Analysis
- max time kernel: 148s
- max time network: 144s
- platform: windows10-2004_x64
- resource: win10v2004-20220721-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220721-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 24/07/2022, 22:38
Static task: static1
Behavioral task: behavioral1
- Sample: 445342537392aa1e3756715d6f4eaafa281c4b8d5a8bfd104978ce4ce1635ac1.msi
- Resource: win7-20220718-en
Note that the behavioral results reproduced below come from the windows10-2004_x64 run (the memory dumps are named behavioral2/..., and the Analysis block names the win10v2004-20220721-en resource); the win7-20220718-en task listed here is a separate run whose details are not on this page.
General
- Target: 445342537392aa1e3756715d6f4eaafa281c4b8d5a8bfd104978ce4ce1635ac1.msi
- Size: 784KB
- MD5: dba4ccecc8307d0605845fd39e42ae5e
- SHA1: eb125af24da96fa4d4edd94cec7dab168735309e
- SHA256: 445342537392aa1e3756715d6f4eaafa281c4b8d5a8bfd104978ce4ce1635ac1
- SHA512: fd4421a56d53a83b884baf710bd5ba0a079e1a99db7a7c64680c41b7a3e1aac00d61adf481fdb0ded216832a8e633381b9aeae9c456f5f49ff47ff5b391a68bb
Malware Config
Extracted
- Family: formbook
- Version: 3.9
- Campaign: ka
- C2 domains (as extracted from the payload's configuration). Formbook stores its live C2 alongside decoy domains, and the decoys are commonly real, unrelated sites; the report does not say which entry is live, so treat this list as hunting indicators to correlate with observed traffic rather than as a block list:
whatisvipxlbody.com
ads-fas.com
starkce.com
get-zapt.com
meikind.com
mysoresite.com
worldlygone.win
contestrockets.com
ashleyrosemary.com
dr-dragon.com
magnet-o-board.net
uniqueappeals.win
advertising-research.net
anishnabek.com
myfaithwear.com
final90.online
paladinlawfirm.com
parousiatech.com
wmnpet.com
thefilmmedianetwork.com
ernestobrytennis.com
hawaiihangouts.com
theboywhocriediraq.com
jsxzntt.com
wl266.info
suiyicao.com
feelliz.com
hpguk.com
endurancetestx.com
crescentmobiledetailing.com
xn--jgun5zjw5a.com
thesecretgardenrsf.com
moversfoxborough.com
6cc6.info
fangjiadili.com
videotvnovosti.com
humananalisys.com
procedure-idea.tech
notbrice.net
revesacc.men
51web.info
structureimage.com
jubileehotelleeds.com
062ope.com
ztjgc.com
timcloud.win
zerokidsfashion.com
gw3338368.com
db-archviz.com
thebadagavillage.com
towblade.com
lebientotnomme.com
technosweed.info
byx0o6.info
howtomakelifework.com
equifaxsecurity017.com
pontoon.online
jennytanguyen.com
tianlongnet.com
radityaguntur.com
bigtruckptos.com
tribalvibevlog.com
lkjgame666.com
tmqingxin.com
bolipy.com
Signatures
Formbook payload 4 IoCs
Memory regions matched by the formbook YARA rule (resource, rule):
- behavioral2/memory/4736-138-0x0000000000400000-0x000000000042A000-memory.dmp (MSI1926.tmp, PID 4736): formbook
- behavioral2/memory/4736-143-0x0000000000400000-0x000000000042A000-memory.dmp (MSI1926.tmp, PID 4736): formbook
- behavioral2/memory/3476-146-0x0000000000E40000-0x0000000000E6A000-memory.dmp (rundll32.exe, PID 3476): formbook
- behavioral2/memory/3476-150-0x0000000000E40000-0x0000000000E6A000-memory.dmp (rundll32.exe, PID 3476): formbook
Both regions are 0x2A000 bytes long: the same unpacked Formbook image, once in PID 4736 at 0x400000 (the usual image base of a 32-bit executable, consistent with the hollowed child's own image having been overwritten) and once in rundll32.exe at 0xE40000 after the later injection. Either dump is the right one to carve the payload from.
Executes dropped EXE 2 IoCs
- PID 1880: MSI1926.tmp
- PID 4736: MSI1926.tmp
Enumerates connected drives 3 TTPs 48 IoCs
Attempts to read the root path of hard drives other than the default C: drive. Every one of the 48 opens in this run is by msiexec.exe, that is, the Windows Installer service enumerating volumes as it does for any package, not the Formbook payload; on its own this signature is installer noise.
- File opened (read-only) by msiexec.exe, twice each: \??\A: \??\B: \??\E: \??\F: \??\G: \??\H: \??\I: \??\J: \??\K: \??\L: \??\M: \??\N: \??\O: \??\P: \??\Q: \??\R: \??\S: \??\T: \??\U: \??\V: \??\W: \??\X: \??\Y: \??\Z: (every drive letter except C: and D:)
Suspicious use of SetThreadContext 3 IoCs
Source PID → target PID (source process → target process, procid_target):
- 1880 → 4736 (MSI1926.tmp → MSI1926.tmp, 89)
- 4736 → 2480 (MSI1926.tmp → Explorer.EXE, 31)
- 3476 → 2480 (rundll32.exe → Explorer.EXE, 31)
These three rows are the Formbook injection chain: the dropped executable starts a second copy of itself and sets its thread context (process hollowing), the hollowed copy injects into Explorer.EXE, and the argument-less rundll32.exe that Explorer then launches sets Explorer's thread context again before its cmd.exe child deletes the dropper (see the process tree).
Drops file in Windows directory 8 IoCs
All eight are the Windows Installer service (msiexec.exe, PID 4592) doing ordinary installer housekeeping. The two that matter for response are the extracted payload MSI1926.tmp, which the process tree shows being deleted afterwards, and the cached copy of the package, e571695.msi, which Windows Installer keeps in C:\Windows\Installer for repair and uninstall and which therefore survives the payload's cleanup.
- File opened for modification: C:\Windows\Installer\ (msiexec.exe)
- File created: C:\Windows\Installer\inprogressinstallinfo.ipi (msiexec.exe)
- File created: C:\Windows\Installer\SourceHash{29EF7317-DCA1-4159-97B2-C883AD400AC6} (msiexec.exe)
- File opened for modification: C:\Windows\Installer\MSI1879.tmp (msiexec.exe)
- File opened for modification: C:\Windows\Installer\MSI1926.tmp (msiexec.exe)
- File created: C:\Windows\Installer\e571695.msi (msiexec.exe)
- File opened for modification: C:\Windows\Installer\e571695.msi (msiexec.exe)
- File opened for modification: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log (msiexec.exe)
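The SourceHash{...} file name above carries the package's product code, which is the key for pivoting from this report to a suspect host: Windows Installer records the product under a "packed" form of that GUID in the registry, and the InstallProperties key it writes names the cached .msi (e571695.msi in this run). The following is an added example, not part of the tria.ge report or of any Windows Installer tooling. It assumes, as is the normal Windows Installer layout, that the GUID in SourceHash{...} is the ProductCode; the registry paths it emits are the standard per-machine (S-1-5-18) locations, and the packed-GUID transform is the documented one.

```python
"""Turn the product code from C:\\Windows\\Installer\\SourceHash{...} into the
registry and file-system artefacts to check on a suspect host.

Added example, not part of the tria.ge report. Assumes the SourceHash GUID is
the package's ProductCode (the normal Windows Installer layout).
"""
from typing import List

# Product code taken from the SourceHash{...} file name in the report
PRODUCT_CODE = "{29EF7317-DCA1-4159-97B2-C883AD400AC6}"


def pack_guid(guid: str) -> str:
    """Windows Installer 'packed' GUID: reverse the first three groups
    character-wise, then swap each byte pair of the last two groups."""
    h = guid.strip("{}").replace("-", "").upper()
    if len(h) != 32 or any(c not in "0123456789ABCDEF" for c in h):
        raise ValueError(f"not a GUID: {guid!r}")
    head = h[0:8][::-1] + h[8:12][::-1] + h[12:16][::-1]
    tail = "".join(h[i + 1] + h[i] for i in range(16, 32, 2))
    return head + tail


def unpack_guid(packed: str) -> str:
    """Inverse of pack_guid: the transform is its own inverse on the 32 hex
    digits, so apply it again and restore the braces and dashes."""
    g = pack_guid(packed)
    return "{%s-%s-%s-%s-%s}" % (g[0:8], g[8:12], g[12:16], g[16:20], g[20:32])


def installer_artifacts(product_code: str) -> List[str]:
    """Locations a responder should check for a per-machine install of this
    product code. InstallProperties holds the LocalPackage value that names
    the cached copy of the installer (e571695.msi in the report)."""
    packed = pack_guid(product_code)
    return [
        rf"C:\Windows\Installer\SourceHash{product_code}",
        rf"HKLM\SOFTWARE\Classes\Installer\Products\{packed}",
        rf"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\{packed}\InstallProperties",
        rf"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{product_code}",
    ]


if __name__ == "__main__":
    print("packed:", pack_guid(PRODUCT_CODE))
    for path in installer_artifacts(PRODUCT_CODE):
        print(path)
```

The packed form is what you will see as the key name under Products; the braced form is what the Uninstall key and the SourceHash file use, so a responder needs both when searching registry hives or a forensic image.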
Checks SCSI registry key(s) 3 TTPs 5 IoCs
SCSI information is often read in order to detect sandboxing environments. In this run, however, every access is by vssvc.exe (PID 1588), the Volume Shadow Copy service, and the process tree shows msiexec.exe spawning srtasks.exe ExecuteScopeRestorePoint: this is the restore point Windows Installer requests before an install, not the payload fingerprinting the disk, so do not count it as Formbook anti-analysis behaviour.
- Key opened (vssvc.exe): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters
- Key queried (vssvc.exe): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters
- Key created (vssvc.exe): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr
- Set value (data) (vssvc.exe): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = (value not reproduced in the report)
- Set value (data) (vssvc.exe): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
Suspicious behavior: EnumeratesProcesses 32 IoCs
- PID 4592 msiexec.exe: 2
- PID 1880 MSI1926.tmp: 2
- PID 4736 MSI1926.tmp: 4
- PID 3476 rundll32.exe: 24
Suspicious behavior: MapViewOfSection 7 IoCs
- PID 1880 MSI1926.tmp: 2
- PID 4736 MSI1926.tmp: 3
- PID 3476 rundll32.exe: 2
Suspicious use of AdjustPrivilegeToken 57 IoCs
Grouped by process. Only the last two entries belong to the payload: SeDebugPrivilege enabled by the hollowed MSI1926.tmp and by rundll32.exe, the two processes whose memory matched the Formbook rule. The remainder are the Windows Installer client (4528) and service (4592), the restore-point task and the Volume Shadow Copy service doing what they do for any MSI install.
- PID 4528 msiexec.exe (31): SeShutdownPrivilege ×2, SeIncreaseQuotaPrivilege ×2, SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege, SeMachineAccountPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeSyncAgentPrivilege, SeEnableDelegationPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
- PID 4592 msiexec.exe (13): SeSecurityPrivilege, SeBackupPrivilege, SeRestorePrivilege ×6, SeTakeOwnershipPrivilege ×5
- PID 1588 vssvc.exe (3): SeBackupPrivilege, SeRestorePrivilege, SeAuditPrivilege
- PID 2560 srtasks.exe (8): SeBackupPrivilege ×2, SeRestorePrivilege ×2, SeSecurityPrivilege ×2, SeTakeOwnershipPrivilege ×2
- PID 4736 MSI1926.tmp (1): SeDebugPrivilege
- PID 3476 rundll32.exe (1): SeDebugPrivilege
Suspicious use of FindShellTrayWindow 2 IoCs
- PID 4528 msiexec.exe: 2
Suspicious use of WriteProcessMemory 14 IoCs
Source PID → target PID (source process → target process, procid_target), with the number of entries:
- 4592 → 2560 (msiexec.exe → srtasks.exe, 85): 2
- 4592 → 1880 (msiexec.exe → MSI1926.tmp, 87): 3
- 1880 → 4736 (MSI1926.tmp → MSI1926.tmp, 89): 3
- 2480 → 3476 (Explorer.EXE → rundll32.exe, 90): 3
- 3476 → 2256 (rundll32.exe → cmd.exe, 91): 3
Processes
- C:\Windows\system32\msiexec.exe (PID 4528)
  Command line: msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\445342537392aa1e3756715d6f4eaafa281c4b8d5a8bfd104978ce4ce1635ac1.msi
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
- C:\Windows\Explorer.EXE (PID 2480)
  Command line: C:\Windows\Explorer.EXE
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe (PID 3476)
    Command line: "C:\Windows\SysWOW64\rundll32.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe (PID 2256)
      Command line: /c del "C:\Windows\Installer\MSI1926.tmp"
- C:\Windows\system32\msiexec.exe (PID 4592)
  Command line: C:\Windows\system32\msiexec.exe /V
  - Enumerates connected drives
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\system32\srtasks.exe (PID 2560)
    Command line: C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\Installer\MSI1926.tmp (PID 1880)
    Command line: "C:\Windows\Installer\MSI1926.tmp"
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    - C:\Windows\Installer\MSI1926.tmp (PID 4736)
      Command line: "C:\Windows\Installer\MSI1926.tmp"
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\vssvc.exe (PID 1588)
  Command line: C:\Windows\system32\vssvc.exe
  - Checks SCSI registry key(s)
  - Suspicious use of AdjustPrivilegeToken
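The process tree and the SetThreadContext table together describe the Formbook execution chain: a dropped executable hollows a second copy of itself, the hollowed copy injects into Explorer.EXE, Explorer launches a system binary with no arguments (rundll32.exe here; Formbook is documented as picking the host from a fixed list of system binaries, but that list is not on this page, so the rule below keys on the empty command line instead), that binary injects into Explorer in turn, and its cmd.exe child deletes the dropper. The following detection logic is an added example, not part of the tria.ge report or of any tria.ge tooling: the process records and the SetThreadContext pairs are transcribed by hand from the report above, and the record layout and rule names are my own.

```python
"""Flag the Formbook process-injection chain in a sandbox process tree.

Added example, not part of the tria.ge report. PROCESSES and
SET_THREAD_CONTEXT are transcribed from the report's process tree and its
"Suspicious use of SetThreadContext" table; the field layout is my own.
"""
from typing import Dict, List, Optional, Tuple

# pid -> (parent pid, or None for a tree root; image path; command line)
Proc = Tuple[Optional[int], str, str]

PROCESSES: Dict[int, Proc] = {
    4528: (None, r"C:\Windows\system32\msiexec.exe",
           r"msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\445342537392aa1e3756715d6f4eaafa281c4b8d5a8bfd104978ce4ce1635ac1.msi"),
    2480: (None, r"C:\Windows\Explorer.EXE", r"C:\Windows\Explorer.EXE"),
    3476: (2480, r"C:\Windows\SysWOW64\rundll32.exe", r'"C:\Windows\SysWOW64\rundll32.exe"'),
    2256: (3476, r"C:\Windows\SysWOW64\cmd.exe", r'/c del "C:\Windows\Installer\MSI1926.tmp"'),
    4592: (None, r"C:\Windows\system32\msiexec.exe", r"C:\Windows\system32\msiexec.exe /V"),
    2560: (4592, r"C:\Windows\system32\srtasks.exe",
           r"C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2"),
    1880: (4592, r"C:\Windows\Installer\MSI1926.tmp", r'"C:\Windows\Installer\MSI1926.tmp"'),
    4736: (1880, r"C:\Windows\Installer\MSI1926.tmp", r'"C:\Windows\Installer\MSI1926.tmp"'),
    1588: (None, r"C:\Windows\system32\vssvc.exe", r"C:\Windows\system32\vssvc.exe"),
}

# (source pid, target pid) rows of the SetThreadContext table
SET_THREAD_CONTEXT: List[Tuple[int, int]] = [(1880, 4736), (4736, 2480), (3476, 2480)]


def basename(path: str) -> str:
    """Lower-cased file name of an image path."""
    return path.rsplit("\\", 1)[-1].lower()


def self_hollowing(procs: Dict[int, Proc], stc: List[Tuple[int, int]]) -> List[Tuple[int, int]]:
    """A process sets the thread context of its own child running the same image:
    the 'start a suspended copy of yourself and overwrite it' hollowing step."""
    return [(src, dst) for src, dst in stc
            if procs[dst][0] == src and procs[src][1].lower() == procs[dst][1].lower()]


def injectors_into(procs: Dict[int, Proc], stc: List[Tuple[int, int]], victim: str = "explorer.exe") -> List[int]:
    """Source pids that set a thread context inside the named process."""
    return [src for src, dst in stc if basename(procs[dst][1]) == victim]


def argless_children_of(procs: Dict[int, Proc], parent: str = "explorer.exe") -> List[int]:
    """Children of the named parent whose command line is nothing but their own
    image path; a bare rundll32.exe launched by Explorer has no legitimate reason to exist."""
    hits = []
    for pid, (ppid, image, cmdline) in procs.items():
        parent_proc = procs.get(ppid) if ppid is not None else None
        if parent_proc is None or basename(parent_proc[1]) != parent:
            continue
        if cmdline.strip().strip('"').lower() == image.lower():
            hits.append(pid)
    return hits


def self_delete(procs: Dict[int, Proc]) -> List[Tuple[int, str]]:
    """cmd.exe /c del aimed at an image that is itself in the tree (dropper cleanup)."""
    images = {image.lower() for _, image, _ in procs.values()}
    hits = []
    for pid, (_, image, cmdline) in procs.items():
        low = cmdline.lower()
        if basename(image) == "cmd.exe" and "/c del" in low:
            target = low.split("/c del", 1)[1].strip().strip('"')
            if target in images:
                hits.append((pid, target))
    return hits


def formbook_chain(procs: Dict[int, Proc], stc: List[Tuple[int, int]]) -> Optional[Dict[str, Optional[int]]]:
    """Return the pid of each stage when the whole chain is present, else None."""
    hollow = self_hollowing(procs, stc)
    if not hollow:
        return None
    dropper, hollowed = hollow[0]
    injectors = injectors_into(procs, stc)
    if hollowed not in injectors:
        return None
    # The host Explorer spawned must itself inject back into Explorer.
    hosts = [p for p in argless_children_of(procs) if p in injectors]
    if not hosts:
        return None
    host = hosts[0]
    cleanup = [pid for pid, target in self_delete(procs)
               if procs[pid][0] == host and target == procs[hollowed][1].lower()]
    return {"dropper": dropper, "hollowed": hollowed, "host": host,
            "cleanup": cleanup[0] if cleanup else None}


if __name__ == "__main__":
    print(formbook_chain(PROCESSES, SET_THREAD_CONTEXT))
```

Run against the report's tree this returns dropper 1880, hollowed copy 4736, host 3476 and cleanup 2256; the installer-side processes (msiexec.exe, srtasks.exe, vssvc.exe) never enter the verdict, which is the point of keying on the injection edges rather than on the individual signatures that the installer also trips.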
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 757KB (the same file is listed three times in the report's download list)
  MD5: 796f982d0dfe5b16b3df76473a919b50
  SHA1: 6a7f3e45afe268a4a630ce57d3cacd7ebe208ec1
  SHA256: c3791863ec4be69c97f366b7e73ed9e5e18f3fd8c1e1cbf3dffac226313272f2
  SHA512: 09492b47ee13d5c13c6aa6bbc0b3322d8a96c9caa328040477120415d4c544397079264248b1290fe412e51ae2cf62ca702b7da6a76d41d2acff5668a92e8064
- Filesize: 23.0MB
  MD5: 226c7e95b55a48dd0f2fc369c042e6cd
  SHA1: 337f55dcdc7c11971abb0ad111d340bef096f4fe
  SHA256: 2d007b55982bad5f6a52e59669a5eac8057fc339cfffee99d4a0199deb9d4bd6
  SHA512: f373fa891fd43c9a9f12056ff3c48c954cb667a0c66add69e09150b287ed070080e908f58c559ecb1d5fd383ad83201e696b1c1d30f66160d89d97c3c107cc32
- \??\Volume{40beaa24-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{da170177-e7e8-4bee-92e3-df4943b89cac}_OnDiskSnapshotProp (restore-point snapshot metadata written during the install)
  Filesize: 5KB
  MD5: 403cd37c18a0e3e8c20bb05b09472808
  SHA1: 5162e981e404351ae8f68734f87dbf2f4eb61274
  SHA256: 48a6b17cf0a34d6a245f0434f5a3f4bb6b462ca2d2e5d24bfc06d6f9c34a6003
  SHA512: cba7e985b61d58ea77cb6946b279435cd5bb64cf889e22002d2e0913e2d56308a1707b6e7ceeab197aebb0031b93b6fba7a49c701f51ec79ce6f717393671c5b