Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
118s -
max time network
119s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
25/09/2024, 10:01
Static task
static1
Behavioral task
behavioral1
Sample
NewRelicAgent_x64_8.24.244.0.msi
Resource
win7-20240903-en
windows7-x64
8 signatures
150 seconds
Behavioral task
behavioral2
Sample
NewRelicAgent_x64_8.24.244.0.msi
Resource
win10v2004-20240802-en
windows10-2004-x64
7 signatures
150 seconds
General
-
Target
NewRelicAgent_x64_8.24.244.0.msi
-
Size
4.9MB
-
MD5
0427777291730ea30290cca53df5dedb
-
SHA1
70e1cc66843a5c8a9631b20555d3cf2b5b9a9630
-
SHA256
ead0577e228789bfd4f57dd1a277c1393d150f05977340fffdc682e300603453
-
SHA512
9705055b3ab155e50b86c168e6c328fd0858446e26beb5d3a57098734768faaf36b253ad47e78cf72003e1ef63a6a0185828bfe7af93d99966e4771d7aa4901b
-
SSDEEP
98304:f711NIX5Cu4OTwN0yqhcIzin+d8ZNQr0x61qPd6:f71fYT4hyWeDdlrMd
Score
6/10
Malware Config
Signatures
-
Blocklisted process makes network request 5 IoCs
flow pid Process 3 2112 msiexec.exe 5 2112 msiexec.exe 7 2112 msiexec.exe 9 2112 msiexec.exe 11 2112 msiexec.exe -
Enumerates connected drives 3 TTPs 46 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\P: msiexec.exe File opened (read-only) \??\B: msiexec.exe File opened (read-only) \??\E: msiexec.exe File opened (read-only) \??\V: msiexec.exe File opened (read-only) \??\W: msiexec.exe File opened (read-only) \??\J: msiexec.exe File opened (read-only) \??\O: msiexec.exe File opened (read-only) \??\Q: msiexec.exe File opened (read-only) \??\V: msiexec.exe File opened (read-only) \??\Z: msiexec.exe File opened (read-only) \??\L: msiexec.exe File opened (read-only) \??\R: msiexec.exe File opened (read-only) \??\L: msiexec.exe File opened (read-only) \??\E: msiexec.exe File opened (read-only) \??\R: msiexec.exe File opened (read-only) \??\K: msiexec.exe File opened (read-only) \??\M: msiexec.exe File opened (read-only) \??\T: msiexec.exe File opened (read-only) \??\X: msiexec.exe File opened (read-only) \??\S: msiexec.exe File opened (read-only) \??\T: msiexec.exe File opened (read-only) \??\W: msiexec.exe File opened (read-only) \??\A: msiexec.exe File opened (read-only) \??\I: msiexec.exe File opened (read-only) \??\N: msiexec.exe File opened (read-only) \??\U: msiexec.exe File opened (read-only) \??\G: msiexec.exe File opened (read-only) \??\M: msiexec.exe File opened (read-only) \??\I: msiexec.exe File opened (read-only) \??\N: msiexec.exe File opened (read-only) \??\G: msiexec.exe File opened (read-only) \??\H: msiexec.exe File opened (read-only) \??\J: msiexec.exe File opened (read-only) \??\O: msiexec.exe File opened (read-only) \??\Z: msiexec.exe File opened (read-only) \??\A: msiexec.exe File opened (read-only) \??\Y: msiexec.exe File opened (read-only) \??\K: msiexec.exe File opened (read-only) \??\U: msiexec.exe File opened (read-only) \??\P: msiexec.exe File opened (read-only) \??\Q: msiexec.exe File opened (read-only) \??\S: msiexec.exe File opened (read-only) \??\Y: msiexec.exe File opened (read-only) \??\B: msiexec.exe File opened (read-only) \??\H: msiexec.exe File opened (read-only) \??\X: msiexec.exe -
Loads dropped DLL 4 IoCs
pid Process 1748 MsiExec.exe 620 rundll32.exe 620 rundll32.exe 620 rundll32.exe -
Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs
pid Process 2112 msiexec.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 2112 msiexec.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeShutdownPrivilege 2112 msiexec.exe Token: SeIncreaseQuotaPrivilege 2112 msiexec.exe Token: SeRestorePrivilege 2288 msiexec.exe Token: SeTakeOwnershipPrivilege 2288 msiexec.exe Token: SeSecurityPrivilege 2288 msiexec.exe Token: SeCreateTokenPrivilege 2112 msiexec.exe Token: SeAssignPrimaryTokenPrivilege 2112 msiexec.exe Token: SeLockMemoryPrivilege 2112 msiexec.exe Token: SeIncreaseQuotaPrivilege 2112 msiexec.exe Token: SeMachineAccountPrivilege 2112 msiexec.exe Token: SeTcbPrivilege 2112 msiexec.exe Token: SeSecurityPrivilege 2112 msiexec.exe Token: SeTakeOwnershipPrivilege 2112 msiexec.exe Token: SeLoadDriverPrivilege 2112 msiexec.exe Token: SeSystemProfilePrivilege 2112 msiexec.exe Token: SeSystemtimePrivilege 2112 msiexec.exe Token: SeProfSingleProcessPrivilege 2112 msiexec.exe Token: SeIncBasePriorityPrivilege 2112 msiexec.exe Token: SeCreatePagefilePrivilege 2112 msiexec.exe Token: SeCreatePermanentPrivilege 2112 msiexec.exe Token: SeBackupPrivilege 2112 msiexec.exe Token: SeRestorePrivilege 2112 msiexec.exe Token: SeShutdownPrivilege 2112 msiexec.exe Token: SeDebugPrivilege 2112 msiexec.exe Token: SeAuditPrivilege 2112 msiexec.exe Token: SeSystemEnvironmentPrivilege 2112 msiexec.exe Token: SeChangeNotifyPrivilege 2112 msiexec.exe Token: SeRemoteShutdownPrivilege 2112 msiexec.exe Token: SeUndockPrivilege 2112 msiexec.exe Token: SeSyncAgentPrivilege 2112 msiexec.exe Token: SeEnableDelegationPrivilege 2112 msiexec.exe Token: SeManageVolumePrivilege 2112 msiexec.exe Token: SeImpersonatePrivilege 2112 msiexec.exe Token: SeCreateGlobalPrivilege 2112 msiexec.exe Token: SeCreateTokenPrivilege 2112 msiexec.exe Token: SeAssignPrimaryTokenPrivilege 2112 msiexec.exe Token: SeLockMemoryPrivilege 2112 msiexec.exe Token: SeIncreaseQuotaPrivilege 2112 msiexec.exe Token: SeMachineAccountPrivilege 2112 msiexec.exe Token: SeTcbPrivilege 2112 msiexec.exe Token: SeSecurityPrivilege 2112 msiexec.exe Token: SeTakeOwnershipPrivilege 2112 msiexec.exe Token: SeLoadDriverPrivilege 2112 msiexec.exe Token: SeSystemProfilePrivilege 2112 msiexec.exe Token: SeSystemtimePrivilege 2112 msiexec.exe Token: SeProfSingleProcessPrivilege 2112 msiexec.exe Token: SeIncBasePriorityPrivilege 2112 msiexec.exe Token: SeCreatePagefilePrivilege 2112 msiexec.exe Token: SeCreatePermanentPrivilege 2112 msiexec.exe Token: SeBackupPrivilege 2112 msiexec.exe Token: SeRestorePrivilege 2112 msiexec.exe Token: SeShutdownPrivilege 2112 msiexec.exe Token: SeDebugPrivilege 2112 msiexec.exe Token: SeAuditPrivilege 2112 msiexec.exe Token: SeSystemEnvironmentPrivilege 2112 msiexec.exe Token: SeChangeNotifyPrivilege 2112 msiexec.exe Token: SeRemoteShutdownPrivilege 2112 msiexec.exe Token: SeUndockPrivilege 2112 msiexec.exe Token: SeSyncAgentPrivilege 2112 msiexec.exe Token: SeEnableDelegationPrivilege 2112 msiexec.exe Token: SeManageVolumePrivilege 2112 msiexec.exe Token: SeImpersonatePrivilege 2112 msiexec.exe Token: SeCreateGlobalPrivilege 2112 msiexec.exe Token: SeCreateTokenPrivilege 2112 msiexec.exe -
Suspicious use of FindShellTrayWindow 1 IoCs
pid Process 2112 msiexec.exe -
Suspicious use of WriteProcessMemory 8 IoCs
description pid Process procid_target PID 2288 wrote to memory of 1748 2288 msiexec.exe 32 PID 2288 wrote to memory of 1748 2288 msiexec.exe 32 PID 2288 wrote to memory of 1748 2288 msiexec.exe 32 PID 2288 wrote to memory of 1748 2288 msiexec.exe 32 PID 2288 wrote to memory of 1748 2288 msiexec.exe 32 PID 1748 wrote to memory of 620 1748 MsiExec.exe 33 PID 1748 wrote to memory of 620 1748 MsiExec.exe 33 PID 1748 wrote to memory of 620 1748 MsiExec.exe 33
Processes
-
C:\Windows\system32\msiexec.exemsiexec.exe /I C:\Users\Admin\AppData\Local\Temp\NewRelicAgent_x64_8.24.244.0.msi1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Event Triggered Execution: Installer Packages
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2112
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2288 -
C:\Windows\system32\MsiExec.exeC:\Windows\system32\MsiExec.exe -Embedding E929745CA0A5AD38F4B21C9F530EDBD0 C2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1748 -
C:\Windows\system32\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\MSIE682.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_259516071 1 InstallerActions!InstallerActions.CustomActions.FindPreviousLicenseKey3⤵
- Loads dropped DLL
PID:620
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
70KB
MD549aebf8cbd62d92ac215b2923fb1b9f5
SHA11723be06719828dda65ad804298d0431f6aff976
SHA256b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b
-
Filesize
280KB
MD5a7582a6ab33366a0490e1b1ef5c4437b
SHA1d3dee52275b3395acdd3e6d270d31b602025909d
SHA256eaf2fdb4eaca6029c83792bbe45b84ffcdaabe6edc5a6e53a27f0f3108ab570b
SHA512cbe18fd099b543bc41bedb96d28f2e285ec5b1357a2bef5b63b63fbc9174dceebe2c66d51823b70a152b9928cd86d71aba3ddf5579dd56b9d85aca5e28e03684
-
Filesize
181KB
MD54ea6026cf93ec6338144661bf1202cd1
SHA1a1dec9044f750ad887935a01430bf49322fbdcb7
SHA2568efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA5126c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b
-
Filesize
16KB
MD5d683ce7331b020e979640ae55cd2d2aa
SHA128425e4b6b53cbe791d36793d417937e4155967a
SHA2562d798e86641b83ba8845e5630fa500cb802b26ad66eed2c09bf216c2f785ed86
SHA512122e9dd7854cf636ce357ce22854a788267993af0424c4a48effcb7ad6d7b8c4e4d20c4ff111390172db833908f703e2c25b517d1b2ae5f0282ffcf70e937f1f