Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
max time kernel: 120s
max time network: 121s
platform: windows7_x64
resource: win7-20240220-en
resource tags: arch:x64, arch:x86, image:win7-20240220-en, locale:en-us, os:windows7-x64, system
submitted: 14/03/2024, 06:49
Static task: static1
Behavioral task: behavioral1
  Sample: c7f61bcdad06be4d2f14d67f428765cd.msi
  Resource: win7-20240220-en
Behavioral task: behavioral2
  Sample: c7f61bcdad06be4d2f14d67f428765cd.msi
  Resource: win10v2004-20240226-en
General
Target: c7f61bcdad06be4d2f14d67f428765cd.msi
Size: 8.0MB
MD5: c7f61bcdad06be4d2f14d67f428765cd
SHA1: ee4b725f594c985697692ee73be4630f0319bf3b
SHA256: 75fb4eb817f922245e1efb31e4209363693da76993b30466e4059b50ab1e80be
SHA512: d2e688c27283c185da386923b964ec723be2a6d247a69c1213bc7f81ddc90c806f4cdb63b93fe8f9bdaf01b7e7284e989b4384895cd6a6872f12c6c41bdf90b4
SSDEEP: 98304:qOYaA5EMVUi/7N7t8w+L0787OqOVHnEGVA74cHwKe:q1Bp8z7KP+
Malware Config
Signatures
- Enumerates connected drives (3 TTPs, 46 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive. Every letter from A: to Z: except C:, D: and F: appears twice below (23 letters, 46 IoCs), and the signature is attributed to both msiexec.exe instances in the process tree. Windows Installer enumerates available volumes as part of its normal install costing, so this signature also fires for legitimate MSI packages; on its own it is a weak indicator.
  description | ioc | process
  File opened (read-only) | \??\Q: | msiexec.exe
  File opened (read-only) | \??\O: | msiexec.exe
  File opened (read-only) | \??\S: | msiexec.exe
  File opened (read-only) | \??\V: | msiexec.exe
  File opened (read-only) | \??\X: | msiexec.exe
  File opened (read-only) | \??\E: | msiexec.exe
  File opened (read-only) | \??\K: | msiexec.exe
  File opened (read-only) | \??\S: | msiexec.exe
  File opened (read-only) | \??\U: | msiexec.exe
  File opened (read-only) | \??\M: | msiexec.exe
  File opened (read-only) | \??\Q: | msiexec.exe
  File opened (read-only) | \??\U: | msiexec.exe
  File opened (read-only) | \??\Y: | msiexec.exe
  File opened (read-only) | \??\H: | msiexec.exe
  File opened (read-only) | \??\L: | msiexec.exe
  File opened (read-only) | \??\P: | msiexec.exe
  File opened (read-only) | \??\X: | msiexec.exe
  File opened (read-only) | \??\J: | msiexec.exe
  File opened (read-only) | \??\I: | msiexec.exe
  File opened (read-only) | \??\B: | msiexec.exe
  File opened (read-only) | \??\Y: | msiexec.exe
  File opened (read-only) | \??\L: | msiexec.exe
  File opened (read-only) | \??\B: | msiexec.exe
  File opened (read-only) | \??\G: | msiexec.exe
  File opened (read-only) | \??\J: | msiexec.exe
  File opened (read-only) | \??\M: | msiexec.exe
  File opened (read-only) | \??\W: | msiexec.exe
  File opened (read-only) | \??\O: | msiexec.exe
  File opened (read-only) | \??\N: | msiexec.exe
  File opened (read-only) | \??\P: | msiexec.exe
  File opened (read-only) | \??\W: | msiexec.exe
  File opened (read-only) | \??\N: | msiexec.exe
  File opened (read-only) | \??\V: | msiexec.exe
  File opened (read-only) | \??\E: | msiexec.exe
  File opened (read-only) | \??\G: | msiexec.exe
  File opened (read-only) | \??\I: | msiexec.exe
  File opened (read-only) | \??\Z: | msiexec.exe
  File opened (read-only) | \??\H: | msiexec.exe
  File opened (read-only) | \??\K: | msiexec.exe
  File opened (read-only) | \??\R: | msiexec.exe
  File opened (read-only) | \??\A: | msiexec.exe
  File opened (read-only) | \??\R: | msiexec.exe
  File opened (read-only) | \??\T: | msiexec.exe
  File opened (read-only) | \??\Z: | msiexec.exe
  File opened (read-only) | \??\A: | msiexec.exe
  File opened (read-only) | \??\T: | msiexec.exe
- Drops file in Windows directory (9 IoCs)
  description | ioc | process
  File created | C:\Windows\Installer\f75fec9.msi | msiexec.exe
  File opened for modification | C:\Windows\Installer\f75fec9.msi | msiexec.exe
  File opened for modification | C:\Windows\Installer\MSICE.tmp | msiexec.exe
  File opened for modification | C:\Windows\Installer\f75fecc.ipi | msiexec.exe
  File opened for modification | C:\Windows\Installer\MSIFF26.tmp | msiexec.exe
  File opened for modification | C:\Windows\Installer\MSIFFB4.tmp | msiexec.exe
  File created | C:\Windows\Installer\f75fecc.ipi | msiexec.exe
  File opened for modification | C:\Windows\Installer\ | msiexec.exe
  File opened for modification | C:\Windows\Installer\MSIDE.tmp | msiexec.exe
- Loads dropped DLL (3 IoCs)
  All three loads are by PID 2540, the syswow64 MsiExec.exe -Embedding child in the process tree. That process is the Windows Installer custom-action server, so the dropped DLL is loaded as a custom action carried inside the package; it is the process to examine for the package's own code.
  pid | process
  2540 | MsiExec.exe
  2540 | MsiExec.exe
  2540 | MsiExec.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid | process
  2568 | msiexec.exe
  2568 | msiexec.exe
- Suspicious use of AdjustPrivilegeToken (50 IoCs)
  description | pid | process
  Token: SeShutdownPrivilege | 2916 | msiexec.exe
  Token: SeIncreaseQuotaPrivilege | 2916 | msiexec.exe
  Token: SeRestorePrivilege | 2568 | msiexec.exe
  Token: SeTakeOwnershipPrivilege | 2568 | msiexec.exe
  Token: SeSecurityPrivilege | 2568 | msiexec.exe
  Token: SeCreateTokenPrivilege | 2916 | msiexec.exe
  Token: SeAssignPrimaryTokenPrivilege | 2916 | msiexec.exe
  Token: SeLockMemoryPrivilege | 2916 | msiexec.exe
  Token: SeIncreaseQuotaPrivilege | 2916 | msiexec.exe
  Token: SeMachineAccountPrivilege | 2916 | msiexec.exe
  Token: SeTcbPrivilege | 2916 | msiexec.exe
  Token: SeSecurityPrivilege | 2916 | msiexec.exe
  Token: SeTakeOwnershipPrivilege | 2916 | msiexec.exe
  Token: SeLoadDriverPrivilege | 2916 | msiexec.exe
  Token: SeSystemProfilePrivilege | 2916 | msiexec.exe
  Token: SeSystemtimePrivilege | 2916 | msiexec.exe
  Token: SeProfSingleProcessPrivilege | 2916 | msiexec.exe
  Token: SeIncBasePriorityPrivilege | 2916 | msiexec.exe
  Token: SeCreatePagefilePrivilege | 2916 | msiexec.exe
  Token: SeCreatePermanentPrivilege | 2916 | msiexec.exe
  Token: SeBackupPrivilege | 2916 | msiexec.exe
  Token: SeRestorePrivilege | 2916 | msiexec.exe
  Token: SeShutdownPrivilege | 2916 | msiexec.exe
  Token: SeDebugPrivilege | 2916 | msiexec.exe
  Token: SeAuditPrivilege | 2916 | msiexec.exe
  Token: SeSystemEnvironmentPrivilege | 2916 | msiexec.exe
  Token: SeChangeNotifyPrivilege | 2916 | msiexec.exe
  Token: SeRemoteShutdownPrivilege | 2916 | msiexec.exe
  Token: SeUndockPrivilege | 2916 | msiexec.exe
  Token: SeSyncAgentPrivilege | 2916 | msiexec.exe
  Token: SeEnableDelegationPrivilege | 2916 | msiexec.exe
  Token: SeManageVolumePrivilege | 2916 | msiexec.exe
  Token: SeImpersonatePrivilege | 2916 | msiexec.exe
  Token: SeCreateGlobalPrivilege | 2916 | msiexec.exe
  Token: SeRestorePrivilege | 2568 | msiexec.exe
  Token: SeTakeOwnershipPrivilege | 2568 | msiexec.exe
  Token: SeRestorePrivilege | 2568 | msiexec.exe
  Token: SeTakeOwnershipPrivilege | 2568 | msiexec.exe
  Token: SeRestorePrivilege | 2568 | msiexec.exe
  Token: SeTakeOwnershipPrivilege | 2568 | msiexec.exe
  Token: SeRestorePrivilege | 2568 | msiexec.exe
  Token: SeTakeOwnershipPrivilege | 2568 | msiexec.exe
  Token: SeRestorePrivilege | 2568 | msiexec.exe
  Token: SeTakeOwnershipPrivilege | 2568 | msiexec.exe
  Token: SeRestorePrivilege | 2568 | msiexec.exe
  Token: SeTakeOwnershipPrivilege | 2568 | msiexec.exe
  Token: SeRestorePrivilege | 2568 | msiexec.exe
  Token: SeTakeOwnershipPrivilege | 2568 | msiexec.exe
  Token: SeRestorePrivilege | 2568 | msiexec.exe
  Token: SeTakeOwnershipPrivilege | 2568 | msiexec.exe
- Suspicious use of FindShellTrayWindow (2 IoCs)
  pid | process
  2916 | msiexec.exe
  2916 | msiexec.exe
- Suspicious use of WriteProcessMemory (7 IoCs)
  All seven writes are from the service instance (PID 2568) into its own child, the custom-action server (PID 2540).
  description | pid | process | procid_target
  PID 2568 wrote to memory of 2540 | 2568 | msiexec.exe | 29
  PID 2568 wrote to memory of 2540 | 2568 | msiexec.exe | 29
  PID 2568 wrote to memory of 2540 | 2568 | msiexec.exe | 29
  PID 2568 wrote to memory of 2540 | 2568 | msiexec.exe | 29
  PID 2568 wrote to memory of 2540 | 2568 | msiexec.exe | 29
  PID 2568 wrote to memory of 2540 | 2568 | msiexec.exe | 29
  PID 2568 wrote to memory of 2540 | 2568 | msiexec.exe | 29
Processes
This is the usual three-process shape of a Windows Installer run: the "/I" instance is the user-facing client launched with the sample, the "/V" instance is the Windows Installer service, and the syswow64 "MsiExec.exe -Embedding <id>" child is the 32-bit custom-action server the service spawns to run the package's custom actions. The custom-action server (PID 2540) is the one that loads the dropped DLL.

1. C:\Windows\system32\msiexec.exe (PID 2916)
   Command line: msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\c7f61bcdad06be4d2f14d67f428765cd.msi
   - Enumerates connected drives
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of FindShellTrayWindow

1. C:\Windows\system32\msiexec.exe (PID 2568)
   Command line: C:\Windows\system32\msiexec.exe /V
   - Enumerates connected drives
   - Drops file in Windows directory
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\syswow64\MsiExec.exe (PID 2540)
      Command line: C:\Windows\syswow64\MsiExec.exe -Embedding 1C57D0A1C1F329D44EDE81209FCE0EEB
      - Loads dropped DLL
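The process tree and the signature tables above are what a triager joins by hand to decide which process matters. As an added example (not code from tria.ge and not part of this report), the Python below does that join over a transcription of this page's own rows: it collapses the 46 drive-probe rows into the set of letters probed and the letters never touched, locates the custom-action server by its "-Embedding <32 hex>" command line and its "/V" parent, notes whether it runs from syswow64 (32-bit), and marks it as the process that loaded the dropped DLL. The input rows are constructed from this page; the one-string-per-row layout is my own flattening, not Triage's export format, and the parent PID of the "/V" service instance is not shown on the page, so it is recorded as 0 (unknown) rather than guessed.

```python
import re
import string
from collections import Counter

# Constructed input, transcribed from this report's process tree:
# (image path, command line, pid, parent pid). The parent of the "/V"
# service instance is not shown on the page, so it is recorded as 0.
PROCESSES = [
    (r"C:\Windows\system32\msiexec.exe",
     r"msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\c7f61bcdad06be4d2f14d67f428765cd.msi",
     2916, 0),
    (r"C:\Windows\system32\msiexec.exe",
     r"C:\Windows\system32\msiexec.exe /V",
     2568, 0),
    (r"C:\Windows\syswow64\MsiExec.exe",
     r"C:\Windows\syswow64\MsiExec.exe -Embedding 1C57D0A1C1F329D44EDE81209FCE0EEB",
     2540, 2568),
]

# The 46 "Enumerates connected drives" rows in the order the report lists
# them, plus the three "Loads dropped DLL" rows, one string per row.
_DRIVE_ORDER = "QOSVXEKSUMQUYHLPXJIBYLBGJMWONPWNVEGIZHKRARTZAT"
SIGNATURE_LINES = [
    "File opened (read-only) \\??\\%s: msiexec.exe" % c for c in _DRIVE_ORDER
] + ["Loads dropped DLL 2540 MsiExec.exe"] * 3

DRIVE_RE = re.compile(r"File opened \(read-only\) \\\?\?\\([A-Z]): (\S+)")
EMBEDDING_RE = re.compile(r"MsiExec\.exe -Embedding ([0-9A-Fa-f]{32})")
DROPPED_DLL_RE = re.compile(r"Loads dropped DLL (\d+) (\S+)")


def drive_enumeration(sig_lines):
    """Collapse drive-probe rows into (letters probed, letters never probed,
    per-letter hit count)."""
    counts = Counter()
    for line in sig_lines:
        m = DRIVE_RE.match(line)
        if m:
            counts[m.group(1)] += 1
    probed = "".join(sorted(counts))
    untouched = "".join(c for c in string.ascii_uppercase if c not in counts)
    return probed, untouched, dict(counts)


def dropped_dll_loaders(sig_lines):
    """PIDs the sandbox saw loading a DLL that the sample itself wrote to disk."""
    return {int(m.group(1)) for m in map(DROPPED_DLL_RE.match, sig_lines) if m}


def custom_action_hosts(processes):
    """Find Windows Installer custom-action servers: 'MsiExec.exe -Embedding
    <32 hex chars>' whose parent is the 'msiexec /V' service instance. A
    syswow64 image path means the 32-bit server, i.e. a 32-bit custom action."""
    by_pid = {pid: (image, cmd) for image, cmd, pid, _ in processes}
    hosts = []
    for image, cmd, pid, ppid in processes:
        m = EMBEDDING_RE.search(cmd)
        if not m:
            continue
        parent = by_pid.get(ppid)
        parent_is_service = (parent is not None
                             and parent[1].rstrip().lower().endswith(" /v"))
        hosts.append({
            "pid": pid,
            "parent_pid": ppid,
            "parent_is_installer_service": parent_is_service,
            "wow64": "syswow64" in image.lower(),
            "embedding_id": m.group(1).upper(),
        })
    return hosts


def triage(processes, sig_lines):
    """Join the two views: a custom-action host that loads a dropped DLL is
    where the package's own code executes, so that PID is the one to pull
    memory and file artefacts from."""
    probed, untouched, _ = drive_enumeration(sig_lines)
    loaders = dropped_dll_loaders(sig_lines)
    hosts = custom_action_hosts(processes)
    for h in hosts:
        h["loads_dropped_dll"] = h["pid"] in loaders
    return {
        "drives_probed": probed,
        "drives_untouched": untouched,
        "custom_action_hosts": hosts,
    }


if __name__ == "__main__":
    import json
    print(json.dumps(triage(PROCESSES, SIGNATURE_LINES), indent=2))
```

Run as-is to see the joined view for this report; on another report, replace PROCESSES and SIGNATURE_LINES with the same flattening of that page's rows. The "drives_untouched" field is the quick sanity check against the signature description: C: is the system drive and should be absent, and here D: and F: are absent as well.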
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 720B
  MD5: 627d68567c4daeb93a5332785585a7cb
  SHA1: dc4aa13f73b1c905971e43ba787585aa32250431
  SHA256: 451b1357cba5116db332b1916f69ecc4a968fdabf967f686e99d7ab8f384b31a
  SHA512: 2431cbb03d824edc7d717eac9eaee79ff2b24533752019ad8e022931e4b886def7c35aa846049cfa1e93702c4df2ff8309f73fcb14cd62862e27797fa31684e3
- Filesize: 7.7MB
  MD5: 3bcad32dbb1b865476c1f86da4044100
  SHA1: 20df7a47826a8b21d0d3bad464c6b90055800972
  SHA256: f0916585db46a13b63e0b564a5558d3534d46e6423a2c53792837f431439d763
  SHA512: 6600f6b03f30d8d2ade51d15ace3f1d97c2cfaaa752a2ea4682b12512ff517595a0b96d1dd017f0a9e51967b71fdfe176b576557c3d39fe0ce12cf37ca2113d1
- Filesize: 91KB
  MD5: 9f1e5d66c2889018daef4aef604eebc4
  SHA1: b80294261c8a1635e16e14f55a3d76889ff2c857
  SHA256: 02a81aea451cdfa2cd6668e3b814c4e50c6025e36b70ab972a8cc68aba5b3222
  SHA512: 8f8cbba79d2b6541e8b603a4a395cb938d77c358563bd745449bfee107ee64b88254a79ca5dd72fa05798a75c1464e7cca52556829f258009a3d33c9c3c5d39b