Analysis
  max time kernel: 148s
  max time network: 150s
  platform: windows10-2004_x64
  resource: win10v2004-20240802-en
  resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  submitted: 25/08/2024, 08:34
Static task
  static1

Behavioral task
  behavioral1
  Sample: 0ec987a8cf5a6359a641bff9018fcfe1944309ac0037a1bfdfbb5fc3a5b7ce0b.msi
  Resource: win7-20240708-en

Behavioral task
  behavioral2
  Sample: 0ec987a8cf5a6359a641bff9018fcfe1944309ac0037a1bfdfbb5fc3a5b7ce0b.msi
  Resource: win10v2004-20240802-en (the analysis details above, platform windows10-2004_x64, belong to this task)
General
  Target: 0ec987a8cf5a6359a641bff9018fcfe1944309ac0037a1bfdfbb5fc3a5b7ce0b.msi
  Size: 5.8MB
  MD5: 75ebb3d39a33fea28af2bfb4bff2f804
  SHA1: 56a1af9ba3a88511b304c1324e4e098a3a5b3e97
  SHA256: 0ec987a8cf5a6359a641bff9018fcfe1944309ac0037a1bfdfbb5fc3a5b7ce0b
  SHA512: 18f50e786ec0d68a7aebda4c6ee7fa1cde708705f56a1cd4e6f5c77d79ee5935e43d90f5cde02a691dbfdf7d491f7772a155452b43313476631cc0d6775a927f
  SSDEEP: 98304:xkufFm56yXIxb96jknaf6owI4xAXDnZxC/B4Awkw4PvaBuWd:xk56OIx5wknafwgLbWB1lvm
Malware Config
Signatures
Blocklisted process makes network request (1 IoC)
  flow 3, PID 1448, MsiExec.exe

Enumerates connected drives (3 TTPs, 46 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
  File opened (read-only) by msiexec.exe: \??\A: \??\B: \??\E: \??\G: \??\H: \??\I: \??\J: \??\K: \??\L: \??\M: \??\N: \??\O: \??\P: \??\Q: \??\R: \??\S: \??\T: \??\U: \??\V: \??\W: \??\X: \??\Y: \??\Z:
  Each of these 23 drive letters appears twice in the report (46 entries in total); the process tree attributes this signature to both msiexec.exe instances, PID 2072 and PID 3992.

Drops file in Windows directory (13 IoCs)
  All entries are attributed to msiexec.exe.
  File opened for modification  C:\Windows\Installer\MSI832A.tmp
  File opened for modification  C:\Windows\Installer\MSI84C3.tmp
  File created                  C:\Windows\Installer\SourceHash{72990FF3-4F7D-4947-AC38-6DDAF95890F6}
  File opened for modification  C:\Windows\Installer\MSI8463.tmp
  File opened for modification  C:\Windows\Installer\MSI84B3.tmp
  File opened for modification  C:\Windows\Installer\
  File opened for modification  C:\Windows\Installer\MSI8590.tmp
  File created                  C:\Windows\Installer\e5782e0.msi
  File opened for modification  C:\Windows\Installer\e5782dc.msi
  File opened for modification  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log
  File created                  C:\Windows\Installer\inprogressinstallinfo.ipi
  File created                  C:\Windows\Installer\e5782dc.msi
  File opened for modification  C:\Windows\Installer\MSI8522.tmp
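The SourceHash{...} file above is named after the package's Windows Installer ProductCode. When hunting for the same install on other hosts, the registry does not store that GUID verbatim: Windows Installer keys it under a "compressed" form (first three groups reversed, the remaining bytes swapped in pairs). The following Python is an added example, not part of the tria.ge report, that converts between the two forms and derives the standard per-machine registry locations from them; the ProductCode is taken from the IoC above, the registry paths are the usual Windows Installer locations for a per-machine install (S-1-5-18 is LocalSystem), and whether this sample actually registered there is not stated in the report.

```python
r"""Windows Installer ProductCode <-> registry "compressed GUID" conversion.

Added example for hunting the install registered by this package; the
ProductCode is the one in the SourceHash{...} IoC, the registry paths are
the standard per-machine Windows Installer locations (assumed relevant here).
"""
import re

PRODUCT_CODE = "{72990FF3-4F7D-4947-AC38-6DDAF95890F6}"   # from the SourceHash IoC

_GUID_RE = re.compile(
    r"^\{?([0-9A-F]{8})-([0-9A-F]{4})-([0-9A-F]{4})-([0-9A-F]{4})-([0-9A-F]{12})\}?$",
    re.IGNORECASE,
)


def _swap_pairs(s: str) -> str:
    """Swap every two adjacent hex characters: 'AC38' -> 'CA83'."""
    return "".join(s[i + 1] + s[i] for i in range(0, len(s), 2))


def compress_guid(guid: str) -> str:
    """Registry-packed form of a ProductCode (32 hex chars, no braces/dashes).

    Groups 1-3 are reversed as whole strings; groups 4 and 5 are swapped
    pairwise, because they are stored byte-wise rather than as integers.
    """
    m = _GUID_RE.match(guid.strip())
    if not m:
        raise ValueError(f"not a GUID: {guid!r}")
    a, b, c, d, e = (g.upper() for g in m.groups())
    return a[::-1] + b[::-1] + c[::-1] + _swap_pairs(d) + _swap_pairs(e)


def expand_guid(packed: str) -> str:
    """Inverse of compress_guid: packed registry form -> {XXXXXXXX-XXXX-...}."""
    p = packed.strip().upper()
    if not re.fullmatch(r"[0-9A-F]{32}", p):
        raise ValueError(f"not a packed GUID: {packed!r}")
    a, b, c = p[:8][::-1], p[8:12][::-1], p[12:16][::-1]
    d, e = _swap_pairs(p[16:20]), _swap_pairs(p[20:])
    return "{" + "-".join((a, b, c, d, e)) + "}"


def registry_artifacts(product_code: str) -> dict:
    """Artifacts a hunter would check for a per-machine install of this ProductCode."""
    packed = compress_guid(product_code)
    canonical = expand_guid(packed)
    return {
        # Written by msiexec.exe during install (seen in this report).
        "source_hash": r"C:\Windows\Installer\SourceHash" + canonical,
        # Per-machine product registration under the Installer class key.
        "classes_product": r"HKLM\SOFTWARE\Classes\Installer\Products" + "\\" + packed,
        # Per-machine install properties (DisplayName, LocalPackage, ...).
        "install_properties": (
            r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData"
            r"\S-1-5-18\Products" + "\\" + packed + r"\InstallProperties"
        ),
    }


if __name__ == "__main__":
    for name, path in registry_artifacts(PRODUCT_CODE).items():
        print(f"{name:20} {path}")
```

Round-tripping a GUID through compress_guid and expand_guid must return the original; that property is the quickest sanity check before pasting a packed value into a registry query.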
Loads dropped DLL (5 IoCs)
  PID 1448 MsiExec.exe (5 entries; the report does not name the loaded files)

Event Triggered Execution: Installer Packages (2 TTPs, 1 IoC)
  PID 2072 msiexec.exe

System Location Discovery: System Language Discovery (1 TTP, 1 IoC)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by MsiExec.exe
Script User-Agent (1 IoC)
Uses user-agent string associated with script host/environment.
  HTTP User-Agent header, flow 3: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
  This is the default User-Agent of the WinHttp.WinHttpRequest.5.1 COM object, and flow 3 is the request attributed above to PID 1448, the MsiExec.exe -Embedding custom action server, so the request most likely comes from a custom action inside the package rather than from Windows Installer itself.
Suspicious behavior: EnumeratesProcesses (2 IoCs)
  PID 3992 msiexec.exe (2 entries)

Suspicious use of AdjustPrivilegeToken (64 IoCs, grouped by PID)
  PID 2072 msiexec.exe (31 entries): SeShutdownPrivilege, SeIncreaseQuotaPrivilege, SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege, SeIncreaseQuotaPrivilege, SeMachineAccountPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeSyncAgentPrivilege, SeEnableDelegationPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
  PID 3992 msiexec.exe (33 entries): SeSecurityPrivilege once, then SeRestorePrivilege and SeTakeOwnershipPrivilege alternating, 16 of each

Suspicious use of FindShellTrayWindow (2 IoCs)
  PID 2072 msiexec.exe (2 entries)

Suspicious use of WriteProcessMemory (3 IoCs)
  PID 3992 msiexec.exe wrote to memory of PID 1448 (procid_target 86), 3 entries
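Taken together, the signatures above describe one chain: the Windows Installer service spawns a 32-bit custom action server (MsiExec.exe -Embedding), that server loads DLLs dropped under C:\Windows\Installer, and it then makes an HTTP request with the WinHttpRequest script User-Agent. The Python below is an added example, not part of the tria.ge report, showing how that chain can be correlated in endpoint telemetry. The process records are copied from the report's process tree; the image-load and HTTP records are constructed for illustration (the User-Agent string and flow number are from the report, but which C:\Windows\Installer\MSI*.tmp file PID 1448 loaded is an assumption, since the report does not name the five dropped DLLs), and the unrelated updater.exe process is a constructed benign control.

```python
r"""Correlate MsiExec custom-action-server behaviour over constructed telemetry.

Added example. Process records come from the report's process tree; image-load
and HTTP records are constructed (the MSI84C3.tmp load by PID 1448 and the
updater.exe control are assumptions for illustration).
"""
import re
from dataclasses import dataclass

# Default User-Agent of the WinHttp.WinHttpRequest COM object (the one in flow 3).
SCRIPT_UA = re.compile(r"WinHttp\.WinHttpRequest\.\d", re.IGNORECASE)
# Custom action binaries are extracted to C:\Windows\Installer\MSI<hex4>.tmp.
INSTALLER_TMP = re.compile(r"^[A-Z]:\\Windows\\Installer\\MSI[0-9A-F]{4}\.tmp$", re.IGNORECASE)

PROCESS_EVENTS = [
    {"pid": 2072, "ppid": 1000, "image": r"C:\Windows\system32\msiexec.exe",
     "cmdline": r"msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\0ec987a8cf5a6359a641bff9018fcfe1944309ac0037a1bfdfbb5fc3a5b7ce0b.msi"},
    {"pid": 3992, "ppid": 600, "image": r"C:\Windows\system32\msiexec.exe",
     "cmdline": r"C:\Windows\system32\msiexec.exe /V"},
    {"pid": 1448, "ppid": 3992, "image": r"C:\Windows\syswow64\MsiExec.exe",
     "cmdline": r"C:\Windows\syswow64\MsiExec.exe -Embedding B43FB9001BEDE7D93271A2E7F791CBE9"},
    # Constructed benign control: an unrelated process with a normal User-Agent.
    {"pid": 4242, "ppid": 1000, "image": r"C:\Program Files\Example\updater.exe",
     "cmdline": r"updater.exe --check"},
]
IMAGE_LOAD_EVENTS = [
    {"pid": 1448, "image": r"C:\Windows\Installer\MSI84C3.tmp"},   # assumed
    {"pid": 1448, "image": r"C:\Windows\SysWOW64\winhttp.dll"},
    {"pid": 4242, "image": r"C:\Windows\System32\winhttp.dll"},
]
HTTP_EVENTS = [
    {"pid": 1448, "flow": 3,
     "user_agent": "Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)"},
    {"pid": 4242, "flow": 4,
     "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) ExampleUpdater/1.0"},
]


@dataclass
class Alert:
    pid: int
    reasons: list


def is_custom_action_server(proc: dict) -> bool:
    """MsiExec.exe started with -Embedding is the custom action server the
    Windows Installer service spawns to run a package's custom actions."""
    return (proc["image"].lower().endswith("\\msiexec.exe")
            and re.search(r"(^|\s)-Embedding(\s|$)", proc["cmdline"], re.IGNORECASE) is not None)


def detect(process_events, image_load_events, http_events):
    """Flag every custom action server that talks to the network; the other
    observations are attached as reasons to speed up triage."""
    by_pid = {p["pid"]: p for p in process_events}
    alerts = []
    for proc in process_events:
        if not is_custom_action_server(proc):
            continue
        reasons = []
        parent = by_pid.get(proc["ppid"])
        if parent and "/V" in parent["cmdline"].split():       # msiexec.exe /V = installer service
            reasons.append("spawned_by_installer_service")
        if "syswow64" in proc["image"].lower():                  # 32-bit custom actions
            reasons.append("32bit_custom_action_server")
        if any(e["pid"] == proc["pid"] and INSTALLER_TMP.match(e["image"])
               for e in image_load_events):
            reasons.append("loads_installer_tmp_dll")
        requests = [e for e in http_events if e["pid"] == proc["pid"]]
        if requests:
            reasons.append("network_request")
        if any(SCRIPT_UA.search(e["user_agent"]) for e in requests):
            reasons.append("script_user_agent")
        if "network_request" in reasons:
            alerts.append(Alert(proc["pid"], reasons))
    return alerts


if __name__ == "__main__":
    for alert in detect(PROCESS_EVENTS, IMAGE_LOAD_EVENTS, HTTP_EVENTS):
        print(alert.pid, ", ".join(alert.reasons))
```

The alert fires on the network request from the custom action server, not on the privilege or drive-enumeration activity, because the service-side msiexec.exe (PID 3992) does those things for every legitimate install as well; a benign package only rarely needs its custom actions to reach the network.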
Processes
C:\Windows\system32\msiexec.exe  (PID 2072)
  Command line: msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\0ec987a8cf5a6359a641bff9018fcfe1944309ac0037a1bfdfbb5fc3a5b7ce0b.msi
  - Enumerates connected drives
  - Event Triggered Execution: Installer Packages
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow

C:\Windows\system32\msiexec.exe  (PID 3992)
  Command line: C:\Windows\system32\msiexec.exe /V
  - Enumerates connected drives
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\syswow64\MsiExec.exe  (PID 1448, child of PID 3992)
    Command line: C:\Windows\syswow64\MsiExec.exe -Embedding B43FB9001BEDE7D93271A2E7F791CBE9
    - Blocklisted process makes network request
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery

Reading the tree: PID 2072 is the client launched for the sample (msiexec.exe /I <package>); PID 3992 is the Windows Installer service (msiexec.exe /V), which performs the privileged file drops under C:\Windows\Installer; PID 1448 is the custom action server the service spawns (MsiExec.exe -Embedding), and its SysWOW64 path means the package's custom actions run as 32-bit code. The network request and the dropped-DLL loads are attributed to that custom action server, not to the installer service itself.
Network
MITRE ATT&CK Enterprise v15
Downloads
-
  Filesize: 8KB
  MD5: 7df4ec21c6dade0eaee9a9b2d9b0124c
  SHA1: d77abd05f8b58957cfa001ea8179d3415c230a7a
  SHA256: 53d673ec083d99f74a981258e8932db3691f26779b3b81bcfcf47c548bd9762b
  SHA512: 1a62387d351f5e5467048687fb673f447124123f5e9cf2522319686b70e72d79a05becce1174d0112684fbe5a4f7a481e89391130327c96dc8fb728758f7e97d
-
  Filesize: 816KB
  MD5: aa88d8f40a286b6d40de0f3abc836cfa
  SHA1: c24eab9e4b10b159b589f4c3b64ef3db111ea1c8
  SHA256: 8d633efeda1249356b11bf8f46583242356e4f903056b53bd25a99511d1790a1
  SHA512: 6c2f2f6a2d66015f30158962d653e381136f0f30023380a0ce95bd0944d856113fbde65db52dbb3b5de1c0e2edf2cd53184e721c64b916834be4198c61224519