Analysis
- max time kernel: 95s
- max time network: 145s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 03/01/2025, 03:26
Static task
- static1
Behavioral task
- behavioral1
  - Sample: 4593c894a43a01d0953bb09d2fa03e0feb994efaf562d4ce07b8d31d01a6c75b.msi
  - Resource: win7-20240903-en
Behavioral task
- behavioral2
  - Sample: 4593c894a43a01d0953bb09d2fa03e0feb994efaf562d4ce07b8d31d01a6c75b.msi
  - Resource: win10v2004-20241007-en
General
- Target: 4593c894a43a01d0953bb09d2fa03e0feb994efaf562d4ce07b8d31d01a6c75b.msi
- Size: 1.9MB
- MD5: 2410d9594d6eba5993709ca37061dea3
- SHA1: 68c304fd67d32d3466fe89fb4fb0283914969b50
- SHA256: 4593c894a43a01d0953bb09d2fa03e0feb994efaf562d4ce07b8d31d01a6c75b
- SHA512: 886751dc1bc0b904cd045d68d48df4cc34e695142a76a419f8161326d7fcb09fa1ad987355828a2a41dbb382e78e662c2b4b84bf577976adab461a860fe29a6b
- SSDEEP: 24576:Gt9cpVDhH6GBnZF+e8B8jfJ+YQB1gBcnxl/dHRd/zJ/r:ppRhaynv+e9fJ+R+Bc3pf/zJ/r
Malware Config
Signatures
- Modifies file permissions (1 TTPs, 1 IoCs)
  - 3568 ICACLS.EXE
- Enumerates connected drives (3 TTPs, 46 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  File opened (read-only) by msiexec.exe, 46 opens in total: each of the 23 drive letters A:, B:, E:, G:, H:, I:, J:, K:, L:, M:, N:, O:, P:, Q:, R:, S:, T:, U:, V:, W:, X:, Y: and Z: (as \??\X:) was opened twice. The process tree attributes this signature to both msiexec.exe instances (PIDs 4484 and 3208).
  Note: drive-letter probing by msiexec.exe is seen for benign MSI packages as well and is installer behaviour, not something the package's own code does; treat it as noise unless a non-installer process shows the same pattern.
- Drops file in Windows directory (9 IoCs)
  - File created: C:\Windows\Installer\e57ef32.msi (msiexec.exe)
  - File opened for modification: C:\Windows\Installer\ (msiexec.exe)
  - File created: C:\Windows\Installer\inprogressinstallinfo.ipi (msiexec.exe)
  - File opened for modification: C:\Windows\Installer\MSIEFFD.tmp (msiexec.exe)
  - File opened for modification: C:\Windows\Installer\e57ef32.msi (msiexec.exe)
  - File opened for modification: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log (msiexec.exe)
  - File created: C:\Windows\Installer\SourceHash{D89DE446-0274-4C44-A05C-B66A999A5385} (msiexec.exe)
  - File opened for modification: C:\Windows\LOGS\DPX\setupact.log (EXPAND.EXE)
  - File opened for modification: C:\Windows\LOGS\DPX\setuperr.log (EXPAND.EXE)
  Note: C:\Windows\Installer\ is where the Windows Installer caches every package it installs; the GUID in the SourceHash{...} file name is a useful pivot for finding other installs of the same product, and the ngen.log modification suggests a .NET native-image (ngen) step during the install.
- Executes dropped EXE (1 IoCs)
  - 2512 install.exe
- Loads dropped DLL (1 IoCs)
  - 864 MsiExec.exe
  Note: MsiExec.exe 864 is the custom action server (started with -Embedding, see the process tree), so the dropped DLL it loads is the package's custom action DLL; that DLL is what launches ICACLS.EXE, EXPAND.EXE and install.exe.
- Event Triggered Execution: Installer Packages (2 TTPs, 1 IoCs)
  - 4484 msiexec.exe
- System Location Discovery: System Language Discovery (1 TTPs, 4 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (MsiExec.exe)
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (ICACLS.EXE)
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (EXPAND.EXE)
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (install.exe)
  Note: this key is read by many ordinary processes while initialising locale data, and three of the four hits here are Windows binaries, so on its own this is weak evidence of geofencing.
- Checks SCSI registry key(s) (3 TTPs, 5 IoCs)
  SCSI information is often read in order to detect sandboxing environments.
  - Set value (data): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 000000000400000041ba55ff39bb976e0000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff00000000270101000008000041ba55ff0000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff00000000070001000068090041ba55ff000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1d41ba55ff000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff00000000000000000000000041ba55ff00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 (vssvc.exe)
  - Set value (data): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 (vssvc.exe)
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters (vssvc.exe)
  - Key queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters (vssvc.exe)
  - Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr (vssvc.exe)
  Note: all five IoCs come from vssvc.exe, which writes the Partmgr partition-table and snapshot caches while taking a volume snapshot. Together with srtasks.exe ExecuteScopeRestorePoint being spawned by msiexec.exe 3208, this is the Windows Installer creating a system restore point before the install, not the sample fingerprinting the disk.
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  - 3208 msiexec.exe
  - 3208 msiexec.exe
- Suspicious use of AdjustPrivilegeToken (49 IoCs)
  Privileges requested, grouped by process and in the report's order within each process:
  - 4484 msiexec.exe (31 requests, 29 distinct): SeShutdownPrivilege, SeIncreaseQuotaPrivilege, SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege, SeIncreaseQuotaPrivilege, SeMachineAccountPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeSyncAgentPrivilege, SeEnableDelegationPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
  - 3208 msiexec.exe (7): SeSecurityPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeRestorePrivilege, SeTakeOwnershipPrivilege, SeRestorePrivilege, SeTakeOwnershipPrivilege
  - 2352 vssvc.exe (3): SeBackupPrivilege, SeRestorePrivilege, SeAuditPrivilege
  - 4580 srtasks.exe (8): SeBackupPrivilege, SeRestorePrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege
  Note: the client msiexec.exe (4484) asking for nearly every privilege in its token is standard Windows Installer client behaviour and shows up for benign packages too; the service (3208), vssvc.exe and srtasks.exe request backup/restore privileges for the restore point. None of these requests originate in the package's own code.
- Suspicious use of FindShellTrayWindow (1 IoCs)
  - 4484 msiexec.exe
- Suspicious use of WriteProcessMemory (14 IoCs)
  Parent PID wrote to memory of child PID (procid_target in parentheses):
  - 3208 msiexec.exe -> 4580 srtasks.exe (92), 2 writes
  - 3208 msiexec.exe -> 864 MsiExec.exe (94), 3 writes
  - 864 MsiExec.exe -> 3568 ICACLS.EXE (95), 3 writes
  - 864 MsiExec.exe -> 752 EXPAND.EXE (97), 3 writes
  - 864 MsiExec.exe -> 2512 install.exe (101), 3 writes
  Note: every write here is from a parent into a child it has just created, which is how CreateProcess sets up the new process; there is no write into an unrelated process, so this is not injection.
- Uses Volume Shadow Copy service COM API
  The Volume Shadow Copy service is used to manage backups/snapshots.
  Note: in this run the VSS use is accounted for by the restore point created through srtasks.exe (see the process tree); no shadow copy deletion is recorded.
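The signature tables above arrive as one flattened line per signature, so counting "which process requested which privilege" or "how many distinct drives were probed" by eye is error-prone. The following is an added example, not part of the Triage report, that parses that flattened form into per-process summaries. The 49 Token entries are copied from the report in the order shown; the 46 drive-open entries are reconstructed from the drive-letter order in the report, since every entry has the same shape. The HIGH_VALUE set is an assumption about which privileges an analyst would want called out, not a Triage classification.

```python
"""Parse the flattened IoC text of a Triage (tria.ge) report's
'Suspicious use of AdjustPrivilegeToken' and 'Enumerates connected drives'
signatures into per-process summaries."""
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed input: the report's 49 'Token:' entries, in the report's order,
# flattened onto one string exactly as the extracted page presents them.
TOKEN_IOCS = (
    "Token: SeShutdownPrivilege 4484 msiexec.exe Token: SeIncreaseQuotaPrivilege 4484 msiexec.exe "
    "Token: SeSecurityPrivilege 3208 msiexec.exe Token: SeCreateTokenPrivilege 4484 msiexec.exe "
    "Token: SeAssignPrimaryTokenPrivilege 4484 msiexec.exe Token: SeLockMemoryPrivilege 4484 msiexec.exe "
    "Token: SeIncreaseQuotaPrivilege 4484 msiexec.exe Token: SeMachineAccountPrivilege 4484 msiexec.exe "
    "Token: SeTcbPrivilege 4484 msiexec.exe Token: SeSecurityPrivilege 4484 msiexec.exe "
    "Token: SeTakeOwnershipPrivilege 4484 msiexec.exe Token: SeLoadDriverPrivilege 4484 msiexec.exe "
    "Token: SeSystemProfilePrivilege 4484 msiexec.exe Token: SeSystemtimePrivilege 4484 msiexec.exe "
    "Token: SeProfSingleProcessPrivilege 4484 msiexec.exe Token: SeIncBasePriorityPrivilege 4484 msiexec.exe "
    "Token: SeCreatePagefilePrivilege 4484 msiexec.exe Token: SeCreatePermanentPrivilege 4484 msiexec.exe "
    "Token: SeBackupPrivilege 4484 msiexec.exe Token: SeRestorePrivilege 4484 msiexec.exe "
    "Token: SeShutdownPrivilege 4484 msiexec.exe Token: SeDebugPrivilege 4484 msiexec.exe "
    "Token: SeAuditPrivilege 4484 msiexec.exe Token: SeSystemEnvironmentPrivilege 4484 msiexec.exe "
    "Token: SeChangeNotifyPrivilege 4484 msiexec.exe Token: SeRemoteShutdownPrivilege 4484 msiexec.exe "
    "Token: SeUndockPrivilege 4484 msiexec.exe Token: SeSyncAgentPrivilege 4484 msiexec.exe "
    "Token: SeEnableDelegationPrivilege 4484 msiexec.exe Token: SeManageVolumePrivilege 4484 msiexec.exe "
    "Token: SeImpersonatePrivilege 4484 msiexec.exe Token: SeCreateGlobalPrivilege 4484 msiexec.exe "
    "Token: SeBackupPrivilege 2352 vssvc.exe Token: SeRestorePrivilege 2352 vssvc.exe "
    "Token: SeAuditPrivilege 2352 vssvc.exe Token: SeBackupPrivilege 3208 msiexec.exe "
    "Token: SeRestorePrivilege 3208 msiexec.exe Token: SeRestorePrivilege 3208 msiexec.exe "
    "Token: SeTakeOwnershipPrivilege 3208 msiexec.exe Token: SeRestorePrivilege 3208 msiexec.exe "
    "Token: SeTakeOwnershipPrivilege 3208 msiexec.exe Token: SeBackupPrivilege 4580 srtasks.exe "
    "Token: SeRestorePrivilege 4580 srtasks.exe Token: SeSecurityPrivilege 4580 srtasks.exe "
    "Token: SeTakeOwnershipPrivilege 4580 srtasks.exe Token: SeBackupPrivilege 4580 srtasks.exe "
    "Token: SeRestorePrivilege 4580 srtasks.exe Token: SeSecurityPrivilege 4580 srtasks.exe "
    "Token: SeTakeOwnershipPrivilege 4580 srtasks.exe"
)

# Constructed input: the 46 drive letters in the order the report lists them;
# each entry in the report reads 'File opened (read-only) \??\X: msiexec.exe'.
DRIVE_ORDER = "YKLBUXUEJQBMMHLVIQSPXGKNENORGYAWOPSTJTVWZIZAHR"
DRIVE_IOCS = " ".join(f"File opened (read-only) \\??\\{c}: msiexec.exe" for c in DRIVE_ORDER)

TOKEN_RE = re.compile(r"Token:\s+(Se[A-Za-z]+)\s+(\d+)\s+(\S+)")
DRIVE_RE = re.compile(r"File opened \(read-only\)\s+\\\?\?\\([A-Z]):\s+(\S+)")

# Assumption: privileges an analyst would want called out when a non-installer
# process requests them.
HIGH_VALUE = {"SeDebugPrivilege", "SeTcbPrivilege", "SeLoadDriverPrivilege",
              "SeImpersonatePrivilege", "SeBackupPrivilege", "SeRestorePrivilege"}


def parse_tokens(text: str) -> List[Tuple[str, int, str]]:
    """(privilege, pid, process) for every Token entry, duplicates kept."""
    return [(priv, int(pid), proc) for priv, pid, proc in TOKEN_RE.findall(text)]


def privileges_by_process(entries) -> Dict[Tuple[int, str], List[str]]:
    out: Dict[Tuple[int, str], List[str]] = defaultdict(list)
    for priv, pid, proc in entries:
        out[(pid, proc)].append(priv)
    return dict(out)


def parse_drives(text: str) -> List[Tuple[str, str]]:
    """(drive letter, process) for every 'File opened (read-only)' entry."""
    return DRIVE_RE.findall(text)


def drive_summary(entries) -> Dict[str, int]:
    """How many times each drive letter was opened."""
    counts: Dict[str, int] = defaultdict(int)
    for letter, _ in entries:
        counts[letter] += 1
    return dict(counts)


def summarise(token_text: str = TOKEN_IOCS, drive_text: str = DRIVE_IOCS) -> dict:
    by_proc = privileges_by_process(parse_tokens(token_text))
    procs = {
        f"{proc}:{pid}": {
            "requests": len(privs),
            "unique": sorted(set(privs)),
            "high_value": sorted(set(privs) & HIGH_VALUE),
        }
        for (pid, proc), privs in by_proc.items()
    }
    drives = drive_summary(parse_drives(drive_text))
    return {"processes": procs, "drives_probed": sorted(drives),
            "drive_opens": sum(drives.values())}


if __name__ == "__main__":
    s = summarise()
    for name, info in s["processes"].items():
        print(f"{name}: {info['requests']} requests, {len(info['unique'])} distinct, "
              f"high-value {info['high_value']}")
    print(f"drives probed: {len(s['drives_probed'])} distinct, {s['drive_opens']} opens")
```

Running it confirms the report's own counts: 49 token requests, 46 drive opens across 23 distinct letters (C: absent, each letter opened exactly twice), and that SeDebugPrivilege is requested only by the user-context client msiexec.exe, not by the service.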
Processes
- C:\Windows\system32\msiexec.exe (PID 4484)
  Command line: msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\4593c894a43a01d0953bb09d2fa03e0feb994efaf562d4ce07b8d31d01a6c75b.msi
  - Enumerates connected drives
  - Event Triggered Execution: Installer Packages
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
- C:\Windows\system32\msiexec.exe (PID 3208)
  Command line: C:\Windows\system32\msiexec.exe /V
  - Enumerates connected drives
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\system32\srtasks.exe (PID 4580)
    Command line: C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\syswow64\MsiExec.exe (PID 864)
    Command line: C:\Windows\syswow64\MsiExec.exe -Embedding 36A9F65BC0103396FEB54DFA0E108865
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\ICACLS.EXE (PID 3568)
      Command line: "C:\Windows\system32\ICACLS.EXE" "C:\Users\Admin\AppData\Local\Temp\MW-3628407a-d551-42cc-af30-00af8f494bf8\." /SETINTEGRITYLEVEL (CI)(OI)HIGH
      - Modifies file permissions
      - System Location Discovery: System Language Discovery
    - C:\Windows\SysWOW64\EXPAND.EXE (PID 752)
      Command line: "C:\Windows\system32\EXPAND.EXE" -R files.cab -F:* files
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
    - C:\Users\Admin\AppData\Local\Temp\MW-3628407a-d551-42cc-af30-00af8f494bf8\files\install.exe (PID 2512)
      Command line: "C:\Users\Admin\AppData\Local\Temp\MW-3628407a-d551-42cc-af30-00af8f494bf8\files\install.exe" /VERYSILENT /VERYSILENT
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
- C:\Windows\system32\vssvc.exe (PID 2352)
  Command line: C:\Windows\system32\vssvc.exe
  - Checks SCSI registry key(s)
  - Suspicious use of AdjustPrivilegeToken

Reading the tree: the user-context client (4484) hands the package to the Windows Installer service (3208), which first creates a restore point (srtasks.exe, vssvc.exe) and then starts a 32-bit custom action server (MsiExec.exe -Embedding, 864). The custom action raises the integrity level of a per-install MW-<GUID> temp directory with ICACLS, unpacks files.cab into it with EXPAND.EXE, and runs the extracted install.exe with /VERYSILENT, a silent-install switch recognised by Inno Setup installers. The ICACLS and EXPAND images are under SysWOW64 while their command lines say system32 because the 32-bit server launches them through WOW64 file system redirection. The installer-level signatures (drive enumeration, privilege requests, VSS, SCSI keys) are attributable to msiexec.exe and the restore point; what the package itself does is carried entirely in install.exe, which this report does not analyse further.
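The chain above (custom action server -> CAB extraction -> dropped executable run silently from a user temp directory) is the part worth detecting, while the restore-point and VSS activity around it is installer noise. The following is an added example, not part of the Triage report, of detection logic over process-creation events. The events are constructed from the process tree above with Sysmon-style field names (pid, ppid, image, cmdline), which is an assumption about the input format rather than Triage's export; parent PIDs of the two root processes are not shown in the tree, so 0 is used as a stand-in. The silent-switch list is broader than this sample's /VERYSILENT so the rule generalises to other installer families.

```python
"""Flag the MSI custom-action staging chain seen in the report:
MsiExec.exe -Embedding -> EXPAND.EXE <x>.cab and/or ICACLS /SETINTEGRITYLEVEL
-> execution of a binary from %LOCALAPPDATA%\\Temp. Restore-point helpers
(srtasks.exe, vssvc.exe) are deliberately not matched."""
import re
from typing import Dict, List

# Constructed from the report's process tree. ppid=0 marks the roots whose
# parent the tree does not show (assumption, not report data).
EVENTS: List[Dict] = [
    dict(pid=4484, ppid=0, image=r"C:\Windows\system32\msiexec.exe",
         cmdline=r"msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\4593c894a43a01d0953bb09d2fa03e0feb994efaf562d4ce07b8d31d01a6c75b.msi"),
    dict(pid=3208, ppid=0, image=r"C:\Windows\system32\msiexec.exe",
         cmdline=r"C:\Windows\system32\msiexec.exe /V"),
    dict(pid=4580, ppid=3208, image=r"C:\Windows\system32\srtasks.exe",
         cmdline=r"C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2"),
    dict(pid=864, ppid=3208, image=r"C:\Windows\syswow64\MsiExec.exe",
         cmdline=r"C:\Windows\syswow64\MsiExec.exe -Embedding 36A9F65BC0103396FEB54DFA0E108865"),
    dict(pid=3568, ppid=864, image=r"C:\Windows\SysWOW64\ICACLS.EXE",
         cmdline=r'"C:\Windows\system32\ICACLS.EXE" "C:\Users\Admin\AppData\Local\Temp\MW-3628407a-d551-42cc-af30-00af8f494bf8\." /SETINTEGRITYLEVEL (CI)(OI)HIGH'),
    dict(pid=752, ppid=864, image=r"C:\Windows\SysWOW64\EXPAND.EXE",
         cmdline=r'"C:\Windows\system32\EXPAND.EXE" -R files.cab -F:* files'),
    dict(pid=2512, ppid=864, image=r"C:\Users\Admin\AppData\Local\Temp\MW-3628407a-d551-42cc-af30-00af8f494bf8\files\install.exe",
         cmdline=r'"C:\Users\Admin\AppData\Local\Temp\MW-3628407a-d551-42cc-af30-00af8f494bf8\files\install.exe" /VERYSILENT /VERYSILENT'),
    dict(pid=2352, ppid=0, image=r"C:\Windows\system32\vssvc.exe",
         cmdline=r"C:\Windows\system32\vssvc.exe"),
]

# A per-user temp directory: anything executed from here was written at runtime.
USER_TEMP = re.compile(r"\\Users\\[^\\]+\\AppData\\Local\\Temp\\", re.I)
# Silent-install switches of common installer families (assumed list).
SILENT_SWITCH = re.compile(r"/(?:VERYSILENT|SILENT|S|QUIET|Q)\b", re.I)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def children(events: List[Dict], ppid: int) -> List[Dict]:
    return [e for e in events if e["ppid"] == ppid]


def ancestry(events: List[Dict], pid: int) -> List[int]:
    """PIDs from pid up to the root, following ppid links present in events."""
    by_pid = {e["pid"]: e for e in events}
    chain = []
    while pid in by_pid:
        chain.append(pid)
        pid = by_pid[pid]["ppid"]
    return chain


def find_custom_action_servers(events: List[Dict]) -> List[Dict]:
    """MsiExec.exe started with -Embedding is the Windows Installer custom
    action server: everything an MSI's custom actions launch is its child."""
    return [e for e in events
            if basename(e["image"]) == "msiexec.exe" and "-embedding" in e["cmdline"].lower()]


def analyse_server(events: List[Dict], server: Dict) -> Dict:
    finding = {"server_pid": server["pid"], "cab_extract": [],
               "integrity_change": [], "temp_payload": []}
    for child in children(events, server["pid"]):
        name, cmd = basename(child["image"]), child["cmdline"]
        if name == "expand.exe" and ".cab" in cmd.lower():
            finding["cab_extract"].append(child["pid"])
        elif name == "icacls.exe" and "/setintegritylevel" in cmd.lower():
            finding["integrity_change"].append(child["pid"])
        elif USER_TEMP.search(child["image"]):
            finding["temp_payload"].append({"pid": child["pid"], "image": child["image"],
                                            "silent": bool(SILENT_SWITCH.search(cmd))})
    # The high-signal combination: something was unpacked and then executed.
    finding["staged_payload_executed"] = bool(finding["cab_extract"] and finding["temp_payload"])
    return finding


def detect(events: List[Dict] = EVENTS) -> List[Dict]:
    return [analyse_server(events, s) for s in find_custom_action_servers(events)]


if __name__ == "__main__":
    for f in detect():
        print(f)
        for p in f["temp_payload"]:
            print("  ancestry of payload:", " <- ".join(map(str, ancestry(EVENTS, p["pid"]))))
```

On the events above the rule yields one finding for server 864 with cab_extract [752], integrity_change [3568] and a silent temp payload 2512 whose ancestry is 2512 <- 864 <- 3208; srtasks.exe and vssvc.exe produce nothing, which is the intended separation of installer noise from staged-payload execution.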
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 1.6MB
  MD5: 5a33ddb13353a0b3059f341197b9d6dd
  SHA1: 03f6c968a5142d5a149d0e7f907e551a456647c9
  SHA256: 63e81609f87def0ed7f9d6cdf22df0228e6fabceab2982c15a87390d3eedab8c
  SHA512: 7897011636fd793ce996c39bc98d067821db3623bb289a318faeb0c16af9db4cda10c47288003fdd866bbfcf94e0337d0dab154803d03b530c2fc5f7e6a15b79
- Filesize: 344B
  MD5: ef016925926f42f3c4c8582af6ca4fa8
  SHA1: b81cbc4414564a64ceb9c2a076d62564dfdbb394
  SHA256: 846e14f6ef30528c19a31355815e41d4e484ea841af0e82c81e0be5bf6f1e327
  SHA512: e1aa55b2d92f35c363e7b44ee613196c1c601e92cb7bd210cdf4c9987ea85a4294e041311f999fbccf6f4e402a936635c1b2187df0d9349698591fc11977fce0
- Filesize: 1KB
  MD5: 04b8667806c7be628809fd3bc397bc92
  SHA1: 1ac2dfed5564d2ad73872247e80e2da2868d0628
  SHA256: 9b7498142c00628358154852ea9d928128c61991b8dfee18042898759bacc1b8
  SHA512: 4d6e851412efe9644c693a1b7c776a57c1236ec272ca01667f193f2e4bc75b282502fa8726d8dfad87fec54d1f87cf8eed831b132f84c0fdb8f7e2340a2281ca
- Filesize: 1KB
  MD5: 9d79f2e633408f3c3120dc3e8c93447e
  SHA1: e2847ecc540d1d354e21cad63e558d8c2b2f5b13
  SHA256: 941d0b8b64209f024d546ef6b022d524e2ea58b53232fb6af9ba41900c0883a9
  SHA512: 14d3e3d8e09572e84032509b2f3b64d4252c8d72f083230cd882bb82cf993d9668c6af9a06a4c6b578b0aa4dc234e22a7ad900d813407eee753c895e7ae354ca
- Filesize: 208KB
  MD5: 0c8921bbcc37c6efd34faf44cf3b0cb5
  SHA1: dcfa71246157edcd09eecaf9d4c5e360b24b3e49
  SHA256: fd622cf73ea951a6de631063aba856487d77745dd1500adca61902b8dde56fe1
  SHA512: ed55443e20d40cca90596f0a0542fa5ab83fe0270399adfaafd172987fb813dfd44ec0da0a58c096af3641003f830341fe259ad5bce9823f238ae63b7e11e108
- Filesize: 24.1MB
  MD5: 38bda5e1e7e96e600350a73a57af1729
  SHA1: ad0b34443d631de6ecf6b6e9e901540ee50d90a6
  SHA256: 3da150a3382880e6ef0caed46f1ae47c8a3a3b6332d6c8c524e9a060fcd7f65c
  SHA512: 5534304e9e8aa5551f406b7ae7b73dc6094759ada61c415aa503ef23f883d25e2aa3fc0b8ae93e6de278115b7fec397accb7eca8cb4bfc36427f6f3109442cc7
- \??\Volume{ff55ba41-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{f6996c07-73ef-4e70-bfd6-59548d8fcb73}_OnDiskSnapshotProp
  Filesize: 6KB
  MD5: 3e7503fe50f9bab261590c99479d7704
  SHA1: 978d5fabded696aa82f0eb87b70552cb193b859b
  SHA256: 129a37ecaa4fad5568d63ee345030e3217d755d187c93c00fb8dd4ea47610971
  SHA512: 9db67ff85e42f7d57fa05938ffa91430f0d30b32ebac7578f2807493dc1b4daaa03c679cfc0661e4b4f1c92ed2e40418dfed27c9663981b3f0af6efa14b4fe8c

Note: the report gives no path for the first six files, so they cannot be matched to files.cab or install.exe from this page alone; pivot on the hashes instead. The last entry lives under System Volume Information\SPP, which System Protection writes when a restore point is taken (see srtasks.exe ExecuteScopeRestorePoint in the process tree); it is an artefact of the install's restore point, not a file dropped by the package.