Analysis
- max time kernel: 138s
- max time network: 134s
- platform: windows10-2004_x64
- resource: win10v2004-20240802-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 29/08/2024, 18:39
Static task
- static1
Behavioral tasks (sample, resource)
- behavioral1: bderepair/ConsentUX.dll, win10v2004-20240802-en
- behavioral2: bderepair/bderepair.dll, win10v2004-20240802-en
- behavioral3: bderepair/configmanager2.dll, win10v2004-20240802-en
- behavioral4: dxilconv/HttpsDataSource.dll, win10v2004-20240802-en
- behavioral5: dxilconv/HvSocket.dll, win10v2004-20240802-en
- behavioral6: dxilconv/dwmscene.dll, win10v2004-20240802-en
- behavioral7: dxilconv/dxilconv.dll, win10v2004-20240802-en
- behavioral8: sbeio/AppVStreamingUX.dll, win10v2004-20240802-en
- behavioral9: sbeio/aadauthhelper.dll, win10v2004-20240802-en
- behavioral10: sbeio/sbeio.dll, win10v2004-20240802-en
- behavioral11: setbcdlocale/SensorsNativeApi.dll, win10v2004-20240802-en
- behavioral12: setbcdlocale/Windows.Internal.Graphics.Display.DisplayEnhancementManagement.dll, win10v2004-20240802-en
- behavioral13: setbcdlocale/setbcdlocale.dll, win10v2004-20240802-en
- behavioral14: setbcdlocale/windows.internal.shellcommon.AccountsControlExperience.dll, win10v2004-20240802-en
- behavioral15: user32/mfc42.dll, win10v2004-20240802-en
- behavioral16: user32/msvcr120_clr0400.dll, win7-20240704-en
- behavioral17: user32/msvcr120_clr0400.dll, win10v2004-20240802-en
- behavioral18: user32/regsvc.dll, win10v2004-20240802-en
- behavioral19: user32/user32.dll, win10v2004-20240802-en
- behavioral20: x64_installer__v4.6.0.msi, win7-20240704-en
- behavioral21: x64_installer__v4.6.0.msi, win10v2004-20240802-en
General
- Target: x64_installer__v4.6.0.msi
- Size: 34.2MB
- MD5: 5272795582402dccea775dda61760529
- SHA1: 2209ed8723742435012e1c500f6be10c8ffa7d16
- SHA256: c07ec4e1dd259f87f4939864be906470f912253e026d48980e05fc059685ca03
- SHA512: 31eb5aeddd15431c29248589de1291ebe7dcfb88639c412fc886cd9726c3a1be90cdb4c29f83966c0427cb43120debafa5879f5e01bc8d258339e12cfcfea988
- SSDEEP: 786432:et9FUyTDXySTjxA4Ztx2+G+N0WYQYBXPByttH+dktHEDv0y6VJy0o:et957xVLYjsp+ikJ6Vho
Malware Config
Signatures
- Blocklisted process makes network request (2 IoCs)
  flow 22: pid 264, MsiExec.exe
  flow 24: pid 264, MsiExec.exe
- Enumerates connected drives (3 TTPs, 46 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  All 46 entries have description "File opened (read-only)" and process msiexec.exe; the ioc values, in reported order, are:
  \??\N:, \??\R:, \??\N:, \??\G:, \??\H:, \??\L:, \??\I:, \??\V:, \??\X:, \??\B:, \??\E:, \??\P:, \??\Z:, \??\M:, \??\A:, \??\E:, \??\Q:, \??\S:, \??\R:, \??\T:, \??\K:, \??\Q:, \??\S:, \??\U:, \??\V:, \??\W:, \??\G:, \??\L:, \??\M:, \??\U:, \??\I:, \??\J:, \??\P:, \??\X:, \??\Z:, \??\J:, \??\W:, \??\A:, \??\O:, \??\T:, \??\Y:, \??\B:, \??\H:, \??\K:, \??\O:, \??\Y:
- Drops file in Windows directory (15 IoCs)
  File opened for modification C:\Windows\Installer\MSIC296.tmp (msiexec.exe)
  File opened for modification C:\Windows\Installer\MSIC3E0.tmp (msiexec.exe)
  File opened for modification C:\Windows\Installer\MSIC0DF.tmp (msiexec.exe)
  File opened for modification C:\Windows\Installer\MSIDAA7.tmp (msiexec.exe)
  File opened for modification C:\Windows\Installer\ (msiexec.exe)
  File opened for modification C:\Windows\Installer\MSIDF1C.tmp (msiexec.exe)
  File created C:\Windows\Installer\e57c056.msi (msiexec.exe)
  File opened for modification C:\Windows\Installer\e57c052.msi (msiexec.exe)
  File opened for modification C:\Windows\Installer\MSIC314.tmp (msiexec.exe)
  File opened for modification C:\Windows\Installer\MSIDA57.tmp (msiexec.exe)
  File created C:\Windows\Installer\SourceHash{899ABA1A-C3F2-4E09-8549-EE913E5CB7E5} (msiexec.exe)
  File created C:\Windows\Installer\e57c052.msi (msiexec.exe)
  File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log (msiexec.exe)
  File opened for modification C:\Windows\Installer\MSIC238.tmp (msiexec.exe)
  File created C:\Windows\Installer\inprogressinstallinfo.ipi (msiexec.exe)
- Loads dropped DLL (7 IoCs)
  pid 264, MsiExec.exe (7 entries)
- Event Triggered Execution: Installer Packages (2 TTPs, 1 IoC)
  pid 3864, msiexec.exe
- System Location Discovery: System Language Discovery (1 TTP, 1 IoC)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (MsiExec.exe)
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid 4388, msiexec.exe (2 entries)
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Each entry is "Token: <privilege>" with the pid and process that adjusted it.
  pid 3864, msiexec.exe (31 entries, in reported order): SeShutdownPrivilege, SeIncreaseQuotaPrivilege, SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege, SeIncreaseQuotaPrivilege, SeMachineAccountPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeSyncAgentPrivilege, SeEnableDelegationPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
  pid 4388, msiexec.exe (33 entries): SeSecurityPrivilege once (reported after the first two pid 3864 entries), then SeRestorePrivilege and SeTakeOwnershipPrivilege alternating, 16 times each
- Suspicious use of FindShellTrayWindow (2 IoCs)
  pid 3864, msiexec.exe (2 entries)
- Suspicious use of WriteProcessMemory (3 IoCs)
  PID 4388 (msiexec.exe) wrote to memory of PID 264, procid_target 88 (3 entries)
Processes
- C:\Windows\system32\msiexec.exe
  Command line: msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\x64_installer__v4.6.0.msi
  PID: 3864
  - Enumerates connected drives
  - Event Triggered Execution: Installer Packages
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
- C:\Windows\system32\msiexec.exe
  Command line: C:\Windows\system32\msiexec.exe /V
  PID: 4388
  - Enumerates connected drives
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\syswow64\MsiExec.exe (child of PID 4388)
    Command line: C:\Windows\syswow64\MsiExec.exe -Embedding 38AD67E5F7B7CCFA00453003902E0521
    PID: 264
    - Blocklisted process makes network request
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 25KB
  MD5: 77a4339096ff99783e3486fc60a76306
  SHA1: c04658ce7de6e0f4f83cd62e9a2d494e521bb754
  SHA256: 06784d33508977aace62d0104fcdf05500562b7c456b93f1aabdefbd93489027
  SHA512: 3ad0ee2a2f66d50c49cef1f07a1fffe72f7caaa4a4d3d6bfa0d58a0c2b37edfa68f7a1049da63f8bc02d88a4c4da800fd38a0d234b227db6b870d13230347584
- Filesize: 738KB
  MD5: b158d8d605571ea47a238df5ab43dfaa
  SHA1: bb91ae1f2f7142b9099e3cc285f4f5b84de568e4
  SHA256: ca763693cc25d316f14a9ebad80ebf00590329550c45adb7e5205486533c2504
  SHA512: 56aef59c198acf2fcd0d95ea6e32ce1c706e5098a0800feff13ddb427bfb4d538de1c415a5cb5496b09a5825155e3abb1c13c8c37dc31549604bd4d63cb70591
- Filesize: 364KB
  MD5: 54d74546c6afe67b3d118c3c477c159a
  SHA1: 957f08beb7e27e657cd83d8ee50388b887935fae
  SHA256: f9956417af079e428631a6c921b79716d960c3b4917c6b7d17ff3cb945f18611
  SHA512: d27750b913cc2b7388e9948f42385d0b4124e48335ae7fc0bc6971f4f807dbc9af63fe88675bc440eb42b9a92551bf2d77130b1633ddda90866616b583ae924f
- Filesize: 34.2MB
  MD5: 5272795582402dccea775dda61760529
  SHA1: 2209ed8723742435012e1c500f6be10c8ffa7d16
  SHA256: c07ec4e1dd259f87f4939864be906470f912253e026d48980e05fc059685ca03
  SHA512: 31eb5aeddd15431c29248589de1291ebe7dcfb88639c412fc886cd9726c3a1be90cdb4c29f83966c0427cb43120debafa5879f5e01bc8d258339e12cfcfea988