Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
51s -
max time network
51s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system -
submitted
24/06/2024, 02:40
Static task
static1
Behavioral task
behavioral1
Sample
59c60faf837ec8ee08487f0b767a0a1122395f9d1013e032d7de624c1dddffe1.exe
Resource
win7-20240220-en
Behavioral task
behavioral2
Sample
59c60faf837ec8ee08487f0b767a0a1122395f9d1013e032d7de624c1dddffe1.exe
Resource
win10v2004-20240508-en
General
-
Target
59c60faf837ec8ee08487f0b767a0a1122395f9d1013e032d7de624c1dddffe1.exe
-
Size
9.8MB
-
MD5
31c3278d6e3de01677e9a75c6719b7c8
-
SHA1
a92d6737e3d6b5a69e49e1d64086c1dc822c6875
-
SHA256
59c60faf837ec8ee08487f0b767a0a1122395f9d1013e032d7de624c1dddffe1
-
SHA512
7a32d0a0b399fd09743b6a05e6b326e194a385b0efdf23d10088d7328f9efbac8a4449fda30d4636df0240dd8229cebb921e3c5737c1a35feb619db2bace9b2a
-
SSDEEP
196608:ynwReZJal3OuIMEgF3EeS+tpxH7qGaRQV/BTGDa+q4fD6Bnl/MGxPB5gmtj:yQez4+uIMrF3EeltpJu5QV/g3qBnl/Fn
Malware Config
Signatures
-
Loads dropped DLL 1 IoCs
pid Process 3044 MsiExec.exe -
Enumerates connected drives 3 TTPs 46 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\I: msiexec.exe File opened (read-only) \??\W: msiexec.exe File opened (read-only) \??\Y: msiexec.exe File opened (read-only) \??\Z: msiexec.exe File opened (read-only) \??\M: msiexec.exe File opened (read-only) \??\T: msiexec.exe File opened (read-only) \??\V: msiexec.exe File opened (read-only) \??\A: msiexec.exe File opened (read-only) \??\G: msiexec.exe File opened (read-only) \??\K: msiexec.exe File opened (read-only) \??\N: msiexec.exe File opened (read-only) \??\Q: msiexec.exe File opened (read-only) \??\A: msiexec.exe File opened (read-only) \??\H: msiexec.exe File opened (read-only) \??\H: msiexec.exe File opened (read-only) \??\I: msiexec.exe File opened (read-only) \??\L: msiexec.exe File opened (read-only) \??\O: msiexec.exe File opened (read-only) \??\X: msiexec.exe File opened (read-only) \??\E: msiexec.exe File opened (read-only) \??\O: msiexec.exe File opened (read-only) \??\U: msiexec.exe File opened (read-only) \??\G: msiexec.exe File opened (read-only) \??\K: msiexec.exe File opened (read-only) \??\R: msiexec.exe File opened (read-only) \??\L: msiexec.exe File opened (read-only) \??\S: msiexec.exe File opened (read-only) \??\X: msiexec.exe File opened (read-only) \??\B: msiexec.exe File opened (read-only) \??\P: msiexec.exe File opened (read-only) \??\Q: msiexec.exe File opened (read-only) \??\B: msiexec.exe File opened (read-only) \??\Z: msiexec.exe File opened (read-only) \??\M: msiexec.exe File opened (read-only) \??\R: msiexec.exe File opened (read-only) \??\T: msiexec.exe File opened (read-only) \??\S: msiexec.exe File opened (read-only) \??\U: msiexec.exe File opened (read-only) \??\Y: msiexec.exe File opened (read-only) \??\J: msiexec.exe File opened (read-only) \??\P: msiexec.exe File opened (read-only) \??\V: msiexec.exe File opened (read-only) \??\E: msiexec.exe File opened (read-only) \??\J: msiexec.exe File opened (read-only) \??\N: msiexec.exe File opened (read-only) \??\W: msiexec.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeShutdownPrivilege 1508 msiexec.exe Token: SeIncreaseQuotaPrivilege 1508 msiexec.exe Token: SeSecurityPrivilege 3316 msiexec.exe Token: SeCreateTokenPrivilege 1508 msiexec.exe Token: SeAssignPrimaryTokenPrivilege 1508 msiexec.exe Token: SeLockMemoryPrivilege 1508 msiexec.exe Token: SeIncreaseQuotaPrivilege 1508 msiexec.exe Token: SeMachineAccountPrivilege 1508 msiexec.exe Token: SeTcbPrivilege 1508 msiexec.exe Token: SeSecurityPrivilege 1508 msiexec.exe Token: SeTakeOwnershipPrivilege 1508 msiexec.exe Token: SeLoadDriverPrivilege 1508 msiexec.exe Token: SeSystemProfilePrivilege 1508 msiexec.exe Token: SeSystemtimePrivilege 1508 msiexec.exe Token: SeProfSingleProcessPrivilege 1508 msiexec.exe Token: SeIncBasePriorityPrivilege 1508 msiexec.exe Token: SeCreatePagefilePrivilege 1508 msiexec.exe Token: SeCreatePermanentPrivilege 1508 msiexec.exe Token: SeBackupPrivilege 1508 msiexec.exe Token: SeRestorePrivilege 1508 msiexec.exe Token: SeShutdownPrivilege 1508 msiexec.exe Token: SeDebugPrivilege 1508 msiexec.exe Token: SeAuditPrivilege 1508 msiexec.exe Token: SeSystemEnvironmentPrivilege 1508 msiexec.exe Token: SeChangeNotifyPrivilege 1508 msiexec.exe Token: SeRemoteShutdownPrivilege 1508 msiexec.exe Token: SeUndockPrivilege 1508 msiexec.exe Token: SeSyncAgentPrivilege 1508 msiexec.exe Token: SeEnableDelegationPrivilege 1508 msiexec.exe Token: SeManageVolumePrivilege 1508 msiexec.exe Token: SeImpersonatePrivilege 1508 msiexec.exe Token: SeCreateGlobalPrivilege 1508 msiexec.exe Token: SeCreateTokenPrivilege 1508 msiexec.exe Token: SeAssignPrimaryTokenPrivilege 1508 msiexec.exe Token: SeLockMemoryPrivilege 1508 msiexec.exe Token: SeIncreaseQuotaPrivilege 1508 msiexec.exe Token: SeMachineAccountPrivilege 1508 msiexec.exe Token: SeTcbPrivilege 1508 msiexec.exe Token: SeSecurityPrivilege 1508 msiexec.exe Token: SeTakeOwnershipPrivilege 1508 msiexec.exe Token: SeLoadDriverPrivilege 1508 msiexec.exe Token: SeSystemProfilePrivilege 1508 msiexec.exe Token: SeSystemtimePrivilege 1508 msiexec.exe Token: SeProfSingleProcessPrivilege 1508 msiexec.exe Token: SeIncBasePriorityPrivilege 1508 msiexec.exe Token: SeCreatePagefilePrivilege 1508 msiexec.exe Token: SeCreatePermanentPrivilege 1508 msiexec.exe Token: SeBackupPrivilege 1508 msiexec.exe Token: SeRestorePrivilege 1508 msiexec.exe Token: SeShutdownPrivilege 1508 msiexec.exe Token: SeDebugPrivilege 1508 msiexec.exe Token: SeAuditPrivilege 1508 msiexec.exe Token: SeSystemEnvironmentPrivilege 1508 msiexec.exe Token: SeChangeNotifyPrivilege 1508 msiexec.exe Token: SeRemoteShutdownPrivilege 1508 msiexec.exe Token: SeUndockPrivilege 1508 msiexec.exe Token: SeSyncAgentPrivilege 1508 msiexec.exe Token: SeEnableDelegationPrivilege 1508 msiexec.exe Token: SeManageVolumePrivilege 1508 msiexec.exe Token: SeImpersonatePrivilege 1508 msiexec.exe Token: SeCreateGlobalPrivilege 1508 msiexec.exe Token: SeCreateTokenPrivilege 1508 msiexec.exe Token: SeAssignPrimaryTokenPrivilege 1508 msiexec.exe Token: SeLockMemoryPrivilege 1508 msiexec.exe -
Suspicious use of FindShellTrayWindow 1 IoCs
pid Process 1508 msiexec.exe -
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target PID 1060 wrote to memory of 1508 1060 59c60faf837ec8ee08487f0b767a0a1122395f9d1013e032d7de624c1dddffe1.exe 80 PID 1060 wrote to memory of 1508 1060 59c60faf837ec8ee08487f0b767a0a1122395f9d1013e032d7de624c1dddffe1.exe 80 PID 3316 wrote to memory of 3044 3316 msiexec.exe 83 PID 3316 wrote to memory of 3044 3316 msiexec.exe 83
Processes
-
C:\Users\Admin\AppData\Local\Temp\59c60faf837ec8ee08487f0b767a0a1122395f9d1013e032d7de624c1dddffe1.exe"C:\Users\Admin\AppData\Local\Temp\59c60faf837ec8ee08487f0b767a0a1122395f9d1013e032d7de624c1dddffe1.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1060 -
C:\Windows\system32\msiexec.exe"C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Local\Temp\sma517B.tmp"2⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1508
-
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3316 -
C:\Windows\System32\MsiExec.exeC:\Windows\System32\MsiExec.exe -Embedding 72FC74D6BFB420C9DCB9CD4B3202F463 C2⤵
- Loads dropped DLL
PID:3044
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
16KB
MD515a73a2c34331b120d9ec535d73cc261
SHA17af161c7ad25157375c8e8d76444abc45158b8b4
SHA256996ac3d64a57262fe384f92903da0955d82004d60d45b03a9d0cf4085b3d1165
SHA512fc779d61300abf21fdd78a60c055266dcc4898f7b4d653e1b2fef715cc95f26e46e68e2b61abb4bb9195a10ea4732d3f6ce2f9679bc85307ee1b774ede3846c4
-
Filesize
9.7MB
MD5925019c3940a9643e308e789aef471aa
SHA1782d9a48343aeb2d2efcfcbbd2d61e63a34e171b
SHA256cf41affdbb63c78b8200fffab42a8e1d9d729b8615d61f694030e27a1f3a8ace
SHA51298dd6a528d87408f24e8f9a2a267bc6cd6c3b8f732c58e3bf4b7349f285d01426943be5d28f794cc811d1a79804d6fdd5648cf4daa4984c6526d460952f464a6