Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Resubmissions
30/06/2023, 17:49
230630-wd8g5seb76 830/06/2023, 17:45
230630-wbqvbaeb69 829/06/2023, 17:53
230629-wgaqaaed89 8Analysis
-
max time kernel
116s -
max time network
142s -
platform
windows10-2004_x64 -
resource
win10v2004-20230621-es -
resource tags
arch:x64arch:x86image:win10v2004-20230621-eslocale:es-esos:windows10-2004-x64systemwindows -
submitted
29/06/2023, 17:53
Static task
static1
Behavioral task
behavioral1
Sample
formularioimprimibleCLE.msi
Resource
win7-20230621-es
Behavioral task
behavioral2
Sample
formularioimprimibleCLE.msi
Resource
win10v2004-20230621-es
General
-
Target
formularioimprimibleCLE.msi
-
Size
6.3MB
-
MD5
043dfa1567871c033c9514b544c7fef2
-
SHA1
97c9f86276885dcecc0e8108ebe4feef0a231518
-
SHA256
55ec807f6f52f3145fc046e64bcf4fa42ed595f10214f22025c07f7c900f3e4b
-
SHA512
a86ec480977715b8969d0b11c354acb7694526615006af9e5b1946997905464f0657cca614698cebcc6d7f5b866d6cb1c2220c2385c1bbbd9284f92c9c03d72e
-
SSDEEP
196608:u29Ik7oVQ2CAmYcA13ikoGhE4qLSupNxfTC:u2SMJ25mVA1xvzuLM
Malware Config
Signatures
-
Blocklisted process makes network request 4 IoCs
flow pid Process 35 4616 MsiExec.exe 37 4616 MsiExec.exe 39 4616 MsiExec.exe 43 4616 MsiExec.exe -
Loads dropped DLL 7 IoCs
pid Process 4616 MsiExec.exe 4616 MsiExec.exe 4616 MsiExec.exe 4616 MsiExec.exe 4616 MsiExec.exe 4616 MsiExec.exe 4616 MsiExec.exe -
Enumerates connected drives 3 TTPs 46 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\Z: msiexec.exe File opened (read-only) \??\H: msiexec.exe File opened (read-only) \??\V: msiexec.exe File opened (read-only) \??\U: msiexec.exe File opened (read-only) \??\L: msiexec.exe File opened (read-only) \??\O: msiexec.exe File opened (read-only) \??\K: msiexec.exe File opened (read-only) \??\A: msiexec.exe File opened (read-only) \??\B: msiexec.exe File opened (read-only) \??\J: msiexec.exe File opened (read-only) \??\K: msiexec.exe File opened (read-only) \??\W: msiexec.exe File opened (read-only) \??\Z: msiexec.exe File opened (read-only) \??\A: msiexec.exe File opened (read-only) \??\N: msiexec.exe File opened (read-only) \??\P: msiexec.exe File opened (read-only) \??\V: msiexec.exe File opened (read-only) \??\Y: msiexec.exe File opened (read-only) \??\I: msiexec.exe File opened (read-only) \??\L: msiexec.exe File opened (read-only) \??\O: msiexec.exe File opened (read-only) \??\E: msiexec.exe File opened (read-only) \??\Q: msiexec.exe File opened (read-only) \??\S: msiexec.exe File opened (read-only) \??\T: msiexec.exe File opened (read-only) \??\P: msiexec.exe File opened (read-only) \??\Q: msiexec.exe File opened (read-only) \??\R: msiexec.exe File opened (read-only) \??\S: msiexec.exe File opened (read-only) \??\M: msiexec.exe File opened (read-only) \??\Y: msiexec.exe File opened (read-only) \??\J: msiexec.exe File opened (read-only) \??\G: msiexec.exe File opened (read-only) \??\X: msiexec.exe File opened (read-only) \??\X: msiexec.exe File opened (read-only) \??\I: msiexec.exe File opened (read-only) \??\T: msiexec.exe File opened (read-only) \??\W: msiexec.exe File opened (read-only) \??\E: msiexec.exe File opened (read-only) \??\U: msiexec.exe File opened (read-only) \??\B: msiexec.exe File opened (read-only) \??\H: msiexec.exe File opened (read-only) \??\M: msiexec.exe File opened (read-only) \??\N: msiexec.exe File opened (read-only) \??\R: msiexec.exe File opened (read-only) \??\G: msiexec.exe -
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 34 ipinfo.io 35 ipinfo.io -
Drops file in System32 directory 7 IoCs
description ioc Process File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{FDADDCB5-B03B-4E64-B11C-E3C5ACE3057B}.catalogItem svchost.exe File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{74D83130-630B-428D-BA93-F105AEAA3E8B}.catalogItem svchost.exe File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{619ECF45-6637-43E8-AF4E-02D203475735}.catalogItem svchost.exe File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{4F8BCBE1-433A-4663-A461-7B4CF7D5707C}.catalogItem svchost.exe File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{35C40692-7774-4AF2-81C9-F0B9BF825B9D}.catalogItem svchost.exe File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{0BE6EBAC-1670-4418-8929-0DE7A9E88AED}.catalogItem svchost.exe File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{FE8F02B0-6B77-419C-B441-B151C010DBF6}.catalogItem svchost.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
pid Process 4616 MsiExec.exe 4616 MsiExec.exe -
Drops file in Windows directory 13 IoCs
description ioc Process File created C:\Windows\Installer\e567506.msi msiexec.exe File opened for modification C:\Windows\Installer\MSI7881.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSI794D.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSI797D.tmp msiexec.exe File opened for modification C:\Windows\Installer\ msiexec.exe File created C:\Windows\Installer\inprogressinstallinfo.ipi msiexec.exe File opened for modification C:\Windows\Installer\MSI817F.tmp msiexec.exe File opened for modification C:\Windows\Installer\e567506.msi msiexec.exe File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log msiexec.exe File opened for modification C:\Windows\Installer\MSI7592.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSI7FE7.tmp msiexec.exe File created C:\Windows\Installer\SourceHash{AC72E8C6-41B2-4419-B471-CE193B15B7D0} msiexec.exe File opened for modification C:\Windows\Installer\MSI814F.tmp msiexec.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 4532 4616 WerFault.exe 84 -
Suspicious behavior: EnumeratesProcesses 6 IoCs
pid Process 4768 msiexec.exe 4768 msiexec.exe 4616 MsiExec.exe 4616 MsiExec.exe 4616 MsiExec.exe 4616 MsiExec.exe -
Suspicious use of AdjustPrivilegeToken 52 IoCs
description pid Process Token: SeShutdownPrivilege 4884 msiexec.exe Token: SeIncreaseQuotaPrivilege 4884 msiexec.exe Token: SeSecurityPrivilege 4768 msiexec.exe Token: SeCreateTokenPrivilege 4884 msiexec.exe Token: SeAssignPrimaryTokenPrivilege 4884 msiexec.exe Token: SeLockMemoryPrivilege 4884 msiexec.exe Token: SeIncreaseQuotaPrivilege 4884 msiexec.exe Token: SeMachineAccountPrivilege 4884 msiexec.exe Token: SeTcbPrivilege 4884 msiexec.exe Token: SeSecurityPrivilege 4884 msiexec.exe Token: SeTakeOwnershipPrivilege 4884 msiexec.exe Token: SeLoadDriverPrivilege 4884 msiexec.exe Token: SeSystemProfilePrivilege 4884 msiexec.exe Token: SeSystemtimePrivilege 4884 msiexec.exe Token: SeProfSingleProcessPrivilege 4884 msiexec.exe Token: SeIncBasePriorityPrivilege 4884 msiexec.exe Token: SeCreatePagefilePrivilege 4884 msiexec.exe Token: SeCreatePermanentPrivilege 4884 msiexec.exe Token: SeBackupPrivilege 4884 msiexec.exe Token: SeRestorePrivilege 4884 msiexec.exe Token: SeShutdownPrivilege 4884 msiexec.exe Token: SeDebugPrivilege 4884 msiexec.exe Token: SeAuditPrivilege 4884 msiexec.exe Token: SeSystemEnvironmentPrivilege 4884 msiexec.exe Token: SeChangeNotifyPrivilege 4884 msiexec.exe Token: SeRemoteShutdownPrivilege 4884 msiexec.exe Token: SeUndockPrivilege 4884 msiexec.exe Token: SeSyncAgentPrivilege 4884 msiexec.exe Token: SeEnableDelegationPrivilege 4884 msiexec.exe Token: SeManageVolumePrivilege 4884 msiexec.exe Token: SeImpersonatePrivilege 4884 msiexec.exe Token: SeCreateGlobalPrivilege 4884 msiexec.exe Token: SeRestorePrivilege 4768 msiexec.exe Token: SeTakeOwnershipPrivilege 4768 msiexec.exe Token: SeRestorePrivilege 4768 msiexec.exe Token: SeTakeOwnershipPrivilege 4768 msiexec.exe Token: SeRestorePrivilege 4768 msiexec.exe Token: SeTakeOwnershipPrivilege 4768 msiexec.exe Token: SeRestorePrivilege 4768 msiexec.exe Token: SeTakeOwnershipPrivilege 4768 msiexec.exe Token: SeRestorePrivilege 4768 msiexec.exe Token: SeTakeOwnershipPrivilege 4768 msiexec.exe Token: SeRestorePrivilege 4768 msiexec.exe Token: SeTakeOwnershipPrivilege 4768 msiexec.exe Token: SeRestorePrivilege 4768 msiexec.exe Token: SeTakeOwnershipPrivilege 4768 msiexec.exe Token: SeRestorePrivilege 4768 msiexec.exe Token: SeTakeOwnershipPrivilege 4768 msiexec.exe Token: SeRestorePrivilege 4768 msiexec.exe Token: SeTakeOwnershipPrivilege 4768 msiexec.exe Token: SeRestorePrivilege 4768 msiexec.exe Token: SeTakeOwnershipPrivilege 4768 msiexec.exe -
Suspicious use of FindShellTrayWindow 2 IoCs
pid Process 4884 msiexec.exe 4884 msiexec.exe -
Suspicious use of WriteProcessMemory 3 IoCs
description pid Process procid_target PID 4768 wrote to memory of 4616 4768 msiexec.exe 84 PID 4768 wrote to memory of 4616 4768 msiexec.exe 84 PID 4768 wrote to memory of 4616 4768 msiexec.exe 84
Processes
-
C:\Windows\system32\msiexec.exemsiexec.exe /I C:\Users\Admin\AppData\Local\Temp\formularioimprimibleCLE.msi1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4884
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4768 -
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding D25B15018FB19D9F8B39712C2C343A852⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:4616 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4616 -s 7923⤵
- Program crash
PID:4532
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4616 -ip 46161⤵PID:4788
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netsvcs -p1⤵
- Drops file in System32 directory
PID:4824
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD5049b2f751350ab19d26bf1d196704069
SHA1a3b4f880b283ad7c34e7451faf83f3e3dcb9a6ff
SHA25605fcc33113cda6212b246603b0b3a3919f6164ce6b1426baf4919c0f6187f52a
SHA51212d289b3fa7e79e2481525f438f46d095a50d1e37b89a2d156f9df696b460e7721a9401c9d1837d65e10adc146ff09ce035a9442d4205543c471094352b616d2
-
Filesize
376KB
MD5e12c5bcc254c953b1a46d1434804f4d2
SHA199f67acf34af1294f3c6e5eb521c862e1c772397
SHA2565316cfae8b4d28ab7cbc5cab60e27b0c0f5a3210a921a4b0560769c5021c911b
SHA5129a61aa00b651fc616cd09d28f4a6b872889a026c61d818595a82c58fdff187e3ad57916c2b8690d1e7016d73a05435e13a85758917cfb89029b34c4a1685aa0b
-
Filesize
376KB
MD5e12c5bcc254c953b1a46d1434804f4d2
SHA199f67acf34af1294f3c6e5eb521c862e1c772397
SHA2565316cfae8b4d28ab7cbc5cab60e27b0c0f5a3210a921a4b0560769c5021c911b
SHA5129a61aa00b651fc616cd09d28f4a6b872889a026c61d818595a82c58fdff187e3ad57916c2b8690d1e7016d73a05435e13a85758917cfb89029b34c4a1685aa0b
-
Filesize
376KB
MD5e12c5bcc254c953b1a46d1434804f4d2
SHA199f67acf34af1294f3c6e5eb521c862e1c772397
SHA2565316cfae8b4d28ab7cbc5cab60e27b0c0f5a3210a921a4b0560769c5021c911b
SHA5129a61aa00b651fc616cd09d28f4a6b872889a026c61d818595a82c58fdff187e3ad57916c2b8690d1e7016d73a05435e13a85758917cfb89029b34c4a1685aa0b
-
Filesize
376KB
MD5e12c5bcc254c953b1a46d1434804f4d2
SHA199f67acf34af1294f3c6e5eb521c862e1c772397
SHA2565316cfae8b4d28ab7cbc5cab60e27b0c0f5a3210a921a4b0560769c5021c911b
SHA5129a61aa00b651fc616cd09d28f4a6b872889a026c61d818595a82c58fdff187e3ad57916c2b8690d1e7016d73a05435e13a85758917cfb89029b34c4a1685aa0b
-
Filesize
376KB
MD5e12c5bcc254c953b1a46d1434804f4d2
SHA199f67acf34af1294f3c6e5eb521c862e1c772397
SHA2565316cfae8b4d28ab7cbc5cab60e27b0c0f5a3210a921a4b0560769c5021c911b
SHA5129a61aa00b651fc616cd09d28f4a6b872889a026c61d818595a82c58fdff187e3ad57916c2b8690d1e7016d73a05435e13a85758917cfb89029b34c4a1685aa0b
-
Filesize
376KB
MD5e12c5bcc254c953b1a46d1434804f4d2
SHA199f67acf34af1294f3c6e5eb521c862e1c772397
SHA2565316cfae8b4d28ab7cbc5cab60e27b0c0f5a3210a921a4b0560769c5021c911b
SHA5129a61aa00b651fc616cd09d28f4a6b872889a026c61d818595a82c58fdff187e3ad57916c2b8690d1e7016d73a05435e13a85758917cfb89029b34c4a1685aa0b
-
Filesize
376KB
MD5e12c5bcc254c953b1a46d1434804f4d2
SHA199f67acf34af1294f3c6e5eb521c862e1c772397
SHA2565316cfae8b4d28ab7cbc5cab60e27b0c0f5a3210a921a4b0560769c5021c911b
SHA5129a61aa00b651fc616cd09d28f4a6b872889a026c61d818595a82c58fdff187e3ad57916c2b8690d1e7016d73a05435e13a85758917cfb89029b34c4a1685aa0b
-
Filesize
860KB
MD571b541254864bd52f85e932e2040cbe8
SHA1713766e1818f8d7ca814c86109c9cdd5d57914ef
SHA256b29ab4744ff6c8c9c440e878abf6f76255c538e71564e6a6279513b543be0538
SHA5124d2e0a30fd6729eb40fad358795db152327b0441da574052a371762f33c9f9e7b9a77c4a4762207bcb401a2d3ef6438730c245916f4a81cd20f748857d5170d2
-
Filesize
860KB
MD571b541254864bd52f85e932e2040cbe8
SHA1713766e1818f8d7ca814c86109c9cdd5d57914ef
SHA256b29ab4744ff6c8c9c440e878abf6f76255c538e71564e6a6279513b543be0538
SHA5124d2e0a30fd6729eb40fad358795db152327b0441da574052a371762f33c9f9e7b9a77c4a4762207bcb401a2d3ef6438730c245916f4a81cd20f748857d5170d2
-
Filesize
376KB
MD5e12c5bcc254c953b1a46d1434804f4d2
SHA199f67acf34af1294f3c6e5eb521c862e1c772397
SHA2565316cfae8b4d28ab7cbc5cab60e27b0c0f5a3210a921a4b0560769c5021c911b
SHA5129a61aa00b651fc616cd09d28f4a6b872889a026c61d818595a82c58fdff187e3ad57916c2b8690d1e7016d73a05435e13a85758917cfb89029b34c4a1685aa0b
-
Filesize
376KB
MD5e12c5bcc254c953b1a46d1434804f4d2
SHA199f67acf34af1294f3c6e5eb521c862e1c772397
SHA2565316cfae8b4d28ab7cbc5cab60e27b0c0f5a3210a921a4b0560769c5021c911b
SHA5129a61aa00b651fc616cd09d28f4a6b872889a026c61d818595a82c58fdff187e3ad57916c2b8690d1e7016d73a05435e13a85758917cfb89029b34c4a1685aa0b
-
Filesize
4.9MB
MD5092eca934d678084a26cd40a4d3c820e
SHA1a3a3f338429b2621bf02dde24f931925b522cc9d
SHA256d35e11b78d14db8c976c7a800f4c2caf092f63b1ea0c29742564317c28701cbf
SHA51298002b475a798883263b0c2ae81cd893d77c8272dd16a9ecda99bd8d68f221a77950bf65e1322c665bbec6ed035639c2365f943d5f918a62c5ef7664ae1d70ba
-
Filesize
4.9MB
MD5092eca934d678084a26cd40a4d3c820e
SHA1a3a3f338429b2621bf02dde24f931925b522cc9d
SHA256d35e11b78d14db8c976c7a800f4c2caf092f63b1ea0c29742564317c28701cbf
SHA51298002b475a798883263b0c2ae81cd893d77c8272dd16a9ecda99bd8d68f221a77950bf65e1322c665bbec6ed035639c2365f943d5f918a62c5ef7664ae1d70ba
-
Filesize
4.9MB
MD5092eca934d678084a26cd40a4d3c820e
SHA1a3a3f338429b2621bf02dde24f931925b522cc9d
SHA256d35e11b78d14db8c976c7a800f4c2caf092f63b1ea0c29742564317c28701cbf
SHA51298002b475a798883263b0c2ae81cd893d77c8272dd16a9ecda99bd8d68f221a77950bf65e1322c665bbec6ed035639c2365f943d5f918a62c5ef7664ae1d70ba