Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Resubmissions
30/06/2023, 17:49
230630-wd8g5seb76 830/06/2023, 17:45
230630-wbqvbaeb69 829/06/2023, 17:53
230629-wgaqaaed89 8Analysis
-
max time kernel
54s -
max time network
118s -
platform
windows7_x64 -
resource
win7-20230621-es -
resource tags
arch:x64arch:x86image:win7-20230621-eslocale:es-esos:windows7-x64systemwindows -
submitted
30/06/2023, 17:45
Static task
static1
Behavioral task
behavioral1
Sample
formularioimprimibleCLE.msi
Resource
win7-20230621-es
Behavioral task
behavioral2
Sample
formularioimprimibleCLE.msi
Resource
win10v2004-20230621-es
General
-
Target
formularioimprimibleCLE.msi
-
Size
6.3MB
-
MD5
043dfa1567871c033c9514b544c7fef2
-
SHA1
97c9f86276885dcecc0e8108ebe4feef0a231518
-
SHA256
55ec807f6f52f3145fc046e64bcf4fa42ed595f10214f22025c07f7c900f3e4b
-
SHA512
a86ec480977715b8969d0b11c354acb7694526615006af9e5b1946997905464f0657cca614698cebcc6d7f5b866d6cb1c2220c2385c1bbbd9284f92c9c03d72e
-
SSDEEP
196608:u29Ik7oVQ2CAmYcA13ikoGhE4qLSupNxfTC:u2SMJ25mVA1xvzuLM
Malware Config
Signatures
-
Blocklisted process makes network request 6 IoCs
flow pid Process 4 1504 MsiExec.exe 6 1504 MsiExec.exe 8 1504 MsiExec.exe 10 1504 MsiExec.exe 12 1504 MsiExec.exe 13 1504 MsiExec.exe -
Loads dropped DLL 5 IoCs
pid Process 1504 MsiExec.exe 1504 MsiExec.exe 1504 MsiExec.exe 1504 MsiExec.exe 1504 MsiExec.exe -
Enumerates connected drives 3 TTPs 48 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\N: msiexec.exe File opened (read-only) \??\T: msiexec.exe File opened (read-only) \??\M: msiexec.exe File opened (read-only) \??\Q: msiexec.exe File opened (read-only) \??\T: msiexec.exe File opened (read-only) \??\G: msiexec.exe File opened (read-only) \??\I: msiexec.exe File opened (read-only) \??\V: msiexec.exe File opened (read-only) \??\W: msiexec.exe File opened (read-only) \??\B: msiexec.exe File opened (read-only) \??\F: msiexec.exe File opened (read-only) \??\K: msiexec.exe File opened (read-only) \??\L: msiexec.exe File opened (read-only) \??\M: msiexec.exe File opened (read-only) \??\X: msiexec.exe File opened (read-only) \??\S: msiexec.exe File opened (read-only) \??\S: msiexec.exe File opened (read-only) \??\I: msiexec.exe File opened (read-only) \??\O: msiexec.exe File opened (read-only) \??\U: msiexec.exe File opened (read-only) \??\A: msiexec.exe File opened (read-only) \??\E: msiexec.exe File opened (read-only) \??\H: msiexec.exe File opened (read-only) \??\J: msiexec.exe File opened (read-only) \??\O: msiexec.exe File opened (read-only) \??\Z: msiexec.exe File opened (read-only) \??\R: msiexec.exe File opened (read-only) \??\U: msiexec.exe File opened (read-only) \??\E: msiexec.exe File opened (read-only) \??\N: msiexec.exe File opened (read-only) \??\W: msiexec.exe File opened (read-only) \??\F: msiexec.exe File opened (read-only) \??\G: msiexec.exe File opened (read-only) \??\K: msiexec.exe File opened (read-only) \??\X: msiexec.exe File opened (read-only) \??\J: msiexec.exe File opened (read-only) \??\L: msiexec.exe File opened (read-only) \??\B: msiexec.exe File opened (read-only) \??\P: msiexec.exe File opened (read-only) \??\Q: msiexec.exe File opened (read-only) \??\Y: msiexec.exe File opened (read-only) \??\A: msiexec.exe File opened (read-only) \??\H: msiexec.exe File opened (read-only) \??\P: msiexec.exe File opened (read-only) \??\R: msiexec.exe File opened (read-only) \??\V: msiexec.exe File opened (read-only) \??\Y: msiexec.exe File opened (read-only) \??\Z: msiexec.exe -
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 3 ipinfo.io 4 ipinfo.io -
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
pid Process 1504 MsiExec.exe 1504 MsiExec.exe -
Drops file in Windows directory 10 IoCs
description ioc Process File opened for modification C:\Windows\Installer\6c3776.msi msiexec.exe File opened for modification C:\Windows\Installer\MSI3D41.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSI3FC2.tmp msiexec.exe File opened for modification C:\Windows\Installer\ msiexec.exe File opened for modification C:\Windows\Installer\MSI4485.tmp msiexec.exe File created C:\Windows\Installer\6c3776.msi msiexec.exe File opened for modification C:\Windows\Installer\MSI3B2D.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSI3DDE.tmp msiexec.exe File created C:\Windows\Installer\6c3778.ipi msiexec.exe File opened for modification C:\Windows\Installer\MSI4455.tmp msiexec.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 1364 1504 WerFault.exe 29 -
Suspicious behavior: EnumeratesProcesses 3 IoCs
pid Process 1220 msiexec.exe 1220 msiexec.exe 1504 MsiExec.exe -
Suspicious use of AdjustPrivilegeToken 48 IoCs
description pid Process Token: SeShutdownPrivilege 1324 msiexec.exe Token: SeIncreaseQuotaPrivilege 1324 msiexec.exe Token: SeRestorePrivilege 1220 msiexec.exe Token: SeTakeOwnershipPrivilege 1220 msiexec.exe Token: SeSecurityPrivilege 1220 msiexec.exe Token: SeCreateTokenPrivilege 1324 msiexec.exe Token: SeAssignPrimaryTokenPrivilege 1324 msiexec.exe Token: SeLockMemoryPrivilege 1324 msiexec.exe Token: SeIncreaseQuotaPrivilege 1324 msiexec.exe Token: SeMachineAccountPrivilege 1324 msiexec.exe Token: SeTcbPrivilege 1324 msiexec.exe Token: SeSecurityPrivilege 1324 msiexec.exe Token: SeTakeOwnershipPrivilege 1324 msiexec.exe Token: SeLoadDriverPrivilege 1324 msiexec.exe Token: SeSystemProfilePrivilege 1324 msiexec.exe Token: SeSystemtimePrivilege 1324 msiexec.exe Token: SeProfSingleProcessPrivilege 1324 msiexec.exe Token: SeIncBasePriorityPrivilege 1324 msiexec.exe Token: SeCreatePagefilePrivilege 1324 msiexec.exe Token: SeCreatePermanentPrivilege 1324 msiexec.exe Token: SeBackupPrivilege 1324 msiexec.exe Token: SeRestorePrivilege 1324 msiexec.exe Token: SeShutdownPrivilege 1324 msiexec.exe Token: SeDebugPrivilege 1324 msiexec.exe Token: SeAuditPrivilege 1324 msiexec.exe Token: SeSystemEnvironmentPrivilege 1324 msiexec.exe Token: SeChangeNotifyPrivilege 1324 msiexec.exe Token: SeRemoteShutdownPrivilege 1324 msiexec.exe Token: SeUndockPrivilege 1324 msiexec.exe Token: SeSyncAgentPrivilege 1324 msiexec.exe Token: SeEnableDelegationPrivilege 1324 msiexec.exe Token: SeManageVolumePrivilege 1324 msiexec.exe Token: SeImpersonatePrivilege 1324 msiexec.exe Token: SeCreateGlobalPrivilege 1324 msiexec.exe Token: SeRestorePrivilege 1220 msiexec.exe Token: SeTakeOwnershipPrivilege 1220 msiexec.exe Token: SeRestorePrivilege 1220 msiexec.exe Token: SeTakeOwnershipPrivilege 1220 msiexec.exe Token: SeRestorePrivilege 1220 msiexec.exe Token: SeTakeOwnershipPrivilege 1220 msiexec.exe Token: SeRestorePrivilege 1220 msiexec.exe Token: SeTakeOwnershipPrivilege 1220 msiexec.exe Token: SeRestorePrivilege 1220 msiexec.exe Token: SeTakeOwnershipPrivilege 1220 msiexec.exe Token: SeRestorePrivilege 1220 msiexec.exe Token: SeTakeOwnershipPrivilege 1220 msiexec.exe Token: SeRestorePrivilege 1220 msiexec.exe Token: SeTakeOwnershipPrivilege 1220 msiexec.exe -
Suspicious use of FindShellTrayWindow 1 IoCs
pid Process 1324 msiexec.exe -
Suspicious use of WriteProcessMemory 11 IoCs
description pid Process procid_target PID 1220 wrote to memory of 1504 1220 msiexec.exe 29 PID 1220 wrote to memory of 1504 1220 msiexec.exe 29 PID 1220 wrote to memory of 1504 1220 msiexec.exe 29 PID 1220 wrote to memory of 1504 1220 msiexec.exe 29 PID 1220 wrote to memory of 1504 1220 msiexec.exe 29 PID 1220 wrote to memory of 1504 1220 msiexec.exe 29 PID 1220 wrote to memory of 1504 1220 msiexec.exe 29 PID 1504 wrote to memory of 1364 1504 MsiExec.exe 33 PID 1504 wrote to memory of 1364 1504 MsiExec.exe 33 PID 1504 wrote to memory of 1364 1504 MsiExec.exe 33 PID 1504 wrote to memory of 1364 1504 MsiExec.exe 33
Processes
-
C:\Windows\system32\msiexec.exemsiexec.exe /I C:\Users\Admin\AppData\Local\Temp\formularioimprimibleCLE.msi1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1324
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1220 -
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding FC2903DB49D7A79F4A99F5A11889E9FC2⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1504 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1504 -s 5763⤵
- Program crash
PID:1364
-
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize344B
MD53637e477bf2d96df16f46d6fe42ceb00
SHA17b0f1074aff9bdc5bef4ead764545d8910c5e2e1
SHA2564f29dc34d0cc27a104af3a8e4d633c33db862a80ad379206e51ded7138966559
SHA5128d582845e1039b4be0345092d050cec4a6b0c0d78d4718847e0d7ecc18ec0f90c9d2a0c28144b742cb75ae33ca631beaa72d248db6497ec8014cb89234bbd558
-
Filesize
62KB
MD53ac860860707baaf32469fa7cc7c0192
SHA1c33c2acdaba0e6fa41fd2f00f186804722477639
SHA256d015145d551ecd14916270efad773bbc9fd57fad2228d2c24559f696c961d904
SHA512d62ad2408c969a95550fb87efda50f988770ba5e39972041bf85924275baf156b8bec309ecc6409e5acdd37ec175dea40eff921ab58933b5b5b5d35a6147567c
-
Filesize
164KB
MD54ff65ad929cd9a367680e0e5b1c08166
SHA1c0af0d4396bd1f15c45f39d3b849ba444233b3a2
SHA256c8733c93cc5aaf5ca206d06af22ee8dbdec764fb5085019a6a9181feb9dfdee6
SHA512f530dc0d024a5a3b8903ffaaa41b608a5ccdd6da4ba1949f2c2e55a9fca475fec5c8d2119b5763cabe7ef1c3788fb9dcac621869db51d65b1d83cfe404fb4c27
-
Filesize
376KB
MD5e12c5bcc254c953b1a46d1434804f4d2
SHA199f67acf34af1294f3c6e5eb521c862e1c772397
SHA2565316cfae8b4d28ab7cbc5cab60e27b0c0f5a3210a921a4b0560769c5021c911b
SHA5129a61aa00b651fc616cd09d28f4a6b872889a026c61d818595a82c58fdff187e3ad57916c2b8690d1e7016d73a05435e13a85758917cfb89029b34c4a1685aa0b
-
Filesize
376KB
MD5e12c5bcc254c953b1a46d1434804f4d2
SHA199f67acf34af1294f3c6e5eb521c862e1c772397
SHA2565316cfae8b4d28ab7cbc5cab60e27b0c0f5a3210a921a4b0560769c5021c911b
SHA5129a61aa00b651fc616cd09d28f4a6b872889a026c61d818595a82c58fdff187e3ad57916c2b8690d1e7016d73a05435e13a85758917cfb89029b34c4a1685aa0b
-
Filesize
860KB
MD571b541254864bd52f85e932e2040cbe8
SHA1713766e1818f8d7ca814c86109c9cdd5d57914ef
SHA256b29ab4744ff6c8c9c440e878abf6f76255c538e71564e6a6279513b543be0538
SHA5124d2e0a30fd6729eb40fad358795db152327b0441da574052a371762f33c9f9e7b9a77c4a4762207bcb401a2d3ef6438730c245916f4a81cd20f748857d5170d2
-
Filesize
376KB
MD5e12c5bcc254c953b1a46d1434804f4d2
SHA199f67acf34af1294f3c6e5eb521c862e1c772397
SHA2565316cfae8b4d28ab7cbc5cab60e27b0c0f5a3210a921a4b0560769c5021c911b
SHA5129a61aa00b651fc616cd09d28f4a6b872889a026c61d818595a82c58fdff187e3ad57916c2b8690d1e7016d73a05435e13a85758917cfb89029b34c4a1685aa0b
-
Filesize
376KB
MD5e12c5bcc254c953b1a46d1434804f4d2
SHA199f67acf34af1294f3c6e5eb521c862e1c772397
SHA2565316cfae8b4d28ab7cbc5cab60e27b0c0f5a3210a921a4b0560769c5021c911b
SHA5129a61aa00b651fc616cd09d28f4a6b872889a026c61d818595a82c58fdff187e3ad57916c2b8690d1e7016d73a05435e13a85758917cfb89029b34c4a1685aa0b
-
Filesize
4.9MB
MD5092eca934d678084a26cd40a4d3c820e
SHA1a3a3f338429b2621bf02dde24f931925b522cc9d
SHA256d35e11b78d14db8c976c7a800f4c2caf092f63b1ea0c29742564317c28701cbf
SHA51298002b475a798883263b0c2ae81cd893d77c8272dd16a9ecda99bd8d68f221a77950bf65e1322c665bbec6ed035639c2365f943d5f918a62c5ef7664ae1d70ba
-
Filesize
376KB
MD5e12c5bcc254c953b1a46d1434804f4d2
SHA199f67acf34af1294f3c6e5eb521c862e1c772397
SHA2565316cfae8b4d28ab7cbc5cab60e27b0c0f5a3210a921a4b0560769c5021c911b
SHA5129a61aa00b651fc616cd09d28f4a6b872889a026c61d818595a82c58fdff187e3ad57916c2b8690d1e7016d73a05435e13a85758917cfb89029b34c4a1685aa0b
-
Filesize
376KB
MD5e12c5bcc254c953b1a46d1434804f4d2
SHA199f67acf34af1294f3c6e5eb521c862e1c772397
SHA2565316cfae8b4d28ab7cbc5cab60e27b0c0f5a3210a921a4b0560769c5021c911b
SHA5129a61aa00b651fc616cd09d28f4a6b872889a026c61d818595a82c58fdff187e3ad57916c2b8690d1e7016d73a05435e13a85758917cfb89029b34c4a1685aa0b
-
Filesize
860KB
MD571b541254864bd52f85e932e2040cbe8
SHA1713766e1818f8d7ca814c86109c9cdd5d57914ef
SHA256b29ab4744ff6c8c9c440e878abf6f76255c538e71564e6a6279513b543be0538
SHA5124d2e0a30fd6729eb40fad358795db152327b0441da574052a371762f33c9f9e7b9a77c4a4762207bcb401a2d3ef6438730c245916f4a81cd20f748857d5170d2
-
Filesize
376KB
MD5e12c5bcc254c953b1a46d1434804f4d2
SHA199f67acf34af1294f3c6e5eb521c862e1c772397
SHA2565316cfae8b4d28ab7cbc5cab60e27b0c0f5a3210a921a4b0560769c5021c911b
SHA5129a61aa00b651fc616cd09d28f4a6b872889a026c61d818595a82c58fdff187e3ad57916c2b8690d1e7016d73a05435e13a85758917cfb89029b34c4a1685aa0b
-
Filesize
4.9MB
MD5092eca934d678084a26cd40a4d3c820e
SHA1a3a3f338429b2621bf02dde24f931925b522cc9d
SHA256d35e11b78d14db8c976c7a800f4c2caf092f63b1ea0c29742564317c28701cbf
SHA51298002b475a798883263b0c2ae81cd893d77c8272dd16a9ecda99bd8d68f221a77950bf65e1322c665bbec6ed035639c2365f943d5f918a62c5ef7664ae1d70ba