Analysis
max time kernel: 1754s
max time network: 1383s
platform: windows10-2004_x64
resource: win10v2004-20240709-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
submitted: 21/07/2024, 17:05

Static task: static1
Behavioral task: behavioral1
  Sample: Order.msi
  Resource: win7-20240704-en
Behavioral task: behavioral2
  Sample: Order.msi
  Resource: win10v2004-20240709-en
General
Target: Order.msi
Size: 2.7MB
MD5: f7fd676f0813c386785974d541ab2c62
SHA1: 9b8cad4d93b685fa17428f19bf4a48ed5d065a37
SHA256: 1289a868933822979797a526e6fab52460940f1c9dd9231879ecf7da920b9b41
SHA512: 4cacdf7494afc7ad99d224c2b57ed5d6f5ccb31237eabf1291b43aa8955c082662ef973e8d8477c5c4cea08a2eeab9ac2ad2ceb9a9b7b646b9bbf73c8a42ee27
SSDEEP: 49152:rRC8uwRZFqnrf2F6bdjiC2Q5cQcXX5DEbWvB2I15oh268YXZ8+ROWv:rTS91iC2zZtvB715oUr63
Malware Config
Signatures
- Enumerates connected drives (3 TTPs, 46 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  description | ioc | Process
  File opened (read-only) | \??\Q: | msiexec.exe
  File opened (read-only) | \??\J: | msiexec.exe
  File opened (read-only) | \??\M: | msiexec.exe
  File opened (read-only) | \??\N: | msiexec.exe
  File opened (read-only) | \??\Z: | msiexec.exe
  File opened (read-only) | \??\B: | msiexec.exe
  File opened (read-only) | \??\E: | msiexec.exe
  File opened (read-only) | \??\V: | msiexec.exe
  File opened (read-only) | \??\W: | msiexec.exe
  File opened (read-only) | \??\T: | msiexec.exe
  File opened (read-only) | \??\R: | msiexec.exe
  File opened (read-only) | \??\G: | msiexec.exe
  File opened (read-only) | \??\K: | msiexec.exe
  File opened (read-only) | \??\O: | msiexec.exe
  File opened (read-only) | \??\U: | msiexec.exe
  File opened (read-only) | \??\V: | msiexec.exe
  File opened (read-only) | \??\W: | msiexec.exe
  File opened (read-only) | \??\X: | msiexec.exe
  File opened (read-only) | \??\K: | msiexec.exe
  File opened (read-only) | \??\L: | msiexec.exe
  File opened (read-only) | \??\Q: | msiexec.exe
  File opened (read-only) | \??\B: | msiexec.exe
  File opened (read-only) | \??\H: | msiexec.exe
  File opened (read-only) | \??\A: | msiexec.exe
  File opened (read-only) | \??\H: | msiexec.exe
  File opened (read-only) | \??\X: | msiexec.exe
  File opened (read-only) | \??\E: | msiexec.exe
  File opened (read-only) | \??\S: | msiexec.exe
  File opened (read-only) | \??\Z: | msiexec.exe
  File opened (read-only) | \??\S: | msiexec.exe
  File opened (read-only) | \??\T: | msiexec.exe
  File opened (read-only) | \??\U: | msiexec.exe
  File opened (read-only) | \??\I: | msiexec.exe
  File opened (read-only) | \??\L: | msiexec.exe
  File opened (read-only) | \??\P: | msiexec.exe
  File opened (read-only) | \??\G: | msiexec.exe
  File opened (read-only) | \??\Y: | msiexec.exe
  File opened (read-only) | \??\A: | msiexec.exe
  File opened (read-only) | \??\J: | msiexec.exe
  File opened (read-only) | \??\M: | msiexec.exe
  File opened (read-only) | \??\N: | msiexec.exe
  File opened (read-only) | \??\R: | msiexec.exe
  File opened (read-only) | \??\Y: | msiexec.exe
  File opened (read-only) | \??\I: | msiexec.exe
  File opened (read-only) | \??\O: | msiexec.exe
  File opened (read-only) | \??\P: | msiexec.exe
- Drops file in Windows directory (4 IoCs)
  description | ioc | Process
  File opened for modification | C:\Windows\Installer\e57bfa6.msi | msiexec.exe
  File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log | msiexec.exe
  File opened for modification | C:\Windows\Installer\MSIC014.tmp | msiexec.exe
  File created | C:\Windows\Installer\e57bfa6.msi | msiexec.exe
- Loads dropped DLL (1 IoCs)
  pid | Process
  4544 | MsiExec.exe
- Event Triggered Execution: Installer Packages (1 TTPs, 1 IoCs)
  pid | Process
  5112 | msiexec.exe
- Program crash (1 IoCs)
  pid | pid_target | Process | procid_target
  464 | 4544 | WerFault.exe | 86
- Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
  SCSI information is often read in order to detect sandboxing environments.
  description | ioc | Process
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | taskmgr.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | taskmgr.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | taskmgr.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid | Process
  4672 | msiexec.exe (2 entries)
  792 | taskmgr.exe (62 entries)
- Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  pid | Process
  792 | taskmgr.exe
- Suspicious use of AdjustPrivilegeToken (41 IoCs)
  description | pid | Process
  Token: SeShutdownPrivilege | 5112 | msiexec.exe
  Token: SeIncreaseQuotaPrivilege | 5112 | msiexec.exe
  Token: SeSecurityPrivilege | 4672 | msiexec.exe
  Token: SeCreateTokenPrivilege | 5112 | msiexec.exe
  Token: SeAssignPrimaryTokenPrivilege | 5112 | msiexec.exe
  Token: SeLockMemoryPrivilege | 5112 | msiexec.exe
  Token: SeIncreaseQuotaPrivilege | 5112 | msiexec.exe
  Token: SeMachineAccountPrivilege | 5112 | msiexec.exe
  Token: SeTcbPrivilege | 5112 | msiexec.exe
  Token: SeSecurityPrivilege | 5112 | msiexec.exe
  Token: SeTakeOwnershipPrivilege | 5112 | msiexec.exe
  Token: SeLoadDriverPrivilege | 5112 | msiexec.exe
  Token: SeSystemProfilePrivilege | 5112 | msiexec.exe
  Token: SeSystemtimePrivilege | 5112 | msiexec.exe
  Token: SeProfSingleProcessPrivilege | 5112 | msiexec.exe
  Token: SeIncBasePriorityPrivilege | 5112 | msiexec.exe
  Token: SeCreatePagefilePrivilege | 5112 | msiexec.exe
  Token: SeCreatePermanentPrivilege | 5112 | msiexec.exe
  Token: SeBackupPrivilege | 5112 | msiexec.exe
  Token: SeRestorePrivilege | 5112 | msiexec.exe
  Token: SeShutdownPrivilege | 5112 | msiexec.exe
  Token: SeDebugPrivilege | 5112 | msiexec.exe
  Token: SeAuditPrivilege | 5112 | msiexec.exe
  Token: SeSystemEnvironmentPrivilege | 5112 | msiexec.exe
  Token: SeChangeNotifyPrivilege | 5112 | msiexec.exe
  Token: SeRemoteShutdownPrivilege | 5112 | msiexec.exe
  Token: SeUndockPrivilege | 5112 | msiexec.exe
  Token: SeSyncAgentPrivilege | 5112 | msiexec.exe
  Token: SeEnableDelegationPrivilege | 5112 | msiexec.exe
  Token: SeManageVolumePrivilege | 5112 | msiexec.exe
  Token: SeImpersonatePrivilege | 5112 | msiexec.exe
  Token: SeCreateGlobalPrivilege | 5112 | msiexec.exe
  Token: SeRestorePrivilege | 4672 | msiexec.exe
  Token: SeTakeOwnershipPrivilege | 4672 | msiexec.exe
  Token: SeRestorePrivilege | 4672 | msiexec.exe
  Token: SeTakeOwnershipPrivilege | 4672 | msiexec.exe
  Token: SeDebugPrivilege | 792 | taskmgr.exe
  Token: SeSystemProfilePrivilege | 792 | taskmgr.exe
  Token: SeCreateGlobalPrivilege | 792 | taskmgr.exe
  Token: 33 | 792 | taskmgr.exe
  Token: SeIncBasePriorityPrivilege | 792 | taskmgr.exe
- Suspicious use of FindShellTrayWindow (64 IoCs)
  pid | Process
  5112 | msiexec.exe (2 entries)
  792 | taskmgr.exe (62 entries)
- Suspicious use of SendNotifyMessage (64 IoCs)
  pid | Process
  792 | taskmgr.exe (64 entries)
- Suspicious use of WriteProcessMemory (3 IoCs)
  description | pid | Process | procid_target
  PID 4672 wrote to memory of 4544 | 4672 | msiexec.exe | 86
  PID 4672 wrote to memory of 4544 | 4672 | msiexec.exe | 86
  PID 4672 wrote to memory of 4544 | 4672 | msiexec.exe | 86
Processes
- C:\Windows\system32\msiexec.exe (PID 5112)
  Command line: msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\Order.msi
  Signatures: Enumerates connected drives; Event Triggered Execution: Installer Packages; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow
- C:\Windows\system32\msiexec.exe (PID 4672)
  Command line: C:\Windows\system32\msiexec.exe /V
  Signatures: Enumerates connected drives; Drops file in Windows directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Windows\syswow64\MsiExec.exe (PID 4544)
    Command line: C:\Windows\syswow64\MsiExec.exe -Embedding 5D00BD30898402277741BE8FFB917ED1
    Signatures: Loads dropped DLL
    - C:\Windows\SysWOW64\WerFault.exe (PID 464)
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4544 -s 812
      Signatures: Program crash
- C:\Windows\SysWOW64\WerFault.exe (PID 3956)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4544 -ip 4544
- C:\Windows\system32\taskmgr.exe (PID 792)
  Command line: "C:\Windows\system32\taskmgr.exe" /4
  Signatures: Checks SCSI registry key(s); Suspicious behavior: EnumeratesProcesses; Suspicious behavior: GetForegroundWindowSpam; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 2.7MB
  MD5: 39c4da67f37b474fc44dc8f7a833a235
  SHA1: 611dc8f73eb6e770488a3ab88ddac86b6074899a
  SHA256: 7cbfef08f4be732b65aaa4c181257935fa3518537750b1bfe2b0aa811271ffc7
  SHA512: 7d696189b3769f2ec18a5a4600ec349077d62b95f252c87e49ca9dc299196068162b5c29e0afadead31041ad3eb8e5e08f8303e3db374b968c9fd6f6ae3167ab