Overview

Static (score 6)

Score  Task sample              Platform
3      bderepair/...UX.dll      windows10-2004-x64
1      bderepair/...ir.dll      windows10-2004-x64
1      bderepair/...r2.dll      windows10-2004-x64
1      dxilconv/H...ce.dll      windows10-2004-x64
1      dxilconv/HvSocket.dll    windows10-2004-x64
1      dxilconv/dwmscene.dll    windows10-2004-x64
1      dxilconv/dxilconv.dll    windows10-2004-x64
1      sbeio/AppV...UX.dll      windows10-2004-x64
1      sbeio/aada...er.dll      windows10-2004-x64
1      sbeio/sbeio.dll          windows10-2004-x64
1      setbcdloca...pi.dll      windows10-2004-x64
1      setbcdloca...nt.dll      windows10-2004-x64
1      setbcdloca...le.dll      windows10-2004-x64
1      setbcdloca...ce.dll      windows10-2004-x64
1      user32/mfc42.dll         windows10-2004-x64
1      user32/msv...00.dll      windows7-x64
1      user32/msv...00.dll      windows10-2004-x64
1      user32/regsvc.dll        windows10-2004-x64
1      user32/user32.dll        windows10-2004-x64
1      x64_instal....0.msi      windows7-x64
6      x64_instal....0.msi      windows10-2004-x64
Analysis (score 6)

max time kernel:   44s
max time network:  54s
platform:          windows7_x64
resource:          win7-20240704-en
resource tags:     arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
submitted:         29/08/2024, 18:39
Static task: static1

Behavioral tasks

Task          Sample                                                                      Resource
behavioral1   bderepair/ConsentUX.dll                                                     win10v2004-20240802-en
behavioral2   bderepair/bderepair.dll                                                     win10v2004-20240802-en
behavioral3   bderepair/configmanager2.dll                                                win10v2004-20240802-en
behavioral4   dxilconv/HttpsDataSource.dll                                                win10v2004-20240802-en
behavioral5   dxilconv/HvSocket.dll                                                       win10v2004-20240802-en
behavioral6   dxilconv/dwmscene.dll                                                       win10v2004-20240802-en
behavioral7   dxilconv/dxilconv.dll                                                       win10v2004-20240802-en
behavioral8   sbeio/AppVStreamingUX.dll                                                   win10v2004-20240802-en
behavioral9   sbeio/aadauthhelper.dll                                                     win10v2004-20240802-en
behavioral10  sbeio/sbeio.dll                                                             win10v2004-20240802-en
behavioral11  setbcdlocale/SensorsNativeApi.dll                                           win10v2004-20240802-en
behavioral12  setbcdlocale/Windows.Internal.Graphics.Display.DisplayEnhancementManagement.dll  win10v2004-20240802-en
behavioral13  setbcdlocale/setbcdlocale.dll                                               win10v2004-20240802-en
behavioral14  setbcdlocale/windows.internal.shellcommon.AccountsControlExperience.dll     win10v2004-20240802-en
behavioral15  user32/mfc42.dll                                                            win10v2004-20240802-en
behavioral16  user32/msvcr120_clr0400.dll                                                 win7-20240704-en
behavioral17  user32/msvcr120_clr0400.dll                                                 win10v2004-20240802-en
behavioral18  user32/regsvc.dll                                                           win10v2004-20240802-en
behavioral19  user32/user32.dll                                                           win10v2004-20240802-en
behavioral20  x64_installer__v4.6.0.msi                                                   win7-20240704-en
behavioral21  x64_installer__v4.6.0.msi                                                   win10v2004-20240802-en
General

Target:  x64_installer__v4.6.0.msi
Size:    34.2MB
MD5:     5272795582402dccea775dda61760529
SHA1:    2209ed8723742435012e1c500f6be10c8ffa7d16
SHA256:  c07ec4e1dd259f87f4939864be906470f912253e026d48980e05fc059685ca03
SHA512:  31eb5aeddd15431c29248589de1291ebe7dcfb88639c412fc886cd9726c3a1be90cdb4c29f83966c0427cb43120debafa5879f5e01bc8d258339e12cfcfea988
SSDEEP:  786432:et9FUyTDXySTjxA4Ztx2+G+N0WYQYBXPByttH+dktHEDv0y6VJy0o:et957xVLYjsp+ikJ6Vho
Malware Config
Signatures

Blocklisted process makes network request (2 IoCs)
  flow  pid   Process
  4     1144  MsiExec.exe
  7     1144  MsiExec.exe
Both flows come from PID 1144, the custom-action server (see Processes below), so the network activity belongs to the package's custom actions rather than to the Windows Installer service itself.

Enumerates connected drives (3 TTPs, 46 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
  All 46 rows are "File opened (read-only) \??\<letter>:" by msiexec.exe. Drive letters in report order:
  B E G H Z J Q U I K V A L R T W X A N Q E Y Z L O P R W X M O V J S S M T G I N U Y B H K P
  That is every letter A-Z except C, D and F, each opened exactly twice; the process tree flags this signature on both msiexec.exe processes (PID 2556 and PID 968), so the rows are consistent with one full sweep per process. Windows Installer probes every volume root during its disk-space costing pass, so this hit is produced by any MSI install and carries no weight on its own.

Drops file in Windows directory (12 IoCs)
  description                   ioc                                     Process
  File opened for modification  C:\Windows\Installer\MSI57A3.tmp        msiexec.exe
  File opened for modification  C:\Windows\Installer\MSI6B16.tmp        msiexec.exe
  File created                  C:\Windows\Installer\f78546a.ipi        msiexec.exe
  File opened for modification  C:\Windows\Installer\                   msiexec.exe
  File created                  C:\Windows\Installer\f785467.msi        msiexec.exe
  File opened for modification  C:\Windows\Installer\MSI559F.tmp        msiexec.exe
  File opened for modification  C:\Windows\Installer\MSI58BD.tmp        msiexec.exe
  File opened for modification  C:\Windows\Installer\MSI6A1C.tmp        msiexec.exe
  File opened for modification  C:\Windows\Installer\MSI7FCF.tmp        msiexec.exe
  File created                  C:\Windows\Installer\f78546c.msi        msiexec.exe
  File opened for modification  C:\Windows\Installer\f78546a.ipi        msiexec.exe
  File opened for modification  C:\Windows\Installer\f785467.msi        msiexec.exe
C:\Windows\Installer is the Installer service's own cache: the f78546x.msi files are cached copies of the package, and MSIxxxx.tmp files are where the service extracts custom-action binaries from the package's Binary table before the custom-action server loads them. The paths are therefore expected for an MSI run; what matters is the content of the .tmp files, which the report does not show.

Loads dropped DLL (5 IoCs)
  pid   Process
  1144  MsiExec.exe (x5)
The report does not name the loaded files; all five loads are by the custom-action server.

Event Triggered Execution: Installer Packages (2 TTPs, 1 IoC) - ATT&CK T1546.016
  pid   Process
  2556  msiexec.exe

System Location Discovery: System Language Discovery (1 TTP, 1 IoC) - ATT&CK T1614.001
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc                                                         Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  MsiExec.exe
The key is read by the custom-action server (PID 1144). Installers and runtime libraries routinely read NLS\Language to choose a UI language, so a single read is weak evidence of geofencing on its own.

Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid   Process
  968   msiexec.exe (x2)

Suspicious use of AdjustPrivilegeToken (64 IoCs)
  PID 2556 msiexec.exe (31 rows, in report order): SeShutdownPrivilege, SeIncreaseQuotaPrivilege, SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege, SeIncreaseQuotaPrivilege, SeMachineAccountPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeSyncAgentPrivilege, SeEnableDelegationPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
  PID 968 msiexec.exe (33 rows): SeSecurityPrivilege once, then SeRestorePrivilege and SeTakeOwnershipPrivilege alternating, 16 times each
The client (2556) enables every privilege present in its token in one pass and the service (968) toggles SeRestorePrivilege/SeTakeOwnershipPrivilege around each file operation; both patterns are standard for msiexec and are not by themselves an indicator.

Suspicious use of FindShellTrayWindow (2 IoCs)
  pid   Process
  2556  msiexec.exe (x2)

Suspicious use of WriteProcessMemory (7 IoCs)
  description                    pid  Process      procid_target
  PID 968 wrote to memory of 1144  968  msiexec.exe  30   (x7)
All seven writes are the Installer service (968) writing into the custom-action server (1144) it has just created, which is how process creation appears to the monitor; this is not a write into a foreign process.
Processes

C:\Windows\system32\msiexec.exe (PID 2556)
  msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\x64_installer__v4.6.0.msi
  - Enumerates connected drives
  - Event Triggered Execution: Installer Packages
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow

C:\Windows\system32\msiexec.exe (PID 968)
  C:\Windows\system32\msiexec.exe /V
  - Enumerates connected drives
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  |
  +- C:\Windows\syswow64\MsiExec.exe (PID 1144)
       C:\Windows\syswow64\MsiExec.exe -Embedding DC311571D9297D630EF549BEADC11286
       - Blocklisted process makes network request
       - Loads dropped DLL
       - System Location Discovery: System Language Discovery

How to read the tree: PID 2556 is the msiexec client started with the package (/I); PID 968 is the Windows Installer service (/V); PID 1144 is the custom-action server the service spawns (-Embedding <GUID>) to run the package's custom actions, and because it runs from syswow64 those custom actions are 32-bit. Everything of analytic value in this run (the network requests, the dropped-DLL loads, the NLS\Language read) sits on PID 1144, i.e. in the package's custom-action code. That is the part of the MSI to pull out next: the CustomAction and Binary tables name the code that ran, and an administrative install (msiexec /a <package> /qn TARGETDIR=<dir>) unpacks the file payload through the admin sequence, so the install-time custom actions do not execute while you extract.
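The checks described in the Signatures and Processes sections above can be run mechanically. The following Python script is an added example and is not part of the tria.ge report or of tria.ge's tooling: it transcribes the page's process tree and signature rows into data (the drive-letter rows are rebuilt from the report's own order) and answers the three questions a reviewer asks of an MSI run: which process is the custom-action server and what bitness is it, what did that server load and connect to, and is the drive enumeration explained by installer costing alone. The only assumption not on the page is that the 46 drive rows are split between the two msiexec.exe processes the tree flags.

```python
"""Triage checks over the Signatures and Processes sections of this report.

Added example, not tria.ge code. The data below is transcribed from the page;
the only assumption is that every 'File opened (read-only) \\??\\X:' row
belongs to one of the two msiexec.exe processes the tree flags with
'Enumerates connected drives'.
"""
import re
from collections import Counter

# Process tree from the Processes section: (pid, parent pid, command line).
# The page shows no parent for the two top-level msiexec.exe processes (0 = unknown).
PROCESSES = [
    (2556, 0, r"C:\Windows\system32\msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\x64_installer__v4.6.0.msi"),
    (968, 0, r"C:\Windows\system32\msiexec.exe /V"),
    (1144, 968, r"C:\Windows\syswow64\MsiExec.exe -Embedding DC311571D9297D630EF549BEADC11286"),
]

# Signature rows that name a pid.
NETWORK_FLOWS = [(4, 1144), (7, 1144)]   # Blocklisted process makes network request
DROPPED_DLL_LOADS = [1144] * 5            # Loads dropped DLL (paths not given on the page)
DRIVE_ENUM_PIDS = {2556, 968}             # tree marks both with 'Enumerates connected drives'

# The 46 'Enumerates connected drives' rows, rebuilt in the page's order.
DRIVE_ROWS = " ".join(
    f"File opened (read-only) \\??\\{c}: msiexec.exe"
    for c in "BEGHZJQUIKVALRTWXANQEYZLOPRWXMOVJSSMTGINUYBHKP"
)

_EMBED = re.compile(r"MsiExec\.exe\s+-Embedding\s+([0-9A-F]{32})", re.I)
_DRIVE = re.compile(r"File opened \(read-only\) \\\?\?\\([A-Z]): (\S+)")


def custom_action_servers(procs):
    """Return the Windows Installer custom-action servers in the tree.

    msiexec.exe /V is the Installer service; the '-Embedding <GUID>' child it
    spawns is the out-of-process server that runs the package's custom
    actions. Its path gives the bitness of the custom action: a SysWOW64
    server means a 32-bit custom action on 64-bit Windows.
    """
    by_pid = {pid: (ppid, cmd) for pid, ppid, cmd in procs}
    found = []
    for pid, ppid, cmd in procs:
        m = _EMBED.search(cmd)
        if not m:
            continue
        parent_cmd = by_pid.get(ppid, (None, ""))[1]
        found.append({
            "pid": pid,
            "parent": ppid,
            "parent_is_installer_service": parent_cmd.lower().endswith("msiexec.exe /v"),
            "bits": 32 if "\\syswow64\\" in cmd.lower() else 64,
            "guid": m.group(1).upper(),
        })
    return found


def drive_sweep(rows):
    """Parse drive-enumeration rows into per-letter open counts plus the
    letters that were never opened."""
    counts = Counter(letter for letter, _proc in _DRIVE.findall(rows))
    missing = set("ABCDEFGHIJKLMNOPQRSTUVWXYZ") - set(counts)
    return counts, missing


def looks_like_costing(counts, sweeping_pids):
    """Installer disk-space costing opens every volume root once per msiexec
    process. If each letter seen was opened exactly len(sweeping_pids) times,
    costing alone explains the signature."""
    return bool(counts) and set(counts.values()) == {len(sweeping_pids)}


def triage(procs=PROCESSES, flows=NETWORK_FLOWS, loads=DROPPED_DLL_LOADS,
           rows=DRIVE_ROWS, sweeping_pids=DRIVE_ENUM_PIDS):
    """Return the findings a reviewer would write up for this run."""
    findings = []
    for s in custom_action_servers(procs):
        n_flows = sum(1 for _f, pid in flows if pid == s["pid"])
        n_loads = sum(1 for pid in loads if pid == s["pid"])
        findings.append(
            f"pid {s['pid']}: {s['bits']}-bit custom-action server (parent {s['parent']}, "
            f"installer service parent={s['parent_is_installer_service']}) loaded "
            f"{n_loads} dropped DLL(s) and made {n_flows} network flow(s); "
            "attribute these to the package's custom actions, not to msiexec."
        )
    counts, missing = drive_sweep(rows)
    if looks_like_costing(counts, sweeping_pids):
        findings.append(
            f"drive enumeration: {len(counts)} letters x {len(sweeping_pids)} passes, "
            f"never opened: {''.join(sorted(missing))}; consistent with installer costing."
        )
    else:
        findings.append("drive enumeration: uneven per-letter counts; inspect the rows.")
    return findings


if __name__ == "__main__":
    for line in triage():
        print(line)
```

The same functions apply to any tria.ge MSI report once its process tree and signature rows are transcribed; a server whose parent is not `msiexec.exe /V`, or a drive sweep whose per-letter counts are uneven, is what should draw attention, not the presence of the signatures themselves.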
Network
MITRE ATT&CK Enterprise v15
T1546.016  Event Triggered Execution: Installer Packages (signature on PID 2556)
T1614.001  System Location Discovery: System Language Discovery (signature on PID 1144)
Downloads

1. Filesize 24KB
   MD5:     2758ee24274111e3a50727ef7685658d
   SHA1:    46681562c550b936accbd397d558fbc4b8c5a693
   SHA256:  5a37af41bd15bc6a8e578546cd1942fba205397f78cd15dd003e4c94ab39d368
   SHA512:  775c1d8a30584dd8161069a34373197cfa1044e0153e95493612bad8b3ae15a56cfd8d7f9bf0848e21ec85d8ab011b965dfc8a6b1f6a6d8ac69994fbdeeab248

2. Filesize 738KB
   MD5:     b158d8d605571ea47a238df5ab43dfaa
   SHA1:    bb91ae1f2f7142b9099e3cc285f4f5b84de568e4
   SHA256:  ca763693cc25d316f14a9ebad80ebf00590329550c45adb7e5205486533c2504
   SHA512:  56aef59c198acf2fcd0d95ea6e32ce1c706e5098a0800feff13ddb427bfb4d538de1c415a5cb5496b09a5825155e3abb1c13c8c37dc31549604bd4d63cb70591

3. Filesize 364KB
   MD5:     54d74546c6afe67b3d118c3c477c159a
   SHA1:    957f08beb7e27e657cd83d8ee50388b887935fae
   SHA256:  f9956417af079e428631a6c921b79716d960c3b4917c6b7d17ff3cb945f18611
   SHA512:  d27750b913cc2b7388e9948f42385d0b4124e48335ae7fc0bc6971f4f807dbc9af63fe88675bc440eb42b9a92551bf2d77130b1633ddda90866616b583ae924f

4. Filesize 34.2MB (same hashes as the submitted sample in General; this entry is the package itself, not a dropped file)
   MD5:     5272795582402dccea775dda61760529
   SHA1:    2209ed8723742435012e1c500f6be10c8ffa7d16
   SHA256:  c07ec4e1dd259f87f4939864be906470f912253e026d48980e05fc059685ca03
   SHA512:  31eb5aeddd15431c29248589de1291ebe7dcfb88639c412fc886cd9726c3a1be90cdb4c29f83966c0427cb43120debafa5879f5e01bc8d258339e12cfcfea988