Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    44s
  • max time network
    54s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags

    arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
  • submitted
    29/08/2024, 18:39

General

  • Target

    x64_installer__v4.6.0.msi

  • Size

    34.2MB

  • MD5

    5272795582402dccea775dda61760529

  • SHA1

    2209ed8723742435012e1c500f6be10c8ffa7d16

  • SHA256

    c07ec4e1dd259f87f4939864be906470f912253e026d48980e05fc059685ca03

  • SHA512

    31eb5aeddd15431c29248589de1291ebe7dcfb88639c412fc886cd9726c3a1be90cdb4c29f83966c0427cb43120debafa5879f5e01bc8d258339e12cfcfea988

  • SSDEEP

    786432:et9FUyTDXySTjxA4Ztx2+G+N0WYQYBXPByttH+dktHEDv0y6VJy0o:et957xVLYjsp+ikJ6Vho

Malware Config

Signatures

  • Blocklisted process makes network request 2 IoCs
  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Windows directory 12 IoCs
  • Loads dropped DLL 5 IoCs
  • Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs

Processes

  • C:\Windows\system32\msiexec.exe
    msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\x64_installer__v4.6.0.msi
    1⤵
    • Enumerates connected drives
    • Event Triggered Execution: Installer Packages
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:2556
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Enumerates connected drives
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:968
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding DC311571D9297D630EF549BEADC11286
      2⤵
      • Blocklisted process makes network request
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      PID:1144

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Config.Msi\f78546b.rbs

    Filesize

    24KB

    MD5

    2758ee24274111e3a50727ef7685658d

    SHA1

    46681562c550b936accbd397d558fbc4b8c5a693

    SHA256

    5a37af41bd15bc6a8e578546cd1942fba205397f78cd15dd003e4c94ab39d368

    SHA512

    775c1d8a30584dd8161069a34373197cfa1044e0153e95493612bad8b3ae15a56cfd8d7f9bf0848e21ec85d8ab011b965dfc8a6b1f6a6d8ac69994fbdeeab248

  • C:\Windows\Installer\MSI559F.tmp

    Filesize

    738KB

    MD5

    b158d8d605571ea47a238df5ab43dfaa

    SHA1

    bb91ae1f2f7142b9099e3cc285f4f5b84de568e4

    SHA256

    ca763693cc25d316f14a9ebad80ebf00590329550c45adb7e5205486533c2504

    SHA512

    56aef59c198acf2fcd0d95ea6e32ce1c706e5098a0800feff13ddb427bfb4d538de1c415a5cb5496b09a5825155e3abb1c13c8c37dc31549604bd4d63cb70591

  • C:\Windows\Installer\MSI6B16.tmp

    Filesize

    364KB

    MD5

    54d74546c6afe67b3d118c3c477c159a

    SHA1

    957f08beb7e27e657cd83d8ee50388b887935fae

    SHA256

    f9956417af079e428631a6c921b79716d960c3b4917c6b7d17ff3cb945f18611

    SHA512

    d27750b913cc2b7388e9948f42385d0b4124e48335ae7fc0bc6971f4f807dbc9af63fe88675bc440eb42b9a92551bf2d77130b1633ddda90866616b583ae924f

  • C:\Windows\Installer\f785467.msi

    Filesize

    34.2MB

    MD5

    5272795582402dccea775dda61760529

    SHA1

    2209ed8723742435012e1c500f6be10c8ffa7d16

    SHA256

    c07ec4e1dd259f87f4939864be906470f912253e026d48980e05fc059685ca03

    SHA512

    31eb5aeddd15431c29248589de1291ebe7dcfb88639c412fc886cd9726c3a1be90cdb4c29f83966c0427cb43120debafa5879f5e01bc8d258339e12cfcfea988