Overview

Score  Target                       Platform
7      Static                       static
3      ~x64__x32_...__.zip          windows7-x64
1      ~x64__x32_...__.zip          windows10-2004-x64
1      fh/HalExtI...MA.dll          windows10-2004-x64
1      fh/fh.dll                    windows10-2004-x64
1      fh/gpsvc.dll                 windows10-2004-x64
1      fh/msftedit.dll              windows10-2004-x64
1      rmclient/SEMgrSvc.dll        windows10-2004-x64
1      rmclient/SRH.dll             windows10-2004-x64
1      rmclient/rilproxy.dll        windows10-2004-x64
1      rmclient/rmclient.dll        windows10-2004-x64
1      vdsbas/Tok...er.dll          windows10-2004-x64
1      vdsbas/Vault.dll             windows10-2004-x64
1      vdsbas/tquery.dll            windows10-2004-x64
1      vdsbas/vdsbas.dll            windows10-2004-x64
1      winspool/wdmaud.dll          windows10-2004-x64
1      winspool/winspool.dll        windows10-2004-x64
1      winspool/wvc.dll             windows10-2004-x64
7      x64__insta....5.msi          windows7-x64
6      x64__insta....5.msi          windows10-2004-x64
Analysis (score: 6)

- max time kernel: 91s
- max time network: 97s
- platform: windows10-2004_x64
- resource: win10v2004-20240730-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240730-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 02/08/2024, 14:17
Static task: static1

Behavioral tasks

Task          Sample                        Resource
behavioral1   ~x64__x32__installer__.zip    win7-20240729-en
behavioral2   ~x64__x32__installer__.zip    win10v2004-20240730-en
behavioral3   fh/HalExtIntcLpioDMA.dll      win10v2004-20240730-en
behavioral4   fh/fh.dll                     win10v2004-20240802-en
behavioral5   fh/gpsvc.dll                  win10v2004-20240802-en
behavioral6   fh/msftedit.dll               win10v2004-20240730-en
behavioral7   rmclient/SEMgrSvc.dll         win10v2004-20240802-en
behavioral8   rmclient/SRH.dll              win10v2004-20240802-en
behavioral9   rmclient/rilproxy.dll         win10v2004-20240802-en
behavioral10  rmclient/rmclient.dll         win10v2004-20240730-en
behavioral11  vdsbas/TokenBroker.dll        win10v2004-20240730-en
behavioral12  vdsbas/Vault.dll              win10v2004-20240730-en
behavioral13  vdsbas/tquery.dll             win10v2004-20240802-en
behavioral14  vdsbas/vdsbas.dll             win10v2004-20240730-en
behavioral15  winspool/wdmaud.dll           win10v2004-20240802-en
behavioral16  winspool/winspool.dll         win10v2004-20240802-en
behavioral17  winspool/wvc.dll              win10v2004-20240802-en
behavioral18  x64__installer__v2.0.5.msi    win7-20240704-en
behavioral19  x64__installer__v2.0.5.msi    win10v2004-20240730-en
General

- Target: x64__installer__v2.0.5.msi
- Size: 32.5MB
- MD5: acf3049f9a32d9c2d30d0546e7a4249a
- SHA1: 491fbaf36bbb029601daf0e73ff17179f6f8ebd9
- SHA256: 4e5def247c481ea835d423ca3134dc1192dc688693676ac6730c5e60ab269f61
- SHA512: 02a40cd23470dff49afb6dcb80e7313b78aeb5bcd50ff564a7756aa01589379cae04953d6f50d0f22d6a251696a52702cdfde4f8daa7829b1e74d019fa66b900
- SSDEEP: 786432:VRQLUyTDXySTjxA4Ztx2+G+N0WYQYBXPByttH+dktHEDv0y:VRQ77xVLYjsp+ikJ
Malware Config
Signatures

- Blocklisted process makes network request (2 IoCs)
  flow  pid   Process
  14    3360  MsiExec.exe
  16    3360  MsiExec.exe

- Enumerates connected drives (3 TTPs, 46 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
- Drops file in Windows directory (15 IoCs)
  description                  ioc                                                                Process
  File opened for modification C:\Windows\Installer\MSICE9B.tmp                                   msiexec.exe
  File opened for modification C:\Windows\Installer\MSICFF6.tmp                                   msiexec.exe
  File opened for modification C:\Windows\Installer\MSIE787.tmp                                   msiexec.exe
  File created                 C:\Windows\Installer\SourceHash{EE732749-08BE-4A8A-B918-99E4E0373581}  msiexec.exe
  File created                 C:\Windows\Installer\e57ccc6.msi                                   msiexec.exe
  File opened for modification C:\Windows\Installer\MSICD52.tmp                                   msiexec.exe
  File opened for modification C:\Windows\Installer\MSIF11E.tmp                                   msiexec.exe
  File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log           msiexec.exe
  File opened for modification C:\Windows\Installer\MSICF0A.tmp                                   msiexec.exe
  File opened for modification C:\Windows\Installer\MSICF2A.tmp                                   msiexec.exe
  File created                 C:\Windows\Installer\e57ccca.msi                                   msiexec.exe
  File opened for modification C:\Windows\Installer\e57ccc6.msi                                   msiexec.exe
  File opened for modification C:\Windows\Installer\MSIE748.tmp                                   msiexec.exe
  File opened for modification C:\Windows\Installer\                                              msiexec.exe
  File created                 C:\Windows\Installer\inprogressinstallinfo.ipi                     msiexec.exe

- Loads dropped DLL (7 IoCs)
  pid   Process
  3360  MsiExec.exe
  3360  MsiExec.exe
  3360  MsiExec.exe
  3360  MsiExec.exe
  3360  MsiExec.exe
  3360  MsiExec.exe
  3360  MsiExec.exe

- Event Triggered Execution: Installer Packages (2 TTPs, 1 IoC)
  pid   Process
  1532  msiexec.exe

- System Location Discovery: System Language Discovery (1 TTP, 1 IoC)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc                                                           Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   MsiExec.exe

- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid   Process
  3632  msiexec.exe
  3632  msiexec.exe

- Suspicious use of AdjustPrivilegeToken (64 IoCs)
- Suspicious use of FindShellTrayWindow (2 IoCs)
  pid   Process
  1532  msiexec.exe
  1532  msiexec.exe

- Suspicious use of WriteProcessMemory (3 IoCs)
  description                       pid   Process      procid_target
  PID 3632 wrote to memory of 3360  3632  msiexec.exe  86
  PID 3632 wrote to memory of 3360  3632  msiexec.exe  86
  PID 3632 wrote to memory of 3360  3632  msiexec.exe  86
Processes

- C:\Windows\system32\msiexec.exe
  Command line: msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\x64__installer__v2.0.5.msi
  - Enumerates connected drives
  - Event Triggered Execution: Installer Packages
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID: 1532

- C:\Windows\system32\msiexec.exe
  Command line: C:\Windows\system32\msiexec.exe /V
  - Enumerates connected drives
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 3632

  - C:\Windows\syswow64\MsiExec.exe (child of PID 3632)
    Command line: C:\Windows\syswow64\MsiExec.exe -Embedding 298A2AE358434456D17807F803C21769
    - Blocklisted process makes network request
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID: 3360
Network
MITRE ATT&CK Enterprise v15