Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    117s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
  • submitted
    25/08/2024, 08:34 UTC

General

  • Target

    0ec987a8cf5a6359a641bff9018fcfe1944309ac0037a1bfdfbb5fc3a5b7ce0b.msi

  • Size

    5.8MB

  • MD5

    75ebb3d39a33fea28af2bfb4bff2f804

  • SHA1

    56a1af9ba3a88511b304c1324e4e098a3a5b3e97

  • SHA256

    0ec987a8cf5a6359a641bff9018fcfe1944309ac0037a1bfdfbb5fc3a5b7ce0b

  • SHA512

    18f50e786ec0d68a7aebda4c6ee7fa1cde708705f56a1cd4e6f5c77d79ee5935e43d90f5cde02a691dbfdf7d491f7772a155452b43313476631cc0d6775a927f

  • SSDEEP

    98304:xkufFm56yXIxb96jknaf6owI4xAXDnZxC/B4Awkw4PvaBuWd:xk56OIx5wknafwgLbWB1lvm

Malware Config

Signatures

  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Windows directory 4 IoCs
  • Loads dropped DLL 2 IoCs
  • Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken 40 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs

Processes

  • C:\Windows\system32\msiexec.exe
    msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\0ec987a8cf5a6359a641bff9018fcfe1944309ac0037a1bfdfbb5fc3a5b7ce0b.msi
    1⤵
    • Enumerates connected drives
    • Event Triggered Execution: Installer Packages
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:2076
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Enumerates connected drives
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1620
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding C7C0994603054BB781275233AD2E42C1
      2⤵
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      PID:2456

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\Installer\MSIAF81.tmp

    Filesize

    816KB

    MD5

    aa88d8f40a286b6d40de0f3abc836cfa

    SHA1

    c24eab9e4b10b159b589f4c3b64ef3db111ea1c8

    SHA256

    8d633efeda1249356b11bf8f46583242356e4f903056b53bd25a99511d1790a1

    SHA512

    6c2f2f6a2d66015f30158962d653e381136f0f30023380a0ce95bd0944d856113fbde65db52dbb3b5de1c0e2edf2cd53184e721c64b916834be4198c61224519
