Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    39s
  • max time network
    49s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
  • submitted
    26/08/2024, 01:21 UTC

General

  • Target

    9cd58f52226fc376f837447d0c4ebed7b0473cc4166f9e8ad0265bbfd7ac4462.msi

  • Size

    34.2MB

  • MD5

    57a55d067c89c10d205abaa98a2e14dd

  • SHA1

    9e83844b5f6f77660424db4df4c3554503855d23

  • SHA256

    9cd58f52226fc376f837447d0c4ebed7b0473cc4166f9e8ad0265bbfd7ac4462

  • SHA512

    c1eec66216b9ac436d4a323b8866c1c4d9ae1d4c57d6282fc490098e54a4146ae75af73aeaabd3ba26a48cd4ee7b81a3da08f392b5dbc349dd7b0435af34d6ff

  • SSDEEP

    786432:Gt9VUyTDXySTjxA4Ztx2+G+N0WYQYBXPByttH+dktHEDv0yduCb9fJq:Gt9p7xVLYjsp+ikJdu6f

Malware Config

Signatures

  • Blocklisted process makes network request 2 IoCs
  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Windows directory 12 IoCs
  • Loads dropped DLL 5 IoCs
  • Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs

Processes

  • C:\Windows\system32\msiexec.exe
    msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\9cd58f52226fc376f837447d0c4ebed7b0473cc4166f9e8ad0265bbfd7ac4462.msi
    1⤵
    • Enumerates connected drives
    • Event Triggered Execution: Installer Packages
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:2508
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Enumerates connected drives
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2700
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding E924038517DDA8BA2986CF035C24CEBB
      2⤵
      • Blocklisted process makes network request
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      PID:2732
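The process tree above has the normal Windows Installer shape: the client msiexec.exe /I hands the package to the installer service (msiexec.exe /V), and the service starts a custom-action server (MsiExec.exe -Embedding <GUID>) as a 32-bit process from syswow64. That child, PID 2732, is the one that loads the dropped DLL and makes the network request, so the custom action inside the MSI, not msiexec itself, is what needs attention. The script below is an added example and not part of the tria.ge report: it rebuilds that lineage from constructed event records and flags a custom-action server that both loads a C:\Windows\Installer\MSI*.tmp DLL and contacts a host outside the OS revocation-check set. The PIDs, images and command lines are copied from this report; the parent PIDs of the two top-level msiexec.exe processes, which of the two MSI*.tmp files were actually loaded, and the event layout are assumptions.

```python
import re

# Constructed event records mirroring the process tree in this report. The
# PIDs, images and command lines are the report's; the parent PIDs of the two
# top-level msiexec.exe instances (set to 1 here), which MSI*.tmp files were
# actually loaded, and the record layout itself are assumptions.
EVENTS = [
    {"type": "process", "pid": 2508, "ppid": 1,
     "image": r"C:\Windows\system32\msiexec.exe",
     "cmdline": r"msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\9cd58f52226fc376f837447d0c4ebed7b0473cc4166f9e8ad0265bbfd7ac4462.msi"},
    {"type": "process", "pid": 2700, "ppid": 1,
     "image": r"C:\Windows\system32\msiexec.exe",
     "cmdline": r"C:\Windows\system32\msiexec.exe /V"},
    {"type": "process", "pid": 2732, "ppid": 2700,
     "image": r"C:\Windows\syswow64\MsiExec.exe",
     "cmdline": r"C:\Windows\syswow64\MsiExec.exe -Embedding E924038517DDA8BA2986CF035C24CEBB"},
    {"type": "image_load", "pid": 2732, "path": r"C:\Windows\Installer\MSI7DA8.tmp"},
    {"type": "image_load", "pid": 2732, "path": r"C:\Windows\Installer\MSI9199.tmp"},
    {"type": "network", "pid": 2732, "host": "c.pki.goog", "dst": "216.58.214.163:80"},
    {"type": "network", "pid": 2732, "host": "get-license4.com", "dst": "172.67.201.107:443"},
]

# Hosts the OS itself contacts while validating certificate chains; any
# msiexec run on a signed package can produce these, so they are not evidence
# of installer logic talking to the network.
REVOCATION_HOSTS = {"c.pki.goog", "crl.microsoft.com"}

# Custom-action DLLs are streamed out of the package into C:\Windows\Installer
# under a temporary MSIxxxx.tmp name before the custom-action server loads them.
DROPPED_DLL = re.compile(r"^C:\\Windows\\Installer\\MSI[0-9A-F]{3,4}\.tmp$", re.IGNORECASE)


def find_custom_action_servers(events):
    """Return every MsiExec -Embedding process that loaded a dropped DLL and then
    contacted a host outside the revocation-check set."""
    procs = {e["pid"]: e for e in events if e["type"] == "process"}
    findings = []
    for proc in procs.values():
        image_is_msiexec = proc["image"].lower().endswith("\\msiexec.exe")
        if not image_is_msiexec or "-embedding" not in proc["cmdline"].lower():
            continue
        parent = procs.get(proc["ppid"])
        # The Windows Installer service (msiexec /V) is the legitimate parent of a
        # custom-action server; any other parent is its own reason to look closer.
        spawned_by_service = parent is not None and parent["cmdline"].rstrip().endswith(" /V")
        dlls = [e["path"] for e in events
                if e["type"] == "image_load" and e["pid"] == proc["pid"] and DROPPED_DLL.match(e["path"])]
        hosts = [e["host"] for e in events if e["type"] == "network" and e["pid"] == proc["pid"]]
        callbacks = [h for h in hosts if h not in REVOCATION_HOSTS]
        if dlls and callbacks:
            findings.append({
                "pid": proc["pid"],
                "parent": proc["ppid"],
                "spawned_by_service": spawned_by_service,
                "wow64": "\\syswow64\\" in proc["image"].lower(),  # 32-bit custom action on x64
                "dropped_dlls": dlls,
                "callback_hosts": callbacks,
            })
    return findings


if __name__ == "__main__":
    for f in find_custom_action_servers(EVENTS):
        print(f"PID {f['pid']} <- parent {f['parent']} "
              f"(service-spawned={f['spawned_by_service']}, wow64={f['wow64']})")
        print("  dropped DLLs  :", ", ".join(f["dropped_dlls"]))
        print("  callback hosts:", ", ".join(f["callback_hosts"]))
```

On a real endpoint the same three record kinds come from Sysmon event IDs 1 (process create), 7 (image load) and 3/22 (network connect / DNS query); the rule deliberately keys on the -Embedding server rather than on msiexec.exe in general, because the client and service processes make no network requests of their own.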

Network

  • DNS (remote address geolocated: US)
    get-license4.com
    MsiExec.exe
    Remote address:
    8.8.8.8:53
    Request
    get-license4.com
    IN A
    Response
    get-license4.com
    IN A
    172.67.201.107
    get-license4.com
    IN A
    104.21.21.238
  • POST (remote address geolocated: US)
    https://get-license4.com/licenseUser.php
    MsiExec.exe
    Remote address:
    172.67.201.107:443
    Request
    POST /licenseUser.php HTTP/1.1
    Content-Type: application/x-www-form-urlencoded; charset=utf-8
    User-Agent: AdvancedInstaller
    Host: get-license4.com
    Content-Length: 44
    Cache-Control: no-cache
    Response
    HTTP/1.1 200 OK
    Date: Mon, 26 Aug 2024 01:22:14 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    Vary: Accept-Encoding
    Cache-Control: no-store
    CF-Cache-Status: DYNAMIC
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=IF4I3asKnLYQMUU7z4GnfH%2FUzIhnCZN%2FKztK239cdxJ0EdOcM%2BAHZdwS9fF8nR39e87earresn%2BdAoXpfkb321iUh%2B1BgU3wnzszbOeV%2BH1VnylERDySgRz86btZ0NLtnG8V"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 8b900279691b77b7-LHR
    alt-svc: h3=":443"; ma=86400
  • DNS (remote address geolocated: US)
    c.pki.goog
    MsiExec.exe
    Remote address:
    8.8.8.8:53
    Request
    c.pki.goog
    IN A
    Response
    c.pki.goog
    IN CNAME
    pki-goog.l.google.com
    pki-goog.l.google.com
    IN A
    216.58.214.163
  • GET (remote address geolocated: FR)
    http://c.pki.goog/r/gsr1.crl
    MsiExec.exe
    Remote address:
    216.58.214.163:80
    Request
    GET /r/gsr1.crl HTTP/1.1
    Connection: Keep-Alive
    Accept: */*
    User-Agent: Microsoft-CryptoAPI/6.1
    Host: c.pki.goog
    Response
    HTTP/1.1 200 OK
    Accept-Ranges: bytes
    Content-Security-Policy-Report-Only: require-trusted-types-for 'script'; report-uri https://csp.withgoogle.com/csp/cacerts
    Cross-Origin-Resource-Policy: cross-origin
    Cross-Origin-Opener-Policy: same-origin; report-to="cacerts"
    Report-To: {"group":"cacerts","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/cacerts"}]}
    Content-Length: 1739
    X-Content-Type-Options: nosniff
    Server: sffe
    X-XSS-Protection: 0
    Date: Mon, 26 Aug 2024 00:40:02 GMT
    Expires: Mon, 26 Aug 2024 01:30:02 GMT
    Cache-Control: public, max-age=3000
    Age: 2532
    Last-Modified: Mon, 08 Jul 2024 07:38:00 GMT
    Content-Type: application/pkix-crl
    Vary: Accept-Encoding
  • GET (remote address geolocated: FR)
    http://c.pki.goog/r/r4.crl
    MsiExec.exe
    Remote address:
    216.58.214.163:80
    Request
    GET /r/r4.crl HTTP/1.1
    Connection: Keep-Alive
    Accept: */*
    User-Agent: Microsoft-CryptoAPI/6.1
    Host: c.pki.goog
    Response
    HTTP/1.1 200 OK
    Accept-Ranges: bytes
    Content-Security-Policy-Report-Only: require-trusted-types-for 'script'; report-uri https://csp.withgoogle.com/csp/cacerts
    Cross-Origin-Resource-Policy: cross-origin
    Cross-Origin-Opener-Policy: same-origin; report-to="cacerts"
    Report-To: {"group":"cacerts","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/cacerts"}]}
    Content-Length: 436
    X-Content-Type-Options: nosniff
    Server: sffe
    X-XSS-Protection: 0
    Date: Mon, 26 Aug 2024 00:40:04 GMT
    Expires: Mon, 26 Aug 2024 01:30:04 GMT
    Cache-Control: public, max-age=3000
    Age: 2530
    Last-Modified: Thu, 25 Jul 2024 14:48:00 GMT
    Content-Type: application/pkix-crl
    Vary: Accept-Encoding
  • DNS (remote address geolocated: US)
    crl.microsoft.com
    Remote address:
    8.8.8.8:53
    Request
    crl.microsoft.com
    IN A
    Response
    crl.microsoft.com
    IN CNAME
    crl.www.ms.akadns.net
    crl.www.ms.akadns.net
    IN CNAME
    a1363.dscg.akamai.net
    a1363.dscg.akamai.net
    IN A
    2.18.190.80
    a1363.dscg.akamai.net
    IN A
    2.18.190.71
  • GET (remote address geolocated: GB)
    http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
    Remote address:
    2.18.190.80:80
    Request
    GET /pki/crl/products/MicRooCerAut2011_2011_03_22.crl HTTP/1.1
    Connection: Keep-Alive
    Accept: */*
    If-Modified-Since: Wed, 01 May 2024 09:28:59 GMT
    User-Agent: Microsoft-CryptoAPI/6.1
    Host: crl.microsoft.com
    Response
    HTTP/1.1 200 OK
    Content-Length: 1036
    Content-Type: application/octet-stream
    Content-MD5: 5xIscz+eN7ugykyYXOEdbQ==
    Last-Modified: Thu, 11 Jul 2024 01:45:51 GMT
    ETag: 0x8DCA14B323B2CC0
    Server: Windows-Azure-Blob/1.0 Microsoft-HTTPAPI/2.0
    x-ms-request-id: ff7d3404-301e-006c-4d37-d3bc7d000000
    x-ms-version: 2009-09-19
    x-ms-lease-status: unlocked
    x-ms-blob-type: BlockBlob
    Date: Mon, 26 Aug 2024 01:22:45 GMT
    Connection: keep-alive
  • 172.67.201.107:443
    https://get-license4.com/licenseUser.php
    Protocols: tls, http
    Process: MsiExec.exe
    Bytes sent: 1.0kB
    Bytes received: 4.2kB
    Packets sent: 10
    Packets received: 9

    HTTP Request

    POST https://get-license4.com/licenseUser.php

    HTTP Response

    200
  • 216.58.214.163:80
    http://c.pki.goog/r/r4.crl
    Protocols: http
    Process: MsiExec.exe
    Bytes sent: 560 B
    Bytes received: 5.0kB
    Packets sent: 7
    Packets received: 6

    HTTP Request

    GET http://c.pki.goog/r/gsr1.crl

    HTTP Response

    200

    HTTP Request

    GET http://c.pki.goog/r/r4.crl

    HTTP Response

    200
  • 2.18.190.80:80
    http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
    Protocols: http
    Process: (none recorded)
    Bytes sent: 451 B
    Bytes received: 1.7kB
    Packets sent: 5
    Packets received: 5

    HTTP Request

    GET http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl

    HTTP Response

    200
  • 8.8.8.8:53
    get-license4.com
    Protocols: dns
    Process: MsiExec.exe
    Bytes sent: 62 B
    Bytes received: 94 B
    Packets sent: 1
    Packets received: 1

    DNS Request

    get-license4.com

    DNS Response

    172.67.201.107
    104.21.21.238

  • 8.8.8.8:53
    c.pki.goog
    Protocols: dns
    Process: MsiExec.exe
    Bytes sent: 56 B
    Bytes received: 107 B
    Packets sent: 1
    Packets received: 1

    DNS Request

    c.pki.goog

    DNS Response

    216.58.214.163

  • 8.8.8.8:53
    crl.microsoft.com
    Protocols: dns
    Process: (none recorded)
    Bytes sent: 63 B
    Bytes received: 162 B
    Packets sent: 1
    Packets received: 1

    DNS Request

    crl.microsoft.com

    DNS Response

    2.18.190.80
    2.18.190.71
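The Network section is where triage of this sample actually turns. Three of the four HTTP requests (the two CRLs from c.pki.goog and the Microsoft root CRL) are sent by the Windows CryptoAPI client (User-Agent Microsoft-CryptoAPI/6.1, the NT version of Windows 7) while it validates certificate chains; they are produced by any Authenticode-signed package and by the TLS connection the installer opens, and are not an indicator of anything. The one request that is the installer's own logic is the form-encoded POST to get-license4.com/licenseUser.php from the 32-bit custom-action server, with a User-Agent that names the Advanced Installer packaging toolkit. The script below is an added example and not part of the tria.ge report: it parses copies of the request heads shown above and labels each host from method, User-Agent and requested object. The request lines and headers are copied from this page; the POST body was not captured on the page, so only its Content-Length is used, and the classification rules are assumptions made here.

```python
import re

# Constructed copies of the HTTP request heads shown in this report. The
# request lines and headers are the report's; the POST body was not captured
# on the page, so only its Content-Length is used. The crl.microsoft.com
# request is attributed to no process in the report, hence None.
RAW_REQUESTS = [
    ("MsiExec.exe", """POST /licenseUser.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded; charset=utf-8
User-Agent: AdvancedInstaller
Host: get-license4.com
Content-Length: 44
Cache-Control: no-cache"""),
    ("MsiExec.exe", """GET /r/gsr1.crl HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: c.pki.goog"""),
    ("MsiExec.exe", """GET /r/r4.crl HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: c.pki.goog"""),
    (None, """GET /pki/crl/products/MicRooCerAut2011_2011_03_22.crl HTTP/1.1
Connection: Keep-Alive
Accept: */*
If-Modified-Since: Wed, 01 May 2024 09:28:59 GMT
User-Agent: Microsoft-CryptoAPI/6.1
Host: crl.microsoft.com"""),
]


def parse_request(raw):
    """Split an HTTP/1.1 request head into (method, path, {lower-cased header: value})."""
    lines = raw.strip().splitlines()
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers


def cryptoapi_os_version(user_agent):
    """NT version embedded in the CryptoAPI User-Agent (6.1 = Windows 7 / Server 2008 R2)."""
    m = re.fullmatch(r"Microsoft-CryptoAPI/(\d+\.\d+)", user_agent)
    return m.group(1) if m else None


def classify(method, path, headers):
    ua = headers.get("user-agent", "")
    # Windows' own chain validation: a plain-HTTP GET of a CRL/AIA object by the
    # CryptoAPI client. Expected for any signed MSI and for any TLS connection
    # the installer makes; not an indicator.
    if method == "GET" and ua.startswith("Microsoft-CryptoAPI/") \
            and path.lower().endswith((".crl", ".crt", ".cer")):
        return "revocation-check"
    # A form-encoded POST issued by the installer engine is the package's own
    # logic (a custom action) talking to a third-party server.
    if method == "POST" and headers.get("content-type", "").startswith("application/x-www-form-urlencoded"):
        return "installer-callback"
    return "unclassified"


def triage(raw_requests):
    """Group the report's requests by Host header and label each host."""
    hosts = {}
    for process, raw in raw_requests:
        method, path, headers = parse_request(raw)
        host = headers.get("host", "")
        entry = hosts.setdefault(host, {"class": None, "paths": [], "processes": set(),
                                        "user_agent": headers.get("user-agent", ""),
                                        "body_bytes": 0})
        entry["class"] = classify(method, path, headers)
        entry["paths"].append(f"{method} {path}")
        if process:
            entry["processes"].add(process)
        entry["body_bytes"] += int(headers.get("content-length", 0))
    return hosts


def block_candidates(hosts):
    """Hosts worth blocking or hunting for: everything that is not OS revocation traffic."""
    return sorted(h for h, e in hosts.items() if e["class"] != "revocation-check")


if __name__ == "__main__":
    result = triage(RAW_REQUESTS)
    for host, e in result.items():
        print(f"{host:22} {e['class']:19} {e['user_agent']:24} {', '.join(e['paths'])}")
    print("block candidates:", block_candidates(result))
    print("CryptoAPI reports Windows NT", cryptoapi_os_version("Microsoft-CryptoAPI/6.1"))
```

The 44-byte form body and the 200 response are consistent with a short key/value licensing check rather than a payload download, which matches the summary table (about 1.0kB out, 4.2kB in, most of it the TLS handshake); the DNS answers show both A records in Cloudflare space, so blocking by IP is not useful and the hostname is the durable indicator.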

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Config.Msi\f787cb3.rbs

    Filesize

    25KB

    MD5

    d1c38ee2ea0be69c3699be4e2a3879b6

    SHA1

    d51ef217b9e2e4facc5cf52a60b3fcd1fad227f9

    SHA256

    fbf60113dbf8dd5e020305ba4e02da3d02ac9f677c1766b679cfb5597ebff212

    SHA512

    28acdd6203eed78a26acbdc40e468ef43d03772756cdd43497f8c36bb8bca92ee4e50219078eb938d31330fb4298fa168111ab28ca8d582acf0669ac8300f908

  • C:\Windows\Installer\MSI7DA8.tmp

    Filesize

    738KB

    MD5

    b158d8d605571ea47a238df5ab43dfaa

    SHA1

    bb91ae1f2f7142b9099e3cc285f4f5b84de568e4

    SHA256

    ca763693cc25d316f14a9ebad80ebf00590329550c45adb7e5205486533c2504

    SHA512

    56aef59c198acf2fcd0d95ea6e32ce1c706e5098a0800feff13ddb427bfb4d538de1c415a5cb5496b09a5825155e3abb1c13c8c37dc31549604bd4d63cb70591

  • C:\Windows\Installer\MSI9199.tmp

    Filesize

    364KB

    MD5

    54d74546c6afe67b3d118c3c477c159a

    SHA1

    957f08beb7e27e657cd83d8ee50388b887935fae

    SHA256

    f9956417af079e428631a6c921b79716d960c3b4917c6b7d17ff3cb945f18611

    SHA512

    d27750b913cc2b7388e9948f42385d0b4124e48335ae7fc0bc6971f4f807dbc9af63fe88675bc440eb42b9a92551bf2d77130b1633ddda90866616b583ae924f

  • C:\Windows\Installer\f787caf.msi

    Filesize

    34.2MB

    MD5

    57a55d067c89c10d205abaa98a2e14dd

    SHA1

    9e83844b5f6f77660424db4df4c3554503855d23

    SHA256

    9cd58f52226fc376f837447d0c4ebed7b0473cc4166f9e8ad0265bbfd7ac4462

    SHA512

    c1eec66216b9ac436d4a323b8866c1c4d9ae1d4c57d6282fc490098e54a4146ae75af73aeaabd3ba26a48cd4ee7b81a3da08f392b5dbc349dd7b0435af34d6ff
