Overview

Static analysis: score 7

Behavioral tasks (score, sample, platform):
  3  Ability.msi      windows7-x64
  6  Ability.msi      windows10-2004-x64
  6  ABMCmn.dll       windows7-x64
  3  ABMCmn.dll       windows10-2004-x64
  3  ABViewForms.dll  windows7-x64
  3  ABViewForms.dll  windows10-2004-x64
  3  FormCtls.dll     windows7-x64
  3  FormCtls.dll     windows10-2004-x64
  3  FormEdit.exe     windows7-x64
  1  FormEdit.exe     windows10-2004-x64
  3  Install.exe      windows7-x64
  7  Install.exe      windows10-2004-x64
  7  a4w195.dll       windows7-x64
  3  a4w195.dll       windows10-2004-x64
  3  acfpdf.dll       windows7-x64
  3  acfpdf.dll       windows10-2004-x64
  3  acfpdfu.dll      windows7-x64
  3  acfpdfu.dll      windows10-2004-x64
  3  acfpdfui.dll     windows7-x64
  3  acfpdfui.dll     windows10-2004-x64
  3  acpdfcrdb.dll    windows7-x64
  3  acpdfcrdb.dll    windows10-2004-x64
  3  acpdfcrext.dll   windows7-x64
  3  acpdfcrext.dll   windows10-2004-x64
  3  cdintf.dll       windows7-x64
  3  cdintf.dll       windows10-2004-x64
  3  ABAnimFX.dll     windows7-x64
  3  ABAnimFX.dll     windows10-2004-x64
  3  ABHook.dll       windows7-x64
  3  ABHook.dll       windows10-2004-x64
  3  ABImageX.dll     windows7-x64
  3  ABImageX.dll     windows10-2004-x64
Analysis

max time kernel: 120s
max time network: 124s
platform: windows7_x64
resource: win7-20240705-en
resource tags: arch:x64 arch:x86 image:win7-20240705-en locale:en-us os:windows7-x64 system
submitted: 01/08/2024, 21:33
Tasks (task, sample, resource):
  static1       (static task)
  behavioral1   Ability.msi      win7-20240705-en
  behavioral2   Ability.msi      win10v2004-20240730-en
  behavioral3   ABMCmn.dll       win7-20240729-en
  behavioral4   ABMCmn.dll       win10v2004-20240730-en
  behavioral5   ABViewForms.dll  win7-20240704-en
  behavioral6   ABViewForms.dll  win10v2004-20240730-en
  behavioral7   FormCtls.dll     win7-20240704-en
  behavioral8   FormCtls.dll     win10v2004-20240730-en
  behavioral9   FormEdit.exe     win7-20240704-en
  behavioral10  FormEdit.exe     win10v2004-20240730-en
  behavioral11  Install.exe      win7-20240705-en
  behavioral12  Install.exe      win10v2004-20240730-en
  behavioral13  a4w195.dll       win7-20240705-en
  behavioral14  a4w195.dll       win10v2004-20240730-en
  behavioral15  acfpdf.dll       win7-20240704-en
  behavioral16  acfpdf.dll       win10v2004-20240730-en
  behavioral17  acfpdfu.dll      win7-20240729-en
  behavioral18  acfpdfu.dll      win10v2004-20240730-en
  behavioral19  acfpdfui.dll     win7-20240704-en
  behavioral20  acfpdfui.dll     win10v2004-20240730-en
  behavioral21  acpdfcrdb.dll    win7-20240704-en
  behavioral22  acpdfcrdb.dll    win10v2004-20240730-en
  behavioral23  acpdfcrext.dll   win7-20240705-en
  behavioral24  acpdfcrext.dll   win10v2004-20240730-en
  behavioral25  cdintf.dll       win7-20240705-en
  behavioral26  cdintf.dll       win10v2004-20240730-en
  behavioral27  ABAnimFX.dll     win7-20240708-en
  behavioral28  ABAnimFX.dll     win10v2004-20240730-en
  behavioral29  ABHook.dll       win7-20240708-en
  behavioral30  ABHook.dll       win10v2004-20240730-en
  behavioral31  ABImageX.dll     win7-20240704-en
  behavioral32  ABImageX.dll     win10v2004-20240730-en
General

Target: Ability.msi
Size: 1.1MB
MD5: e58820ed8d5250b99608423ab08d92aa
SHA1: f4fe5454e61f3477d87c9b7c3bcc5d311c1a4a41
SHA256: 4d355fbb17711132a4c8cfa28c52e5defa8b5b98b1f654e9ff1e429c05a4dc6b
SHA512: fb40a210561c60b07ffeb96eeac4f429253488b11776dda611bacad0432948f77d0082a06c20c2cf5822e4ab811f8b134ffa0b9699d42d660d3c0f114353a776
SSDEEP: 12288:NEEXd2VZ1WcpyO5GvElQ07nJUQKiJKEEH5WqU4JjVcI:5IPHpyO5GvElzLM53zVcI
Malware Config
Signatures
- Blocklisted process makes network request (3 IoCs)
  flow  pid  Process
  3     976  msiexec.exe
  5     976  msiexec.exe
  7     976  msiexec.exe

- Enumerates connected drives (3 TTPs, 46 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  description: File opened (read-only); Process: msiexec.exe; ioc, in recorded order:
  \??\I: \??\J: \??\N: \??\B: \??\L: \??\S: \??\H: \??\U: \??\X: \??\K: \??\T: \??\U: \??\Y: \??\Z: \??\I: \??\N: \??\G: \??\Q: \??\R: \??\M: \??\R: \??\Y: \??\O: \??\M: \??\P: \??\S: \??\W: \??\H: \??\P: \??\X: \??\E: \??\Z: \??\G: \??\T: \??\L: \??\V: \??\A: \??\E: \??\J: \??\K: \??\Q: \??\V: \??\B: \??\W: \??\O: \??\A:

- Loads dropped DLL (1 IoC)
  pid 2444, Process MsiExec.exe

- Event Triggered Execution: Installer Packages (2 TTPs, 1 IoC)
  pid 976, Process msiexec.exe
- System Location Discovery: System Language Discovery (1 TTP, 1 IoC)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description: Key opened; ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language; Process: MsiExec.exe
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  description: Token; pid and Process as listed, in recorded order:
  pid 976 msiexec.exe: SeShutdownPrivilege, SeIncreaseQuotaPrivilege
  pid 2552 msiexec.exe: SeRestorePrivilege, SeTakeOwnershipPrivilege, SeSecurityPrivilege
  pid 976 msiexec.exe, the following sequence of 29 tokens recorded twice in a row: SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege, SeIncreaseQuotaPrivilege, SeMachineAccountPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeSyncAgentPrivilege, SeEnableDelegationPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
  pid 976 msiexec.exe: SeCreateTokenPrivilege (one final entry)

- Suspicious use of FindShellTrayWindow (1 IoC)
  pid 976, Process msiexec.exe

- Suspicious use of WriteProcessMemory (7 IoCs)
  description: PID 2552 wrote to memory of 2444; pid 2552; Process msiexec.exe; procid_target 30 (the same entry is recorded 7 times)
Processes

- C:\Windows\system32\msiexec.exe
  Command line: msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\Ability.msi
  PID: 976
  Signatures:
  - Blocklisted process makes network request
  - Enumerates connected drives
  - Event Triggered Execution: Installer Packages
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow

- C:\Windows\system32\msiexec.exe
  Command line: C:\Windows\system32\msiexec.exe /V
  PID: 2552
  Signatures:
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  - C:\Windows\syswow64\MsiExec.exe (child of PID 2552)
    Command line: C:\Windows\syswow64\MsiExec.exe -Embedding 31A72E24DCAD682429F3A854F1DF53D4 C
    PID: 2444
    Signatures:
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads

- Filesize: 70KB
  MD5: 49aebf8cbd62d92ac215b2923fb1b9f5
  SHA1: 1723be06719828dda65ad804298d0431f6aff976
  SHA256: b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
  SHA512: bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

- Filesize: 120KB
  MD5: b51e6d6cfecc093a35f73c52af38f239
  SHA1: bff035c83ff3043c7d451067bb488df2bda0de7a
  SHA256: 30784ad0a1277620b741b2d234bec44fde766eef2e13f05b2bd9aae177547b4e
  SHA512: 0b9a7e5088ac4fc13774955af93dcd86caa517e416b166fa63566d4cb48996f8630f3e088e4ea1357a78f4072c36eaba7a7eaa057b60018273283c3ecfd05430

- Filesize: 181KB
  MD5: 4ea6026cf93ec6338144661bf1202cd1
  SHA1: a1dec9044f750ad887935a01430bf49322fbdcb7
  SHA256: 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
  SHA512: 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b