Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

7

Static

static

1

arqui64937...34.msi

windows7-x64

7

arqui64937...34.msi

windows10-2004-x64

7

Analysis

  • max time kernel
    136s
  • max time network
    84s
  • platform
    windows7_x64
  • resource
    win7-20230220-en
  • resource tags

    arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
  • submitted
    05/05/2023, 20:11

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    arqui64937026476Cliente,Ref70645183bc53734.msi

  • Size

    15.5MB

  • MD5

    ad7cb6cd4ed39265dab644c4f17856fc

  • SHA1

    1465b3e3990a3c321cbfe5c7a8154a9e8dd82de3

  • SHA256

    e22a215c263b61d1b4ae976b9ec89e2f1581b32a2eaf94287cfd5420241918ec

  • SHA512

    85689328f5d5b2613b7c87b5c54c1d83c5583d02f618b6e5df1c65ed874d17c38989b1193f2a58fe10f359869b850c3650f4a0af313388e2e78135bddedf81cb

  • SSDEEP

    393216:ScpHAghg3UBtEXKGZVHkcR3E3tne/RxqLQJ:SIAgW3UBaJisU3tnInJ

Score
7/10
persistencespywarestealervmprotect

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 5 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • VMProtect packed file 3 IoCs

    Detects executables packed with VMProtect commercial packer.

    vmprotect
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Enumerates connected drives 3 TTPs 48 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Drops file in Windows directory 10 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Windows\system32\msiexec.exe
    msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\arqui64937026476Cliente,Ref70645183bc53734.msi
    1⤵
    • Enumerates connected drives
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:1988
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Enumerates connected drives
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:520
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding 63A400891B12245FB791DA8C8ED7D9DC
      2⤵
      • Loads dropped DLL
      PID:848
    • C:\Users\Admin\AppData\Roaming\BitDefender Antivirus\BitDefender\ArmExe.exe
      "C:\Users\Admin\AppData\Roaming\BitDefender Antivirus\BitDefender\ArmExe.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious behavior: EnumeratesProcesses
      PID:2000

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Config.Msi\6cc334.rbs
    Filesize

    9KB

    MD5

    192755c2e16ff5227d7024b381c1a82f

    SHA1

    a820bceac6537cbb2686608a34aecbbb2bd87f78

    SHA256

    e3a7b897a1f7be0eac12c0f14000fe5b01c4de6486c338f511af4ff21e808930

    SHA512

    466ab3e602ec14e5955e307de5908cfbac6679c1d324d427cd625e9cca537c6ef285fae466d19db3f74ceccda03364e481c94c0772f7aab579d5a2003b4c798a

    Download Submit

  • C:\Users\Admin\AppData\Roaming\BitDefender Antivirus\BitDefender\ArmExe.exe
    Filesize

    2.4MB

    MD5

    96cc6f399cd2afe922f50258a9847df6

    SHA1

    82904600c0509b7273b609a78138c4464d5159bd

    SHA256

    e1ce739e24a311756a6ece80f9394e753e2ff70cf35107531e8699a54262a7ce

    SHA512

    7b2d0d3b9068ef5a8214d51c21de96a8c0981b3f7becb73bb43fc14187d51e1393b85e9770dbc4f1644285e46590634439ca3bb494a0e8eee7768520fedffd3f

    Download Submit

  • C:\Users\Admin\AppData\Roaming\BitDefender Antivirus\BitDefender\ArmExe.exe
    Filesize

    2.4MB

    MD5

    96cc6f399cd2afe922f50258a9847df6

    SHA1

    82904600c0509b7273b609a78138c4464d5159bd

    SHA256

    e1ce739e24a311756a6ece80f9394e753e2ff70cf35107531e8699a54262a7ce

    SHA512

    7b2d0d3b9068ef5a8214d51c21de96a8c0981b3f7becb73bb43fc14187d51e1393b85e9770dbc4f1644285e46590634439ca3bb494a0e8eee7768520fedffd3f

    Download Submit

  • C:\Users\Admin\AppData\Roaming\BitDefender Antivirus\BitDefender\ArmExe.exe
    Filesize

    2.4MB

    MD5

    96cc6f399cd2afe922f50258a9847df6

    SHA1

    82904600c0509b7273b609a78138c4464d5159bd

    SHA256

    e1ce739e24a311756a6ece80f9394e753e2ff70cf35107531e8699a54262a7ce

    SHA512

    7b2d0d3b9068ef5a8214d51c21de96a8c0981b3f7becb73bb43fc14187d51e1393b85e9770dbc4f1644285e46590634439ca3bb494a0e8eee7768520fedffd3f

    Download Submit

  • C:\Users\Admin\AppData\Roaming\BitDefender Antivirus\BitDefender\brainstorm.dll
    Filesize

    12.7MB

    MD5

    e2e219b36b71b9ce5193d4304cd72739

    SHA1

    c12d79d0aaccbb30a3d9fbe660ccadb7db6ffa0f

    SHA256

    5b06d2da62ffdb69235427dc039903bf1e48afcb38f3da531a944e9e1bdbe8d0

    SHA512

    843652062fa3342f446cc8494dd20654e63ef34625730afaac2ddacce8633679a455585b9b61042c126850f736e85b238ab7633a2fb6c788a595981eeb139a6a

    Download Submit

  • C:\Users\Admin\AppData\Roaming\BitDefender Antivirus\BitDefender\libmysql.dll
    Filesize

    2.0MB

    MD5

    44dad33d2c2f921f30ed92e80cf44225

    SHA1

    5a240878104cb319f2e75a4634b0cf55c94d4c01

    SHA256

    4f999468e7a99471fc22339aea9b5189746f8fba36f77ee972c9299e09ad4815

    SHA512

    b5ade093c77668ad16335b6799ba8f0bc8a3857f1609eb7f6dd8434cdc64cda3f5411c312e768f3517de0c425271363a019c642719d5dc9573986b7334f184c9

    Download Submit

  • C:\Windows\Installer\6cc331.msi
    Filesize

    15.5MB

    MD5

    ad7cb6cd4ed39265dab644c4f17856fc

    SHA1

    1465b3e3990a3c321cbfe5c7a8154a9e8dd82de3

    SHA256

    e22a215c263b61d1b4ae976b9ec89e2f1581b32a2eaf94287cfd5420241918ec

    SHA512

    85689328f5d5b2613b7c87b5c54c1d83c5583d02f618b6e5df1c65ed874d17c38989b1193f2a58fe10f359869b850c3650f4a0af313388e2e78135bddedf81cb

    Download Submit

  • C:\Windows\Installer\MSIC505.tmp
    Filesize

    584KB

    MD5

    ad6faed544d1f3b892268e4b47425736

    SHA1

    e893ad7e0b52f03cedd0f94a8b9655459286083c

    SHA256

    759936d197e6098be606432002b78067c3feb2dbc294f5776b1c8c3a38314f0b

    SHA512

    0a752417f5e3789fee92c6d755a0c34317b82cb0cb9995ba7b5f102b4e85ad0d48206d66cb766f48a767be2349c546b51e963ee6e032446447b29868943b2af5

    Download Submit

  • C:\Windows\Installer\MSIC785.tmp
    Filesize

    584KB

    MD5

    ad6faed544d1f3b892268e4b47425736

    SHA1

    e893ad7e0b52f03cedd0f94a8b9655459286083c

    SHA256

    759936d197e6098be606432002b78067c3feb2dbc294f5776b1c8c3a38314f0b

    SHA512

    0a752417f5e3789fee92c6d755a0c34317b82cb0cb9995ba7b5f102b4e85ad0d48206d66cb766f48a767be2349c546b51e963ee6e032446447b29868943b2af5

    Download Submit

  • C:\Windows\Installer\MSIC7F4.tmp
    Filesize

    584KB

    MD5

    ad6faed544d1f3b892268e4b47425736

    SHA1

    e893ad7e0b52f03cedd0f94a8b9655459286083c

    SHA256

    759936d197e6098be606432002b78067c3feb2dbc294f5776b1c8c3a38314f0b

    SHA512

    0a752417f5e3789fee92c6d755a0c34317b82cb0cb9995ba7b5f102b4e85ad0d48206d66cb766f48a767be2349c546b51e963ee6e032446447b29868943b2af5

    Download Submit

  • C:\Windows\Installer\MSIC7F4.tmp
    Filesize

    584KB

    MD5

    ad6faed544d1f3b892268e4b47425736

    SHA1

    e893ad7e0b52f03cedd0f94a8b9655459286083c

    SHA256

    759936d197e6098be606432002b78067c3feb2dbc294f5776b1c8c3a38314f0b

    SHA512

    0a752417f5e3789fee92c6d755a0c34317b82cb0cb9995ba7b5f102b4e85ad0d48206d66cb766f48a767be2349c546b51e963ee6e032446447b29868943b2af5

    Download Submit

  • \Users\Admin\AppData\Roaming\BitDefender Antivirus\BitDefender\brainstorm.dll
    Filesize

    12.7MB

    MD5

    e2e219b36b71b9ce5193d4304cd72739

    SHA1

    c12d79d0aaccbb30a3d9fbe660ccadb7db6ffa0f

    SHA256

    5b06d2da62ffdb69235427dc039903bf1e48afcb38f3da531a944e9e1bdbe8d0

    SHA512

    843652062fa3342f446cc8494dd20654e63ef34625730afaac2ddacce8633679a455585b9b61042c126850f736e85b238ab7633a2fb6c788a595981eeb139a6a

    Download Submit

  • \Users\Admin\AppData\Roaming\BitDefender Antivirus\BitDefender\libmysql.dll
    Filesize

    2.0MB

    MD5

    44dad33d2c2f921f30ed92e80cf44225

    SHA1

    5a240878104cb319f2e75a4634b0cf55c94d4c01

    SHA256

    4f999468e7a99471fc22339aea9b5189746f8fba36f77ee972c9299e09ad4815

    SHA512

    b5ade093c77668ad16335b6799ba8f0bc8a3857f1609eb7f6dd8434cdc64cda3f5411c312e768f3517de0c425271363a019c642719d5dc9573986b7334f184c9

    Download Submit

  • \Windows\Installer\MSIC505.tmp
    Filesize

    584KB

    MD5

    ad6faed544d1f3b892268e4b47425736

    SHA1

    e893ad7e0b52f03cedd0f94a8b9655459286083c

    SHA256

    759936d197e6098be606432002b78067c3feb2dbc294f5776b1c8c3a38314f0b

    SHA512

    0a752417f5e3789fee92c6d755a0c34317b82cb0cb9995ba7b5f102b4e85ad0d48206d66cb766f48a767be2349c546b51e963ee6e032446447b29868943b2af5

    Download Submit

  • \Windows\Installer\MSIC785.tmp
    Filesize

    584KB

    MD5

    ad6faed544d1f3b892268e4b47425736

    SHA1

    e893ad7e0b52f03cedd0f94a8b9655459286083c

    SHA256

    759936d197e6098be606432002b78067c3feb2dbc294f5776b1c8c3a38314f0b

    SHA512

    0a752417f5e3789fee92c6d755a0c34317b82cb0cb9995ba7b5f102b4e85ad0d48206d66cb766f48a767be2349c546b51e963ee6e032446447b29868943b2af5

    Download Submit

  • \Windows\Installer\MSIC7F4.tmp
    Filesize

    584KB

    MD5

    ad6faed544d1f3b892268e4b47425736

    SHA1

    e893ad7e0b52f03cedd0f94a8b9655459286083c

    SHA256

    759936d197e6098be606432002b78067c3feb2dbc294f5776b1c8c3a38314f0b

    SHA512

    0a752417f5e3789fee92c6d755a0c34317b82cb0cb9995ba7b5f102b4e85ad0d48206d66cb766f48a767be2349c546b51e963ee6e032446447b29868943b2af5

    Download Submit

  • memory/2000-103-0x00000000003D0000-0x00000000003D1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2000-112-0x00000000006F0000-0x00000000006F1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2000-91-0x0000000000220000-0x0000000000221000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2000-90-0x0000000000400000-0x0000000000663000-memory.dmp

    Filesize

    2.4MB

    Download

  • memory/2000-101-0x0000000000400000-0x0000000000663000-memory.dmp

    Filesize

    2.4MB

    Download

  • memory/2000-102-0x00000000003D0000-0x00000000003D1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2000-87-0x0000000000220000-0x0000000000221000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2000-104-0x00000000003D0000-0x00000000003D1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2000-105-0x00000000003E0000-0x00000000003E1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2000-106-0x00000000003E0000-0x00000000003E1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2000-107-0x00000000003E0000-0x00000000003E1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2000-109-0x00000000003F0000-0x00000000003F1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2000-110-0x00000000003F0000-0x00000000003F1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2000-94-0x0000000000400000-0x0000000000663000-memory.dmp

    Filesize

    2.4MB

    Download

  • memory/2000-113-0x00000000006F0000-0x00000000006F1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2000-115-0x0000000002100000-0x0000000002101000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2000-116-0x0000000002100000-0x0000000002101000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2000-118-0x0000000002160000-0x0000000002161000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2000-119-0x0000000002160000-0x0000000002161000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2000-120-0x0000000002170000-0x0000000002171000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2000-121-0x0000000002170000-0x0000000002171000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2000-122-0x0000000002170000-0x0000000002171000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2000-123-0x0000000002190000-0x0000000002191000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2000-124-0x0000000002190000-0x0000000002191000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2000-125-0x0000000002190000-0x0000000002191000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2000-126-0x0000000071EC0000-0x0000000073E08000-memory.dmp

    Filesize

    31.3MB

    Download

  • memory/2000-134-0x00000000021B0000-0x00000000021B1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2000-135-0x0000000000400000-0x0000000000663000-memory.dmp

    Filesize

    2.4MB

    Download