Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
119s -
max time network
123s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
16/03/2024, 02:46
Static task
static1
Behavioral task
behavioral1
Sample
b9f0f29ab0015b207fc68d51ffb2a98813e69401c49b5ad505419d5fcbc6b33e.msi
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
b9f0f29ab0015b207fc68d51ffb2a98813e69401c49b5ad505419d5fcbc6b33e.msi
Resource
win10v2004-20240226-en
General
-
Target
b9f0f29ab0015b207fc68d51ffb2a98813e69401c49b5ad505419d5fcbc6b33e.msi
-
Size
2.3MB
-
MD5
798e2c0dfd79867c67973832c8a09e74
-
SHA1
0ca5cef61d40fc0a03bf69f7de913b1fa8ac38fc
-
SHA256
b9f0f29ab0015b207fc68d51ffb2a98813e69401c49b5ad505419d5fcbc6b33e
-
SHA512
d777a453b248d18185463a025e8d67cf3748a62078a286d2568a51bf1f75ada08544deea8ca20af6df6b131f97f92d2756904a3ab323bae975bcf4554ed132da
-
SSDEEP
49152:hka9ibZ7ZKumZrRq4Fb6HXr1iWnYs4ntHurpllQ6a6uxtZZjhdnNnVY7nE2N/ET:6bzKZFnWnLuxBjvMEW/
Malware Config
Signatures
-
Enumerates connected drives 3 TTPs 46 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\H: msiexec.exe File opened (read-only) \??\Q: msiexec.exe File opened (read-only) \??\S: msiexec.exe File opened (read-only) \??\X: msiexec.exe File opened (read-only) \??\Y: msiexec.exe File opened (read-only) \??\B: msiexec.exe File opened (read-only) \??\E: msiexec.exe File opened (read-only) \??\V: msiexec.exe File opened (read-only) \??\W: msiexec.exe File opened (read-only) \??\G: msiexec.exe File opened (read-only) \??\K: msiexec.exe File opened (read-only) \??\E: msiexec.exe File opened (read-only) \??\L: msiexec.exe File opened (read-only) \??\N: msiexec.exe File opened (read-only) \??\S: msiexec.exe File opened (read-only) \??\Y: msiexec.exe File opened (read-only) \??\V: msiexec.exe File opened (read-only) \??\I: msiexec.exe File opened (read-only) \??\J: msiexec.exe File opened (read-only) \??\A: msiexec.exe File opened (read-only) \??\I: msiexec.exe File opened (read-only) \??\O: msiexec.exe File opened (read-only) \??\P: msiexec.exe File opened (read-only) \??\P: msiexec.exe File opened (read-only) \??\X: msiexec.exe File opened (read-only) \??\O: msiexec.exe File opened (read-only) \??\Q: msiexec.exe File opened (read-only) \??\U: msiexec.exe File opened (read-only) \??\Z: msiexec.exe File opened (read-only) \??\L: msiexec.exe File opened (read-only) \??\R: msiexec.exe File opened (read-only) \??\A: msiexec.exe File opened (read-only) \??\M: msiexec.exe File opened (read-only) \??\W: msiexec.exe File opened (read-only) \??\T: msiexec.exe File opened (read-only) \??\U: msiexec.exe File opened (read-only) \??\K: msiexec.exe File opened (read-only) \??\Z: msiexec.exe File opened (read-only) \??\H: msiexec.exe File opened (read-only) \??\B: msiexec.exe File opened (read-only) \??\G: msiexec.exe File opened (read-only) \??\J: msiexec.exe File opened (read-only) \??\M: msiexec.exe File opened (read-only) \??\N: msiexec.exe File opened (read-only) \??\R: msiexec.exe File opened (read-only) \??\T: msiexec.exe -
Loads dropped DLL 9 IoCs
pid Process 2556 MsiExec.exe 2556 MsiExec.exe 2556 MsiExec.exe 2556 MsiExec.exe 2556 MsiExec.exe 2556 MsiExec.exe 2556 MsiExec.exe 2556 MsiExec.exe 2556 MsiExec.exe -
Suspicious behavior: EnumeratesProcesses 1 IoCs
pid Process 2556 MsiExec.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 1652 msiexec.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeShutdownPrivilege 1652 msiexec.exe Token: SeIncreaseQuotaPrivilege 1652 msiexec.exe Token: SeRestorePrivilege 2592 msiexec.exe Token: SeTakeOwnershipPrivilege 2592 msiexec.exe Token: SeSecurityPrivilege 2592 msiexec.exe Token: SeCreateTokenPrivilege 1652 msiexec.exe Token: SeAssignPrimaryTokenPrivilege 1652 msiexec.exe Token: SeLockMemoryPrivilege 1652 msiexec.exe Token: SeIncreaseQuotaPrivilege 1652 msiexec.exe Token: SeMachineAccountPrivilege 1652 msiexec.exe Token: SeTcbPrivilege 1652 msiexec.exe Token: SeSecurityPrivilege 1652 msiexec.exe Token: SeTakeOwnershipPrivilege 1652 msiexec.exe Token: SeLoadDriverPrivilege 1652 msiexec.exe Token: SeSystemProfilePrivilege 1652 msiexec.exe Token: SeSystemtimePrivilege 1652 msiexec.exe Token: SeProfSingleProcessPrivilege 1652 msiexec.exe Token: SeIncBasePriorityPrivilege 1652 msiexec.exe Token: SeCreatePagefilePrivilege 1652 msiexec.exe Token: SeCreatePermanentPrivilege 1652 msiexec.exe Token: SeBackupPrivilege 1652 msiexec.exe Token: SeRestorePrivilege 1652 msiexec.exe Token: SeShutdownPrivilege 1652 msiexec.exe Token: SeDebugPrivilege 1652 msiexec.exe Token: SeAuditPrivilege 1652 msiexec.exe Token: SeSystemEnvironmentPrivilege 1652 msiexec.exe Token: SeChangeNotifyPrivilege 1652 msiexec.exe Token: SeRemoteShutdownPrivilege 1652 msiexec.exe Token: SeUndockPrivilege 1652 msiexec.exe Token: SeSyncAgentPrivilege 1652 msiexec.exe Token: SeEnableDelegationPrivilege 1652 msiexec.exe Token: SeManageVolumePrivilege 1652 msiexec.exe Token: SeImpersonatePrivilege 1652 msiexec.exe Token: SeCreateGlobalPrivilege 1652 msiexec.exe Token: SeCreateTokenPrivilege 1652 msiexec.exe Token: SeAssignPrimaryTokenPrivilege 1652 msiexec.exe Token: SeLockMemoryPrivilege 1652 msiexec.exe Token: SeIncreaseQuotaPrivilege 1652 msiexec.exe Token: SeMachineAccountPrivilege 1652 msiexec.exe Token: SeTcbPrivilege 1652 msiexec.exe Token: SeSecurityPrivilege 1652 msiexec.exe Token: SeTakeOwnershipPrivilege 1652 msiexec.exe Token: SeLoadDriverPrivilege 1652 msiexec.exe Token: SeSystemProfilePrivilege 1652 msiexec.exe Token: SeSystemtimePrivilege 1652 msiexec.exe Token: SeProfSingleProcessPrivilege 1652 msiexec.exe Token: SeIncBasePriorityPrivilege 1652 msiexec.exe Token: SeCreatePagefilePrivilege 1652 msiexec.exe Token: SeCreatePermanentPrivilege 1652 msiexec.exe Token: SeBackupPrivilege 1652 msiexec.exe Token: SeRestorePrivilege 1652 msiexec.exe Token: SeShutdownPrivilege 1652 msiexec.exe Token: SeDebugPrivilege 1652 msiexec.exe Token: SeAuditPrivilege 1652 msiexec.exe Token: SeSystemEnvironmentPrivilege 1652 msiexec.exe Token: SeChangeNotifyPrivilege 1652 msiexec.exe Token: SeRemoteShutdownPrivilege 1652 msiexec.exe Token: SeUndockPrivilege 1652 msiexec.exe Token: SeSyncAgentPrivilege 1652 msiexec.exe Token: SeEnableDelegationPrivilege 1652 msiexec.exe Token: SeManageVolumePrivilege 1652 msiexec.exe Token: SeImpersonatePrivilege 1652 msiexec.exe Token: SeCreateGlobalPrivilege 1652 msiexec.exe Token: SeCreateTokenPrivilege 1652 msiexec.exe -
Suspicious use of FindShellTrayWindow 1 IoCs
pid Process 1652 msiexec.exe -
Suspicious use of WriteProcessMemory 7 IoCs
description pid Process procid_target PID 2592 wrote to memory of 2556 2592 msiexec.exe 29 PID 2592 wrote to memory of 2556 2592 msiexec.exe 29 PID 2592 wrote to memory of 2556 2592 msiexec.exe 29 PID 2592 wrote to memory of 2556 2592 msiexec.exe 29 PID 2592 wrote to memory of 2556 2592 msiexec.exe 29 PID 2592 wrote to memory of 2556 2592 msiexec.exe 29 PID 2592 wrote to memory of 2556 2592 msiexec.exe 29
Processes
-
C:\Windows\system32\msiexec.exemsiexec.exe /I C:\Users\Admin\AppData\Local\Temp\b9f0f29ab0015b207fc68d51ffb2a98813e69401c49b5ad505419d5fcbc6b33e.msi1⤵
- Enumerates connected drives
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1652
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2592 -
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 910E4D86C9A38529DC8900C6DE9AF54E C2⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:2556
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
436KB
MD5475d20c0ea477a35660e3f67ecf0a1df
SHA167340739f51e1134ae8f0ffc5ae9dd710e8e3a08
SHA256426e6cf199a8268e8a7763ec3a4dd7add982b28c51d89ebea90ca792cbae14dd
SHA51299525aaab2ab608134b5d66b5313e7fc3c2e2877395c5c171897d7a6c66efb26b606de1a4cb01118c2738ea4b6542e4eb4983e631231b3f340bf85e509a9589e
-
Filesize
897KB
MD56189cdcb92ab9ddbffd95facd0b631fa
SHA1b74c72cefcb5808e2c9ae4ba976fa916ba57190d
SHA256519f7ac72beba9d5d7dcf71fcac15546f5cfd3bcfc37a5129e63b4e0be91a783
SHA512ee9ce27628e7a07849cd9717609688ca4229d47579b69e3d3b5b2e7c2433369de9557ef6a13fa59964f57fb213cd8ca205b35f5791ea126bde5a4e00f6a11caf