Analysis
- max time kernel: 117s
- max time network: 118s
- platform: windows7_x64
- resource: win7-20240708-en
- resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
- submitted: 25/08/2024, 08:34 UTC
Static task
- static1
Behavioral task
- behavioral1
  Sample: 0ec987a8cf5a6359a641bff9018fcfe1944309ac0037a1bfdfbb5fc3a5b7ce0b.msi
  Resource: win7-20240708-en
Behavioral task
- behavioral2
  Sample: 0ec987a8cf5a6359a641bff9018fcfe1944309ac0037a1bfdfbb5fc3a5b7ce0b.msi
  Resource: win10v2004-20240802-en
General
- Target: 0ec987a8cf5a6359a641bff9018fcfe1944309ac0037a1bfdfbb5fc3a5b7ce0b.msi
- Size: 5.8MB
- MD5: 75ebb3d39a33fea28af2bfb4bff2f804
- SHA1: 56a1af9ba3a88511b304c1324e4e098a3a5b3e97
- SHA256: 0ec987a8cf5a6359a641bff9018fcfe1944309ac0037a1bfdfbb5fc3a5b7ce0b
- SHA512: 18f50e786ec0d68a7aebda4c6ee7fa1cde708705f56a1cd4e6f5c77d79ee5935e43d90f5cde02a691dbfdf7d491f7772a155452b43313476631cc0d6775a927f
- SSDEEP: 98304:xkufFm56yXIxb96jknaf6owI4xAXDnZxC/B4Awkw4PvaBuWd:xk56OIx5wknafwgLbWB1lvm
Malware Config
Signatures
-
Enumerates connected drives (3 TTPs, 46 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  description | ioc | Process
  File opened (read-only) | \??\M: | msiexec.exe
  File opened (read-only) | \??\A: | msiexec.exe
  File opened (read-only) | \??\B: | msiexec.exe
  File opened (read-only) | \??\L: | msiexec.exe
  File opened (read-only) | \??\Q: | msiexec.exe
  File opened (read-only) | \??\Y: | msiexec.exe
  File opened (read-only) | \??\Z: | msiexec.exe
  File opened (read-only) | \??\B: | msiexec.exe
  File opened (read-only) | \??\H: | msiexec.exe
  File opened (read-only) | \??\Q: | msiexec.exe
  File opened (read-only) | \??\W: | msiexec.exe
  File opened (read-only) | \??\S: | msiexec.exe
  File opened (read-only) | \??\W: | msiexec.exe
  File opened (read-only) | \??\E: | msiexec.exe
  File opened (read-only) | \??\K: | msiexec.exe
  File opened (read-only) | \??\N: | msiexec.exe
  File opened (read-only) | \??\V: | msiexec.exe
  File opened (read-only) | \??\U: | msiexec.exe
  File opened (read-only) | \??\X: | msiexec.exe
  File opened (read-only) | \??\A: | msiexec.exe
  File opened (read-only) | \??\I: | msiexec.exe
  File opened (read-only) | \??\U: | msiexec.exe
  File opened (read-only) | \??\Y: | msiexec.exe
  File opened (read-only) | \??\E: | msiexec.exe
  File opened (read-only) | \??\K: | msiexec.exe
  File opened (read-only) | \??\T: | msiexec.exe
  File opened (read-only) | \??\L: | msiexec.exe
  File opened (read-only) | \??\P: | msiexec.exe
  File opened (read-only) | \??\S: | msiexec.exe
  File opened (read-only) | \??\M: | msiexec.exe
  File opened (read-only) | \??\O: | msiexec.exe
  File opened (read-only) | \??\R: | msiexec.exe
  File opened (read-only) | \??\T: | msiexec.exe
  File opened (read-only) | \??\Z: | msiexec.exe
  File opened (read-only) | \??\G: | msiexec.exe
  File opened (read-only) | \??\J: | msiexec.exe
  File opened (read-only) | \??\R: | msiexec.exe
  File opened (read-only) | \??\X: | msiexec.exe
  File opened (read-only) | \??\I: | msiexec.exe
  File opened (read-only) | \??\N: | msiexec.exe
  File opened (read-only) | \??\P: | msiexec.exe
  File opened (read-only) | \??\G: | msiexec.exe
  File opened (read-only) | \??\J: | msiexec.exe
  File opened (read-only) | \??\O: | msiexec.exe
  File opened (read-only) | \??\H: | msiexec.exe
  File opened (read-only) | \??\V: | msiexec.exe
-
Drops file in Windows directory (4 IoCs)
  description | ioc | Process
  File opened for modification | C:\Windows\Installer\f76af62.msi | msiexec.exe
  File opened for modification | C:\Windows\Installer\MSIAF81.tmp | msiexec.exe
  File opened for modification | C:\Windows\Installer\MSIB01E.tmp | msiexec.exe
  File created | C:\Windows\Installer\f76af62.msi | msiexec.exe
-
Loads dropped DLL (2 IoCs)
  pid | Process
  2456 | MsiExec.exe
  2456 | MsiExec.exe
-
Event Triggered Execution: Installer Packages (2 TTPs, 1 IoC)
  pid | Process
  2076 | msiexec.exe
-
System Location Discovery: System Language Discovery (1 TTP, 1 IoC)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | MsiExec.exe
-
Suspicious use of AdjustPrivilegeToken (40 IoCs)
  description | pid | Process
  Token: SeShutdownPrivilege | 2076 | msiexec.exe
  Token: SeIncreaseQuotaPrivilege | 2076 | msiexec.exe
  Token: SeRestorePrivilege | 1620 | msiexec.exe
  Token: SeTakeOwnershipPrivilege | 1620 | msiexec.exe
  Token: SeSecurityPrivilege | 1620 | msiexec.exe
  Token: SeCreateTokenPrivilege | 2076 | msiexec.exe
  Token: SeAssignPrimaryTokenPrivilege | 2076 | msiexec.exe
  Token: SeLockMemoryPrivilege | 2076 | msiexec.exe
  Token: SeIncreaseQuotaPrivilege | 2076 | msiexec.exe
  Token: SeMachineAccountPrivilege | 2076 | msiexec.exe
  Token: SeTcbPrivilege | 2076 | msiexec.exe
  Token: SeSecurityPrivilege | 2076 | msiexec.exe
  Token: SeTakeOwnershipPrivilege | 2076 | msiexec.exe
  Token: SeLoadDriverPrivilege | 2076 | msiexec.exe
  Token: SeSystemProfilePrivilege | 2076 | msiexec.exe
  Token: SeSystemtimePrivilege | 2076 | msiexec.exe
  Token: SeProfSingleProcessPrivilege | 2076 | msiexec.exe
  Token: SeIncBasePriorityPrivilege | 2076 | msiexec.exe
  Token: SeCreatePagefilePrivilege | 2076 | msiexec.exe
  Token: SeCreatePermanentPrivilege | 2076 | msiexec.exe
  Token: SeBackupPrivilege | 2076 | msiexec.exe
  Token: SeRestorePrivilege | 2076 | msiexec.exe
  Token: SeShutdownPrivilege | 2076 | msiexec.exe
  Token: SeDebugPrivilege | 2076 | msiexec.exe
  Token: SeAuditPrivilege | 2076 | msiexec.exe
  Token: SeSystemEnvironmentPrivilege | 2076 | msiexec.exe
  Token: SeChangeNotifyPrivilege | 2076 | msiexec.exe
  Token: SeRemoteShutdownPrivilege | 2076 | msiexec.exe
  Token: SeUndockPrivilege | 2076 | msiexec.exe
  Token: SeSyncAgentPrivilege | 2076 | msiexec.exe
  Token: SeEnableDelegationPrivilege | 2076 | msiexec.exe
  Token: SeManageVolumePrivilege | 2076 | msiexec.exe
  Token: SeImpersonatePrivilege | 2076 | msiexec.exe
  Token: SeCreateGlobalPrivilege | 2076 | msiexec.exe
  Token: SeRestorePrivilege | 1620 | msiexec.exe
  Token: SeTakeOwnershipPrivilege | 1620 | msiexec.exe
  Token: SeRestorePrivilege | 1620 | msiexec.exe
  Token: SeTakeOwnershipPrivilege | 1620 | msiexec.exe
  Token: SeRestorePrivilege | 1620 | msiexec.exe
  Token: SeTakeOwnershipPrivilege | 1620 | msiexec.exe
-
Suspicious use of FindShellTrayWindow (2 IoCs)
  pid | Process
  2076 | msiexec.exe
  2076 | msiexec.exe
-
Suspicious use of WriteProcessMemory (7 IoCs)
  description | pid | Process | procid_target
  PID 1620 wrote to memory of 2456 | 1620 | msiexec.exe | 31
  PID 1620 wrote to memory of 2456 | 1620 | msiexec.exe | 31
  PID 1620 wrote to memory of 2456 | 1620 | msiexec.exe | 31
  PID 1620 wrote to memory of 2456 | 1620 | msiexec.exe | 31
  PID 1620 wrote to memory of 2456 | 1620 | msiexec.exe | 31
  PID 1620 wrote to memory of 2456 | 1620 | msiexec.exe | 31
  PID 1620 wrote to memory of 2456 | 1620 | msiexec.exe | 31
Processes
- Image: C:\Windows\system32\msiexec.exe (depth 1)
  Command line: msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\0ec987a8cf5a6359a641bff9018fcfe1944309ac0037a1bfdfbb5fc3a5b7ce0b.msi
  - Enumerates connected drives
  - Event Triggered Execution: Installer Packages
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID: 2076
- Image: C:\Windows\system32\msiexec.exe (depth 1)
  Command line: C:\Windows\system32\msiexec.exe /V
  - Enumerates connected drives
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 1620
  - Image: C:\Windows\syswow64\MsiExec.exe (depth 2)
    Command line: C:\Windows\syswow64\MsiExec.exe -Embedding C7C0994603054BB781275233AD2E42C1
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID: 2456
-
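The process chain above and the flattened signature lines in the Signatures section, as an added Python example (not tria.ge's code and not anything from the sample). It parses a constructed excerpt of the report's own text, rebuilds the msiexec chain and classifies each instance by its switches: `/I <package>` is the user-launched client, `/V` is the Windows Installer service, and `-Embedding <guid>` is the custom action server. The server is the process worth pulling apart here, because it is the one that loads a dropped DLL, and its syswow64 path says the custom action is 32-bit. The drive probing and the broad privilege list on the client appear in essentially every MSI run and are Installer behaviour, not something this package adds. Treating the WriteProcessMemory writer as the target's parent is a heuristic assumed here (a parent writes into a child it has just created); the regexes, role names and finding text are this example's own.

```python
"""Parse flattened tria.ge signature text and rebuild the msiexec process chain.

Added example, not code from tria.ge or from the sample. The inputs below are a
constructed excerpt of the report's own lines (first few IoCs of each signature).
"""
import re
from collections import Counter, defaultdict

# Constructed excerpt of the "Processes" section: (image path, command line, pid).
PROCESSES = [
    (r"C:\Windows\system32\msiexec.exe",
     r"msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\0ec987a8cf5a6359a641bff9018fcfe1944309ac0037a1bfdfbb5fc3a5b7ce0b.msi",
     2076),
    (r"C:\Windows\system32\msiexec.exe", r"C:\Windows\system32\msiexec.exe /V", 1620),
    (r"C:\Windows\syswow64\MsiExec.exe",
     r"C:\Windows\syswow64\MsiExec.exe -Embedding C7C0994603054BB781275233AD2E42C1", 2456),
]

# Constructed excerpt of the flattened signature text, in the form the page renders it.
RAW = {
    "drives": r"File opened (read-only) \??\M: msiexec.exe File opened (read-only) \??\A: msiexec.exe "
              r"File opened (read-only) \??\B: msiexec.exe File opened (read-only) \??\M: msiexec.exe",
    "tokens": "Token: SeShutdownPrivilege 2076 msiexec.exe Token: SeRestorePrivilege 1620 msiexec.exe "
              "Token: SeTakeOwnershipPrivilege 1620 msiexec.exe Token: SeDebugPrivilege 2076 msiexec.exe "
              "Token: SeLoadDriverPrivilege 2076 msiexec.exe",
    "wpm": "PID 1620 wrote to memory of 2456 1620 msiexec.exe 31 "
           "PID 1620 wrote to memory of 2456 1620 msiexec.exe 31",
    "loads_dll": "2456 MsiExec.exe 2456 MsiExec.exe",
}

DRIVE_RE = re.compile(r"File opened \(read-only\) \\\?\?\\([A-Z]): (\S+)")
TOKEN_RE = re.compile(r"Token: (Se\w+Privilege) (\d+) (\S+)")
WPM_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) \d+ (\S+) (\d+)")
LOAD_RE = re.compile(r"(\d+) (\S+)")


def parse_drives(text):
    """(drive letter, process) pairs in report order; repeats are real, one probe per process."""
    return DRIVE_RE.findall(text)


def drive_summary(text):
    """How often each letter was opened; msiexec probes every volume while costing an install."""
    return Counter(letter for letter, _proc in parse_drives(text))


def parse_tokens(text):
    """pid -> set of privileges that process tried to enable via AdjustTokenPrivileges."""
    by_pid = defaultdict(set)
    for priv, pid, _proc in TOKEN_RE.findall(text):
        by_pid[int(pid)].add(priv)
    return dict(by_pid)


def parse_wpm_edges(text):
    """Distinct (writer pid, target pid) pairs; the report lists one row per write call."""
    return {(int(src), int(dst)) for src, dst, _proc, _target in WPM_RE.findall(text)}


def parse_loaders(text):
    """pids that loaded a dropped DLL."""
    return {int(pid) for pid, _proc in LOAD_RE.findall(text)}


def msiexec_role(cmdline):
    """Classify an msiexec instance by its switches (role names are this example's own)."""
    args = cmdline.split()
    if "/I" in args or "/i" in args:
        return "client"                # user-launched install of a package
    if "/V" in args:
        return "service"               # Windows Installer service (msiserver)
    if "-Embedding" in args:
        return "custom-action-server"  # COM-launched host for custom action DLLs
    return "unknown"


def build_chain(processes, edges, loaders):
    """Per-pid role, parent and bitness. Heuristic (assumed here): a process that wrote into
    another's memory is treated as its parent, since that is what process creation does."""
    parent = {child: writer for writer, child in edges}
    chain = {}
    for image, cmdline, pid in processes:
        chain[pid] = {
            "role": msiexec_role(cmdline),
            "parent": parent.get(pid),
            "wow64": "syswow64" in image.lower(),
            "loads_dropped_dll": pid in loaders,
        }
    return chain


def triage_findings(chain):
    """The thing to pull next: a custom action server that loaded a dropped DLL."""
    findings = []
    for pid, info in chain.items():
        if info["role"] == "custom-action-server" and info["loads_dropped_dll"]:
            bits = "32" if info["wow64"] else "64"
            findings.append(f"pid {pid}: {bits}-bit custom action server loaded a dropped DLL; "
                            "dump the MSI's Binary and CustomAction tables to recover it")
    return findings


if __name__ == "__main__":
    chain = build_chain(PROCESSES, parse_wpm_edges(RAW["wpm"]), parse_loaders(RAW["loads_dll"]))
    for pid, info in chain.items():
        print(pid, info)
    print("drives:", dict(drive_summary(RAW["drives"])))
    print("privileges:", parse_tokens(RAW["tokens"]))
    for line in triage_findings(chain):
        print("finding:", line)
```

On the full report text the same regexes give 46 drive rows (23 letters, each opened twice, once per msiexec instance) and 40 token rows; the single distinct write edge 1620 to 2456 is why the syswow64 MsiExec sits at depth 2 under the service.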
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 816KB
  MD5: aa88d8f40a286b6d40de0f3abc836cfa
  SHA1: c24eab9e4b10b159b589f4c3b64ef3db111ea1c8
  SHA256: 8d633efeda1249356b11bf8f46583242356e4f903056b53bd25a99511d1790a1
  SHA512: 6c2f2f6a2d66015f30158962d653e381136f0f30023380a0ce95bd0944d856113fbde65db52dbb3b5de1c0e2edf2cd53184e721c64b916834be4198c61224519