Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
117s -
max time network
118s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
13/12/2024, 02:15
Static task
static1
Behavioral task
behavioral1
Sample
2a6978db146ea87b8da5cb48b821c8219ac05d6d3f33cbff8571f5ff4141d198.msi
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
2a6978db146ea87b8da5cb48b821c8219ac05d6d3f33cbff8571f5ff4141d198.msi
Resource
win10v2004-20241007-en
General
-
Target
2a6978db146ea87b8da5cb48b821c8219ac05d6d3f33cbff8571f5ff4141d198.msi
-
Size
1.8MB
-
MD5
a08ac9d031b2c05b4ad646e76867f2c2
-
SHA1
49e8cd403932e528db6ab8fea229dac7dc2064af
-
SHA256
2a6978db146ea87b8da5cb48b821c8219ac05d6d3f33cbff8571f5ff4141d198
-
SHA512
3acdb495d5ecf2579d54e7fe30d4e3686f3aab65b6fbf3b39c9e73bead09bd9de422dc91baba45f235baef6c326b5d1c8a58d1e68b2c9ba62a1497f3378ee922
-
SSDEEP
24576:Kt9cpVDhmldE4LOTVE+2gDcVYBII/g7M3z:9pRhmkthkQIbM
Malware Config
Signatures
-
Modifies file permissions 1 TTPs 2 IoCs
pid Process 2044 ICACLS.EXE 1076 ICACLS.EXE -
Enumerates connected drives 3 TTPs 46 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\Q: msiexec.exe File opened (read-only) \??\Y: msiexec.exe File opened (read-only) \??\L: msiexec.exe File opened (read-only) \??\G: msiexec.exe File opened (read-only) \??\H: msiexec.exe File opened (read-only) \??\S: msiexec.exe File opened (read-only) \??\E: msiexec.exe File opened (read-only) \??\R: msiexec.exe File opened (read-only) \??\L: msiexec.exe File opened (read-only) \??\M: msiexec.exe File opened (read-only) \??\T: msiexec.exe File opened (read-only) \??\K: msiexec.exe File opened (read-only) \??\T: msiexec.exe File opened (read-only) \??\Y: msiexec.exe File opened (read-only) \??\B: msiexec.exe File opened (read-only) \??\E: msiexec.exe File opened (read-only) \??\X: msiexec.exe File opened (read-only) \??\W: msiexec.exe File opened (read-only) \??\V: msiexec.exe File opened (read-only) \??\H: msiexec.exe File opened (read-only) \??\S: msiexec.exe File opened (read-only) \??\Z: msiexec.exe File opened (read-only) \??\I: msiexec.exe File opened (read-only) \??\B: msiexec.exe File opened (read-only) \??\P: msiexec.exe File opened (read-only) \??\U: msiexec.exe File opened (read-only) \??\V: msiexec.exe File opened (read-only) \??\X: msiexec.exe File opened (read-only) \??\M: msiexec.exe File opened (read-only) \??\N: msiexec.exe File opened (read-only) \??\N: msiexec.exe File opened (read-only) \??\O: msiexec.exe File opened (read-only) \??\Q: msiexec.exe File opened (read-only) \??\O: msiexec.exe File opened (read-only) \??\P: msiexec.exe File opened (read-only) \??\J: msiexec.exe File opened (read-only) \??\U: msiexec.exe File opened (read-only) \??\K: msiexec.exe File opened (read-only) \??\A: msiexec.exe File opened (read-only) \??\R: msiexec.exe File opened (read-only) \??\Z: msiexec.exe File opened (read-only) \??\G: msiexec.exe File opened (read-only) \??\I: msiexec.exe File opened (read-only) \??\W: msiexec.exe File opened (read-only) \??\A: msiexec.exe File opened (read-only) \??\J: msiexec.exe -
Drops file in Windows directory 11 IoCs
description ioc Process File created C:\Windows\Installer\f769c9d.msi msiexec.exe File opened for modification C:\Windows\Installer\ msiexec.exe File opened for modification C:\Windows\Logs\DPX\setupact.log EXPAND.EXE File opened for modification C:\Windows\Logs\DPX\setuperr.log EXPAND.EXE File opened for modification C:\Windows\Installer\f769c9e.ipi msiexec.exe File opened for modification C:\Windows\INF\setupapi.dev.log DrvInst.exe File opened for modification C:\Windows\INF\setupapi.ev1 DrvInst.exe File opened for modification C:\Windows\Installer\f769c9d.msi msiexec.exe File created C:\Windows\Installer\f769c9e.ipi msiexec.exe File opened for modification C:\Windows\Installer\MSI9D49.tmp msiexec.exe File opened for modification C:\Windows\INF\setupapi.ev3 DrvInst.exe -
Loads dropped DLL 1 IoCs
pid Process 2436 MsiExec.exe -
Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs
pid Process 1916 msiexec.exe -
System Location Discovery: System Language Discovery 1 TTPs 6 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ICACLS.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language MsiExec.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ICACLS.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language EXPAND.EXE -
Modifies data under HKEY_USERS 43 IoCs
description ioc Process Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs DrvInst.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates DrvInst.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 1264 msiexec.exe 1264 msiexec.exe -
Suspicious use of AdjustPrivilegeToken 53 IoCs
description pid Process Token: SeShutdownPrivilege 1916 msiexec.exe Token: SeIncreaseQuotaPrivilege 1916 msiexec.exe Token: SeRestorePrivilege 1264 msiexec.exe Token: SeTakeOwnershipPrivilege 1264 msiexec.exe Token: SeSecurityPrivilege 1264 msiexec.exe Token: SeCreateTokenPrivilege 1916 msiexec.exe Token: SeAssignPrimaryTokenPrivilege 1916 msiexec.exe Token: SeLockMemoryPrivilege 1916 msiexec.exe Token: SeIncreaseQuotaPrivilege 1916 msiexec.exe Token: SeMachineAccountPrivilege 1916 msiexec.exe Token: SeTcbPrivilege 1916 msiexec.exe Token: SeSecurityPrivilege 1916 msiexec.exe Token: SeTakeOwnershipPrivilege 1916 msiexec.exe Token: SeLoadDriverPrivilege 1916 msiexec.exe Token: SeSystemProfilePrivilege 1916 msiexec.exe Token: SeSystemtimePrivilege 1916 msiexec.exe Token: SeProfSingleProcessPrivilege 1916 msiexec.exe Token: SeIncBasePriorityPrivilege 1916 msiexec.exe Token: SeCreatePagefilePrivilege 1916 msiexec.exe Token: SeCreatePermanentPrivilege 1916 msiexec.exe Token: SeBackupPrivilege 1916 msiexec.exe Token: SeRestorePrivilege 1916 msiexec.exe Token: SeShutdownPrivilege 1916 msiexec.exe Token: SeDebugPrivilege 1916 msiexec.exe Token: SeAuditPrivilege 1916 msiexec.exe Token: SeSystemEnvironmentPrivilege 1916 msiexec.exe Token: SeChangeNotifyPrivilege 1916 msiexec.exe Token: SeRemoteShutdownPrivilege 1916 msiexec.exe Token: SeUndockPrivilege 1916 msiexec.exe Token: SeSyncAgentPrivilege 1916 msiexec.exe Token: SeEnableDelegationPrivilege 1916 msiexec.exe Token: SeManageVolumePrivilege 1916 msiexec.exe Token: SeImpersonatePrivilege 1916 msiexec.exe Token: SeCreateGlobalPrivilege 1916 msiexec.exe Token: SeBackupPrivilege 1052 vssvc.exe Token: SeRestorePrivilege 1052 vssvc.exe Token: SeAuditPrivilege 1052 vssvc.exe Token: SeBackupPrivilege 1264 msiexec.exe Token: SeRestorePrivilege 1264 msiexec.exe Token: SeRestorePrivilege 2844 DrvInst.exe Token: SeRestorePrivilege 2844 DrvInst.exe Token: SeRestorePrivilege 2844 DrvInst.exe Token: SeRestorePrivilege 2844 DrvInst.exe Token: SeRestorePrivilege 2844 DrvInst.exe Token: SeRestorePrivilege 2844 DrvInst.exe Token: SeRestorePrivilege 2844 DrvInst.exe Token: SeLoadDriverPrivilege 2844 DrvInst.exe Token: SeLoadDriverPrivilege 2844 DrvInst.exe Token: SeLoadDriverPrivilege 2844 DrvInst.exe Token: SeRestorePrivilege 1264 msiexec.exe Token: SeTakeOwnershipPrivilege 1264 msiexec.exe Token: SeRestorePrivilege 1264 msiexec.exe Token: SeTakeOwnershipPrivilege 1264 msiexec.exe -
Suspicious use of FindShellTrayWindow 2 IoCs
pid Process 1916 msiexec.exe 1916 msiexec.exe -
Suspicious use of WriteProcessMemory 27 IoCs
description pid Process procid_target PID 1264 wrote to memory of 2436 1264 msiexec.exe 34 PID 1264 wrote to memory of 2436 1264 msiexec.exe 34 PID 1264 wrote to memory of 2436 1264 msiexec.exe 34 PID 1264 wrote to memory of 2436 1264 msiexec.exe 34 PID 1264 wrote to memory of 2436 1264 msiexec.exe 34 PID 1264 wrote to memory of 2436 1264 msiexec.exe 34 PID 1264 wrote to memory of 2436 1264 msiexec.exe 34 PID 2436 wrote to memory of 2044 2436 MsiExec.exe 35 PID 2436 wrote to memory of 2044 2436 MsiExec.exe 35 PID 2436 wrote to memory of 2044 2436 MsiExec.exe 35 PID 2436 wrote to memory of 2044 2436 MsiExec.exe 35 PID 2436 wrote to memory of 1816 2436 MsiExec.exe 37 PID 2436 wrote to memory of 1816 2436 MsiExec.exe 37 PID 2436 wrote to memory of 1816 2436 MsiExec.exe 37 PID 2436 wrote to memory of 1816 2436 MsiExec.exe 37 PID 2436 wrote to memory of 2644 2436 MsiExec.exe 39 PID 2436 wrote to memory of 2644 2436 MsiExec.exe 39 PID 2436 wrote to memory of 2644 2436 MsiExec.exe 39 PID 2436 wrote to memory of 2644 2436 MsiExec.exe 39 PID 2436 wrote to memory of 2392 2436 MsiExec.exe 41 PID 2436 wrote to memory of 2392 2436 MsiExec.exe 41 PID 2436 wrote to memory of 2392 2436 MsiExec.exe 41 PID 2436 wrote to memory of 2392 2436 MsiExec.exe 41 PID 2436 wrote to memory of 1076 2436 MsiExec.exe 43 PID 2436 wrote to memory of 1076 2436 MsiExec.exe 43 PID 2436 wrote to memory of 1076 2436 MsiExec.exe 43 PID 2436 wrote to memory of 1076 2436 MsiExec.exe 43 -
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Windows\system32\msiexec.exemsiexec.exe /I C:\Users\Admin\AppData\Local\Temp\2a6978db146ea87b8da5cb48b821c8219ac05d6d3f33cbff8571f5ff4141d198.msi1⤵
- Enumerates connected drives
- Event Triggered Execution: Installer Packages
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1916
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1264 -
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 858E278B05B2C424315FDB43DF99C1562⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2436 -
C:\Windows\SysWOW64\ICACLS.EXE"C:\Windows\system32\ICACLS.EXE" "C:\Users\Admin\AppData\Local\Temp\MW-182c8942-292f-471c-b9e1-edcdb85d0f63\." /SETINTEGRITYLEVEL (CI)(OI)HIGH3⤵
- Modifies file permissions
- System Location Discovery: System Language Discovery
PID:2044
-
-
C:\Windows\SysWOW64\EXPAND.EXE"C:\Windows\system32\EXPAND.EXE" -R files.cab -F:* files3⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:1816
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c start msedge https://www.docusign.com/sites/default/files/Signature_Appliance_Client_Guide_8.0.pdf3⤵
- System Location Discovery: System Language Discovery
PID:2644
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c rd /s /q "C:\Users\Admin\AppData\Local\Temp\MW-182c8942-292f-471c-b9e1-edcdb85d0f63\files"3⤵
- System Location Discovery: System Language Discovery
PID:2392
-
-
C:\Windows\SysWOW64\ICACLS.EXE"C:\Windows\system32\ICACLS.EXE" "C:\Users\Admin\AppData\Local\Temp\MW-182c8942-292f-471c-b9e1-edcdb85d0f63\." /SETINTEGRITYLEVEL (CI)(OI)LOW3⤵
- Modifies file permissions
- System Location Discovery: System Language Discovery
PID:1076
-
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1052
-
C:\Windows\system32\DrvInst.exeDrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000005A8" "00000000000005DC"1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2844
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1.5MB
MD56ea1c4d2c75ee362820e814110f3dc90
SHA16f73fda661df49c64f6d8d2b66bef5a2f1939775
SHA2568d1a7eafd0eb76d2aa0b522c6a98240489692fd1ca82565ad85d65be64b05d94
SHA5125335ac317d7aeb93f509f073442e65a5be2bf0aed5fd88839d69a6b72360560ed227975fac062ab8d2476074417288dfd53eddfb3b12667ae0a8677e73f7a495
-
Filesize
380B
MD5b5b927794f28e1332c390da32483545d
SHA19d51ac574c00ded72764260b114ac0449818ae39
SHA256d06fb9266e71db1b4fe0eac10d5a036e32a052b127ba9e50dcccde4a00edc19c
SHA512b91840bb2409c4c1aec98f4cc3bb2ba93ffce451affa6d3ac806058359d988743b8613647fb573775e97823db9e086c3f2bba42c2f71b7d4f6d9d2da3dbec6be
-
Filesize
1KB
MD5ff6d4e5cce4ebd61c584cf4296f2dbfd
SHA1f38216e03b9078f5d678df2b5954999e6ff4d184
SHA256ef06f5f476459829917b01821a4a2ff1414d44dcf19791ea5e57816969c877c3
SHA512b068947b2746d497db0838f407ff80dca2eb86e41a79d8d31942d964c469e9a14980d4f7ca36df4c4ff85ccb87733fc9681750dfce6be62528e2ae45e22b5e30
-
Filesize
208KB
MD50c8921bbcc37c6efd34faf44cf3b0cb5
SHA1dcfa71246157edcd09eecaf9d4c5e360b24b3e49
SHA256fd622cf73ea951a6de631063aba856487d77745dd1500adca61902b8dde56fe1
SHA512ed55443e20d40cca90596f0a0542fa5ab83fe0270399adfaafd172987fb813dfd44ec0da0a58c096af3641003f830341fe259ad5bce9823f238ae63b7e11e108