Analysis
max time kernel: 148s
max time network: 46s
platform: windows7_x64
resource: win7-20220718-en
resource tags: arch:x64 arch:x86 image:win7-20220718-en locale:en-us os:windows7-x64 system
submitted: 24/07/2022, 22:38
Static task: static1
Behavioral task: behavioral1
Sample: 445342537392aa1e3756715d6f4eaafa281c4b8d5a8bfd104978ce4ce1635ac1.msi
Resource: win7-20220718-en
General
Target: 445342537392aa1e3756715d6f4eaafa281c4b8d5a8bfd104978ce4ce1635ac1.msi
Size: 784KB
MD5: dba4ccecc8307d0605845fd39e42ae5e
SHA1: eb125af24da96fa4d4edd94cec7dab168735309e
SHA256: 445342537392aa1e3756715d6f4eaafa281c4b8d5a8bfd104978ce4ce1635ac1
SHA512: fd4421a56d53a83b884baf710bd5ba0a079e1a99db7a7c64680c41b7a3e1aac00d61adf481fdb0ded216832a8e633381b9aeae9c456f5f49ff47ff5b391a68bb
Malware Config
Extracted
formbook
3.9
ka
whatisvipxlbody.com
ads-fas.com
starkce.com
get-zapt.com
meikind.com
mysoresite.com
worldlygone.win
contestrockets.com
ashleyrosemary.com
dr-dragon.com
magnet-o-board.net
uniqueappeals.win
advertising-research.net
anishnabek.com
myfaithwear.com
final90.online
paladinlawfirm.com
parousiatech.com
wmnpet.com
thefilmmedianetwork.com
ernestobrytennis.com
hawaiihangouts.com
theboywhocriediraq.com
jsxzntt.com
wl266.info
suiyicao.com
feelliz.com
hpguk.com
endurancetestx.com
crescentmobiledetailing.com
xn--jgun5zjw5a.com
thesecretgardenrsf.com
moversfoxborough.com
6cc6.info
fangjiadili.com
videotvnovosti.com
humananalisys.com
procedure-idea.tech
notbrice.net
revesacc.men
51web.info
structureimage.com
jubileehotelleeds.com
062ope.com
ztjgc.com
timcloud.win
zerokidsfashion.com
gw3338368.com
db-archviz.com
thebadagavillage.com
towblade.com
lebientotnomme.com
technosweed.info
byx0o6.info
howtomakelifework.com
equifaxsecurity017.com
pontoon.online
jennytanguyen.com
tianlongnet.com
radityaguntur.com
bigtruckptos.com
tribalvibevlog.com
lkjgame666.com
tmqingxin.com
bolipy.com
Signatures

Formbook payload (3 IoCs)
resource                                                                      yara_rule
behavioral1/memory/1696-62-0x0000000000400000-0x000000000042A000-memory.dmp  formbook
behavioral1/memory/1696-69-0x0000000000400000-0x000000000042A000-memory.dmp  formbook
behavioral1/memory/1616-72-0x0000000000080000-0x00000000000AA000-memory.dmp  formbook

Executes dropped EXE (2 IoCs)
pid   Process
1656  MSI7ABE.tmp
1696  MSI7ABE.tmp

Enumerates connected drives (3 TTPs, 48 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description              ioc     Process
File opened (read-only)  \??\I:  msiexec.exe
File opened (read-only)  \??\B:  msiexec.exe
File opened (read-only)  \??\J:  msiexec.exe
File opened (read-only)  \??\K:  msiexec.exe
File opened (read-only)  \??\M:  msiexec.exe
File opened (read-only)  \??\X:  msiexec.exe
File opened (read-only)  \??\Y:  msiexec.exe
File opened (read-only)  \??\B:  msiexec.exe
File opened (read-only)  \??\K:  msiexec.exe
File opened (read-only)  \??\X:  msiexec.exe
File opened (read-only)  \??\S:  msiexec.exe
File opened (read-only)  \??\W:  msiexec.exe
File opened (read-only)  \??\Z:  msiexec.exe
File opened (read-only)  \??\R:  msiexec.exe
File opened (read-only)  \??\S:  msiexec.exe
File opened (read-only)  \??\U:  msiexec.exe
File opened (read-only)  \??\V:  msiexec.exe
File opened (read-only)  \??\F:  msiexec.exe
File opened (read-only)  \??\N:  msiexec.exe
File opened (read-only)  \??\P:  msiexec.exe
File opened (read-only)  \??\U:  msiexec.exe
File opened (read-only)  \??\E:  msiexec.exe
File opened (read-only)  \??\F:  msiexec.exe
File opened (read-only)  \??\N:  msiexec.exe
File opened (read-only)  \??\P:  msiexec.exe
File opened (read-only)  \??\W:  msiexec.exe
File opened (read-only)  \??\H:  msiexec.exe
File opened (read-only)  \??\M:  msiexec.exe
File opened (read-only)  \??\Y:  msiexec.exe
File opened (read-only)  \??\G:  msiexec.exe
File opened (read-only)  \??\L:  msiexec.exe
File opened (read-only)  \??\O:  msiexec.exe
File opened (read-only)  \??\Q:  msiexec.exe
File opened (read-only)  \??\T:  msiexec.exe
File opened (read-only)  \??\Q:  msiexec.exe
File opened (read-only)  \??\A:  msiexec.exe
File opened (read-only)  \??\O:  msiexec.exe
File opened (read-only)  \??\A:  msiexec.exe
File opened (read-only)  \??\E:  msiexec.exe
File opened (read-only)  \??\G:  msiexec.exe
File opened (read-only)  \??\T:  msiexec.exe
File opened (read-only)  \??\V:  msiexec.exe
File opened (read-only)  \??\H:  msiexec.exe
File opened (read-only)  \??\I:  msiexec.exe
File opened (read-only)  \??\Z:  msiexec.exe
File opened (read-only)  \??\J:  msiexec.exe
File opened (read-only)  \??\L:  msiexec.exe
File opened (read-only)  \??\R:  msiexec.exe

Suspicious use of SetThreadContext (4 IoCs)
description                          pid   Process      procid_target
PID 1656 set thread context of 1696  1656  MSI7ABE.tmp  33
PID 1696 set thread context of 1356  1696  MSI7ABE.tmp  14
PID 1696 set thread context of 1356  1696  MSI7ABE.tmp  14
PID 1616 set thread context of 1356  1616  msdt.exe     14

Drops file in Windows directory (10 IoCs)
description                   ioc                               Process
File opened for modification  C:\Windows\INF\setupapi.ev1       DrvInst.exe
File opened for modification  C:\Windows\INF\setupapi.dev.log   DrvInst.exe
File created                  C:\Windows\Installer\6c77b0.msi   msiexec.exe
File opened for modification  C:\Windows\Installer\             msiexec.exe
File opened for modification  C:\Windows\Installer\MSI7ABE.tmp  msiexec.exe
File opened for modification  C:\Windows\Installer\6c77b2.ipi   msiexec.exe
File opened for modification  C:\Windows\INF\setupapi.ev3       DrvInst.exe
File created                  C:\Windows\Installer\6c77b2.ipi   msiexec.exe
File opened for modification  C:\Windows\Installer\MSI7A4F.tmp  msiexec.exe
File opened for modification  C:\Windows\Installer\6c77b0.msi   msiexec.exe

Modifies data under HKEY_USERS (43 IoCs)
description       ioc                                                                                                    Process
Key created       \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing  DrvInst.exe
Key created       \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates    DrvInst.exe
Key created       \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs                               DrvInst.exe
Key created       \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs                               DrvInst.exe
Key created       \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs                      DrvInst.exe
Key created       \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs                      DrvInst.exe
Key created       \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs                                  DrvInst.exe
Key created       \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs                                  DrvInst.exe
Key created       \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates                 DrvInst.exe
Key created       \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs                 DrvInst.exe
Key created       \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople                            DrvInst.exe
Key created       \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs              DrvInst.exe
Key created       \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust                                    DrvInst.exe
Key created       \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA                                       DrvInst.exe
Key created       \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA                              DrvInst.exe
Key created       \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates                  DrvInst.exe
Key created       \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs                          DrvInst.exe
Key created       \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root                                     DrvInst.exe
Key created       \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates               DrvInst.exe
Key created       \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed                      DrvInst.exe
Key created       \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs                       DrvInst.exe
Key created       \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates              DrvInst.exe
Key created       \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My                                       DrvInst.exe
Key created       \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates                          DrvInst.exe
Key created       \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates         DrvInst.exe
Key created       \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs                 DrvInst.exe
Key created       \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs                                DrvInst.exe
Key created       \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust                           DrvInst.exe
Set value (data)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000  DrvInst.exe
Key created       \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed                               DrvInst.exe
Key created       \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs                                DrvInst.exe
Key created       \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople                   DrvInst.exe
Key created       \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs              DrvInst.exe
Key created       \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates                       DrvInst.exe
Key created       \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs                         DrvInst.exe
Key created       \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs                          DrvInst.exe
Key created       \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates                        DrvInst.exe
Key created       \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs                       DrvInst.exe
Key created       \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs                       DrvInst.exe
Key created       \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs                       DrvInst.exe
Key created       \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs                         DrvInst.exe
Key created       \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot                            DrvInst.exe
Key created       \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates               DrvInst.exe

Suspicious behavior: EnumeratesProcesses (9 IoCs)
pid   Process
1896  msiexec.exe
1896  msiexec.exe
1656  MSI7ABE.tmp
1696  MSI7ABE.tmp
1696  MSI7ABE.tmp
1696  MSI7ABE.tmp
1616  msdt.exe
1616  msdt.exe
1616  msdt.exe

Suspicious behavior: MapViewOfSection (8 IoCs)
pid   Process
1656  MSI7ABE.tmp
1656  MSI7ABE.tmp
1696  MSI7ABE.tmp
1696  MSI7ABE.tmp
1696  MSI7ABE.tmp
1696  MSI7ABE.tmp
1616  msdt.exe
1616  msdt.exe

Suspicious use of AdjustPrivilegeToken (64 IoCs)
description                           pid   Process
Token: SeShutdownPrivilege            364   msiexec.exe
Token: SeIncreaseQuotaPrivilege       364   msiexec.exe
Token: SeRestorePrivilege             1896  msiexec.exe
Token: SeTakeOwnershipPrivilege       1896  msiexec.exe
Token: SeSecurityPrivilege            1896  msiexec.exe
Token: SeCreateTokenPrivilege         364   msiexec.exe
Token: SeAssignPrimaryTokenPrivilege  364   msiexec.exe
Token: SeLockMemoryPrivilege          364   msiexec.exe
Token: SeIncreaseQuotaPrivilege       364   msiexec.exe
Token: SeMachineAccountPrivilege      364   msiexec.exe
Token: SeTcbPrivilege                 364   msiexec.exe
Token: SeSecurityPrivilege            364   msiexec.exe
Token: SeTakeOwnershipPrivilege       364   msiexec.exe
Token: SeLoadDriverPrivilege          364   msiexec.exe
Token: SeSystemProfilePrivilege       364   msiexec.exe
Token: SeSystemtimePrivilege          364   msiexec.exe
Token: SeProfSingleProcessPrivilege   364   msiexec.exe
Token: SeIncBasePriorityPrivilege     364   msiexec.exe
Token: SeCreatePagefilePrivilege      364   msiexec.exe
Token: SeCreatePermanentPrivilege     364   msiexec.exe
Token: SeBackupPrivilege              364   msiexec.exe
Token: SeRestorePrivilege             364   msiexec.exe
Token: SeShutdownPrivilege            364   msiexec.exe
Token: SeDebugPrivilege               364   msiexec.exe
Token: SeAuditPrivilege               364   msiexec.exe
Token: SeSystemEnvironmentPrivilege   364   msiexec.exe
Token: SeChangeNotifyPrivilege        364   msiexec.exe
Token: SeRemoteShutdownPrivilege      364   msiexec.exe
Token: SeUndockPrivilege              364   msiexec.exe
Token: SeSyncAgentPrivilege           364   msiexec.exe
Token: SeEnableDelegationPrivilege    364   msiexec.exe
Token: SeManageVolumePrivilege        364   msiexec.exe
Token: SeImpersonatePrivilege         364   msiexec.exe
Token: SeCreateGlobalPrivilege        364   msiexec.exe
Token: SeBackupPrivilege              1112  vssvc.exe
Token: SeRestorePrivilege             1112  vssvc.exe
Token: SeAuditPrivilege               1112  vssvc.exe
Token: SeBackupPrivilege              1896  msiexec.exe
Token: SeRestorePrivilege             1896  msiexec.exe
Token: SeRestorePrivilege             1440  DrvInst.exe
Token: SeRestorePrivilege             1440  DrvInst.exe
Token: SeRestorePrivilege             1440  DrvInst.exe
Token: SeRestorePrivilege             1440  DrvInst.exe
Token: SeRestorePrivilege             1440  DrvInst.exe
Token: SeRestorePrivilege             1440  DrvInst.exe
Token: SeRestorePrivilege             1440  DrvInst.exe
Token: SeLoadDriverPrivilege          1440  DrvInst.exe
Token: SeLoadDriverPrivilege          1440  DrvInst.exe
Token: SeLoadDriverPrivilege          1440  DrvInst.exe
Token: SeRestorePrivilege             1896  msiexec.exe
Token: SeTakeOwnershipPrivilege       1896  msiexec.exe
Token: SeRestorePrivilege             1896  msiexec.exe
Token: SeTakeOwnershipPrivilege       1896  msiexec.exe
Token: SeRestorePrivilege             1896  msiexec.exe
Token: SeTakeOwnershipPrivilege       1896  msiexec.exe
Token: SeRestorePrivilege             1896  msiexec.exe
Token: SeTakeOwnershipPrivilege       1896  msiexec.exe
Token: SeDebugPrivilege               1696  MSI7ABE.tmp
Token: SeRestorePrivilege             1896  msiexec.exe
Token: SeTakeOwnershipPrivilege       1896  msiexec.exe
Token: SeRestorePrivilege             1896  msiexec.exe
Token: SeTakeOwnershipPrivilege       1896  msiexec.exe
Token: SeShutdownPrivilege            1356  Explorer.EXE
Token: SeShutdownPrivilege            1356  Explorer.EXE

Suspicious use of FindShellTrayWindow (2 IoCs)
pid  Process
364  msiexec.exe
364  msiexec.exe

Suspicious use of WriteProcessMemory (16 IoCs)
description                       pid   Process      procid_target
PID 1896 wrote to memory of 1656  1896  msiexec.exe  32
PID 1896 wrote to memory of 1656  1896  msiexec.exe  32
PID 1896 wrote to memory of 1656  1896  msiexec.exe  32
PID 1896 wrote to memory of 1656  1896  msiexec.exe  32
PID 1656 wrote to memory of 1696  1656  MSI7ABE.tmp  33
PID 1656 wrote to memory of 1696  1656  MSI7ABE.tmp  33
PID 1656 wrote to memory of 1696  1656  MSI7ABE.tmp  33
PID 1656 wrote to memory of 1696  1656  MSI7ABE.tmp  33
PID 1696 wrote to memory of 1616  1696  MSI7ABE.tmp  34
PID 1696 wrote to memory of 1616  1696  MSI7ABE.tmp  34
PID 1696 wrote to memory of 1616  1696  MSI7ABE.tmp  34
PID 1696 wrote to memory of 1616  1696  MSI7ABE.tmp  34
PID 1616 wrote to memory of 984   1616  msdt.exe     35
PID 1616 wrote to memory of 984   1616  msdt.exe     35
PID 1616 wrote to memory of 984   1616  msdt.exe     35
PID 1616 wrote to memory of 984   1616  msdt.exe     35
Processes
(each entry: image path, command line, PID, matched signatures; indentation shows parent/child)

- C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE
  PID: 1356
  - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\system32\msiexec.exe
    Command line: msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\445342537392aa1e3756715d6f4eaafa281c4b8d5a8bfd104978ce4ce1635ac1.msi
    PID: 364
    - Enumerates connected drives
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow

- C:\Windows\system32\msiexec.exe
  Command line: C:\Windows\system32\msiexec.exe /V
  PID: 1896
  - Enumerates connected drives
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\Installer\MSI7ABE.tmp
    Command line: "C:\Windows\Installer\MSI7ABE.tmp"
    PID: 1656
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    - C:\Windows\Installer\MSI7ABE.tmp
      Command line: "C:\Windows\Installer\MSI7ABE.tmp"
      PID: 1696
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\msdt.exe
        Command line: "C:\Windows\SysWOW64\msdt.exe"
        PID: 1616
        - Suspicious use of SetThreadContext
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: MapViewOfSection
        - Suspicious use of WriteProcessMemory
        - C:\Windows\SysWOW64\cmd.exe
          Command line: /c del "C:\Windows\Installer\MSI7ABE.tmp"
          PID: 984

- C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  PID: 1112
  - Suspicious use of AdjustPrivilegeToken

- C:\Windows\system32\DrvInst.exe
  Command line: DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "0000000000000320" "00000000000003D0"
  PID: 1440
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads
Three downloaded files are listed, all with identical size and hashes (i.e. the same content):
Filesize: 757KB
MD5: 796f982d0dfe5b16b3df76473a919b50
SHA1: 6a7f3e45afe268a4a630ce57d3cacd7ebe208ec1
SHA256: c3791863ec4be69c97f366b7e73ed9e5e18f3fd8c1e1cbf3dffac226313272f2
SHA512: 09492b47ee13d5c13c6aa6bbc0b3322d8a96c9caa328040477120415d4c544397079264248b1290fe412e51ae2cf62ca702b7da6a76d41d2acff5668a92e8064