Analysis
max time kernel
117s
max time network
133s
platform
windows7_x64
resource
win7-20240221-es
resource tags
arch:x64, arch:x86, image:win7-20240221-es, locale:es-es, os:windows7-x64, system, windows
submitted
13/03/2024, 15:34
Static task
static1
Behavioral task
behavioral1
Sample
BVGQVFC-92845Ref-UVLDD9259338142.msi
Resource
win7-20240221-es
Behavioral task
behavioral2
Sample
BVGQVFC-92845Ref-UVLDD9259338142.msi
Resource
win10v2004-20240226-es
Behavioral task
behavioral3
Sample
_________________________________________________________________________24144ULJRY06378DTAIJ.dll
Resource
win7-20240221-es
Behavioral task
behavioral4
Sample
_________________________________________________________________________24144ULJRY06378DTAIJ.dll
Resource
win10v2004-20240226-es
General
Target
BVGQVFC-92845Ref-UVLDD9259338142.msi
Size
12.5MB
MD5
395f6fb782949263cd15e0a1ed131d65
SHA1
67bd4dea0da0d667464be026a710b92a25531c5a
SHA256
47eee2815a27c49b230bdf661f938068c5d3347c37ada6bf5940b1f6fc98288c
SHA512
1251ac9278d87f4e2d97635787a0d3ff5c7f105692a73ecc39e8890e6f488473ad8c96464baf530719f446fe5a6923518b4ec52de0755475044a9b734d07f659
SSDEEP
98304:8O+IroUnDAN1baX4brxnmDQXNAdXKIX04WDXkK++F8fVPkPf0:8crdGaeADQXcX0bkSyGX
Malware Config
Signatures
Blocklisted process makes network request (1 IoC)
flow  pid   Process
2     2548  MsiExec.exe
Enumerates connected drives (3 TTPs, 46 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description              ioc     Process
All 46 events are "File opened (read-only)" by msiexec.exe. Each of the 23 drive letters below appears twice; both system32 msiexec.exe instances (PIDs 2340 and 2864) carry this signature in the process tree. C:, D: and F: do not appear.
File opened (read-only)  \??\A:  msiexec.exe  (x2)
File opened (read-only)  \??\B:  msiexec.exe  (x2)
File opened (read-only)  \??\E:  msiexec.exe  (x2)
File opened (read-only)  \??\G:  msiexec.exe  (x2)
File opened (read-only)  \??\H:  msiexec.exe  (x2)
File opened (read-only)  \??\I:  msiexec.exe  (x2)
File opened (read-only)  \??\J:  msiexec.exe  (x2)
File opened (read-only)  \??\K:  msiexec.exe  (x2)
File opened (read-only)  \??\L:  msiexec.exe  (x2)
File opened (read-only)  \??\M:  msiexec.exe  (x2)
File opened (read-only)  \??\N:  msiexec.exe  (x2)
File opened (read-only)  \??\O:  msiexec.exe  (x2)
File opened (read-only)  \??\P:  msiexec.exe  (x2)
File opened (read-only)  \??\Q:  msiexec.exe  (x2)
File opened (read-only)  \??\R:  msiexec.exe  (x2)
File opened (read-only)  \??\S:  msiexec.exe  (x2)
File opened (read-only)  \??\T:  msiexec.exe  (x2)
File opened (read-only)  \??\U:  msiexec.exe  (x2)
File opened (read-only)  \??\V:  msiexec.exe  (x2)
File opened (read-only)  \??\W:  msiexec.exe  (x2)
File opened (read-only)  \??\X:  msiexec.exe  (x2)
File opened (read-only)  \??\Y:  msiexec.exe  (x2)
File opened (read-only)  \??\Z:  msiexec.exe  (x2)
Drops file in Windows directory (10 IoCs)
description                   ioc                                  Process
File created                  C:\Windows\Installer\f76b5b8.msi     msiexec.exe
File opened for modification  C:\Windows\Installer\                msiexec.exe
File opened for modification  C:\Windows\Installer\MSIC075.tmp     msiexec.exe
File opened for modification  C:\Windows\Installer\MSIC0C5.tmp     msiexec.exe
File opened for modification  C:\Windows\Installer\f76b5b8.msi     msiexec.exe
File opened for modification  C:\Windows\Installer\MSIB645.tmp     msiexec.exe
File opened for modification  C:\Windows\Installer\MSIB8A6.tmp     msiexec.exe
File opened for modification  C:\Windows\Installer\MSIB953.tmp     msiexec.exe
File created                  C:\Windows\Installer\f76b5bb.ipi     msiexec.exe
File opened for modification  C:\Windows\Installer\f76b5bb.ipi     msiexec.exe
Loads dropped DLL (4 IoCs)
pid   Process
2548  MsiExec.exe  (x4)
Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid   Process
2864  msiexec.exe  (x2)
Suspicious use of AdjustPrivilegeToken (52 IoCs)
description  pid  Process
PID 2340 msiexec.exe (31 token adjustments, in report order):
Token: SeShutdownPrivilege, SeIncreaseQuotaPrivilege, SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege, SeIncreaseQuotaPrivilege, SeMachineAccountPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeSyncAgentPrivilege, SeEnableDelegationPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
PID 2864 msiexec.exe (21 token adjustments):
Token: SeSecurityPrivilege (x1); SeRestorePrivilege (x10) and SeTakeOwnershipPrivilege (x10), alternating
Suspicious use of FindShellTrayWindow (2 IoCs)
pid   Process
2340  msiexec.exe  (x2)
Suspicious use of SetWindowsHookEx (3 IoCs)
pid   Process
2548  MsiExec.exe  (x3)
Suspicious use of WriteProcessMemory (7 IoCs)
description                         pid   Process      procid_target
PID 2864 wrote to memory of 2548    2864  msiexec.exe  29             (x7)
Processes
C:\Windows\system32\msiexec.exe
  msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\BVGQVFC-92845Ref-UVLDD9259338142.msi
  PID: 2340
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
C:\Windows\system32\msiexec.exe
  C:\Windows\system32\msiexec.exe /V
  PID: 2864
  - Enumerates connected drives
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  C:\Windows\syswow64\MsiExec.exe  (child of PID 2864)
    C:\Windows\syswow64\MsiExec.exe -Embedding 99B291762717B203C059DCC14766A7F4
    PID: 2548
    - Blocklisted process makes network request
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
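The chain worth acting on in this report is the 32-bit MsiExec.exe custom-action server (PID 2548, `-Embedding <GUID>`), spawned under the installer service instance (PID 2864, `msiexec.exe /V`), which is the only process that loads a dropped DLL and makes the blocklisted network request. The A:–Z: drive enumeration and the long privilege-token list on the two system32 msiexec.exe instances are what the installer engine does for any package, so they carry little signal on their own. The following triage helper is an added example, not tria.ge code and not part of the sample; it parses excerpts of the flattened IoC lines above (copied inline) and the process tree as transcribed here, and flags that chain. Reading `msiexec.exe /V` as the Windows Installer service instance and `-Embedding <GUID>` as its out-of-process custom action server is standard Windows Installer behaviour rather than something the report states; the signature names are the report's own.

```python
"""Triage helper for tria.ge-style Windows Installer reports (added example, not tria.ge code)."""
import re
from collections import Counter, defaultdict

# Process tree as listed in this report: (pid, parent pid, image path, command line).
# 2548's parent is 2864, matching the "PID 2864 wrote to memory of 2548" IoCs.
PROCESSES = [
    (2340, None, r"C:\Windows\system32\msiexec.exe",
     r"msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\BVGQVFC-92845Ref-UVLDD9259338142.msi"),
    (2864, None, r"C:\Windows\system32\msiexec.exe",
     r"C:\Windows\system32\msiexec.exe /V"),
    (2548, 2864, r"C:\Windows\syswow64\MsiExec.exe",
     r"C:\Windows\syswow64\MsiExec.exe -Embedding 99B291762717B203C059DCC14766A7F4"),
]

# Flattened IoC lines copied from this report. The AdjustPrivilegeToken and
# WriteProcessMemory lines are excerpts (four and two events, not 52 and seven).
SIGNATURE_LINES = {
    "Blocklisted process makes network request": "flow pid Process 2 2548 MsiExec.exe",
    "Loads dropped DLL":
        "pid Process 2548 MsiExec.exe 2548 MsiExec.exe 2548 MsiExec.exe 2548 MsiExec.exe",
    "Suspicious use of SetWindowsHookEx":
        "pid Process 2548 MsiExec.exe 2548 MsiExec.exe 2548 MsiExec.exe",
    "Suspicious use of WriteProcessMemory":
        "description pid Process procid_target PID 2864 wrote to memory of 2548 2864 msiexec.exe 29 "
        "PID 2864 wrote to memory of 2548 2864 msiexec.exe 29",
    "Suspicious use of AdjustPrivilegeToken":
        "description pid Process Token: SeShutdownPrivilege 2340 msiexec.exe "
        "Token: SeRestorePrivilege 2864 msiexec.exe Token: SeTakeOwnershipPrivilege 2864 msiexec.exe "
        "Token: SeDebugPrivilege 2340 msiexec.exe",
}

PID_PROCESS = re.compile(r"\b(\d+) (\S+\.exe)\b", re.IGNORECASE)   # "2548 MsiExec.exe"
TOKEN = re.compile(r"Token: (Se\w+Privilege) (\d+)")
WPM = re.compile(r"PID (\d+) wrote to memory of (\d+)")
EMBEDDING = re.compile(r"-Embedding ([0-9A-F]{32})\b", re.IGNORECASE)  # custom action server GUID


def pids_in(line):
    """Set of PIDs named in a flattened 'pid Process' IoC line."""
    return {int(pid) for pid, _ in PID_PROCESS.findall(line)}


def privilege_counts(line):
    """Per-PID Counter of privilege names from an AdjustPrivilegeToken IoC line."""
    out = defaultdict(Counter)
    for priv, pid in TOKEN.findall(line):
        out[int(pid)][priv] += 1
    return out


def memory_write_edges(line):
    """Counter of (writer pid, target pid) pairs from a WriteProcessMemory IoC line."""
    return Counter((int(a), int(b)) for a, b in WPM.findall(line))


def find_custom_action_chains(processes, signature_lines):
    """Return MsiExec.exe '-Embedding <GUID>' servers that both load a dropped DLL and
    make a blocklisted network request, annotated with parent and bitness details."""
    by_pid = {p[0]: p for p in processes}
    dropped = pids_in(signature_lines.get("Loads dropped DLL", ""))
    network = pids_in(signature_lines.get("Blocklisted process makes network request", ""))
    edges = memory_write_edges(signature_lines.get("Suspicious use of WriteProcessMemory", ""))
    findings = []
    for pid, ppid, image, cmdline in processes:
        m = EMBEDDING.search(cmdline)
        if not m or not image.lower().endswith("\\msiexec.exe"):
            continue
        parent = by_pid.get(ppid)
        # Parent launched as "msiexec.exe /V": the installer service instance.
        parent_is_service = bool(parent) and parent[3].rstrip().lower().endswith(" /v")
        findings.append({
            "pid": pid,
            "parent_pid": ppid,
            "guid": m.group(1).upper(),
            "wow64": "\\syswow64\\" in image.lower(),      # 32-bit server on an x64 host
            "parent_is_installer_service": parent_is_service,
            "loads_dropped_dll": pid in dropped,
            "network": pid in network,
            "parent_wrote_memory": edges.get((ppid, pid), 0) > 0,
        })
    return [f for f in findings if f["loads_dropped_dll"] and f["network"]]


if __name__ == "__main__":
    for finding in find_custom_action_chains(PROCESSES, SIGNATURE_LINES):
        print(finding)
```

Feed it a report's full IoC lines and process tree instead of the excerpts and the same rules apply; the point is that the verdict keys on the custom-action server's behaviour, not on the installer engine's routine drive and privilege activity.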
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize
554KB
MD5
3b171ce087bb799aafcbbd93bab27f71
SHA1
7bd69efbc7797bdff5510830ca2cc817c8b86d08
SHA256
bb9a3c8972d89ad03c1dee3e91f03a13aca8d370185ac521b8c48040cc285ef4
SHA512
7700d86f6f2c6798bed1be6cd651805376d545f48f0a89c08f7032066431cb4df980688a360c44275b8d7f8010769dc236fbdaa0184125d016acdf158989ee38

Filesize
11.4MB
MD5
cf00406641c9879e0696dd8a4040347e
SHA1
82719bffc3d009e093a7a8addb1993bd301563c0
SHA256
7c810393527bd500ca32b7ff2123a59a3240c79ee62689d583030827043117c8
SHA512
ed96a4dcbd3585518555ae4f42ed766fff2c092b73f8ba70c7f7ef37ea3f4564dcde59ac23b2bca355a7440429b9a0f3365717a5550662784769345816a5cfad