Analysis
- max time kernel: 132s
- max time network: 125s
- platform: windows10-2004_x64
- resource: win10v2004-20240426-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 16/05/2024, 02:56
Static task
- static1
Behavioral task
- behavioral1
  Sample: bbb45077f52c14bda8e240fc2e94e36efc1d45c24a40f51a4ed7f506126d4c36.msi
  Resource: win7-20240508-en
Behavioral task
- behavioral2
  Sample: bbb45077f52c14bda8e240fc2e94e36efc1d45c24a40f51a4ed7f506126d4c36.msi
  Resource: win10v2004-20240426-en
General
- Target: bbb45077f52c14bda8e240fc2e94e36efc1d45c24a40f51a4ed7f506126d4c36.msi
- Size: 35.0MB
- MD5: 94089be88986618b7be913ee8b0d8a67
- SHA1: 377ecca72bbdf278cb2a15531188e14eb59145e4
- SHA256: bbb45077f52c14bda8e240fc2e94e36efc1d45c24a40f51a4ed7f506126d4c36
- SHA512: 84d0ec6948a1f511bfe0d25af19cb015ee1efe4351706f15587aee56f45e3a91abc4f40a0f3e8894deaf789deb04b46135deeba20c4a34dfec08d595e2b71987
- SSDEEP: 786432:Ilk27h2QVu9cCct5rB9rIX9gW6cnzELhEe2x53gp2KM:IlfA+ptO2Cnne2xU2
Malware Config
Signatures
Blocklisted process makes network request 3 IoCs
flow pid Process
- 8 2824 msiexec.exe
- 9 2824 msiexec.exe
- 19 2824 msiexec.exe
Enumerates connected drives 3 TTPs 46 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process
- File opened (read-only) \??\A:, \??\B:, \??\E:, \??\G:, \??\H:, \??\I:, \??\J:, \??\K:, \??\L:, \??\M:, \??\N:, \??\O:, \??\P:, \??\Q:, \??\R:, \??\S:, \??\T:, \??\U:, \??\V:, \??\W:, \??\X:, \??\Y:, \??\Z: msiexec.exe (every drive letter except C:, D: and F:; each of the 23 letters appears in two rows, 46 rows in total)
Drops file in Windows directory 14 IoCs
description ioc Process
- File opened for modification C:\Windows\Installer\e576419.msi msiexec.exe
- File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log msiexec.exe
- File opened for modification C:\Windows\Installer\MSI660E.tmp msiexec.exe
- File opened for modification C:\Windows\Installer\MSI67B7.tmp msiexec.exe
- File opened for modification C:\Windows\Installer\MSI78EF.tmp msiexec.exe
- File opened for modification C:\Windows\Installer\ msiexec.exe
- File created C:\Windows\Installer\inprogressinstallinfo.ipi msiexec.exe
- File created C:\Windows\Installer\SourceHash{23C65860-7C89-4DF2-A86C-D1816899DAD3} msiexec.exe
- File created C:\Windows\Installer\e576419.msi msiexec.exe
- File opened for modification C:\Windows\Installer\MSI661E.tmp msiexec.exe
- File opened for modification C:\Windows\Installer\MSI662F.tmp msiexec.exe
- File opened for modification C:\Windows\Installer\MSI6844.tmp msiexec.exe
- File created C:\Windows\Installer\e57641d.msi msiexec.exe
- File opened for modification C:\Windows\Installer\MSI6561.tmp msiexec.exe
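The MSI*.tmp files written to C:\Windows\Installer above are how Windows Installer stages custom-action DLLs from the package's Binary table before the MsiExec.exe -Embedding host loads them. They can be recovered from the .msi offline instead of from the sandbox. The script below is an added example, not part of the tria.ge report and not code from the sample's author: an MSI is an OLE compound file whose Binary table payloads live in streams named "Binary.<Name>", with the name characters packed into the UTF-16 range 0x3800-0x4840. The code decodes those stream names and dumps every Binary.* stream. The extraction step assumes the third-party olefile package is installed; the name codec and the PE check need nothing beyond the standard library.

```python
"""Offline recovery of the custom-action payloads embedded in an MSI.

Added example; not part of the tria.ge report. Decodes MSI stream names and
dumps the Binary table streams (custom-action DLLs, scripts, helper EXEs)
without executing the installer.
"""
import os
import re

# Alphabet Windows Installer uses to pack name characters (the same table
# 7-Zip and msitools use when listing MSI streams).
_ALPHABET = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz._"
_TABLE_MARK = 0x4840  # prefixes database-table streams; rendered here as "!"


def decode_stream_name(raw: str) -> str:
    """Turn a raw OLE stream name into the readable MSI name."""
    out = []
    for ch in raw:
        c = ord(ch)
        if 0x3800 <= c < 0x4800:          # one code unit carries two characters
            c -= 0x3800
            out.append(_ALPHABET[c & 0x3F])
            out.append(_ALPHABET[c >> 6])
        elif 0x4800 <= c < _TABLE_MARK:   # one code unit carries one character
            out.append(_ALPHABET[c - 0x4800])
        elif c == _TABLE_MARK:
            out.append("!")
        else:                             # anything else is stored verbatim
            out.append(ch)
    return "".join(out)


def encode_stream_name(name: str) -> str:
    """Inverse of decode_stream_name, for looking a stream up by its MSI name."""
    out, i = [], 0
    while i < len(name):
        if name[i] == "!":
            out.append(chr(_TABLE_MARK))
            i += 1
            continue
        a = _ALPHABET.find(name[i])
        if a < 0:                         # not packable: keep verbatim
            out.append(name[i])
            i += 1
            continue
        b = _ALPHABET.find(name[i + 1]) if i + 1 < len(name) else -1
        if b >= 0:                        # pack a pair: first char in the low 6 bits
            out.append(chr(0x3800 + a + (b << 6)))
            i += 2
        else:                             # trailing single character
            out.append(chr(0x4800 + a))
            i += 1
    return "".join(out)


def is_pe(data: bytes) -> bool:
    """MZ header plus a 'PE\\0\\0' signature at e_lfanew (offset 0x3C)."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def extract_binary_streams(msi_path: str, out_dir: str) -> list:
    """Dump every Binary.* stream; returns [(msi_name, size, is_pe, out_path)]."""
    import olefile  # third-party (pip install olefile); only needed here
    os.makedirs(out_dir, exist_ok=True)
    results = []
    ole = olefile.OleFileIO(msi_path)
    try:
        for entry in ole.listdir(streams=True, storages=False):
            name = decode_stream_name("/".join(entry))
            if not name.startswith("Binary."):
                continue
            data = ole.openstream(entry).read()
            safe = re.sub(r"[^A-Za-z0-9._-]", "_", name)
            path = os.path.join(out_dir, safe + ".bin")
            with open(path, "wb") as fh:
                fh.write(data)
            results.append((name, len(data), is_pe(data), path))
    finally:
        ole.close()
    return results


if __name__ == "__main__":
    import sys
    for name, size, pe, path in extract_binary_streams(sys.argv[1], sys.argv[2]):
        print("%-40s %9d bytes  %s  -> %s" % (name, size, "PE " if pe else "raw", path))
```

The Binary streams only give you the payloads; which of them run, and how, is in the CustomAction table, which needs a full table parser (for example `msiinfo export sample.msi CustomAction` from msitools). In that table a Type of 1 is a DLL from the Binary table, bit 0x400 marks a deferred action and bit 0x800 marks one that runs without impersonation, i.e. in the installer service's LocalSystem context.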
Loads dropped DLL 6 IoCs
pid Process
- 3148 MsiExec.exe (6 rows)
Command and Scripting Interpreter: PowerShell 1 IoCs
(heading restored from the process tree below, where this signature is attached to PID 3768)
pid Process
- 3768 powershell.exe
Suspicious behavior: EnumeratesProcesses 5 IoCs
pid Process
- 3768 powershell.exe (3 rows)
- 1648 msiexec.exe (2 rows)
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process (rows grouped by process; a count in parentheses is the number of rows for that token)
- 2824 msiexec.exe, 31 rows: SeShutdownPrivilege (2), SeIncreaseQuotaPrivilege (2), SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege, SeMachineAccountPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeSyncAgentPrivilege, SeEnableDelegationPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
- 1648 msiexec.exe, 32 rows: SeSecurityPrivilege (1), SeRestorePrivilege (16), SeTakeOwnershipPrivilege (15)
- 3768 powershell.exe, 1 row: SeDebugPrivilege
Suspicious use of FindShellTrayWindow 2 IoCs
pid Process
- 2824 msiexec.exe (2 rows)
Suspicious use of WriteProcessMemory 6 IoCs
description pid Process procid_target
- PID 1648 wrote to memory of 3148 1648 msiexec.exe 90 (3 rows)
- PID 3148 wrote to memory of 3768 3148 MsiExec.exe 95 (3 rows)
Processes
- C:\Windows\system32\msiexec.exe
  msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\bbb45077f52c14bda8e240fc2e94e36efc1d45c24a40f51a4ed7f506126d4c36.msi
  - Blocklisted process makes network request
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID: 2824
- C:\Windows\system32\msiexec.exe
  C:\Windows\system32\msiexec.exe /V
  - Enumerates connected drives
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 1648
  - C:\Windows\syswow64\MsiExec.exe
    C:\Windows\syswow64\MsiExec.exe -Embedding 530C083810F7601B13597EBA48B8B723
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID: 3148
    - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\pss6AF2.ps1" -propFile "C:\Users\Admin\AppData\Local\Temp\msi6AEF.txt" -scriptFile "C:\Users\Admin\AppData\Local\Temp\scr6AF0.ps1" -scriptArgsFile "C:\Users\Admin\AppData\Local\Temp\scr6AF1.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue."
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID: 3768
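The chain above (msiexec.exe /V, the Windows Installer service, spawning a 32-bit MsiExec.exe -Embedding custom-action host, which in turn runs powershell.exe with -ExecutionPolicy Bypass on a script staged in the user's Temp directory) is worth a hunting rule on its own. The script below is an added example, not part of the tria.ge report: it rebuilds the process tree from constructed Sysmon-style process-creation records modelled on the tree above (PIDs, image paths and command lines are copied from the report; the explorer.exe entry and the parent PIDs of the two root msiexec.exe processes are assumptions) and flags PowerShell launched under that ancestry.

```python
"""Hunting rule: Windows Installer custom action launching PowerShell.

Added example; not part of the tria.ge report. Fires when powershell.exe
runs a Temp-staged .ps1 with ExecutionPolicy Bypass, its parent is a
custom-action host (MsiExec.exe -Embedding <32 hex chars>) and that host
descends from the Windows Installer service (msiexec.exe /V).
"""
import re
from dataclasses import dataclass

TEMP = r"C:\Users\Admin\AppData\Local\Temp"
SAMPLE = "bbb45077f52c14bda8e240fc2e94e36efc1d45c24a40f51a4ed7f506126d4c36.msi"


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


# Command line of PID 3768 as recorded in the report.
PS_CMDLINE = (
    '-NoProfile -Noninteractive -ExecutionPolicy Bypass -File "{t}\\pss6AF2.ps1" '
    '-propFile "{t}\\msi6AEF.txt" -scriptFile "{t}\\scr6AF0.ps1" '
    '-scriptArgsFile "{t}\\scr6AF1.txt" -propSep " :<->: " -lineSep " <<:>> " '
    '-testPrefix "_testValue."'
).format(t=TEMP)

# Constructed events modelled on the process tree (parent PIDs 1, 4012 and 640
# are assumptions; the report does not show them).
EVENTS = [
    ProcEvent(4012, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(2824, 4012, r"C:\Windows\system32\msiexec.exe",
              "msiexec.exe /I " + TEMP + "\\" + SAMPLE),
    ProcEvent(1648, 640, r"C:\Windows\system32\msiexec.exe",
              r"C:\Windows\system32\msiexec.exe /V"),
    ProcEvent(3148, 1648, r"C:\Windows\syswow64\MsiExec.exe",
              r"C:\Windows\syswow64\MsiExec.exe -Embedding 530C083810F7601B13597EBA48B8B723"),
    ProcEvent(3768, 3148, r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe", PS_CMDLINE),
]

# Constructed counter-examples: the same PowerShell arguments launched by the
# user, and a custom action whose script is neither in Temp nor run with Bypass.
BENIGN_EVENTS = [
    ProcEvent(4012, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(5000, 4012, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", PS_CMDLINE),
    ProcEvent(1648, 640, r"C:\Windows\system32\msiexec.exe", r"C:\Windows\system32\msiexec.exe /V"),
    ProcEvent(3148, 1648, r"C:\Windows\syswow64\MsiExec.exe",
              r"C:\Windows\syswow64\MsiExec.exe -Embedding 530C083810F7601B13597EBA48B8B723"),
    ProcEvent(5100, 3148, r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
              r'-NoProfile -File "C:\Program Files\Vendor\setup.ps1"'),
]

SERVICE_RE = re.compile(r"\s/v\s*$", re.I)                       # msiexec.exe /V
CA_HOST_RE = re.compile(r"-embedding\s+[0-9a-f]{32}\b", re.I)    # MsiExec.exe -Embedding <hex>
BYPASS_RE = re.compile(r"-e(?:p|x[a-z]*)\s+bypass\b", re.I)      # -ep / -ex / -ExecutionPolicy Bypass
TEMP_SCRIPT_RE = re.compile(
    r'-file\s+"?([a-z]:\\users\\[^"\\]+\\appdata\\local\\temp\\[^"\s]+?\.ps1)', re.I)


def is_installer_service(e):
    return e.image.lower().endswith("\\msiexec.exe") and SERVICE_RE.search(e.cmdline) is not None


def is_custom_action_host(e):
    return e.image.lower().endswith("\\msiexec.exe") and CA_HOST_RE.search(e.cmdline) is not None


def temp_bypass_script(e):
    """Path of a Temp-staged .ps1 run with Bypass, or None if the event is not that."""
    if not e.image.lower().endswith(("\\powershell.exe", "\\pwsh.exe")):
        return None
    if not BYPASS_RE.search(e.cmdline):
        return None
    m = TEMP_SCRIPT_RE.search(e.cmdline)
    return m.group(1) if m else None


def ancestry(by_pid, pid):
    """Parent chain starting at pid, stopping at an unknown PID or a cycle."""
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(by_pid[pid])
        pid = by_pid[pid].ppid
    return chain


def detect(events):
    """Return one finding per PowerShell process launched by an installer custom action."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        script = temp_bypass_script(e)
        if script is None:
            continue
        chain = ancestry(by_pid, e.ppid)
        if chain and is_custom_action_host(chain[0]) and any(is_installer_service(a) for a in chain[1:]):
            findings.append({"pid": e.pid, "script": script, "chain": [a.pid for a in chain]})
    return findings


if __name__ == "__main__":
    for f in detect(EVENTS):
        print("custom action -> PowerShell: PID %d ran %s via %s" % (f["pid"], f["script"], f["chain"]))
```

Two caveats for production use. First, the pss*.ps1 / -propFile / -scriptFile argument shape is the signature of a PowerShell custom-action framework, and legitimate installers built with it produce exactly this chain, so treat a hit as a triage signal and pivot to the staged script's contents and the MSI's Binary table rather than blocking on it. Second, because the host descends from the installer service, a non-impersonated custom action runs with the service's LocalSystem token, which is what makes the chain worth the look. Real telemetry also reuses PIDs, so key the tree on a process GUID or (PID, creation time) rather than the bare PID used here.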
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize 19KB
  MD5 c0a85eac7143c2a173032eb49bc17c7a
  SHA1 00cf412ca956d1938093c29c9968044529379188
  SHA256 6353429bdfe7fd42a0350076107d6f8e7cf0b954a5d283defb727c9f1b36e4a2
  SHA512 ebe88266441927d12fce9bb79796cc28d0b1c72ca7dd81641ce81ea79581cf7d25a53ab194e690197fec006e1780594703f6b8f1ee19f273e46eea38a0176bc8
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\357F04AD41BCF5FE18FCB69F60C6680F_E049417E5C2A0ECD64032982D0A31504
  Filesize 1KB
  MD5 09a503f2cd5a8b03d815617332b3a135
  SHA1 adaeeece9b8092415a1ff15b367e3621e2fa6470
  SHA256 aece3cd2e86a56c689a87316786b4dae3ccf00edc52d5a59f93b1b6948c98caf
  SHA512 9664209a16c01c1ee3f85db5f4cf1559d7f0d59b26bd39045d363dee3468e763c14c7a748198e627092681be6679c94f22e2ae9b92189cc96a1d119197d7964b
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\9CB4373A4252DE8D2212929836304EC5_1AB74AA2E3A56E1B8AD8D3FEC287554E
  Filesize 1KB
  MD5 ede73b901e0d3d0278803d3308d3c92d
  SHA1 3b801b80ae63d1e481d15160c3c107cbbaaf1598
  SHA256 882b12505a9d8a895a0a3c1f0ec4430516d0165549ee4f1f63a26983727c2b33
  SHA512 1795ed50d73873974b9fbcad20c922aebc83bc6120ef9aa4ddb4a3005b5fa2696acdb64dea2beed0a715cfe6a3206faed462c16aa31e3454a870f4dbd65ffccd
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\357F04AD41BCF5FE18FCB69F60C6680F_E049417E5C2A0ECD64032982D0A31504
  Filesize 536B
  MD5 3fa6a4c64adf40809811719e85aad913
  SHA1 91f4b704c930942bbebfe3d95ee1193b67615213
  SHA256 0c0d1a46f23a4d4ade7562aebd36f8c07b7f53a86d58977c8e98e7260585206d
  SHA512 934da2b9f5152e05cb7c1fc1223caa8c5627226b272b3e9a0aa86c835d927de11f5e5afebc86e90ed2e5ba790713da9f41cd8a7ef7c4425e662a65907f0ede0f
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\9CB4373A4252DE8D2212929836304EC5_1AB74AA2E3A56E1B8AD8D3FEC287554E
  Filesize 536B
  MD5 25b85bc9d13e453f849e9094fdf8090e
  SHA1 3e3ddd28868cdeaa499f7195b63c2ad2c32ddcf3
  SHA256 8df2007425ba06eb73ed19dd44fe031ea43903ef9abe77eddb396dbe5c124045
  SHA512 de2c69081b6ba9503f9a4de8de343b6f470020f2e593eceaff981235b73ad8344467abf66ee9997f275e468b41d184afa2fa3ef6436ad1b79afdf55f6adf018f
- Filesize 60B
  MD5 d17fe0a3f47be24a6453e9ef58c94641
  SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
  SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
  SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
- Filesize 54B
  MD5 db420131f396adc6189eb74ccab4ef61
  SHA1 f7a0653289e00ae8a37836e4bb0c484a5434f4db
  SHA256 20712a091c0903c153ec0394f349e4e687fc16980c77434fab8af6c768b4de22
  SHA512 8f29ec5eae268faa330bc71859bada8e36b6f53e27d819dff04451de2cb644307c80f64f71b5768906a6c5eb28e5e77f4a1b23dde01bbfa0e6b9575c4fd92f73
- Filesize 6KB
  MD5 30c30ef2cb47e35101d13402b5661179
  SHA1 25696b2aab86a9233f19017539e2dd83b2f75d4e
  SHA256 53094df6fa4e57a3265ff04bc1e970c10bcdb3d4094ad6dd610c05b7a8b79e0f
  SHA512 882be2768138bb75ff7dde7d5ca4c2e024699398baacd0ce1d4619902402e054297e4f464d8cb3c22b2f35d3dabc408122c207facad64ec8014f2c54834cf458
- Filesize 558B
  MD5 32aaf95e81f7c25950c11c53615c753a
  SHA1 603ae202e859261d2ea09ac44f84d98a44007316
  SHA256 e523cdefc4d381fd0bb040f80f8ebcba9a022c7b731d1e3fba27ef0ad8643a58
  SHA512 4076c6b5a77ebc5c5e02c28269cf4751644a508c9661806e7560664e9c9379c808ca8c0860e6efd4ea3c837edbcbc4b20060413012e5f446f17a44efcef517db
- Filesize 975KB
  MD5 24dac6152c216a1b7b1afef7c36e2b65
  SHA1 a832467931f07b3f41772d89feb194a90be4119b
  SHA256 784af4a0d287a6611d5ee4fda32e31d7b3d5afcd14bca75d2564bb9f0045b449
  SHA512 b4da7fe3e32fe1dc89197ec4f0a84c1cb38ff4d872f842f4692d1520e2b39efd2d7e3b928a8e225d2504aadf72a923ed7ee7e3552988c6365b9b30358912d6ce
- Filesize 738KB
  MD5 b158d8d605571ea47a238df5ab43dfaa
  SHA1 bb91ae1f2f7142b9099e3cc285f4f5b84de568e4
  SHA256 ca763693cc25d316f14a9ebad80ebf00590329550c45adb7e5205486533c2504
  SHA512 56aef59c198acf2fcd0d95ea6e32ce1c706e5098a0800feff13ddb427bfb4d538de1c415a5cb5496b09a5825155e3abb1c13c8c37dc31549604bd4d63cb70591
- Filesize 758KB
  MD5 fb4665320c9da54598321c59cc5ed623
  SHA1 89e87b3cc569edd26b5805244cfacb2f9c892bc7
  SHA256 9fb3156c665211a0081b189142c1d1ab18cda601ee54d5f5d8883ecfa4177a59
  SHA512 b205552a3cfbaa2202e6ef7e39e229af167b2342a7dc4a2f4cadfe4d05000966cf19e9e208e44d6bb0fd6a56f4283caeed9c13f523e5b301b87f79febb1840cf
- Filesize 35.0MB (same hashes as the submitted sample)
  MD5 94089be88986618b7be913ee8b0d8a67
  SHA1 377ecca72bbdf278cb2a15531188e14eb59145e4
  SHA256 bbb45077f52c14bda8e240fc2e94e36efc1d45c24a40f51a4ed7f506126d4c36
  SHA512 84d0ec6948a1f511bfe0d25af19cb015ee1efe4351706f15587aee56f45e3a91abc4f40a0f3e8894deaf789deb04b46135deeba20c4a34dfec08d595e2b71987