Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Resubmissions

02/08/2024, 14:19 UTC

240802-rnce8sscne 3

02/08/2024, 14:17 UTC

240802-rl7hlasclb 7

Analysis

  • max time kernel
    40s
  • max time network
    112s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
  • submitted
    02/08/2024, 14:17 UTC

General

  • Target

    x64__installer__v2.0.5.msi

  • Size

    32.5MB

  • MD5

    acf3049f9a32d9c2d30d0546e7a4249a

  • SHA1

    491fbaf36bbb029601daf0e73ff17179f6f8ebd9

  • SHA256

    4e5def247c481ea835d423ca3134dc1192dc688693676ac6730c5e60ab269f61

  • SHA512

    02a40cd23470dff49afb6dcb80e7313b78aeb5bcd50ff564a7756aa01589379cae04953d6f50d0f22d6a251696a52702cdfde4f8daa7829b1e74d019fa66b900

  • SSDEEP

    786432:VRQLUyTDXySTjxA4Ztx2+G+N0WYQYBXPByttH+dktHEDv0y:VRQ77xVLYjsp+ikJ

Malware Config

Signatures

  • Blocklisted process makes network request 2 IoCs
  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Windows directory 12 IoCs
  • Loads dropped DLL 5 IoCs
  • Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempts to gather information about the system language of the victim host in order to infer its geographical location.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs

Processes

  • C:\Windows\system32\msiexec.exe
    msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\x64__installer__v2.0.5.msi
    1⤵
    • Enumerates connected drives
    • Event Triggered Execution: Installer Packages
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:2304
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Enumerates connected drives
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2724
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding 7DB2AD8EC081F143CFB18112C40ED4DF
      2⤵
      • Blocklisted process makes network request
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      PID:2840

Network

  • flag-us
    DNS
    get-license4.com
    MsiExec.exe
    Remote address:
    8.8.8.8:53
    Request
    get-license4.com
    IN A
    Response
    get-license4.com
    IN A
    104.21.21.238
    get-license4.com
    IN A
    172.67.201.107
  • flag-us
    POST
    https://get-license4.com/licenseUser.php
    MsiExec.exe
    Remote address:
    104.21.21.238:443
    Request
    POST /licenseUser.php HTTP/1.1
    Content-Type: application/x-www-form-urlencoded; charset=utf-8
    User-Agent: AdvancedInstaller
    Host: get-license4.com
    Content-Length: 33
    Cache-Control: no-cache
    Response
    HTTP/1.1 200 OK
    Date: Fri, 02 Aug 2024 14:19:21 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    Vary: Accept-Encoding
    Cache-Control: no-store
    CF-Cache-Status: DYNAMIC
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=AD31aAjDK5N1E4RLCTcaTXju6wO%2Bt0ROkmIicDnI%2BF8xdwvIv1zkpexNLjt2ndxhO2zQajvVGHL%2BRJJ13aqujzzw1835popuF7Mmh327vBeUf4BgjJMDFUW0G%2BhhmiLA7wVt"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 8aceb3d3fccebd8c-LHR
    alt-svc: h3=":443"; ma=86400
  • flag-us
    DNS
    c.pki.goog
    MsiExec.exe
    Remote address:
    8.8.8.8:53
    Request
    c.pki.goog
    IN A
    Response
    c.pki.goog
    IN CNAME
    pki-goog.l.google.com
    pki-goog.l.google.com
    IN A
    142.250.27.94
  • flag-nl
    GET
    http://c.pki.goog/r/gsr1.crl
    MsiExec.exe
    Remote address:
    142.250.27.94:80
    Request
    GET /r/gsr1.crl HTTP/1.1
    Connection: Keep-Alive
    Accept: */*
    User-Agent: Microsoft-CryptoAPI/6.1
    Host: c.pki.goog
    Response
    HTTP/1.1 200 OK
    Accept-Ranges: bytes
    Content-Security-Policy-Report-Only: require-trusted-types-for 'script'; report-uri https://csp.withgoogle.com/csp/cacerts
    Cross-Origin-Resource-Policy: cross-origin
    Cross-Origin-Opener-Policy: same-origin; report-to="cacerts"
    Report-To: {"group":"cacerts","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/cacerts"}]}
    Content-Length: 1739
    X-Content-Type-Options: nosniff
    Server: sffe
    X-XSS-Protection: 0
    Date: Fri, 02 Aug 2024 13:37:35 GMT
    Expires: Fri, 02 Aug 2024 14:27:35 GMT
    Cache-Control: public, max-age=3000
    Age: 2506
    Last-Modified: Mon, 08 Jul 2024 07:38:00 GMT
    Content-Type: application/pkix-crl
    Vary: Accept-Encoding
  • flag-nl
    GET
    http://c.pki.goog/r/r4.crl
    MsiExec.exe
    Remote address:
    142.250.27.94:80
    Request
    GET /r/r4.crl HTTP/1.1
    Connection: Keep-Alive
    Accept: */*
    User-Agent: Microsoft-CryptoAPI/6.1
    Host: c.pki.goog
    Response
    HTTP/1.1 200 OK
    Accept-Ranges: bytes
    Content-Security-Policy-Report-Only: require-trusted-types-for 'script'; report-uri https://csp.withgoogle.com/csp/cacerts
    Cross-Origin-Resource-Policy: cross-origin
    Cross-Origin-Opener-Policy: same-origin; report-to="cacerts"
    Report-To: {"group":"cacerts","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/cacerts"}]}
    Content-Length: 436
    X-Content-Type-Options: nosniff
    Server: sffe
    X-XSS-Protection: 0
    Date: Fri, 02 Aug 2024 13:38:42 GMT
    Expires: Fri, 02 Aug 2024 14:28:42 GMT
    Cache-Control: public, max-age=3000
    Age: 2439
    Last-Modified: Thu, 25 Jul 2024 14:48:00 GMT
    Content-Type: application/pkix-crl
    Vary: Accept-Encoding
  • flag-us
    DNS
    crl.microsoft.com
    Remote address:
    8.8.8.8:53
    Request
    crl.microsoft.com
    IN A
    Response
    crl.microsoft.com
    IN CNAME
    crl.www.ms.akadns.net
    crl.www.ms.akadns.net
    IN CNAME
    a1363.dscg.akamai.net
    a1363.dscg.akamai.net
    IN A
    92.123.143.234
    a1363.dscg.akamai.net
    IN A
    92.123.142.59
  • flag-gb
    GET
    http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
    Remote address:
    92.123.143.234:80
    Request
    GET /pki/crl/products/MicRooCerAut2011_2011_03_22.crl HTTP/1.1
    Connection: Keep-Alive
    Accept: */*
    If-Modified-Since: Wed, 01 May 2024 09:28:59 GMT
    User-Agent: Microsoft-CryptoAPI/6.1
    Host: crl.microsoft.com
    Response
    HTTP/1.1 200 OK
    Content-Length: 1036
    Content-Type: application/octet-stream
    Content-MD5: 5xIscz+eN7ugykyYXOEdbQ==
    Last-Modified: Thu, 11 Jul 2024 01:45:51 GMT
    ETag: 0x8DCA14B323B2CC0
    Server: Windows-Azure-Blob/1.0 Microsoft-HTTPAPI/2.0
    x-ms-request-id: 72f579ca-d01e-0016-7f43-d3a13d000000
    x-ms-version: 2009-09-19
    x-ms-lease-status: unlocked
    x-ms-blob-type: BlockBlob
    Date: Fri, 02 Aug 2024 14:19:52 GMT
    Connection: keep-alive
  • 104.21.21.238:443
    https://get-license4.com/licenseUser.php
    tls, http
    MsiExec.exe
    1.2kB
    4.7kB
    12
    11

    HTTP Request

    POST https://get-license4.com/licenseUser.php

    HTTP Response

    200
  • 142.250.27.94:80
    http://c.pki.goog/r/r4.crl
    http
    MsiExec.exe
    554 B
    3.8kB
    7
    5

    HTTP Request

    GET http://c.pki.goog/r/gsr1.crl

    HTTP Response

    200

    HTTP Request

    GET http://c.pki.goog/r/r4.crl

    HTTP Response

    200
  • 92.123.143.234:80
    http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
    http
    445 B
    1.7kB
    5
    4

    HTTP Request

    GET http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl

    HTTP Response

    200
  • 8.8.8.8:53
    get-license4.com
    dns
    MsiExec.exe
    62 B
    94 B
    1
    1

    DNS Request

    get-license4.com

    DNS Response

    104.21.21.238
    172.67.201.107

  • 8.8.8.8:53
    c.pki.goog
    dns
    MsiExec.exe
    56 B
    107 B
    1
    1

    DNS Request

    c.pki.goog

    DNS Response

    142.250.27.94

  • 8.8.8.8:53
    crl.microsoft.com
    dns
    63 B
    162 B
    1
    1

    DNS Request

    crl.microsoft.com

    DNS Response

    92.123.143.234
    92.123.142.59

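The process tree and network records above, triaged as an added example (code written for this page, not part of the tria.ge report). The PIDs on the network events, and pid=None for the crl.microsoft.com requests, are assumptions: the report names MsiExec.exe but gives no PID for the HTTP entries. The point it makes: the three GET requests with User-Agent Microsoft-CryptoAPI/6.1 are CRL downloads by the Windows certificate chain engine (gsr1.crl and r4.crl are consistent with validating the Google Trust Services chain presented by the Cloudflare-fronted get-license4.com; the Microsoft root CRL is consistent with a Microsoft-rooted Authenticode check), so they are not indicators on their own. The one request the package's own code made is the POST to https://get-license4.com/licenseUser.php from the 32-bit MsiExec.exe -Embedding custom action server, with User-Agent AdvancedInstaller. The resolved addresses 104.21.21.238 and 172.67.201.107 are Cloudflare edge addresses (Server: cloudflare in the response), so the hostname, not the IPs, is the indicator worth keeping.

```python
"""Triage of the Processes and Network sections above. Added example, not
part of the tria.ge report; the records are constructed from values the
report shows. Assumed: the PID on each network event (the report names
MsiExec.exe but no PID; 2840 is the -Embedding custom action server)."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlsplit


@dataclass
class ProcEvent:
    pid: int
    image: str
    cmdline: str


@dataclass
class NetEvent:
    pid: Optional[int]              # None where the report names no process
    proto: str                      # "dns" or "http"
    host: str                       # queried name or HTTP Host header
    url: Optional[str] = None
    method: Optional[str] = None
    user_agent: Optional[str] = None
    answers: Tuple[str, ...] = ()   # A records, dns events only


PROCESSES = [
    ProcEvent(2304, r"C:\Windows\system32\msiexec.exe",
              r"msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\x64__installer__v2.0.5.msi"),
    ProcEvent(2724, r"C:\Windows\system32\msiexec.exe",
              r"C:\Windows\system32\msiexec.exe /V"),
    ProcEvent(2840, r"C:\Windows\syswow64\MsiExec.exe",
              r"C:\Windows\syswow64\MsiExec.exe -Embedding 7DB2AD8EC081F143CFB18112C40ED4DF"),
]

NETWORK = [
    NetEvent(2840, "dns", "get-license4.com",
             answers=("104.21.21.238", "172.67.201.107")),
    NetEvent(2840, "http", "get-license4.com", method="POST",
             url="https://get-license4.com/licenseUser.php",
             user_agent="AdvancedInstaller"),
    NetEvent(2840, "dns", "c.pki.goog", answers=("142.250.27.94",)),
    NetEvent(2840, "http", "c.pki.goog", method="GET",
             url="http://c.pki.goog/r/gsr1.crl", user_agent="Microsoft-CryptoAPI/6.1"),
    NetEvent(2840, "http", "c.pki.goog", method="GET",
             url="http://c.pki.goog/r/r4.crl", user_agent="Microsoft-CryptoAPI/6.1"),
    NetEvent(None, "dns", "crl.microsoft.com",
             answers=("92.123.143.234", "92.123.142.59")),
    NetEvent(None, "http", "crl.microsoft.com", method="GET",
             url="http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl",
             user_agent="Microsoft-CryptoAPI/6.1"),
]


def is_revocation_check(ev: NetEvent) -> bool:
    """CRL/OCSP fetches issued by the Windows certificate chain engine
    (CryptoAPI), not by the installer's own code. They occur whenever a
    chain is validated (e.g. the TLS handshake to get-license4.com) and are
    not IoCs by themselves."""
    if ev.proto != "http" or not ev.url:
        return False
    ua = (ev.user_agent or "").lower()
    path = urlsplit(ev.url).path.lower()
    return ua.startswith("microsoft-cryptoapi") or path.endswith((".crl", ".crt", ".cer"))


def custom_action_servers(procs: List[ProcEvent]) -> Dict[int, ProcEvent]:
    """MsiExec.exe started with '-Embedding <GUID>' is the Windows Installer
    custom action server: it runs the package's DLL/EXE custom actions, so
    its network traffic is the package's, not the OS's."""
    return {p.pid: p for p in procs
            if p.image.lower().endswith("msiexec.exe")
            and "-embedding" in p.cmdline.lower()}


def triage(procs: List[ProcEvent], net: List[NetEvent]) -> Dict[str, object]:
    """Split HTTP events into revocation noise and custom-action traffic."""
    servers = custom_action_servers(procs)
    resolved: Dict[str, List[str]] = {}
    for ev in net:
        if ev.proto == "dns":
            resolved.setdefault(ev.host, []).extend(ev.answers)
    noise, findings, iocs = [], [], {}
    for ev in net:
        if ev.proto != "http":
            continue
        if is_revocation_check(ev):
            noise.append(ev.url)
        elif ev.pid in servers:
            findings.append({"pid": ev.pid, "method": ev.method, "url": ev.url,
                             "user_agent": ev.user_agent,
                             "cmdline": servers[ev.pid].cmdline})
            # keep resolutions only for hosts the package's own code contacted
            iocs[ev.host] = sorted(set(resolved.get(ev.host, [])))
    return {"custom_action_traffic": findings, "revocation_noise": noise, "iocs": iocs}


if __name__ == "__main__":
    r = triage(PROCESSES, NETWORK)
    for f in r["custom_action_traffic"]:
        print(f"[!] PID {f['pid']}: {f['method']} {f['url']} (UA {f['user_agent']})")
    print("IoCs:", r["iocs"], "| revocation noise:", len(r["revocation_noise"]))
```

Running it reports the single POST from PID 2840 as custom-action traffic, the three CRL fetches as revocation noise, and get-license4.com with its two Cloudflare addresses as the only IoC. Whether that POST is a legitimate Advanced Installer licensing call or something the package author put there cannot be decided from the traffic alone; the 33-byte form body and the server reply are not shown in the report, so the next step is to pull the CustomAction table from the MSI and inspect the action that issues the request.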
MITRE ATT&CK Enterprise v15

Downloads

  • C:\Config.Msi\f782e64.rbs

    Filesize

    21KB

    MD5

    eaa96eb0c421ae869c93142fd8812972

    SHA1

    551e6c4d9ad3bfda925b7041459138119ed53b47

    SHA256

    e0a94430b537351c1fe85ef3d426babd2e6254984d46d94020513555ac6ec697

    SHA512

    4b7cf8c435895d154ee2cdaa87d124fb6e24faec6349429698bd8a1546396b5c2c3058cb19bc807ab8e457fb5993a3068e5fbb65d2158fa2d0c083f6e97f70ee

  • C:\Windows\Installer\MSI2F2B.tmp

    Filesize

    738KB

    MD5

    b158d8d605571ea47a238df5ab43dfaa

    SHA1

    bb91ae1f2f7142b9099e3cc285f4f5b84de568e4

    SHA256

    ca763693cc25d316f14a9ebad80ebf00590329550c45adb7e5205486533c2504

    SHA512

    56aef59c198acf2fcd0d95ea6e32ce1c706e5098a0800feff13ddb427bfb4d538de1c415a5cb5496b09a5825155e3abb1c13c8c37dc31549604bd4d63cb70591

  • C:\Windows\Installer\MSI45DA.tmp

    Filesize

    364KB

    MD5

    54d74546c6afe67b3d118c3c477c159a

    SHA1

    957f08beb7e27e657cd83d8ee50388b887935fae

    SHA256

    f9956417af079e428631a6c921b79716d960c3b4917c6b7d17ff3cb945f18611

    SHA512

    d27750b913cc2b7388e9948f42385d0b4124e48335ae7fc0bc6971f4f807dbc9af63fe88675bc440eb42b9a92551bf2d77130b1633ddda90866616b583ae924f

  • C:\Windows\Installer\f782e60.msi

    Filesize

    32.5MB

    MD5

    acf3049f9a32d9c2d30d0546e7a4249a

    SHA1

    491fbaf36bbb029601daf0e73ff17179f6f8ebd9

    SHA256

    4e5def247c481ea835d423ca3134dc1192dc688693676ac6730c5e60ab269f61

    SHA512

    02a40cd23470dff49afb6dcb80e7313b78aeb5bcd50ff564a7756aa01589379cae04953d6f50d0f22d6a251696a52702cdfde4f8daa7829b1e74d019fa66b900
