Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
149s -
max time network
149s -
platform
windows7_x64 -
resource
win7-20240729-en -
resource tags
arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system -
submitted
01/02/2025, 15:39
Static task
static1
Behavioral task
behavioral1
Sample
45a56a51bffca8d36b068af78dbc6aa6.msi
Resource
win7-20240729-en
Behavioral task
behavioral2
Sample
45a56a51bffca8d36b068af78dbc6aa6.msi
Resource
win10v2004-20250129-en
General
-
Target
45a56a51bffca8d36b068af78dbc6aa6.msi
-
Size
2.0MB
-
MD5
45a56a51bffca8d36b068af78dbc6aa6
-
SHA1
a694ba66def8d702feb337a234f0ab4e562efeda
-
SHA256
6984a8e300e9a3aee123a340299b813134c89bd7e4c91793321643e6ecdef9ae
-
SHA512
4b599573283efa10442645bc9da7a924f17407e369f80c15c8bb81e633e4d6c4a171391e4126292b1421aefcc2d702c305eb0e9f8a644d83f4f7acf09028c9da
-
SSDEEP
24576:Xt9cpVDhcq0eKeBDnhGDmov3c7XiLnhAHpi5Ko2ujKq:ApRhcOKeBDcDOyLhA4rm
Malware Config
Signatures
-
Modifies file permissions 1 TTPs 1 IoCs
pid Process 1340 ICACLS.EXE -
Enumerates connected drives 3 TTPs 46 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\A: msiexec.exe File opened (read-only) \??\E: msiexec.exe File opened (read-only) \??\A: msiexec.exe File opened (read-only) \??\P: msiexec.exe File opened (read-only) \??\U: msiexec.exe File opened (read-only) \??\Z: msiexec.exe File opened (read-only) \??\G: msiexec.exe File opened (read-only) \??\W: msiexec.exe File opened (read-only) \??\B: msiexec.exe File opened (read-only) \??\E: msiexec.exe File opened (read-only) \??\H: msiexec.exe File opened (read-only) \??\M: msiexec.exe File opened (read-only) \??\Q: msiexec.exe File opened (read-only) \??\R: msiexec.exe File opened (read-only) \??\S: msiexec.exe File opened (read-only) \??\Y: msiexec.exe File opened (read-only) \??\I: msiexec.exe File opened (read-only) \??\O: msiexec.exe File opened (read-only) \??\Q: msiexec.exe File opened (read-only) \??\R: msiexec.exe File opened (read-only) \??\V: msiexec.exe File opened (read-only) \??\X: msiexec.exe File opened (read-only) \??\Y: msiexec.exe File opened (read-only) \??\S: msiexec.exe File opened (read-only) \??\V: msiexec.exe File opened (read-only) \??\X: msiexec.exe File opened (read-only) \??\G: msiexec.exe File opened (read-only) \??\L: msiexec.exe File opened (read-only) \??\O: msiexec.exe File opened (read-only) \??\T: msiexec.exe File opened (read-only) \??\J: msiexec.exe File opened (read-only) \??\K: msiexec.exe File opened (read-only) \??\N: msiexec.exe File opened (read-only) \??\T: msiexec.exe File opened (read-only) \??\K: msiexec.exe File opened (read-only) \??\M: msiexec.exe File opened (read-only) \??\N: msiexec.exe File opened (read-only) \??\U: msiexec.exe File opened (read-only) \??\Z: msiexec.exe File opened (read-only) \??\J: msiexec.exe File opened (read-only) \??\P: msiexec.exe File opened (read-only) \??\L: msiexec.exe File opened (read-only) \??\W: msiexec.exe File opened (read-only) \??\B: msiexec.exe File opened (read-only) \??\H: msiexec.exe File opened (read-only) \??\I: msiexec.exe -
Drops file in Windows directory 10 IoCs
description ioc Process File opened for modification C:\Windows\INF\setupapi.ev3 DrvInst.exe File opened for modification C:\Windows\INF\setupapi.ev1 DrvInst.exe File opened for modification C:\Windows\INF\setupapi.dev.log DrvInst.exe File opened for modification C:\Windows\Installer\f76e070.msi msiexec.exe File opened for modification C:\Windows\Logs\DPX\setuperr.log EXPAND.EXE File created C:\Windows\Installer\f76e070.msi msiexec.exe File created C:\Windows\Installer\f76e071.ipi msiexec.exe File opened for modification C:\Windows\Installer\ msiexec.exe File opened for modification C:\Windows\Installer\MSIE14A.tmp msiexec.exe File opened for modification C:\Windows\Logs\DPX\setupact.log EXPAND.EXE -
Executes dropped EXE 1 IoCs
pid Process 1060 setup.exe -
Loads dropped DLL 4 IoCs
pid Process 808 MsiExec.exe 808 MsiExec.exe 808 MsiExec.exe 808 MsiExec.exe -
Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs
pid Process 1976 msiexec.exe -
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language MsiExec.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ICACLS.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language EXPAND.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language setup.exe -
Modifies data under HKEY_USERS 43 IoCs
description ioc Process Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust DrvInst.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 DrvInst.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 2464 msiexec.exe 2464 msiexec.exe -
Suspicious use of AdjustPrivilegeToken 53 IoCs
description pid Process Token: SeShutdownPrivilege 1976 msiexec.exe Token: SeIncreaseQuotaPrivilege 1976 msiexec.exe Token: SeRestorePrivilege 2464 msiexec.exe Token: SeTakeOwnershipPrivilege 2464 msiexec.exe Token: SeSecurityPrivilege 2464 msiexec.exe Token: SeCreateTokenPrivilege 1976 msiexec.exe Token: SeAssignPrimaryTokenPrivilege 1976 msiexec.exe Token: SeLockMemoryPrivilege 1976 msiexec.exe Token: SeIncreaseQuotaPrivilege 1976 msiexec.exe Token: SeMachineAccountPrivilege 1976 msiexec.exe Token: SeTcbPrivilege 1976 msiexec.exe Token: SeSecurityPrivilege 1976 msiexec.exe Token: SeTakeOwnershipPrivilege 1976 msiexec.exe Token: SeLoadDriverPrivilege 1976 msiexec.exe Token: SeSystemProfilePrivilege 1976 msiexec.exe Token: SeSystemtimePrivilege 1976 msiexec.exe Token: SeProfSingleProcessPrivilege 1976 msiexec.exe Token: SeIncBasePriorityPrivilege 1976 msiexec.exe Token: SeCreatePagefilePrivilege 1976 msiexec.exe Token: SeCreatePermanentPrivilege 1976 msiexec.exe Token: SeBackupPrivilege 1976 msiexec.exe Token: SeRestorePrivilege 1976 msiexec.exe Token: SeShutdownPrivilege 1976 msiexec.exe Token: SeDebugPrivilege 1976 msiexec.exe Token: SeAuditPrivilege 1976 msiexec.exe Token: SeSystemEnvironmentPrivilege 1976 msiexec.exe Token: SeChangeNotifyPrivilege 1976 msiexec.exe Token: SeRemoteShutdownPrivilege 1976 msiexec.exe Token: SeUndockPrivilege 1976 msiexec.exe Token: SeSyncAgentPrivilege 1976 msiexec.exe Token: SeEnableDelegationPrivilege 1976 msiexec.exe Token: SeManageVolumePrivilege 1976 msiexec.exe Token: SeImpersonatePrivilege 1976 msiexec.exe Token: SeCreateGlobalPrivilege 1976 msiexec.exe Token: SeBackupPrivilege 2428 vssvc.exe Token: SeRestorePrivilege 2428 vssvc.exe Token: SeAuditPrivilege 2428 vssvc.exe Token: SeBackupPrivilege 2464 msiexec.exe Token: SeRestorePrivilege 2464 msiexec.exe Token: SeRestorePrivilege 2640 DrvInst.exe Token: SeRestorePrivilege 2640 DrvInst.exe Token: SeRestorePrivilege 2640 DrvInst.exe Token: SeRestorePrivilege 2640 DrvInst.exe Token: SeRestorePrivilege 2640 DrvInst.exe Token: SeRestorePrivilege 2640 DrvInst.exe Token: SeRestorePrivilege 2640 DrvInst.exe Token: SeLoadDriverPrivilege 2640 DrvInst.exe Token: SeLoadDriverPrivilege 2640 DrvInst.exe Token: SeLoadDriverPrivilege 2640 DrvInst.exe Token: SeRestorePrivilege 2464 msiexec.exe Token: SeTakeOwnershipPrivilege 2464 msiexec.exe Token: SeRestorePrivilege 2464 msiexec.exe Token: SeTakeOwnershipPrivilege 2464 msiexec.exe -
Suspicious use of FindShellTrayWindow 1 IoCs
pid Process 1976 msiexec.exe -
Suspicious use of WriteProcessMemory 22 IoCs
description pid Process procid_target PID 2464 wrote to memory of 808 2464 msiexec.exe 35 PID 2464 wrote to memory of 808 2464 msiexec.exe 35 PID 2464 wrote to memory of 808 2464 msiexec.exe 35 PID 2464 wrote to memory of 808 2464 msiexec.exe 35 PID 2464 wrote to memory of 808 2464 msiexec.exe 35 PID 2464 wrote to memory of 808 2464 msiexec.exe 35 PID 2464 wrote to memory of 808 2464 msiexec.exe 35 PID 808 wrote to memory of 1340 808 MsiExec.exe 36 PID 808 wrote to memory of 1340 808 MsiExec.exe 36 PID 808 wrote to memory of 1340 808 MsiExec.exe 36 PID 808 wrote to memory of 1340 808 MsiExec.exe 36 PID 808 wrote to memory of 1944 808 MsiExec.exe 38 PID 808 wrote to memory of 1944 808 MsiExec.exe 38 PID 808 wrote to memory of 1944 808 MsiExec.exe 38 PID 808 wrote to memory of 1944 808 MsiExec.exe 38 PID 808 wrote to memory of 1060 808 MsiExec.exe 40 PID 808 wrote to memory of 1060 808 MsiExec.exe 40 PID 808 wrote to memory of 1060 808 MsiExec.exe 40 PID 808 wrote to memory of 1060 808 MsiExec.exe 40 PID 808 wrote to memory of 1060 808 MsiExec.exe 40 PID 808 wrote to memory of 1060 808 MsiExec.exe 40 PID 808 wrote to memory of 1060 808 MsiExec.exe 40 -
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Windows\system32\msiexec.exemsiexec.exe /I C:\Users\Admin\AppData\Local\Temp\45a56a51bffca8d36b068af78dbc6aa6.msi1⤵
- Enumerates connected drives
- Event Triggered Execution: Installer Packages
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1976
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2464 -
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding C129765949A3C096A7C1C2814656B2F82⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:808 -
C:\Windows\SysWOW64\ICACLS.EXE"C:\Windows\system32\ICACLS.EXE" "C:\Users\Admin\AppData\Local\Temp\MW-65991207-913a-441b-b83e-0a93875a4394\." /SETINTEGRITYLEVEL (CI)(OI)HIGH3⤵
- Modifies file permissions
- System Location Discovery: System Language Discovery
PID:1340
-
-
C:\Windows\SysWOW64\EXPAND.EXE"C:\Windows\system32\EXPAND.EXE" -R files.cab -F:* files3⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:1944
-
-
C:\Users\Admin\AppData\Local\Temp\MW-65991207-913a-441b-b83e-0a93875a4394\files\setup.exe"C:\Users\Admin\AppData\Local\Temp\MW-65991207-913a-441b-b83e-0a93875a4394\files\setup.exe" /VERYSILENT /VERYSILENT3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1060
-
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2428
-
C:\Windows\system32\DrvInst.exeDrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000002A8" "00000000000005AC"1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2640
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1.7MB
MD5df5cc7b5707ecf44d429585c625d5b7f
SHA1a837d6b536151c31b412b81f06da995b746c02c1
SHA256cce10adeed7eace3be7434312279923db0c3f79a71a48b985aca9e3c7d585a2e
SHA512bca1581078da37ec204ba7c32410528908b3b701a83bf73659897387b20766e99d23aa9ad4830cc61a2e7a066394b4fbbe8fd2a3968580494a8c7f593ed2e0d1
-
Filesize
1KB
MD52347236c30676b6719f7f08e23d16688
SHA12ff481e85790028a269e8687808c98a8c5783a81
SHA2566bc7f57c4a6bc19915ffa1efe4b5ff7e74e0fd9353710457b1d5dd9ae5a742f5
SHA512dd5766d9f161a26465eec58c155ad84afe807820cb2feb61652a9609cb5a3a34c33b015424068bca994f2abecd5a9fa411f0d479c9e937c4505d22bfdd3036a1
-
Filesize
1KB
MD59da5734a039327698841826942b4a702
SHA1a924bd643e118d3196ba30d1b967615d056790d3
SHA2561b553d7d783ccd8abb05b0ddc09fb9f55f7c5caf77460fdfd5bf14f85624f8aa
SHA512b8d4edf27f318ec34182de1029ac7f51c41a9f489eba10f2937845c6963946d0a9647ba9860b03367003e62c72205a5c37db8d0a9339b6746a9a84df0d89718a
-
Filesize
208KB
MD50c8921bbcc37c6efd34faf44cf3b0cb5
SHA1dcfa71246157edcd09eecaf9d4c5e360b24b3e49
SHA256fd622cf73ea951a6de631063aba856487d77745dd1500adca61902b8dde56fe1
SHA512ed55443e20d40cca90596f0a0542fa5ab83fe0270399adfaafd172987fb813dfd44ec0da0a58c096af3641003f830341fe259ad5bce9823f238ae63b7e11e108