Analysis
max time kernel: 150s
max time network: 121s
platform: windows7_x64
resource: win7-20240704-en
resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
submitted: 24/08/2024, 12:44
Static task: static1
Behavioral task: behavioral1
  Sample: Installer.msi
  Resource: win7-20240704-en
Behavioral task: behavioral2
  Sample: Installer.msi
  Resource: win10v2004-20240802-en
General
Target: Installer.msi
Size: 2.9MB
MD5: 64cd91662e9ba4747a85c6e750964af9
SHA1: 0121dffc5f7058e6e312228eb2fcb2295997dd23
SHA256: aaf3877ba2de9b121375a3a9def1d7177a02701457f185583fc78417b5e0b118
SHA512: c77a49dedae7c549227374cbd26de3c493ce42f3f2bf6043b6fa63f4b13f50d47e9d17b28b96f22abe68a0210c290e59a6635b07427bfb4fb6f467cf7455d36e
SSDEEP: 49152:JHrZzerSX55baiU0o8P5Ferq7I5RJK5k1Q/Y02gCQsG592CB6b0Wk:LirS/dxFeb02b
Malware Config
Signatures
Enumerates connected drives (3 TTPs, 46 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description               ioc     Process
File opened (read-only)   \??\M:  msiexec.exe
File opened (read-only)   \??\B:  msiexec.exe
File opened (read-only)   \??\U:  msiexec.exe
File opened (read-only)   \??\J:  msiexec.exe
File opened (read-only)   \??\Z:  msiexec.exe
File opened (read-only)   \??\H:  msiexec.exe
File opened (read-only)   \??\T:  msiexec.exe
File opened (read-only)   \??\Q:  msiexec.exe
File opened (read-only)   \??\H:  msiexec.exe
File opened (read-only)   \??\Q:  msiexec.exe
File opened (read-only)   \??\S:  msiexec.exe
File opened (read-only)   \??\L:  msiexec.exe
File opened (read-only)   \??\O:  msiexec.exe
File opened (read-only)   \??\S:  msiexec.exe
File opened (read-only)   \??\X:  msiexec.exe
File opened (read-only)   \??\N:  msiexec.exe
File opened (read-only)   \??\R:  msiexec.exe
File opened (read-only)   \??\X:  msiexec.exe
File opened (read-only)   \??\I:  msiexec.exe
File opened (read-only)   \??\J:  msiexec.exe
File opened (read-only)   \??\K:  msiexec.exe
File opened (read-only)   \??\V:  msiexec.exe
File opened (read-only)   \??\E:  msiexec.exe
File opened (read-only)   \??\G:  msiexec.exe
File opened (read-only)   \??\T:  msiexec.exe
File opened (read-only)   \??\W:  msiexec.exe
File opened (read-only)   \??\R:  msiexec.exe
File opened (read-only)   \??\W:  msiexec.exe
File opened (read-only)   \??\Y:  msiexec.exe
File opened (read-only)   \??\I:  msiexec.exe
File opened (read-only)   \??\P:  msiexec.exe
File opened (read-only)   \??\E:  msiexec.exe
File opened (read-only)   \??\M:  msiexec.exe
File opened (read-only)   \??\Y:  msiexec.exe
File opened (read-only)   \??\G:  msiexec.exe
File opened (read-only)   \??\N:  msiexec.exe
File opened (read-only)   \??\L:  msiexec.exe
File opened (read-only)   \??\O:  msiexec.exe
File opened (read-only)   \??\U:  msiexec.exe
File opened (read-only)   \??\V:  msiexec.exe
File opened (read-only)   \??\P:  msiexec.exe
File opened (read-only)   \??\Z:  msiexec.exe
File opened (read-only)   \??\A:  msiexec.exe
File opened (read-only)   \??\B:  msiexec.exe
File opened (read-only)   \??\K:  msiexec.exe
File opened (read-only)   \??\A:  msiexec.exe

Loads dropped DLL (5 IoCs)
pid   Process
1636  MsiExec.exe
1636  MsiExec.exe
1636  MsiExec.exe
1636  MsiExec.exe
1636  MsiExec.exe

Event Triggered Execution: Installer Packages (2 TTPs, 1 IoCs)
pid   Process
2392  msiexec.exe
System Location Discovery: System Language Discovery (1 TTPs, 1 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description   ioc                                                            Process
Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   MsiExec.exe
Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
pid   Process
2392  msiexec.exe

Suspicious use of AdjustPrivilegeToken (64 IoCs)
description                                pid   Process
Token: SeShutdownPrivilege                 2392  msiexec.exe
Token: SeIncreaseQuotaPrivilege            2392  msiexec.exe
Token: SeRestorePrivilege                  2532  msiexec.exe
Token: SeTakeOwnershipPrivilege            2532  msiexec.exe
Token: SeSecurityPrivilege                 2532  msiexec.exe
Token: SeCreateTokenPrivilege              2392  msiexec.exe
Token: SeAssignPrimaryTokenPrivilege       2392  msiexec.exe
Token: SeLockMemoryPrivilege               2392  msiexec.exe
Token: SeIncreaseQuotaPrivilege            2392  msiexec.exe
Token: SeMachineAccountPrivilege           2392  msiexec.exe
Token: SeTcbPrivilege                      2392  msiexec.exe
Token: SeSecurityPrivilege                 2392  msiexec.exe
Token: SeTakeOwnershipPrivilege            2392  msiexec.exe
Token: SeLoadDriverPrivilege               2392  msiexec.exe
Token: SeSystemProfilePrivilege            2392  msiexec.exe
Token: SeSystemtimePrivilege               2392  msiexec.exe
Token: SeProfSingleProcessPrivilege        2392  msiexec.exe
Token: SeIncBasePriorityPrivilege          2392  msiexec.exe
Token: SeCreatePagefilePrivilege           2392  msiexec.exe
Token: SeCreatePermanentPrivilege          2392  msiexec.exe
Token: SeBackupPrivilege                   2392  msiexec.exe
Token: SeRestorePrivilege                  2392  msiexec.exe
Token: SeShutdownPrivilege                 2392  msiexec.exe
Token: SeDebugPrivilege                    2392  msiexec.exe
Token: SeAuditPrivilege                    2392  msiexec.exe
Token: SeSystemEnvironmentPrivilege        2392  msiexec.exe
Token: SeChangeNotifyPrivilege             2392  msiexec.exe
Token: SeRemoteShutdownPrivilege           2392  msiexec.exe
Token: SeUndockPrivilege                   2392  msiexec.exe
Token: SeSyncAgentPrivilege                2392  msiexec.exe
Token: SeEnableDelegationPrivilege         2392  msiexec.exe
Token: SeManageVolumePrivilege             2392  msiexec.exe
Token: SeImpersonatePrivilege              2392  msiexec.exe
Token: SeCreateGlobalPrivilege             2392  msiexec.exe
Token: SeCreateTokenPrivilege              2392  msiexec.exe
Token: SeAssignPrimaryTokenPrivilege       2392  msiexec.exe
Token: SeLockMemoryPrivilege               2392  msiexec.exe
Token: SeIncreaseQuotaPrivilege            2392  msiexec.exe
Token: SeMachineAccountPrivilege           2392  msiexec.exe
Token: SeTcbPrivilege                      2392  msiexec.exe
Token: SeSecurityPrivilege                 2392  msiexec.exe
Token: SeTakeOwnershipPrivilege            2392  msiexec.exe
Token: SeLoadDriverPrivilege               2392  msiexec.exe
Token: SeSystemProfilePrivilege            2392  msiexec.exe
Token: SeSystemtimePrivilege               2392  msiexec.exe
Token: SeProfSingleProcessPrivilege        2392  msiexec.exe
Token: SeIncBasePriorityPrivilege          2392  msiexec.exe
Token: SeCreatePagefilePrivilege           2392  msiexec.exe
Token: SeCreatePermanentPrivilege          2392  msiexec.exe
Token: SeBackupPrivilege                   2392  msiexec.exe
Token: SeRestorePrivilege                  2392  msiexec.exe
Token: SeShutdownPrivilege                 2392  msiexec.exe
Token: SeDebugPrivilege                    2392  msiexec.exe
Token: SeAuditPrivilege                    2392  msiexec.exe
Token: SeSystemEnvironmentPrivilege        2392  msiexec.exe
Token: SeChangeNotifyPrivilege             2392  msiexec.exe
Token: SeRemoteShutdownPrivilege           2392  msiexec.exe
Token: SeUndockPrivilege                   2392  msiexec.exe
Token: SeSyncAgentPrivilege                2392  msiexec.exe
Token: SeEnableDelegationPrivilege         2392  msiexec.exe
Token: SeManageVolumePrivilege             2392  msiexec.exe
Token: SeImpersonatePrivilege              2392  msiexec.exe
Token: SeCreateGlobalPrivilege             2392  msiexec.exe
Token: SeCreateTokenPrivilege              2392  msiexec.exe

Suspicious use of FindShellTrayWindow (1 IoCs)
pid   Process
2392  msiexec.exe

Suspicious use of WriteProcessMemory (7 IoCs)
description                      pid   Process      procid_target
PID 2532 wrote to memory of 1636 2532  msiexec.exe  31
PID 2532 wrote to memory of 1636 2532  msiexec.exe  31
PID 2532 wrote to memory of 1636 2532  msiexec.exe  31
PID 2532 wrote to memory of 1636 2532  msiexec.exe  31
PID 2532 wrote to memory of 1636 2532  msiexec.exe  31
PID 2532 wrote to memory of 1636 2532  msiexec.exe  31
PID 2532 wrote to memory of 1636 2532  msiexec.exe  31
Processes
C:\Windows\system32\msiexec.exe (level 1)
  Command line: msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\Installer.msi
  PID: 2392
  - Enumerates connected drives
  - Event Triggered Execution: Installer Packages
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow

C:\Windows\system32\msiexec.exe (level 1)
  Command line: C:\Windows\system32\msiexec.exe /V
  PID: 2532
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\syswow64\MsiExec.exe (level 2, child of PID 2532)
    Command line: C:\Windows\syswow64\MsiExec.exe -Embedding C1297B63B2DC7D2746B6D4B2500E29DE C
    PID: 1636
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 904KB
MD5: 421643ee7bb89e6df092bc4b18a40ff8
SHA1: e801582a6dd358060a699c9c5cde31cd07ee49ab
SHA256: d6b89fd5a95071e7b144d8bedcb09b694e9cd14bfbfafb782b17cf8413eac6da
SHA512: d59c4ec7690e535da84f94bef2be7f94d6bfd0b2908fa9a67d0897abe8a2825fd52354c495ea1a7f133f727c2ee356869cc80bacf5557864d535a72d8c396023