Overview

Overall score: 7

Tasks (score, task, platform):
  3  Static                  static
  7  299add446a...18.exe     windows7-x64
  7  299add446a...18.exe     windows10-2004-x64
  3  $PLUGINSDI...ns.dll     windows7-x64
  3  $PLUGINSDI...ns.dll     windows10-2004-x64
  3  $PLUGINSDI...em.dll     windows7-x64
  3  $PLUGINSDI...em.dll     windows10-2004-x64
  3  $PLUGINSDIR/inetc.dll   windows7-x64
  3  $PLUGINSDIR/inetc.dll   windows10-2004-x64
  6  $TEMP/Weat...up.msi     windows7-x64
  6  $TEMP/Weat...up.msi     windows10-2004-x64
  7  uninst.exe              windows7-x64
  7  uninst.exe              windows10-2004-x64
Analysis

max time kernel: 119s
max time network: 120s
platform: windows7_x64
resource: win7-20240220-en
resource tags: arch:x64, arch:x86, image:win7-20240220-en, locale:en-us, os:windows7-x64, system
submitted: 06/07/2024, 23:32
Static task: static1

Behavioral tasks (task, sample, resource):
  behavioral1    299add446ad38fe19ccac7f97ff8d57a_JaffaCakes118.exe   win7-20240705-en
  behavioral2    299add446ad38fe19ccac7f97ff8d57a_JaffaCakes118.exe   win10v2004-20240508-en
  behavioral3    $PLUGINSDIR/InstallOptions.dll                       win7-20240704-en
  behavioral4    $PLUGINSDIR/InstallOptions.dll                       win10v2004-20240704-en
  behavioral5    $PLUGINSDIR/System.dll                               win7-20240221-en
  behavioral6    $PLUGINSDIR/System.dll                               win10v2004-20240704-en
  behavioral7    $PLUGINSDIR/inetc.dll                                win7-20240221-en
  behavioral8    $PLUGINSDIR/inetc.dll                                win10v2004-20240704-en
  behavioral9    $TEMP/WeatherBugSetup.msi                            win7-20240220-en
  behavioral10   $TEMP/WeatherBugSetup.msi                            win10v2004-20240704-en
  behavioral11   uninst.exe                                           win7-20240508-en
  behavioral12   uninst.exe                                           win10v2004-20240704-en
General

Target: $TEMP/WeatherBugSetup.msi
Size: 3.1MB
MD5: 8c23be9e13b10ce4e5969abd7d838576
SHA1: adda1875ca69a6b9e21e4257833c508a46fa85c1
SHA256: 8d62da599bb3c0262a3b90ad2ea04da1834f7e4eee95e088951a2dabeae75589
SHA512: 74430f4495c11e0f1e2d747c72b7a984f531c2f1dbd18e3e772256b687c9a1a86c65dc54bfc5b03359eddd55812ce49239ab46f9aaccfa2b177c36d2ff93d02e
SSDEEP: 49152:dc4h6/9tTXuawqIXFI1L5ZVBlYkw2hWvnyQZboyCb/zaeyb7EaGVaGV:Thgaawqca1NPWPyQxrb7BGUG
Malware Config
Signatures

- Blocklisted process makes network request (1 IoC)
  flow 3, pid 1620, msiexec.exe

- Enumerates connected drives (3 TTPs, 46 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  File opened (read-only) by msiexec.exe, 46 entries in order of observation:
  \??\T: \??\W: \??\Z: \??\Q: \??\U: \??\E: \??\H: \??\R: \??\V: \??\T: \??\W: \??\Q: \??\U: \??\Y: \??\R: \??\M: \??\A: \??\H: \??\G: \??\N: \??\B: \??\K: \??\S:
  \??\Y: \??\I: \??\O: \??\S: \??\I: \??\J: \??\M: \??\P: \??\Z: \??\K: \??\E: \??\G: \??\L: \??\P: \??\V: \??\X: \??\L: \??\A: \??\B: \??\J: \??\N: \??\O: \??\X:

- Loads dropped DLL (3 IoCs)
  pid 1652, MsiExec.exe (3 entries)

- Event Triggered Execution: Installer Packages (1 TTP, 1 IoC)
  pid 1620, msiexec.exe

- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  pid 1620, msiexec.exe

- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Tokens enabled, in order of observation:
  msiexec.exe (pid 1620): SeShutdownPrivilege, SeIncreaseQuotaPrivilege
  msiexec.exe (pid 2536): SeRestorePrivilege, SeTakeOwnershipPrivilege, SeSecurityPrivilege
  msiexec.exe (pid 1620): SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege, SeIncreaseQuotaPrivilege, SeMachineAccountPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeSyncAgentPrivilege, SeEnableDelegationPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege, SeIncreaseQuotaPrivilege, SeMachineAccountPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeSyncAgentPrivilege, SeEnableDelegationPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, SeCreateTokenPrivilege

- Suspicious use of FindShellTrayWindow (1 IoC)
  pid 1620, msiexec.exe

- Suspicious use of WriteProcessMemory (7 IoCs)
  PID 2536 wrote to memory of 1652; pid 2536, msiexec.exe, procid_target 29 (7 identical entries)
Processes

- C:\Windows\system32\msiexec.exe (PID 1620)
  Command line: msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\$TEMP\WeatherBugSetup.msi
  Signatures:
    - Blocklisted process makes network request
    - Enumerates connected drives
    - Event Triggered Execution: Installer Packages
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow

- C:\Windows\system32\msiexec.exe (PID 2536)
  Command line: C:\Windows\system32\msiexec.exe /V
  Signatures:
    - Enumerates connected drives
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

  - C:\Windows\syswow64\MsiExec.exe (PID 1652), child of PID 2536
    Command line: C:\Windows\syswow64\MsiExec.exe -Embedding E99FA1382091D027DBC4295733712499 C
    Signatures:
      - Loads dropped DLL
Network
MITRE ATT&CK Enterprise v15
Downloads

- Filesize: 126KB
  MD5: 48a8123016d261e45ee807c0e238a971
  SHA1: d7c8bc1e4d6437697f137cff3eca0e31e49a55cf
  SHA256: 871f195e12ebb609e6179756092a5821e78cbf920c5c3c7da9ceb01aca991a78
  SHA512: a03ed081d740160f92f0f46315e3eff6aa7ac1b6ca65c28be595a802b4d32614cc778d57792b0fbc68ec2ce7382bfcee6c4009226cb2b5428c5819d3b6d5828f

- Filesize: 125KB
  MD5: 17e171f53f5378f637942286c4dc05fc
  SHA1: 56e54c86e9445ae7b33230501f17e710c5f47596
  SHA256: 90d450c12864c8b76e07bd87c6ead25636fef032ffaa056722d2f53f58d64037
  SHA512: d67b8ebd2e6091cf17a01ec73fc136eb9119e2fb3682b12dfb57d96f633d94be4805df5e10a5736197d64e04a6327d97bac943227155e9f9daa40e6944404fcd