Analysis
Max time kernel: 149s
Max time network: 150s
Platform: windows10-2004_x64
Resource: win10v2004-20240709-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 12/07/2024, 06:03
Static task: static1

Behavioral task: behavioral1
  Sample: TeamPublisherAdminSetup.exe
  Resource: win7-20240705-en

Behavioral task: behavioral2
  Sample: TeamPublisherAdminSetup.exe
  Resource: win10v2004-20240704-en

Behavioral task: behavioral3
  Sample: TeamPublisherUserSetup.exe
  Resource: win7-20240704-en

Behavioral task: behavioral4
  Sample: TeamPublisherUserSetup.exe
  Resource: win10v2004-20240709-en
General
Target: TeamPublisherUserSetup.exe
Size: 7.3MB
MD5: 98ba705a7068a25ad3e8f244d622e72a
SHA1: 31b6c4cf406cd94f81c67d16d7d79b727978b1c4
SHA256: 407eddf509e809d9536b4ce187bf9725c291ce15e969e9d7070dc8624d235f6d
SHA512: 4f0443b4620ec4bb5afbb7c6655b47e254e24c2d2fd3765fbac06a99c65b295590f706d2595c205a7de5ae63dc313fada2dd018577947e0652f107c8c6053e1f
SSDEEP: 196608:tdlGEazRT5voP2S/l/vXBzDBHEESaGtHe9uzIOBlQ2tBMJ0UhP:xcNoP2S/J/NBkESaGtHpXlQ2g6Ud
Malware Config
Signatures
Enumerates connected drives (3 TTPs, 23 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.

description | ioc | Process
File opened (read-only) | \??\K: | MSIEXEC.EXE
File opened (read-only) | \??\N: | MSIEXEC.EXE
File opened (read-only) | \??\R: | MSIEXEC.EXE
File opened (read-only) | \??\W: | MSIEXEC.EXE
File opened (read-only) | \??\G: | MSIEXEC.EXE
File opened (read-only) | \??\I: | MSIEXEC.EXE
File opened (read-only) | \??\P: | MSIEXEC.EXE
File opened (read-only) | \??\T: | MSIEXEC.EXE
File opened (read-only) | \??\V: | MSIEXEC.EXE
File opened (read-only) | \??\X: | MSIEXEC.EXE
File opened (read-only) | \??\Y: | MSIEXEC.EXE
File opened (read-only) | \??\B: | MSIEXEC.EXE
File opened (read-only) | \??\E: | MSIEXEC.EXE
File opened (read-only) | \??\M: | MSIEXEC.EXE
File opened (read-only) | \??\Q: | MSIEXEC.EXE
File opened (read-only) | \??\S: | MSIEXEC.EXE
File opened (read-only) | \??\U: | MSIEXEC.EXE
File opened (read-only) | \??\Z: | MSIEXEC.EXE
File opened (read-only) | \??\J: | MSIEXEC.EXE
File opened (read-only) | \??\L: | MSIEXEC.EXE
File opened (read-only) | \??\O: | MSIEXEC.EXE
File opened (read-only) | \??\A: | MSIEXEC.EXE
File opened (read-only) | \??\H: | MSIEXEC.EXE

Suspicious use of AdjustPrivilegeToken (32 IoCs)

description | pid | Process
Token: SeShutdownPrivilege | 3200 | MSIEXEC.EXE
Token: SeIncreaseQuotaPrivilege | 3200 | MSIEXEC.EXE
Token: SeSecurityPrivilege | 960 | msiexec.exe
Token: SeCreateTokenPrivilege | 3200 | MSIEXEC.EXE
Token: SeAssignPrimaryTokenPrivilege | 3200 | MSIEXEC.EXE
Token: SeLockMemoryPrivilege | 3200 | MSIEXEC.EXE
Token: SeIncreaseQuotaPrivilege | 3200 | MSIEXEC.EXE
Token: SeMachineAccountPrivilege | 3200 | MSIEXEC.EXE
Token: SeTcbPrivilege | 3200 | MSIEXEC.EXE
Token: SeSecurityPrivilege | 3200 | MSIEXEC.EXE
Token: SeTakeOwnershipPrivilege | 3200 | MSIEXEC.EXE
Token: SeLoadDriverPrivilege | 3200 | MSIEXEC.EXE
Token: SeSystemProfilePrivilege | 3200 | MSIEXEC.EXE
Token: SeSystemtimePrivilege | 3200 | MSIEXEC.EXE
Token: SeProfSingleProcessPrivilege | 3200 | MSIEXEC.EXE
Token: SeIncBasePriorityPrivilege | 3200 | MSIEXEC.EXE
Token: SeCreatePagefilePrivilege | 3200 | MSIEXEC.EXE
Token: SeCreatePermanentPrivilege | 3200 | MSIEXEC.EXE
Token: SeBackupPrivilege | 3200 | MSIEXEC.EXE
Token: SeRestorePrivilege | 3200 | MSIEXEC.EXE
Token: SeShutdownPrivilege | 3200 | MSIEXEC.EXE
Token: SeDebugPrivilege | 3200 | MSIEXEC.EXE
Token: SeAuditPrivilege | 3200 | MSIEXEC.EXE
Token: SeSystemEnvironmentPrivilege | 3200 | MSIEXEC.EXE
Token: SeChangeNotifyPrivilege | 3200 | MSIEXEC.EXE
Token: SeRemoteShutdownPrivilege | 3200 | MSIEXEC.EXE
Token: SeUndockPrivilege | 3200 | MSIEXEC.EXE
Token: SeSyncAgentPrivilege | 3200 | MSIEXEC.EXE
Token: SeEnableDelegationPrivilege | 3200 | MSIEXEC.EXE
Token: SeManageVolumePrivilege | 3200 | MSIEXEC.EXE
Token: SeImpersonatePrivilege | 3200 | MSIEXEC.EXE
Token: SeCreateGlobalPrivilege | 3200 | MSIEXEC.EXE

Suspicious use of FindShellTrayWindow (1 IoC)

pid | Process
3200 | MSIEXEC.EXE

Suspicious use of WriteProcessMemory (3 IoCs)

description | pid | Process | procid_target
PID 2920 wrote to memory of 3200 | 2920 | TeamPublisherUserSetup.exe | 86
PID 2920 wrote to memory of 3200 | 2920 | TeamPublisherUserSetup.exe | 86
PID 2920 wrote to memory of 3200 | 2920 | TeamPublisherUserSetup.exe | 86
Processes
1. C:\Users\Admin\AppData\Local\Temp\TeamPublisherUserSetup.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\TeamPublisherUserSetup.exe"
   - Suspicious use of WriteProcessMemory
   PID: 2920

   2. C:\Windows\SysWOW64\MSIEXEC.EXE
      Command line: MSIEXEC.EXE /i "C:\Users\Admin\AppData\Local\Downloaded Installations\{AB228304-86E2-4391-8F81-9D811246A28E}\Team Publisher User Tool.msi" SETUPEXEDIR="C:\Users\Admin\AppData\Local\Temp" SETUPEXENAME="TeamPublisherUserSetup.exe"
      - Enumerates connected drives
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of FindShellTrayWindow
      PID: 3200

1. C:\Windows\system32\msiexec.exe
   Command line: C:\Windows\system32\msiexec.exe /V
   - Suspicious use of AdjustPrivilegeToken
   PID: 960
Network
MITRE ATT&CK Enterprise v15
Downloads
C:\Users\Admin\AppData\Local\Downloaded Installations\{AB228304-86E2-4391-8F81-9D811246A28E}\Team Publisher User Tool.msi
  Filesize: 7.3MB
  MD5: a0c2f531db57456b578c9bc81e9d6f0d
  SHA1: f936b9c2f4319d367c175482a9bd500b9b1a5372
  SHA256: 2ed3a38aac262b20b83519e895864923978d83d6ef1e4597adc6c8135fa8ee9a
  SHA512: ede4a4bc795a97a23e054282710763ef5fc6147926c818aecc304f8b496bf2a5943260c9348394fc3eb9a028135653dd005823da3abbc529a825c0a5a0bfd53b

  Filesize: 1KB
  MD5: 4ed52c6735b424d7848d546f28a02aef
  SHA1: 300403e9a14d718be38bb8dfc78ec1d3216260cf
  SHA256: c82e1e7b56135be74bb5a50f2528c4abc8c0a6b7906dc42803ef1f4e9e1c9222
  SHA512: 1fcbf7ae8fd7d88ae856c7763343f2eb244c648ab106bc109c22f9e4aded34e10e31bc9e692d7dfada556b5eac2420ded267cc70073902adb1b55286984cc367

  Filesize: 13KB
  MD5: 758747727e96a23c7c5a5bbb011656e4
  SHA1: 51cc637e7eb3451d6dfa9465d949d6dfb2cd65c9
  SHA256: bad3b2e854149df9413f06e6c1c7b7c875545393877f59b59907f6b083ce5825
  SHA512: 21ff9d365beb1b7809b89d540f41bf330515f05f6211c8327be43baf1f050e46ecc1654b0696e7c82a2a803267e38d780ffd83dea7448861f6e3b84838685627

  Filesize: 2KB
  MD5: 69a5fd7cddcea178f4c17cfbc25d7645
  SHA1: 90a0447f33dd1b0c636cefb153eaf0639c0f465d
  SHA256: 440aedae2e3cacbc9fce444dfbd6b267a855d469593427c90fd37d3dcb501bcc
  SHA512: f8bf3512f12bdc085cceaf0f4a4410c786cf304234483b57f8626fd4526e32c600aeed01681e7ceec3d0e290f15e30302bd1a3a765959a7c99e25e32a0ff74d1