Analysis
- max time kernel: 150s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20240226-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 13/03/2024, 03:45
Static task: static1
Behavioral task: behavioral1
- Sample: ee1e5b80a1d3d47c7703ea2b6b64ee96283ab3628ee4fa1fef6d35d1d9051e9f.msi
- Resource: win7-20240221-en
Behavioral task: behavioral2
- Sample: ee1e5b80a1d3d47c7703ea2b6b64ee96283ab3628ee4fa1fef6d35d1d9051e9f.msi
- Resource: win10v2004-20240226-en
General
- Target: ee1e5b80a1d3d47c7703ea2b6b64ee96283ab3628ee4fa1fef6d35d1d9051e9f.msi
- Size: 1.4MB
- MD5: ec183d55d6c11480bc167da468a526fa
- SHA1: e4315009a338b527d7b65bd557be404b9f55d284
- SHA256: ee1e5b80a1d3d47c7703ea2b6b64ee96283ab3628ee4fa1fef6d35d1d9051e9f
- SHA512: 03d6fa94994b642ed753827d13aafa4bc61580102c4fa1fb8861d391f8b3b62e0d90a1328b9f10af1c00a443f43a69a3085068356906e46bb53d70df30e29cf3
- SSDEEP: 24576:gfPxLNvYLSMvZCFlp8zBQSc0ZoCvqKwx0ECIgYmfLVYeBZr7AgrukBho6l:gf/vYpW8zBQSc0ZnSKeZKumZr7AZqhDl
Malware Config
Signatures
- Enumerates connected drives (3 TTPs, 46 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
- Drops file in Windows directory (10 IoCs)
  - File opened for modification: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log (msiexec.exe)
  - File opened for modification: C:\Windows\Installer\MSI6254.tmp (msiexec.exe)
  - File opened for modification: C:\Windows\Installer\MSI62E1.tmp (msiexec.exe)
  - File created: C:\Windows\Installer\inprogressinstallinfo.ipi (msiexec.exe)
  - File created: C:\Windows\Installer\SourceHash{4A88E1DD-9150-4E48-BE8A-4A9096C30BEC} (msiexec.exe)
  - File opened for modification: C:\Windows\Installer\MSI6350.tmp (msiexec.exe)
  - File created: C:\Windows\Installer\e576215.msi (msiexec.exe)
  - File opened for modification: C:\Windows\Installer\e576215.msi (msiexec.exe)
  - File opened for modification: C:\Windows\Installer\ (msiexec.exe)
  - File opened for modification: C:\Windows\Installer\MSI639F.tmp (msiexec.exe)
- Executes dropped EXE (1 IoC)
  - PID 4068 MSI639F.tmp
- Loads dropped DLL (10 IoCs)
  - PID 3184 MsiExec.exe
  - PID 3184 MsiExec.exe
  - PID 3184 MsiExec.exe
  - PID 3184 MsiExec.exe
  - PID 3184 MsiExec.exe
  - PID 3184 MsiExec.exe
  - PID 4088 MsiExec.exe
  - PID 4088 MsiExec.exe
  - PID 4952 rundll32.exe
  - PID 3200 rundll32.exe
- Checks SCSI registry key(s) (3 TTPs, 5 IoCs)
  SCSI information is often read in order to detect sandboxing environments.
- Suspicious behavior: EnumeratesProcesses (12 IoCs)
  - PID 3740 msiexec.exe
  - PID 3740 msiexec.exe
  - PID 4068 MSI639F.tmp
  - PID 4068 MSI639F.tmp
  - PID 4952 rundll32.exe
  - PID 4952 rundll32.exe
  - PID 4952 rundll32.exe
  - PID 4952 rundll32.exe
  - PID 3200 rundll32.exe
  - PID 3200 rundll32.exe
  - PID 3200 rundll32.exe
  - PID 3200 rundll32.exe
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
- Suspicious use of FindShellTrayWindow (2 IoCs)
  - PID 3772 msiexec.exe
  - PID 3772 msiexec.exe
- Suspicious use of WriteProcessMemory (13 IoCs)
  - PID 3740 wrote to memory of 3184 (pid 3740, msiexec.exe, procid_target 90)
  - PID 3740 wrote to memory of 3184 (pid 3740, msiexec.exe, procid_target 90)
  - PID 3740 wrote to memory of 3184 (pid 3740, msiexec.exe, procid_target 90)
  - PID 3740 wrote to memory of 1784 (pid 3740, msiexec.exe, procid_target 101)
  - PID 3740 wrote to memory of 1784 (pid 3740, msiexec.exe, procid_target 101)
  - PID 3740 wrote to memory of 4088 (pid 3740, msiexec.exe, procid_target 103)
  - PID 3740 wrote to memory of 4088 (pid 3740, msiexec.exe, procid_target 103)
  - PID 3740 wrote to memory of 4088 (pid 3740, msiexec.exe, procid_target 103)
  - PID 3740 wrote to memory of 4068 (pid 3740, msiexec.exe, procid_target 104)
  - PID 3740 wrote to memory of 4068 (pid 3740, msiexec.exe, procid_target 104)
  - PID 3740 wrote to memory of 4068 (pid 3740, msiexec.exe, procid_target 104)
  - PID 4952 wrote to memory of 3200 (pid 4952, rundll32.exe, procid_target 106)
  - PID 4952 wrote to memory of 3200 (pid 4952, rundll32.exe, procid_target 106)
- Uses Task Scheduler COM API (1 TTP)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
- Uses Volume Shadow Copy service COM API
  The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
- C:\Windows\system32\msiexec.exe (depth 1)
  Command line: msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\ee1e5b80a1d3d47c7703ea2b6b64ee96283ab3628ee4fa1fef6d35d1d9051e9f.msi
  PID: 3772
  Signatures: Enumerates connected drives; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow
- C:\Windows\system32\msiexec.exe (depth 1)
  Command line: C:\Windows\system32\msiexec.exe /V
  PID: 3740
  Signatures: Enumerates connected drives; Drops file in Windows directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Windows\syswow64\MsiExec.exe (depth 2)
    Command line: C:\Windows\syswow64\MsiExec.exe -Embedding 4F99724F22942F318FAA040C8D9790F4 C
    PID: 3184
    Signatures: Loads dropped DLL
  - C:\Windows\system32\srtasks.exe (depth 2)
    Command line: C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
    PID: 1784
  - C:\Windows\syswow64\MsiExec.exe (depth 2)
    Command line: C:\Windows\syswow64\MsiExec.exe -Embedding B17B66824E1982222488CC2F6D6AB727
    PID: 4088
    Signatures: Loads dropped DLL
  - C:\Windows\Installer\MSI639F.tmp (depth 2)
    Command line: "C:\Windows\Installer\MSI639F.tmp" C:\Windows\System32\rundll32.exe C:\Users\Admin\AppData\Local\stat\falcon.dll, vgml
    PID: 4068
    Signatures: Executes dropped EXE; Suspicious behavior: EnumeratesProcesses
- C:\Windows\system32\vssvc.exe (depth 1)
  Command line: C:\Windows\system32\vssvc.exe
  PID: 4860
  Signatures: Checks SCSI registry key(s)
- C:\Windows\System32\rundll32.exe (depth 1)
  Command line: "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Local\stat\falcon.dll, vgml
  PID: 4952
  Signatures: Loads dropped DLL; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
  - C:\Windows\System32\rundll32.exe (depth 2)
    Command line: rundll32.exe "C:\Users\Admin\AppData\Roaming\Custom_update\Update_f70fbdc2.dll", vgml
    PID: 3200
    Signatures: Loads dropped DLL; Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads