Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    120s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    22/02/2024, 12:48

General

  • Target

    install.msi

  • Size

    3.3MB

  • MD5

    4e5903c4ff6d79dbad178815b377554d

  • SHA1

    74f50126aebbd186d6defa3641113cdc88a37fa2

  • SHA256

    d67bc5bfd6512b944e1c5e3e7d6871771c84d9eb94c863d123c5e92c6a86dc46

  • SHA512

    9a513449963c860e9be50c05a79beeea554fc6bc9748b260340711d8cb705cb022f53f10cfdc35ce1ad8d97644df57a9aae959b6dbb96c15b85d8ecaf62031a8

  • SSDEEP

    98304:5pKIwis1N1AaewONvZOIUFz+PlROVt1OTLmUsg:6IHmnqvZlUFz8RtyPg

Score
7/10

Malware Config

Signatures

  • Modifies file permissions 1 TTPs 2 IoCs
  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Windows directory 11 IoCs
  • Loads dropped DLL 1 IoCs
  • Modifies data under HKEY_USERS 43 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 53 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of WriteProcessMemory 27 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Windows\system32\msiexec.exe
    msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\install.msi
    1⤵
    • Enumerates connected drives
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:844
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Enumerates connected drives
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2684
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding ADA863A7C034317451C08EFEDCA3F332
      2⤵
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:2384
      • C:\Windows\SysWOW64\ICACLS.EXE
        "C:\Windows\system32\ICACLS.EXE" "C:\Users\Admin\AppData\Local\Temp\MW-15d3f75d-eb68-421f-b3e6-9c2e0c64d25f\." /SETINTEGRITYLEVEL (CI)(OI)HIGH
        3⤵
        • Modifies file permissions
        PID:2816
      • C:\Windows\SysWOW64\EXPAND.EXE
        "C:\Windows\system32\EXPAND.EXE" -R files.cab -F:* files
        3⤵
        • Drops file in Windows directory
        PID:2168
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c start msedge https://www.concurtraining.com/customers/tech_pubs/Docs/_Current/UG_Inv/Inv_UG_Invoice_Pay.pdf
        3⤵
          PID:1508
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c rd /s /q "C:\Users\Admin\AppData\Local\Temp\MW-15d3f75d-eb68-421f-b3e6-9c2e0c64d25f\files"
          3⤵
            PID:2904
          • C:\Windows\SysWOW64\ICACLS.EXE
            "C:\Windows\system32\ICACLS.EXE" "C:\Users\Admin\AppData\Local\Temp\MW-15d3f75d-eb68-421f-b3e6-9c2e0c64d25f\." /SETINTEGRITYLEVEL (CI)(OI)LOW
            3⤵
            • Modifies file permissions
            PID:2584
      • C:\Windows\system32\vssvc.exe
        C:\Windows\system32\vssvc.exe
        1⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:2128
      • C:\Windows\system32\DrvInst.exe
        DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000003C8" "00000000000003D0"
        1⤵
        • Drops file in Windows directory
        • Modifies data under HKEY_USERS
        • Suspicious use of AdjustPrivilegeToken
        PID:2416

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\MW-15d3f75d-eb68-421f-b3e6-9c2e0c64d25f\files.cab

        Filesize

        3.1MB

        MD5

        c5251b4a0300ac59b9c51b39b48960ef

        SHA1

        1a9f4710e07aff28c8961b8bb4d5a525ea385e42

        SHA256

        4d5fd376d65beb611b661283d72a19f92e69812c716546e3b3809062671238f2

        SHA512

        a00ddbbd2e4d29b6e54ad422d3a69c4cf3b68cec704c677b5713afe8080774a7b35367464fe5bde19efdd07795f1f7ce2ef13f236241b048638f56fa158b2e76

      • C:\Users\Admin\AppData\Local\Temp\MW-15d3f75d-eb68-421f-b3e6-9c2e0c64d25f\files\install.exe

        Filesize

        17.4MB

        MD5

        ccdd9f0ac61884935d08e0d7153d64b1

        SHA1

        6bb497ff904c908698fe84782e6d001821016461

        SHA256

        40cc8405c8cfdd9e3945aa9925211eab6530174b721d933603037d62be974695

        SHA512

        f3ef9829422c53bad188bcb9ef540b031a857db00c318810d630fba8dc69e4580aaf7e5817624051998add315c23a740d58564860af23009d03535e2ed80fbb4

      • C:\Users\Admin\AppData\Local\Temp\MW-15d3f75d-eb68-421f-b3e6-9c2e0c64d25f\msiwrapper.ini

        Filesize

        378B

        MD5

        4524354783ff302b9d276a4c1515a8a3

        SHA1

        998a6fb6417bf28b11c2c73b6ea7c7d2f4c67e23

        SHA256

        a939b426b5fc0a9125873185848f34a11ed91c7502f6828d20cc39b8b44a620d

        SHA512

        79e9e9930cee7c1dc6a4e9adee5d7096f680264aa1722f98c3493771eef15b773c8d5cf32650f6090f8ee42fbf872c2ef97448493bad305d5fec4f703ba53af2

      • C:\Users\Admin\AppData\Local\Temp\MW-15d3f75d-eb68-421f-b3e6-9c2e0c64d25f\msiwrapper.ini

        Filesize

        1KB

        MD5

        c54a138f0fd664a16c5aae2e01662336

        SHA1

        3004454b9f723c304905cd0cf5bf1e2edef310d5

        SHA256

        0dfa1978d72e412d687034d92fc462920a7fe3912aaca3b75455eb989ba0fd7a

        SHA512

        5d8826fe4fbd6f1d962bb78cf659b7f16af4d94ff9cccaa4b2e3ef579db6e7ad955adfd4f6f06e7f89d62097f7ba4742289a1a3a41a0707df535f0678da76df8

      • C:\Windows\Installer\MSIA5F0.tmp

        Filesize

        208KB

        MD5

        4caaa03e0b59ca60a3d34674b732b702

        SHA1

        ee80c8f4684055ac8960b9720fb108be07e1d10c

        SHA256

        d01af2b8c692dffb04a5a04e3ccd0d0a3b2c67c8fc45a4b68c0a065b4e64cc3d

        SHA512

        25888848871286bdd1f9c43a0fba35640edb5bafbe0c6aa2f9708a070ea4e5b16745b7c4f744ae4f5643f75ef47f196d430bf70921ed27715f712825ec590a34

      • memory/1508-75-0x0000000000400000-0x0000000000401000-memory.dmp

        Filesize

        4KB