Analysis
- max time kernel: 120s
- max time network: 16s
- platform: windows7_x64
- resource: win7-20240729-en
- resource tags: arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system
- submitted: 10/03/2025, 12:34
Static task
- static1

Behavioral task
- behavioral1
  Sample: CryptocommSetup.msi
  Resource: win7-20240729-en

Behavioral task
- behavioral2
  Sample: CryptocommSetup.msi
  Resource: win10v2004-20250217-en
General
- Target: CryptocommSetup.msi
- Size: 5.3MB
- MD5: b6a96e71ad5c0f9b96b2f1d7021e4e09
- SHA1: 73eabaad78c61de825ed0c8bec9e3b81f5568dbd
- SHA256: 834875b1149dde2148145b28f379c37235d4eb9671ddaeb7722b7c0e75c2aca9
- SHA512: bff28c1b4b7e3ca6dbfdf44203bb06c0872e5b2e29eceea39f1669afc783527be40460d73d50ea1a9cee9583c8fd538f5b14f3481aa42cca1e0bef9da9c8a800
- SSDEEP: 98304:/Hrk3bVI2OzboNeQBWkl43yRev9CcTnuKLFKcwD8OfL4vWmCP82wajDOOInENX:jsq5zboN6F9BLuuKcxOfL4vW225jDOO/
Malware Config
Signatures
- Enumerates connected drives (3 TTPs, 23 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.

  description | ioc | Process
  File opened (read-only) | \??\H: | msiexec.exe
  File opened (read-only) | \??\K: | msiexec.exe
  File opened (read-only) | \??\P: | msiexec.exe
  File opened (read-only) | \??\S: | msiexec.exe
  File opened (read-only) | \??\T: | msiexec.exe
  File opened (read-only) | \??\X: | msiexec.exe
  File opened (read-only) | \??\Z: | msiexec.exe
  File opened (read-only) | \??\J: | msiexec.exe
  File opened (read-only) | \??\L: | msiexec.exe
  File opened (read-only) | \??\M: | msiexec.exe
  File opened (read-only) | \??\R: | msiexec.exe
  File opened (read-only) | \??\U: | msiexec.exe
  File opened (read-only) | \??\V: | msiexec.exe
  File opened (read-only) | \??\W: | msiexec.exe
  File opened (read-only) | \??\A: | msiexec.exe
  File opened (read-only) | \??\B: | msiexec.exe
  File opened (read-only) | \??\E: | msiexec.exe
  File opened (read-only) | \??\I: | msiexec.exe
  File opened (read-only) | \??\N: | msiexec.exe
  File opened (read-only) | \??\Y: | msiexec.exe
  File opened (read-only) | \??\O: | msiexec.exe
  File opened (read-only) | \??\Q: | msiexec.exe
  File opened (read-only) | \??\G: | msiexec.exe
- Event Triggered Execution: Installer Packages (2 TTPs, 1 IoC)

  pid | Process
  560 | msiexec.exe
- Suspicious use of AdjustPrivilegeToken (42 IoCs)

  description | pid | Process
  Token: SeShutdownPrivilege | 560 | msiexec.exe
  Token: SeIncreaseQuotaPrivilege | 560 | msiexec.exe
  Token: SeRestorePrivilege | 2700 | msiexec.exe
  Token: SeTakeOwnershipPrivilege | 2700 | msiexec.exe
  Token: SeSecurityPrivilege | 2700 | msiexec.exe
  Token: SeCreateTokenPrivilege | 560 | msiexec.exe
  Token: SeAssignPrimaryTokenPrivilege | 560 | msiexec.exe
  Token: SeLockMemoryPrivilege | 560 | msiexec.exe
  Token: SeIncreaseQuotaPrivilege | 560 | msiexec.exe
  Token: SeMachineAccountPrivilege | 560 | msiexec.exe
  Token: SeTcbPrivilege | 560 | msiexec.exe
  Token: SeSecurityPrivilege | 560 | msiexec.exe
  Token: SeTakeOwnershipPrivilege | 560 | msiexec.exe
  Token: SeLoadDriverPrivilege | 560 | msiexec.exe
  Token: SeSystemProfilePrivilege | 560 | msiexec.exe
  Token: SeSystemtimePrivilege | 560 | msiexec.exe
  Token: SeProfSingleProcessPrivilege | 560 | msiexec.exe
  Token: SeIncBasePriorityPrivilege | 560 | msiexec.exe
  Token: SeCreatePagefilePrivilege | 560 | msiexec.exe
  Token: SeCreatePermanentPrivilege | 560 | msiexec.exe
  Token: SeBackupPrivilege | 560 | msiexec.exe
  Token: SeRestorePrivilege | 560 | msiexec.exe
  Token: SeShutdownPrivilege | 560 | msiexec.exe
  Token: SeDebugPrivilege | 560 | msiexec.exe
  Token: SeAuditPrivilege | 560 | msiexec.exe
  Token: SeSystemEnvironmentPrivilege | 560 | msiexec.exe
  Token: SeChangeNotifyPrivilege | 560 | msiexec.exe
  Token: SeRemoteShutdownPrivilege | 560 | msiexec.exe
  Token: SeUndockPrivilege | 560 | msiexec.exe
  Token: SeSyncAgentPrivilege | 560 | msiexec.exe
  Token: SeEnableDelegationPrivilege | 560 | msiexec.exe
  Token: SeManageVolumePrivilege | 560 | msiexec.exe
  Token: SeImpersonatePrivilege | 560 | msiexec.exe
  Token: SeCreateGlobalPrivilege | 560 | msiexec.exe
  Token: SeBackupPrivilege | 1644 | vssvc.exe
  Token: SeRestorePrivilege | 1644 | vssvc.exe
  Token: SeAuditPrivilege | 1644 | vssvc.exe
  Token: SeBackupPrivilege | 2700 | msiexec.exe
  Token: SeRestorePrivilege | 2700 | msiexec.exe
  Token: SeRestorePrivilege | 2888 | msiexec.exe
  Token: SeTakeOwnershipPrivilege | 2888 | msiexec.exe
  Token: SeSecurityPrivilege | 2888 | msiexec.exe
- Suspicious use of FindShellTrayWindow (2 IoCs)

  pid | Process
  560 | msiexec.exe
  560 | msiexec.exe

- Suspicious use of WriteProcessMemory (3 IoCs)

  description | pid | Process | procid_target
  PID 2700 wrote to memory of 2924 | 2700 | msiexec.exe | 32
  PID 2700 wrote to memory of 2924 | 2700 | msiexec.exe | 32
  PID 2700 wrote to memory of 2924 | 2700 | msiexec.exe | 32

- Uses Volume Shadow Copy service COM API
  The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
- C:\Windows\system32\msiexec.exe
  Command line: msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\CryptocommSetup.msi
  PID: 560
  Signatures:
  - Enumerates connected drives
  - Event Triggered Execution: Installer Packages
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow

- C:\Windows\system32\msiexec.exe
  Command line: C:\Windows\system32\msiexec.exe /V
  PID: 2700
  Signatures:
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  Child processes:
  - C:\Windows\system32\WerFault.exe
    Command line: C:\Windows\system32\WerFault.exe -u -p 2700 -s 812
    PID: 2924

- C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  PID: 1644
  Signatures:
  - Suspicious use of AdjustPrivilegeToken

- C:\Windows\system32\msiexec.exe
  Command line: C:\Windows\system32\msiexec.exe /V
  PID: 2888
  Signatures:
  - Suspicious use of AdjustPrivilegeToken