:\Windows\Installer\f77aa27.ipi  msiexec.exe
File opened for modification  C:\Windows\Installer\             msiexec.exe

Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid   Process
2900  msiexec.exe
2900  msiexec.exe

Suspicious use of AdjustPrivilegeToken (48 IoCs)
description                            pid   Process
Token: SeShutdownPrivilege             2648  msiexec.exe
Token: SeIncreaseQuotaPrivilege        2648  msiexec.exe
Token: SeRestorePrivilege              2900  msiexec.exe
Token: SeTakeOwnershipPrivilege        2900  msiexec.exe
Token: SeSecurityPrivilege             2900  msiexec.exe
Token: SeCreateTokenPrivilege          2648  msiexec.exe
Token: SeAssignPrimaryTokenPrivilege   2648  msiexec.exe
Token: SeLockMemoryPrivilege           2648  msiexec.exe
Token: SeIncreaseQuotaPrivilege        2648  msiexec.exe
Token: SeMachineAccountPrivilege       2648  msiexec.exe
Token: SeTcbPrivilege                  2648  msiexec.exe
Token: SeSecurityPrivilege             2648  msiexec.exe
Token: SeTakeOwnershipPrivilege        2648  msiexec.exe
Token: SeLoadDriverPrivilege           2648  msiexec.exe
Token: SeSystemProfilePrivilege        2648  msiexec.exe
Token: SeSystemtimePrivilege           2648  msiexec.exe
Token: SeProfSingleProcessPrivilege    2648  msiexec.exe
Token: SeIncBasePriorityPrivilege      2648  msiexec.exe
Token: SeCreatePagefilePrivilege       2648  msiexec.exe
Token: SeCreatePermanentPrivilege      2648  msiexec.exe
Token: SeBackupPrivilege               2648  msiexec.exe
Token: SeRestorePrivilege              2648  msiexec.exe
Token: SeShutdownPrivilege             2648  msiexec.exe
Token: SeDebugPrivilege                2648  msiexec.exe
Token: SeAuditPrivilege                2648  msiexec.exe
Token: SeSystemEnvironmentPrivilege    2648  msiexec.exe
Token: SeChangeNotifyPrivilege         2648  msiexec.exe
Token: SeRemoteShutdownPrivilege       2648  msiexec.exe
Token: SeUndockPrivilege               2648  msiexec.exe
Token: SeSyncAgentPrivilege            2648  msiexec.exe
Token: SeEnableDelegationPrivilege     2648  msiexec.exe
Token: SeManageVolumePrivilege         2648  msiexec.exe
Token: SeImpersonatePrivilege          2648  msiexec.exe
Token: SeCreateGlobalPrivilege         2648  msiexec.exe
Token: SeRestorePrivilege              2900  msiexec.exe
Token: SeTakeOwnershipPrivilege        2900  msiexec.exe
Token: SeRestorePrivilege              2900  msiexec.exe
Token: SeTakeOwnershipPrivilege        2900  msiexec.exe
Token: SeRestorePrivilege              2900  msiexec.exe
Token: SeTakeOwnershipPrivilege        2900  msiexec.exe
Token: SeRestorePrivilege              2900  msiexec.exe
Token: SeTakeOwnershipPrivilege        2900  msiexec.exe
Token: SeRestorePrivilege              2900  msiexec.exe
Token: SeTakeOwnershipPrivilege        2900  msiexec.exe
Token: SeRestorePrivilege              2900  msiexec.exe
Token: SeTakeOwnershipPrivilege        2900  msiexec.exe
Token: SeRestorePrivilege              2900  msiexec.exe
Token: SeTakeOwnershipPrivilege        2900  msiexec.exe

Suspicious use of FindShellTrayWindow (1 IoC)
pid   Process
2648  msiexec.exe

Suspicious use of SetWindowsHookEx (3 IoCs)
pid   Process
2992  MsiExec.exe
2992  MsiExec.exe
2992  MsiExec.exe

Suspicious use of WriteProcessMemory (7 IoCs)
description                       pid   Process      procid_target
PID 2900 wrote to memory of 2992  2900  msiexec.exe  37
PID 2900 wrote to memory of 2992  2900  msiexec.exe  37
PID 2900 wrote to memory of 2992  2900  msiexec.exe  37
PID 2900 wrote to memory of 2992  2900  msiexec.exe  37
PID 2900 wrote to memory of 2992  2900  msiexec.exe  37
PID 2900 wrote to memory of 2992  2900  msiexec.exe  37
PID 2900 wrote to memory of 2992  2900  msiexec.exe  37
Processes
C:\Windows\Explorer.exe
  Command line: C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\mal.zip
  PID: 2472

C:\Windows\explorer.exe
  Command line: "C:\Windows\explorer.exe"
  PID: 2796

C:\Windows\System32\msiexec.exe
  Command line: "C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\Documents\mal\DHGVD67JH-7DVCJ7HF-E7CLJHE7YH-E67FBHCH-7992643.msi"
  Signatures:
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID: 2648

C:\Windows\system32\msiexec.exe
  Command line: C:\Windows\system32\msiexec.exe /V
  Signatures:
  - Enumerates connected drives
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 2900
  Child process:
    C:\Windows\syswow64\MsiExec.exe
      Command line: C:\Windows\syswow64\MsiExec.exe -Embedding C7512015DC8EE1B72498F127DE0071BA
      Signatures:
      - Loads dropped DLL
      - Blocklisted process makes network request
      - Suspicious use of SetWindowsHookEx
      PID: 2992
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 554KB
MD5: 3b171ce087bb799aafcbbd93bab27f71
SHA1: 7bd69efbc7797bdff5510830ca2cc817c8b86d08
SHA256: bb9a3c8972d89ad03c1dee3e91f03a13aca8d370185ac521b8c48040cc285ef4
SHA512: 7700d86f6f2c6798bed1be6cd651805376d545f48f0a89c08f7032066431cb4df980688a360c44275b8d7f8010769dc236fbdaa0184125d016acdf158989ee38

Filesize: 1.5MB
MD5: 0fe8a187f05057815daa5b753259693d
SHA1: 565ddd946b6d9a5125cc0493931aa658824652bb
SHA256: a0c545392c7498f213c0cb4eaf9fb65611aabd06f1d69e2ca9b9e4b9f466cf5a
SHA512: 57bcb97dee0019191148feb8e4f8bd796e350734e3bcc47e511d79a25086d312b7bc1cb887654f31e14368308128354255b654d6bdb330a6c4af86f434ab3648

Filesize: 862KB
MD5: 9a4ef4d1ad0c94a170f694426d92606f
SHA1: 737b357f5e7482bb42c271dc2c20aadeb1f66294
SHA256: c1427d4ad9f5bf9a57136746125aa5c125d470181b7d8005787be1cfb6f17310
SHA512: c7a59d3f5b76eb817a567b0825e9a8447b741cca26599841417535a458c910188749d1991d7c7b26c80e4719b564f79baa09a7166c8cea536051da561e25ccca