Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    120s
  • max time network
    124s
  • platform
    windows7_x64
  • resource
    win7-20240705-en
  • resource tags

    arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
  • submitted
    01/08/2024, 21:33

General

  • Target

    Ability.msi

  • Size

    1.1MB

  • MD5

    e58820ed8d5250b99608423ab08d92aa

  • SHA1

    f4fe5454e61f3477d87c9b7c3bcc5d311c1a4a41

  • SHA256

    4d355fbb17711132a4c8cfa28c52e5defa8b5b98b1f654e9ff1e429c05a4dc6b

  • SHA512

    fb40a210561c60b07ffeb96eeac4f429253488b11776dda611bacad0432948f77d0082a06c20c2cf5822e4ab811f8b134ffa0b9699d42d660d3c0f114353a776

  • SSDEEP

    12288:NEEXd2VZ1WcpyO5GvElQ07nJUQKiJKEEH5WqU4JjVcI:5IPHpyO5GvElzLM53zVcI

Malware Config

Signatures

  • Blocklisted process makes network request 3 IoCs
  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Loads dropped DLL 1 IoCs
  • Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs

Processes

  • C:\Windows\system32\msiexec.exe
    msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\Ability.msi
    1⤵
    • Blocklisted process makes network request
    • Enumerates connected drives
    • Event Triggered Execution: Installer Packages
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:976
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Enumerates connected drives
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2552
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding 31A72E24DCAD682429F3A854F1DF53D4 C
      2⤵
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      PID:2444

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\CabFA1A.tmp

    Filesize

    70KB

    MD5

    49aebf8cbd62d92ac215b2923fb1b9f5

    SHA1

    1723be06719828dda65ad804298d0431f6aff976

    SHA256

    b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

    SHA512

    bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

  • C:\Users\Admin\AppData\Local\Temp\MSIFD58.tmp

    Filesize

    120KB

    MD5

    b51e6d6cfecc093a35f73c52af38f239

    SHA1

    bff035c83ff3043c7d451067bb488df2bda0de7a

    SHA256

    30784ad0a1277620b741b2d234bec44fde766eef2e13f05b2bd9aae177547b4e

    SHA512

    0b9a7e5088ac4fc13774955af93dcd86caa517e416b166fa63566d4cb48996f8630f3e088e4ea1357a78f4072c36eaba7a7eaa057b60018273283c3ecfd05430

  • C:\Users\Admin\AppData\Local\Temp\TarFC7D.tmp

    Filesize

    181KB

    MD5

    4ea6026cf93ec6338144661bf1202cd1

    SHA1

    a1dec9044f750ad887935a01430bf49322fbdcb7

    SHA256

    8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

    SHA512

    6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b