Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

swift code.exe

windows7-x64

10

swift code.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    147s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    12/09/2022, 20:20

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    swift code.exe

  • Size

    929KB

  • MD5

    4810babd170ef3c7d890a2898237342f

  • SHA1

    e12471750e0a24c3835a632249c544d453196561

  • SHA256

    d06e9a0bc38a688ec308ebf3b7806de3d4f13bc7e630f1c34f8e2356a9123e10

  • SHA512

    54e234ad0177c1dd599b112c4df4a0766e9c6b0855256221d6df4f85143a504b881f58892f5928816120be716ed4094d2630b0dd8b50122b47eb13218f8305cc

  • SSDEEP

    12288:Dvbx1O4xoFLbbvQE550OZmwNwO051Gf1k2DtLLTp3QDkJBhsvt+:vcFLXvd5+9wNN051+hLHpKkB48

Score
10/10
formbookejgpratspywarestealertrojan

Malware Config

Extracted

Family

formbook

Campaign

ejgp

Decoy

+0NM3RekW0bfgQ==

iQmI3Aw2aoOljoA0XZi1

5Ei2CVwQyOgZwV/u4eiMFdKqc84=

ImSvoul9o0reZ9TKUAUkXgw=

kuCrMIco5vT3sxCUQ+pYsVoG7Q==

btgpLo8XM+qHGLzoizgjRg==

fqK2iM5vW0bfgQ==

ObS1UE+TByKRZozamdULr0naXbKPLA==

bcohBkmNNcpp3gJ/XE2/mBs=

yY5b/cLb3+0llg==

GVEVqBNXl7Kic2Sm

Tqpt2tTlW0bfgQ==

eurYRI7UFDBjDbzpIJKz

7wwDuczemAaJNrrpIJKz

bprQyLvLEj+hhMLHHg==

qdoAqq/XOjh0ItzLLJpHBgxoJgM2

gr5SnMA66BpM8+hUM+iawNKeZsQ=

XLoO6yFTsdNuEYpUPfScwqXEk7dqBnU=

vS2Cjfg0tqBF1GpuHemLV8/g4wUwPspS

U5wqXJjP/u/qg3sE+YKsgVVByFw+

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Suspicious use of SetThreadContext 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 46 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 7 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:512
    • C:\Users\Admin\AppData\Local\Temp\swift code.exe
      "C:\Users\Admin\AppData\Local\Temp\swift code.exe"
      2⤵
      • Checks computer location settings
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1556
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\pqFexk.exe"
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1596
      • C:\Windows\SysWOW64\schtasks.exe
        "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\pqFexk" /XML "C:\Users\Admin\AppData\Local\Temp\tmp22CA.tmp"
        3⤵
        • Creates scheduled task(s)
        PID:1140
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
        3⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        PID:3236
    • C:\Windows\SysWOW64\explorer.exe
      "C:\Windows\SysWOW64\explorer.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Modifies Internet Explorer settings
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2224
      • C:\Program Files\Mozilla Firefox\Firefox.exe
        "C:\Program Files\Mozilla Firefox\Firefox.exe"
        3⤵
          PID:4584

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\tmp22CA.tmp
      Filesize

      1KB

      MD5

      8a921f16c85c4cd1af71da637c130f22

      SHA1

      90f64c236c1ea13678f9dd5409b39929ed8fb098

      SHA256

      5cbd13fc48d4c4f66194f435184d24c8eb8b7166cce1d86c0af4fc92f44c59d8

      SHA512

      85ae4c9db7e79273d8f0067d662b04bff2d151553d1ee9239c9d840b0e2e7e6903f7260a820e0aa73d38cb84b8322ff2f976f84ae3dfe11b690e520db370ae25

      Download Submit

    • memory/512-151-0x0000000002F80000-0x0000000003080000-memory.dmp

      Filesize

      1024KB

      Download

    • memory/512-169-0x0000000008810000-0x000000000892D000-memory.dmp

      Filesize

      1.1MB

      Download

    • memory/512-167-0x0000000002F80000-0x0000000003080000-memory.dmp

      Filesize

      1024KB

      Download

    • memory/512-171-0x0000000008810000-0x000000000892D000-memory.dmp

      Filesize

      1.1MB

      Download

    • memory/1556-135-0x00000000056D0000-0x00000000056DA000-memory.dmp

      Filesize

      40KB

      Download

    • memory/1556-136-0x0000000007E50000-0x0000000007EEC000-memory.dmp

      Filesize

      624KB

      Download

    • memory/1556-137-0x0000000008180000-0x00000000081E6000-memory.dmp

      Filesize

      408KB

      Download

    • memory/1556-134-0x0000000005610000-0x00000000056A2000-memory.dmp

      Filesize

      584KB

      Download

    • memory/1556-132-0x0000000000B90000-0x0000000000C7E000-memory.dmp

      Filesize

      952KB

      Download

    • memory/1556-133-0x0000000005B10000-0x00000000060B4000-memory.dmp

      Filesize

      5.6MB

      Download

    • memory/1596-146-0x0000000005AB0000-0x0000000005B16000-memory.dmp

      Filesize

      408KB

      Download

    • memory/1596-152-0x0000000006180000-0x000000000619E000-memory.dmp

      Filesize

      120KB

      Download

    • memory/1596-144-0x0000000005310000-0x0000000005938000-memory.dmp

      Filesize

      6.2MB

      Download

    • memory/1596-154-0x00000000713F0000-0x000000007143C000-memory.dmp

      Filesize

      304KB

      Download

    • memory/1596-165-0x0000000007790000-0x0000000007798000-memory.dmp

      Filesize

      32KB

      Download

    • memory/1596-140-0x0000000002850000-0x0000000002886000-memory.dmp

      Filesize

      216KB

      Download

    • memory/1596-145-0x00000000051C0000-0x00000000051E2000-memory.dmp

      Filesize

      136KB

      Download

    • memory/1596-153-0x0000000006740000-0x0000000006772000-memory.dmp

      Filesize

      200KB

      Download

    • memory/1596-164-0x00000000077B0000-0x00000000077CA000-memory.dmp

      Filesize

      104KB

      Download

    • memory/1596-155-0x0000000006710000-0x000000000672E000-memory.dmp

      Filesize

      120KB

      Download

    • memory/1596-156-0x0000000007AC0000-0x000000000813A000-memory.dmp

      Filesize

      6.5MB

      Download

    • memory/1596-157-0x0000000007470000-0x000000000748A000-memory.dmp

      Filesize

      104KB

      Download

    • memory/1596-158-0x00000000074F0000-0x00000000074FA000-memory.dmp

      Filesize

      40KB

      Download

    • memory/1596-159-0x00000000076F0000-0x0000000007786000-memory.dmp

      Filesize

      600KB

      Download

    • memory/1596-163-0x00000000076A0000-0x00000000076AE000-memory.dmp

      Filesize

      56KB

      Download

    • memory/2224-162-0x0000000000B00000-0x0000000000B2B000-memory.dmp

      Filesize

      172KB

      Download

    • memory/2224-161-0x00000000003C0000-0x00000000007F3000-memory.dmp

      Filesize

      4.2MB

      Download

    • memory/2224-166-0x00000000029E0000-0x0000000002D2A000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/2224-168-0x0000000002810000-0x000000000289F000-memory.dmp

      Filesize

      572KB

      Download

    • memory/2224-170-0x0000000000B00000-0x0000000000B2B000-memory.dmp

      Filesize

      172KB

      Download

    • memory/3236-149-0x00000000015C0000-0x000000000190A000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/3236-150-0x0000000001140000-0x0000000001150000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3236-148-0x0000000000400000-0x000000000042B000-memory.dmp

      Filesize

      172KB

      Download

    • memory/3236-143-0x0000000000400000-0x000000000042B000-memory.dmp

      Filesize

      172KB

      Download