Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
119s -
max time network
121s -
platform
windows7_x64 -
resource
win7-20240729-en -
resource tags
arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system -
submitted
12/12/2024, 11:09
Static task
static1
Behavioral task
behavioral1
Sample
setup.msi
Resource
win7-20240729-en
Behavioral task
behavioral2
Sample
setup.msi
Resource
win10v2004-20241007-en
General
-
Target
setup.msi
-
Size
1.8MB
-
MD5
a08ac9d031b2c05b4ad646e76867f2c2
-
SHA1
49e8cd403932e528db6ab8fea229dac7dc2064af
-
SHA256
2a6978db146ea87b8da5cb48b821c8219ac05d6d3f33cbff8571f5ff4141d198
-
SHA512
3acdb495d5ecf2579d54e7fe30d4e3686f3aab65b6fbf3b39c9e73bead09bd9de422dc91baba45f235baef6c326b5d1c8a58d1e68b2c9ba62a1497f3378ee922
-
SSDEEP
24576:Kt9cpVDhmldE4LOTVE+2gDcVYBII/g7M3z:9pRhmkthkQIbM
Malware Config
Signatures
-
Modifies file permissions 1 TTPs 2 IoCs
pid Process 2792 ICACLS.EXE 3044 ICACLS.EXE -
Enumerates connected drives 3 TTPs 46 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\E: msiexec.exe File opened (read-only) \??\G: msiexec.exe File opened (read-only) \??\P: msiexec.exe File opened (read-only) \??\Q: msiexec.exe File opened (read-only) \??\W: msiexec.exe File opened (read-only) \??\K: msiexec.exe File opened (read-only) \??\P: msiexec.exe File opened (read-only) \??\A: msiexec.exe File opened (read-only) \??\X: msiexec.exe File opened (read-only) \??\Y: msiexec.exe File opened (read-only) \??\Z: msiexec.exe File opened (read-only) \??\T: msiexec.exe File opened (read-only) \??\O: msiexec.exe File opened (read-only) \??\M: msiexec.exe File opened (read-only) \??\M: msiexec.exe File opened (read-only) \??\R: msiexec.exe File opened (read-only) \??\U: msiexec.exe File opened (read-only) \??\S: msiexec.exe File opened (read-only) \??\K: msiexec.exe File opened (read-only) \??\L: msiexec.exe File opened (read-only) \??\Y: msiexec.exe File opened (read-only) \??\L: msiexec.exe File opened (read-only) \??\B: msiexec.exe File opened (read-only) \??\J: msiexec.exe File opened (read-only) \??\N: msiexec.exe File opened (read-only) \??\A: msiexec.exe File opened (read-only) \??\E: msiexec.exe File opened (read-only) \??\R: msiexec.exe File opened (read-only) \??\U: msiexec.exe File opened (read-only) \??\X: msiexec.exe File opened (read-only) \??\I: msiexec.exe File opened (read-only) \??\G: msiexec.exe File opened (read-only) \??\H: msiexec.exe File opened (read-only) \??\I: msiexec.exe File opened (read-only) \??\J: msiexec.exe File opened (read-only) \??\N: msiexec.exe File opened (read-only) \??\O: msiexec.exe File opened (read-only) \??\T: msiexec.exe File opened (read-only) \??\Z: msiexec.exe File opened (read-only) \??\V: msiexec.exe File opened (read-only) \??\S: msiexec.exe File opened (read-only) \??\V: msiexec.exe File opened (read-only) \??\B: msiexec.exe File opened (read-only) \??\Q: msiexec.exe File opened (read-only) \??\W: msiexec.exe File opened (read-only) \??\H: msiexec.exe -
Drops file in Windows directory 11 IoCs
description ioc Process File opened for modification C:\Windows\Installer\MSI1120.tmp msiexec.exe File opened for modification C:\Windows\Logs\DPX\setupact.log EXPAND.EXE File opened for modification C:\Windows\Logs\DPX\setuperr.log EXPAND.EXE File created C:\Windows\Installer\f771036.msi msiexec.exe File opened for modification C:\Windows\Installer\f771036.msi msiexec.exe File opened for modification C:\Windows\INF\setupapi.dev.log DrvInst.exe File created C:\Windows\Installer\f771037.ipi msiexec.exe File opened for modification C:\Windows\Installer\ msiexec.exe File opened for modification C:\Windows\Installer\f771037.ipi msiexec.exe File opened for modification C:\Windows\INF\setupapi.ev3 DrvInst.exe File opened for modification C:\Windows\INF\setupapi.ev1 DrvInst.exe -
Loads dropped DLL 1 IoCs
pid Process 2908 MsiExec.exe -
Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs
pid Process 2732 msiexec.exe -
System Location Discovery: System Language Discovery 1 TTPs 6 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ICACLS.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language MsiExec.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ICACLS.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language EXPAND.EXE -
Modifies data under HKEY_USERS 43 IoCs
description ioc Process Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs DrvInst.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing DrvInst.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 2656 msiexec.exe 2656 msiexec.exe -
Suspicious use of AdjustPrivilegeToken 53 IoCs
description pid Process Token: SeShutdownPrivilege 2732 msiexec.exe Token: SeIncreaseQuotaPrivilege 2732 msiexec.exe Token: SeRestorePrivilege 2656 msiexec.exe Token: SeTakeOwnershipPrivilege 2656 msiexec.exe Token: SeSecurityPrivilege 2656 msiexec.exe Token: SeCreateTokenPrivilege 2732 msiexec.exe Token: SeAssignPrimaryTokenPrivilege 2732 msiexec.exe Token: SeLockMemoryPrivilege 2732 msiexec.exe Token: SeIncreaseQuotaPrivilege 2732 msiexec.exe Token: SeMachineAccountPrivilege 2732 msiexec.exe Token: SeTcbPrivilege 2732 msiexec.exe Token: SeSecurityPrivilege 2732 msiexec.exe Token: SeTakeOwnershipPrivilege 2732 msiexec.exe Token: SeLoadDriverPrivilege 2732 msiexec.exe Token: SeSystemProfilePrivilege 2732 msiexec.exe Token: SeSystemtimePrivilege 2732 msiexec.exe Token: SeProfSingleProcessPrivilege 2732 msiexec.exe Token: SeIncBasePriorityPrivilege 2732 msiexec.exe Token: SeCreatePagefilePrivilege 2732 msiexec.exe Token: SeCreatePermanentPrivilege 2732 msiexec.exe Token: SeBackupPrivilege 2732 msiexec.exe Token: SeRestorePrivilege 2732 msiexec.exe Token: SeShutdownPrivilege 2732 msiexec.exe Token: SeDebugPrivilege 2732 msiexec.exe Token: SeAuditPrivilege 2732 msiexec.exe Token: SeSystemEnvironmentPrivilege 2732 msiexec.exe Token: SeChangeNotifyPrivilege 2732 msiexec.exe Token: SeRemoteShutdownPrivilege 2732 msiexec.exe Token: SeUndockPrivilege 2732 msiexec.exe Token: SeSyncAgentPrivilege 2732 msiexec.exe Token: SeEnableDelegationPrivilege 2732 msiexec.exe Token: SeManageVolumePrivilege 2732 msiexec.exe Token: SeImpersonatePrivilege 2732 msiexec.exe Token: SeCreateGlobalPrivilege 2732 msiexec.exe Token: SeBackupPrivilege 2776 vssvc.exe Token: SeRestorePrivilege 2776 vssvc.exe Token: SeAuditPrivilege 2776 vssvc.exe Token: SeBackupPrivilege 2656 msiexec.exe Token: SeRestorePrivilege 2656 msiexec.exe Token: SeRestorePrivilege 2564 DrvInst.exe Token: SeRestorePrivilege 2564 DrvInst.exe Token: SeRestorePrivilege 2564 DrvInst.exe Token: SeRestorePrivilege 2564 DrvInst.exe Token: SeRestorePrivilege 2564 DrvInst.exe Token: SeRestorePrivilege 2564 DrvInst.exe Token: SeRestorePrivilege 2564 DrvInst.exe Token: SeLoadDriverPrivilege 2564 DrvInst.exe Token: SeLoadDriverPrivilege 2564 DrvInst.exe Token: SeLoadDriverPrivilege 2564 DrvInst.exe Token: SeRestorePrivilege 2656 msiexec.exe Token: SeTakeOwnershipPrivilege 2656 msiexec.exe Token: SeRestorePrivilege 2656 msiexec.exe Token: SeTakeOwnershipPrivilege 2656 msiexec.exe -
Suspicious use of FindShellTrayWindow 2 IoCs
pid Process 2732 msiexec.exe 2732 msiexec.exe -
Suspicious use of WriteProcessMemory 27 IoCs
description pid Process procid_target PID 2656 wrote to memory of 2908 2656 msiexec.exe 35 PID 2656 wrote to memory of 2908 2656 msiexec.exe 35 PID 2656 wrote to memory of 2908 2656 msiexec.exe 35 PID 2656 wrote to memory of 2908 2656 msiexec.exe 35 PID 2656 wrote to memory of 2908 2656 msiexec.exe 35 PID 2656 wrote to memory of 2908 2656 msiexec.exe 35 PID 2656 wrote to memory of 2908 2656 msiexec.exe 35 PID 2908 wrote to memory of 2792 2908 MsiExec.exe 36 PID 2908 wrote to memory of 2792 2908 MsiExec.exe 36 PID 2908 wrote to memory of 2792 2908 MsiExec.exe 36 PID 2908 wrote to memory of 2792 2908 MsiExec.exe 36 PID 2908 wrote to memory of 264 2908 MsiExec.exe 38 PID 2908 wrote to memory of 264 2908 MsiExec.exe 38 PID 2908 wrote to memory of 264 2908 MsiExec.exe 38 PID 2908 wrote to memory of 264 2908 MsiExec.exe 38 PID 2908 wrote to memory of 2972 2908 MsiExec.exe 40 PID 2908 wrote to memory of 2972 2908 MsiExec.exe 40 PID 2908 wrote to memory of 2972 2908 MsiExec.exe 40 PID 2908 wrote to memory of 2972 2908 MsiExec.exe 40 PID 2908 wrote to memory of 908 2908 MsiExec.exe 42 PID 2908 wrote to memory of 908 2908 MsiExec.exe 42 PID 2908 wrote to memory of 908 2908 MsiExec.exe 42 PID 2908 wrote to memory of 908 2908 MsiExec.exe 42 PID 2908 wrote to memory of 3044 2908 MsiExec.exe 44 PID 2908 wrote to memory of 3044 2908 MsiExec.exe 44 PID 2908 wrote to memory of 3044 2908 MsiExec.exe 44 PID 2908 wrote to memory of 3044 2908 MsiExec.exe 44 -
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Windows\system32\msiexec.exemsiexec.exe /I C:\Users\Admin\AppData\Local\Temp\setup.msi1⤵
- Enumerates connected drives
- Event Triggered Execution: Installer Packages
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2732
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2656 -
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 15D089D9ADA73274F58591CFB6E9DB032⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2908 -
C:\Windows\SysWOW64\ICACLS.EXE"C:\Windows\system32\ICACLS.EXE" "C:\Users\Admin\AppData\Local\Temp\MW-f217f8d7-20d3-4480-902e-0f5dd86ef5ec\." /SETINTEGRITYLEVEL (CI)(OI)HIGH3⤵
- Modifies file permissions
- System Location Discovery: System Language Discovery
PID:2792
-
-
C:\Windows\SysWOW64\EXPAND.EXE"C:\Windows\system32\EXPAND.EXE" -R files.cab -F:* files3⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:264
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c start msedge https://www.docusign.com/sites/default/files/Signature_Appliance_Client_Guide_8.0.pdf3⤵
- System Location Discovery: System Language Discovery
PID:2972
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c rd /s /q "C:\Users\Admin\AppData\Local\Temp\MW-f217f8d7-20d3-4480-902e-0f5dd86ef5ec\files"3⤵
- System Location Discovery: System Language Discovery
PID:908
-
-
C:\Windows\SysWOW64\ICACLS.EXE"C:\Windows\system32\ICACLS.EXE" "C:\Users\Admin\AppData\Local\Temp\MW-f217f8d7-20d3-4480-902e-0f5dd86ef5ec\." /SETINTEGRITYLEVEL (CI)(OI)LOW3⤵
- Modifies file permissions
- System Location Discovery: System Language Discovery
PID:3044
-
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2776
-
C:\Windows\system32\DrvInst.exeDrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000002FC" "0000000000000568"1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2564
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1.5MB
MD56ea1c4d2c75ee362820e814110f3dc90
SHA16f73fda661df49c64f6d8d2b66bef5a2f1939775
SHA2568d1a7eafd0eb76d2aa0b522c6a98240489692fd1ca82565ad85d65be64b05d94
SHA5125335ac317d7aeb93f509f073442e65a5be2bf0aed5fd88839d69a6b72360560ed227975fac062ab8d2476074417288dfd53eddfb3b12667ae0a8677e73f7a495
-
Filesize
380B
MD546fddbca447b4380a0ed0c8e573cb942
SHA1bc154bf219d53bafd7c9aed89a829d05c8fcefdb
SHA25663364abf6beb77d8d07c514b8c3a96e83d50fe50fa592d4b79aa59c1a1875a2e
SHA5124ac6e20a253d068d14ef0c035f84a2df423c7f6f40341c1e702d78c70127ef4a33f061c849a54d18f22706a30c7d77f76a06f3925ca306e637e5b5114d5b96bd
-
Filesize
1KB
MD5155c56eba027b8b52ff5a2c67e18f2ba
SHA1a37c77df491a19bbfdf7d3a0a01bfd41512cd8ca
SHA2568bc8c88dd9729a55335e4353548f431bff4b4fc2ee292c5474687a3a576867e9
SHA512eb7e6f85b5e19fc84d6cb92e752a4ccb9dc6fda714f512923515e87b36a87f9551992af0e2878c34eceb39685d35dc788a500b7335be86e70a7137deeafdfd03
-
Filesize
208KB
MD50c8921bbcc37c6efd34faf44cf3b0cb5
SHA1dcfa71246157edcd09eecaf9d4c5e360b24b3e49
SHA256fd622cf73ea951a6de631063aba856487d77745dd1500adca61902b8dde56fe1
SHA512ed55443e20d40cca90596f0a0542fa5ab83fe0270399adfaafd172987fb813dfd44ec0da0a58c096af3641003f830341fe259ad5bce9823f238ae63b7e11e108