Notice: Windows 7 will be removed from tria.ge on 2025-03-31.
Analysis
max time kernel: 120s
max time network: 123s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 22/02/2024, 12:48
Static task: static1
Behavioral task behavioral1: sample install.msi, resource win7-20240221-en
Behavioral task behavioral2: sample install.msi, resource win10v2004-20240221-en
General
Target: install.msi
Size: 3.3MB
MD5: 4e5903c4ff6d79dbad178815b377554d
SHA1: 74f50126aebbd186d6defa3641113cdc88a37fa2
SHA256: d67bc5bfd6512b944e1c5e3e7d6871771c84d9eb94c863d123c5e92c6a86dc46
SHA512: 9a513449963c860e9be50c05a79beeea554fc6bc9748b260340711d8cb705cb022f53f10cfdc35ce1ad8d97644df57a9aae959b6dbb96c15b85d8ecaf62031a8
SSDEEP: 98304:5pKIwis1N1AaewONvZOIUFz+PlROVt1OTLmUsg:6IHmnqvZlUFz8RtyPg
Malware Config
Signatures
-
Modifies file permissions (1 TTP, 2 IoCs)
pid   Process
2816  ICACLS.EXE
2584  ICACLS.EXE
-
Enumerates connected drives (3 TTPs, 46 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
File opened (read-only) by msiexec.exe: \??\A: \??\B: \??\E: \??\G: \??\H: \??\I: \??\J: \??\K: \??\L: \??\M: \??\N: \??\O: \??\P: \??\Q: \??\R: \??\S: \??\T: \??\U: \??\V: \??\W: \??\X: \??\Y: \??\Z:
Each of these 23 letters is recorded twice, giving the 46 IoCs; C:, D: and F: do not appear in the list. Windows Installer probes every drive letter during its costing phase, so this signature also fires on benign installers and is not on its own evidence of reconnaissance.
-
Drops file in Windows directory (11 IoCs)
description                    ioc                                        Process
File opened for modification   C:\Windows\Installer\                      msiexec.exe
File opened for modification   C:\Windows\Installer\f76a44c.ipi           msiexec.exe
File created                   C:\Windows\Installer\f76a44c.ipi           msiexec.exe
File created                   C:\Windows\Installer\f76a44b.msi           msiexec.exe
File opened for modification   C:\Windows\Installer\f76a44b.msi           msiexec.exe
File opened for modification   C:\Windows\Installer\MSIA5F0.tmp           msiexec.exe
File opened for modification   C:\Windows\INF\setupapi.dev.log            DrvInst.exe
File opened for modification   C:\Windows\INF\setupapi.ev1                DrvInst.exe
File opened for modification   C:\Windows\INF\setupapi.ev3                DrvInst.exe
File opened for modification   C:\Windows\Logs\DPX\setupact.log           EXPAND.EXE
File opened for modification   C:\Windows\Logs\DPX\setuperr.log           EXPAND.EXE
-
Loads dropped DLL (1 IoC)
pid   Process
2384  MsiExec.exe
-
Modifies data under HKEY_USERS (43 IoCs)
All entries are by DrvInst.exe and sit under \REGISTRY\USER\.DEFAULT\Software\ (paths below are relative to that prefix).
Key created (42):
  Microsoft\SystemCertificates\CA
  Microsoft\SystemCertificates\CA\CRLs
  Microsoft\SystemCertificates\CA\CTLs
  Microsoft\SystemCertificates\CA\Certificates
  Microsoft\SystemCertificates\Disallowed
  Microsoft\SystemCertificates\Disallowed\CRLs
  Microsoft\SystemCertificates\Disallowed\CTLs
  Microsoft\SystemCertificates\Disallowed\Certificates
  Microsoft\SystemCertificates\My
  Microsoft\SystemCertificates\Root
  Microsoft\SystemCertificates\Root\CRLs
  Microsoft\SystemCertificates\Root\CTLs
  Microsoft\SystemCertificates\Root\Certificates
  Microsoft\SystemCertificates\SmartCardRoot
  Microsoft\SystemCertificates\SmartCardRoot\CRLs
  Microsoft\SystemCertificates\SmartCardRoot\CTLs
  Microsoft\SystemCertificates\SmartCardRoot\Certificates
  Microsoft\SystemCertificates\TrustedPeople
  Microsoft\SystemCertificates\TrustedPeople\CRLs
  Microsoft\SystemCertificates\TrustedPeople\CTLs
  Microsoft\SystemCertificates\TrustedPeople\Certificates
  Microsoft\SystemCertificates\trust
  Microsoft\SystemCertificates\trust\CRLs
  Microsoft\SystemCertificates\trust\CTLs
  Microsoft\SystemCertificates\trust\Certificates
  Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing
  Policies\Microsoft\SystemCertificates\CA
  Policies\Microsoft\SystemCertificates\CA\CRLs
  Policies\Microsoft\SystemCertificates\CA\CTLs
  Policies\Microsoft\SystemCertificates\CA\Certificates
  Policies\Microsoft\SystemCertificates\Disallowed
  Policies\Microsoft\SystemCertificates\Disallowed\CRLs
  Policies\Microsoft\SystemCertificates\Disallowed\CTLs
  Policies\Microsoft\SystemCertificates\Disallowed\Certificates
  Policies\Microsoft\SystemCertificates\TrustedPeople
  Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs
  Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs
  Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates
  Policies\Microsoft\SystemCertificates\trust
  Policies\Microsoft\SystemCertificates\trust\CRLs
  Policies\Microsoft\SystemCertificates\trust\CTLs
  Policies\Microsoft\SystemCertificates\trust\Certificates
Set value (data) (1):
  Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 (UTF-16LE multi-string "en-US", "en")
These are the per-profile certificate-store and WinTrust keys that DrvInst.exe initialises in the .DEFAULT (SYSTEM) hive while it verifies driver signatures; no autorun or policy value is written, so this block is driver-install housekeeping rather than a persistence change.
-
Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid   Process
2684  msiexec.exe
2684  msiexec.exe
-
Suspicious use of AdjustPrivilegeToken (53 IoCs)
Token adjustments grouped by process, in report order:
844 msiexec.exe (31): SeShutdownPrivilege, SeIncreaseQuotaPrivilege, SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege, SeIncreaseQuotaPrivilege, SeMachineAccountPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeSyncAgentPrivilege, SeEnableDelegationPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
2684 msiexec.exe (9): SeRestorePrivilege, SeTakeOwnershipPrivilege, SeSecurityPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeRestorePrivilege, SeTakeOwnershipPrivilege, SeRestorePrivilege, SeTakeOwnershipPrivilege
2128 vssvc.exe (3): SeBackupPrivilege, SeRestorePrivilege, SeAuditPrivilege
2416 DrvInst.exe (10): SeRestorePrivilege (7 times), SeLoadDriverPrivilege (3 times)
The 29-privilege run by PID 844 is the Windows Installer client enabling every privilege on its token, which happens on benign installs as well; the SeBackup/SeRestore pairs on msiexec.exe, vssvc.exe and DrvInst.exe belong to the system-restore snapshot taken before the install.
-
Suspicious use of FindShellTrayWindow (2 IoCs)
pid   Process
844   msiexec.exe
844   msiexec.exe
-
Suspicious use of WriteProcessMemory (27 IoCs)
writer                target PID (procid_target)   count
2684 msiexec.exe      2384 (32)                    7
2384 MsiExec.exe      2816 (33)                    4
2384 MsiExec.exe      2168 (35)                    4
2384 MsiExec.exe      1508 (37)                    4
2384 MsiExec.exe      2904 (39)                    4
2384 MsiExec.exe      2584 (41)                    4
Every target is a direct child of the writer in the process tree below, which is consistent with process creation; the report records no write into an unrelated process.
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes

msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\install.msi
  image: C:\Windows\system32\msiexec.exe, PID 844
  Enumerates connected drives; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow

C:\Windows\system32\msiexec.exe /V
  image: C:\Windows\system32\msiexec.exe, PID 2684
  Enumerates connected drives; Drops file in Windows directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
    C:\Windows\syswow64\MsiExec.exe -Embedding ADA863A7C034317451C08EFEDCA3F332
      image: C:\Windows\syswow64\MsiExec.exe, PID 2384
      Loads dropped DLL; Suspicious use of WriteProcessMemory
        "C:\Windows\system32\ICACLS.EXE" "C:\Users\Admin\AppData\Local\Temp\MW-15d3f75d-eb68-421f-b3e6-9c2e0c64d25f\." /SETINTEGRITYLEVEL (CI)(OI)HIGH
          image: C:\Windows\SysWOW64\ICACLS.EXE, PID 2816
          Modifies file permissions
        "C:\Windows\system32\EXPAND.EXE" -R files.cab -F:* files
          image: C:\Windows\SysWOW64\EXPAND.EXE, PID 2168
          Drops file in Windows directory
        "C:\Windows\System32\cmd.exe" /c start msedge https://www.concurtraining.com/customers/tech_pubs/Docs/_Current/UG_Inv/Inv_UG_Invoice_Pay.pdf
          image: C:\Windows\SysWOW64\cmd.exe, PID 1508
        C:\Windows\system32\cmd.exe /c rd /s /q "C:\Users\Admin\AppData\Local\Temp\MW-15d3f75d-eb68-421f-b3e6-9c2e0c64d25f\files"
          image: C:\Windows\SysWOW64\cmd.exe, PID 2904
        "C:\Windows\system32\ICACLS.EXE" "C:\Users\Admin\AppData\Local\Temp\MW-15d3f75d-eb68-421f-b3e6-9c2e0c64d25f\." /SETINTEGRITYLEVEL (CI)(OI)LOW
          image: C:\Windows\SysWOW64\ICACLS.EXE, PID 2584
          Modifies file permissions

C:\Windows\system32\vssvc.exe
  image: C:\Windows\system32\vssvc.exe, PID 2128
  Suspicious use of AdjustPrivilegeToken

DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000003C8" "00000000000003D0"
  image: C:\Windows\system32\DrvInst.exe, PID 2416
  Drops file in Windows directory; Modifies data under HKEY_USERS; Suspicious use of AdjustPrivilegeToken

Reading the chain under PID 2384 (the 32-bit custom-action host spawned by the Windows Installer service): it raises the MW-15d3f75d-... directory under %TEMP% to high integrity, unpacks files.cab into a "files" subdirectory, runs "start msedge" against a PDF hosted on concurtraining.com, deletes the unpacked files with "rd /s /q", and drops the directory back to low integrity. No process is recorded between the cab extraction and the delete, so whatever files.cab contained was not observed executing in this run; the browser launch and the cleanup are the only visible effects of the custom action. The children's command lines name system32 while their images resolve under SysWOW64 because the 32-bit host is subject to WOW64 file-system redirection. The vssvc.exe and DrvInst.exe entries are the system-restore snapshot that Windows Installer requests before an install (DrvInst.exe is handling the HarddiskVolumeSnapshot19 device), not activity of the package itself.
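The chain under PID 2384 and the "Enumerates connected drives" signature are the two parts of this report worth automating when many MSI sandbox runs have to be screened. The Python below is an added example written for this page, not tria.ge code or tria.ge output: the process list and the drive-open events are re-entered as constructed sample data copied from the report, each child of a "MsiExec.exe -Embedding" host is tagged from its command line, and the 46 drive probes are reduced to the set of letters touched. The tag names (integrity:, cab:, open:, rmdir, wow64) and verdict names are this example's own.

```python
"""Post-process a Windows Installer process tree and drive-probe events.

Added example for this page; not tria.ge code. SAMPLE_PROCESSES and
SAMPLE_DRIVE_EVENTS are constructed from the report above, not exported.
"""
import re
from dataclasses import dataclass, field
from typing import Optional
from urllib.parse import urlparse


@dataclass
class Proc:
    pid: int
    parent: Optional[int]
    image: str      # image path as the sandbox resolved it
    cmdline: str    # command line as passed by the parent
    tags: list[str] = field(default_factory=list)


TEMP = r"C:\Users\Admin\AppData\Local\Temp"
MW = TEMP + r"\MW-15d3f75d-eb68-421f-b3e6-9c2e0c64d25f"

# Constructed from the Processes section: (pid, parent, image, cmdline).
SAMPLE_PROCESSES = [Proc(*row) for row in [
    (844, None, r"C:\Windows\system32\msiexec.exe",
     rf"msiexec.exe /I {TEMP}\install.msi"),
    (2684, None, r"C:\Windows\system32\msiexec.exe",
     r"C:\Windows\system32\msiexec.exe /V"),
    (2384, 2684, r"C:\Windows\syswow64\MsiExec.exe",
     r"C:\Windows\syswow64\MsiExec.exe -Embedding ADA863A7C034317451C08EFEDCA3F332"),
    (2816, 2384, r"C:\Windows\SysWOW64\ICACLS.EXE",
     rf'"C:\Windows\system32\ICACLS.EXE" "{MW}\." /SETINTEGRITYLEVEL (CI)(OI)HIGH'),
    (2168, 2384, r"C:\Windows\SysWOW64\EXPAND.EXE",
     r'"C:\Windows\system32\EXPAND.EXE" -R files.cab -F:* files'),
    (1508, 2384, r"C:\Windows\SysWOW64\cmd.exe",
     r'"C:\Windows\System32\cmd.exe" /c start msedge '
     r"https://www.concurtraining.com/customers/tech_pubs/Docs/_Current/UG_Inv/Inv_UG_Invoice_Pay.pdf"),
    (2904, 2384, r"C:\Windows\SysWOW64\cmd.exe",
     rf'C:\Windows\system32\cmd.exe /c rd /s /q "{MW}\files"'),
    (2584, 2384, r"C:\Windows\SysWOW64\ICACLS.EXE",
     rf'"C:\Windows\system32\ICACLS.EXE" "{MW}\." /SETINTEGRITYLEVEL (CI)(OI)LOW'),
]]

INTEGRITY_RE = re.compile(r"/SETINTEGRITYLEVEL\s+(?:\([A-Z]+\))*(LOW|MEDIUM|HIGH)", re.I)
CAB_RE = re.compile(r'expand\.exe"?\s+-R\s+(\S+\.cab)', re.I)
START_RE = re.compile(r"/c\s+start\s+(\S+)\s+(https?://\S+)", re.I)
RD_RE = re.compile(r"/c\s+rd\s+/s\s+/q\b", re.I)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def tag_child(p: Proc) -> list[str]:
    """Label one child of a custom-action host by what its command line does."""
    tags = []
    img = basename(p.image)
    if img == "icacls.exe" and (m := INTEGRITY_RE.search(p.cmdline)):
        tags.append("integrity:" + m.group(1).upper())
    if img == "expand.exe" and (m := CAB_RE.search(p.cmdline)):
        tags.append("cab:" + m.group(1))
    if img == "cmd.exe":
        if m := START_RE.search(p.cmdline):
            tags.append(f"open:{m.group(1).lower()}:{urlparse(m.group(2)).netloc}")
        if RD_RE.search(p.cmdline):
            tags.append("rmdir")
    # Image resolved under SysWOW64 while the command line names system32:
    # the 32-bit custom-action host is subject to WOW64 file-system redirection.
    if "\\syswow64\\" in p.image.lower() and "\\system32\\" in p.cmdline.lower():
        tags.append("wow64")
    return tags


def triage(procs: list[Proc]) -> dict[int, dict[str, list[str]]]:
    """Group children under each 'MsiExec.exe -Embedding' host and score the chain."""
    hosts = {p.pid: {"tags": [], "verdicts": []} for p in procs
             if basename(p.image) == "msiexec.exe" and "-embedding" in p.cmdline.lower()}
    for p in procs:                      # list order == spawn order in the report
        if p.parent in hosts:
            p.tags = tag_child(p)
            hosts[p.parent]["tags"].extend(p.tags)
    for host in hosts.values():
        t = host["tags"]
        levels = [x.split(":", 1)[1] for x in t if x.startswith("integrity:")]
        # Temp dir raised to HIGH and a cabinet unpacked into it: wrapper-style custom action.
        if "HIGH" in levels and any(x.startswith("cab:") for x in t):
            host["verdicts"].append("wrapper_custom_action")
        # Recursive delete, then the dir dropped back to LOW: payload directory cleaned up.
        if "rmdir" in t and levels and levels[-1] == "LOW":
            host["verdicts"].append("payload_dir_cleanup")
        if any(x.startswith("open:") for x in t):
            host["verdicts"].append("opens_remote_document")
    return hosts


# Constructed from the "Enumerates connected drives" IoCs (46 events, report order).
SAMPLE_DRIVE_EVENTS = [f"File opened (read-only) \\??\\{c}: msiexec.exe"
                       for c in "SYZNTEIOVABKOMQVHIPWZATXNUSGHKBELULMRQYJWJXPRG"]
DRIVE_RE = re.compile(r"File opened \(read-only\) \\\?\?\\([A-Z]): (\S+)")


def probed_drives(events: list[str]) -> dict[str, object]:
    """Reduce drive-root opens to the letters touched and the letters never tried."""
    letters = sorted({m.group(1) for e in events if (m := DRIVE_RE.search(e))})
    absent = sorted(set("ABCDEFGHIJKLMNOPQRSTUVWXYZ") - set(letters))
    return {"letters": letters, "absent": absent, "events": len(events)}


if __name__ == "__main__":
    for pid, host in triage(SAMPLE_PROCESSES).items():
        print(pid, host["verdicts"], host["tags"])
    print(probed_drives(SAMPLE_DRIVE_EVENTS))
```

The verdicts are deliberately structural (what the chain did to its own temp directory, whether it opened something external) rather than "malicious", because the same sequence is produced by legitimate installers built with exe-to-MSI wrappers; the useful signal for a screening queue is the combination with an absent payload process and a remote document opened from a custom action, which is what the report above shows. Run over real exports, the parent/child relation and the order of the ICACLS calls are what to check, not the presence of icacls.exe by itself.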
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize: 3.1MB
MD5: c5251b4a0300ac59b9c51b39b48960ef
SHA1: 1a9f4710e07aff28c8961b8bb4d5a525ea385e42
SHA256: 4d5fd376d65beb611b661283d72a19f92e69812c716546e3b3809062671238f2
SHA512: a00ddbbd2e4d29b6e54ad422d3a69c4cf3b68cec704c677b5713afe8080774a7b35367464fe5bde19efdd07795f1f7ce2ef13f236241b048638f56fa158b2e76
-
Filesize: 17.4MB
MD5: ccdd9f0ac61884935d08e0d7153d64b1
SHA1: 6bb497ff904c908698fe84782e6d001821016461
SHA256: 40cc8405c8cfdd9e3945aa9925211eab6530174b721d933603037d62be974695
SHA512: f3ef9829422c53bad188bcb9ef540b031a857db00c318810d630fba8dc69e4580aaf7e5817624051998add315c23a740d58564860af23009d03535e2ed80fbb4
-
Filesize: 378B
MD5: 4524354783ff302b9d276a4c1515a8a3
SHA1: 998a6fb6417bf28b11c2c73b6ea7c7d2f4c67e23
SHA256: a939b426b5fc0a9125873185848f34a11ed91c7502f6828d20cc39b8b44a620d
SHA512: 79e9e9930cee7c1dc6a4e9adee5d7096f680264aa1722f98c3493771eef15b773c8d5cf32650f6090f8ee42fbf872c2ef97448493bad305d5fec4f703ba53af2
-
Filesize: 1KB
MD5: c54a138f0fd664a16c5aae2e01662336
SHA1: 3004454b9f723c304905cd0cf5bf1e2edef310d5
SHA256: 0dfa1978d72e412d687034d92fc462920a7fe3912aaca3b75455eb989ba0fd7a
SHA512: 5d8826fe4fbd6f1d962bb78cf659b7f16af4d94ff9cccaa4b2e3ef579db6e7ad955adfd4f6f06e7f89d62097f7ba4742289a1a3a41a0707df535f0678da76df8
-
Filesize: 208KB
MD5: 4caaa03e0b59ca60a3d34674b732b702
SHA1: ee80c8f4684055ac8960b9720fb108be07e1d10c
SHA256: d01af2b8c692dffb04a5a04e3ccd0d0a3b2c67c8fc45a4b68c0a065b4e64cc3d
SHA512: 25888848871286bdd1f9c43a0fba35640edb5bafbe0c6aa2f9708a070ea4e5b16745b7c4f744ae4f5643f75ef47f196d430bf70921ed27715f712825ec590a34