Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

Invoice 16-36-55.exe

windows7-x64

10

Invoice 16-36-55.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    30/09/2022, 08:33

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Invoice 16-36-55.exe

  • Size

    918KB

  • MD5

    c5b76d08e1571dfd19d3ab265ec85b2f

  • SHA1

    e9efd2d3ed741511025c1f1b0f1eb1d97aab111d

  • SHA256

    10610b7b6275e7e957ad8992b94b7488d1d55ad72a169f1abc5410f10c717484

  • SHA512

    bc99f126b422cf373af6f5851e7368471e0505e56a42f207a2d79b407fb3de95ebc1defe1ee0cfbaf46f09b3a514ebd45b3ca0195fdf0f8e2d94fc339138bd6a

  • SSDEEP

    12288:Rj9dHqkbfDk3OLqKGTSXzurVj0dEaVj6NAIZuH9lu08jexVbQLJKKmIjYUkt+pLk:RRhHUKGTSXzuBjVZNNelu0FCI

Score
10/10
formbookd6izratspywarestealertrojan

Malware Config

Extracted

Family

formbook

Campaign

d6iz

Decoy

FkA/Rc+zw+0paU+GEiQh+g==

u54Xp6nujzFowU4P

EOvDCsjIcMgdORQ=

AuwHDKo90fNowU4P

pgyJWSAeSn6PEafn3w==

3uX1Rw+ed9vrNQ==

jF5ap2Dv9C1PwGrd2Q==

HO748Nunv9ftKA==

Y3nTdCLF3gspa0+HEiQh+g==

sTcJEshxAzXL5wGzPaA=

E/w4u2Vb6henwGrd2Q==

HyiDPgQFmbk/EuMX3D7NrWLX0XU=

E2QDkA/Sapg7+GJV8ULKrGLX0XU=

OSgyD3k1WHd+8vQc48OmEfvTww==

AVwcD5BnNY6o588P2A==

OghAuUYpwNlqf3CtJsAyRL5h

qQbNBg5d+StQ22hVZXWVOK0=

/+bLGhaIK8gdORQ=

2EwZLB/UCA4=

he9L+LfD0TAFfsIA0Q==

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Suspicious use of SetThreadContext 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 48 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 7 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3008
    • C:\Users\Admin\AppData\Local\Temp\Invoice 16-36-55.exe
      "C:\Users\Admin\AppData\Local\Temp\Invoice 16-36-55.exe"
      2⤵
      • Checks computer location settings
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4772
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\ilrVEAfwYEj.exe"
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1468
      • C:\Windows\SysWOW64\schtasks.exe
        "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ilrVEAfwYEj" /XML "C:\Users\Admin\AppData\Local\Temp\tmp1E36.tmp"
        3⤵
        • Creates scheduled task(s)
        PID:5032
      • C:\Users\Admin\AppData\Local\Temp\Invoice 16-36-55.exe
        "C:\Users\Admin\AppData\Local\Temp\Invoice 16-36-55.exe"
        3⤵
        • Checks computer location settings
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        PID:3900
    • C:\Windows\SysWOW64\msiexec.exe
      "C:\Windows\SysWOW64\msiexec.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Modifies Internet Explorer settings
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2968
      • C:\Program Files\Mozilla Firefox\Firefox.exe
        "C:\Program Files\Mozilla Firefox\Firefox.exe"
        3⤵
          PID:1504

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\tmp1E36.tmp
      Filesize

      1KB

      MD5

      f3f19cd5bf00b56d7de787c19ba98930

      SHA1

      0e5d346367f5371d04447962da15436a7b5b6cf9

      SHA256

      4462362d058ac0a3ed2f9c86d2b48580e8782ca7cbc23ca5e6a633451dd15cfc

      SHA512

      87f41cc4e37e5a6480d22bcf52bec13e8a25c1c46074561cbcaab12a8a2a7e43ef236010386ce4489ce8db3a025ec0b1836864d75c6d81edc5454d79bf82f810

      Download Submit

    • memory/1468-164-0x00000000070E0000-0x0000000007176000-memory.dmp

      Filesize

      600KB

      Download

    • memory/1468-148-0x00000000054B0000-0x0000000005516000-memory.dmp

      Filesize

      408KB

      Download

    • memory/1468-159-0x0000000006E60000-0x0000000006E7A000-memory.dmp

      Filesize

      104KB

      Download

    • memory/1468-158-0x00000000074A0000-0x0000000007B1A000-memory.dmp

      Filesize

      6.5MB

      Download

    • memory/1468-157-0x0000000006100000-0x000000000611E000-memory.dmp

      Filesize

      120KB

      Download

    • memory/1468-156-0x0000000071180000-0x00000000711CC000-memory.dmp

      Filesize

      304KB

      Download

    • memory/1468-140-0x0000000002240000-0x0000000002276000-memory.dmp

      Filesize

      216KB

      Download

    • memory/1468-170-0x0000000007180000-0x0000000007188000-memory.dmp

      Filesize

      32KB

      Download

    • memory/1468-143-0x0000000004E10000-0x0000000005438000-memory.dmp

      Filesize

      6.2MB

      Download

    • memory/1468-169-0x00000000071A0000-0x00000000071BA000-memory.dmp

      Filesize

      104KB

      Download

    • memory/1468-168-0x0000000007090000-0x000000000709E000-memory.dmp

      Filesize

      56KB

      Download

    • memory/1468-146-0x0000000004CA0000-0x0000000004CC2000-memory.dmp

      Filesize

      136KB

      Download

    • memory/1468-160-0x0000000006ED0000-0x0000000006EDA000-memory.dmp

      Filesize

      40KB

      Download

    • memory/1468-155-0x0000000006120000-0x0000000006152000-memory.dmp

      Filesize

      200KB

      Download

    • memory/1468-151-0x0000000005B40000-0x0000000005B5E000-memory.dmp

      Filesize

      120KB

      Download

    • memory/2968-166-0x0000000000B90000-0x0000000000BBD000-memory.dmp

      Filesize

      180KB

      Download

    • memory/2968-165-0x0000000000DD0000-0x0000000000DE2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/2968-167-0x0000000002C60000-0x0000000002FAA000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/2968-171-0x0000000002FB0000-0x000000000303F000-memory.dmp

      Filesize

      572KB

      Download

    • memory/2968-172-0x0000000000B90000-0x0000000000BBD000-memory.dmp

      Filesize

      180KB

      Download

    • memory/3008-154-0x0000000002730000-0x0000000002806000-memory.dmp

      Filesize

      856KB

      Download

    • memory/3008-173-0x00000000079C0000-0x0000000007A53000-memory.dmp

      Filesize

      588KB

      Download

    • memory/3008-174-0x00000000079C0000-0x0000000007A53000-memory.dmp

      Filesize

      588KB

      Download

    • memory/3900-144-0x0000000000400000-0x000000000042F000-memory.dmp

      Filesize

      188KB

      Download

    • memory/3900-162-0x0000000000400000-0x000000000042F000-memory.dmp

      Filesize

      188KB

      Download

    • memory/3900-163-0x0000000000401000-0x000000000042F000-memory.dmp

      Filesize

      184KB

      Download

    • memory/3900-153-0x0000000000D70000-0x0000000000D80000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3900-152-0x00000000012E0000-0x000000000162A000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/3900-149-0x0000000000401000-0x000000000042F000-memory.dmp

      Filesize

      184KB

      Download

    • memory/3900-147-0x0000000000400000-0x000000000042F000-memory.dmp

      Filesize

      188KB

      Download

    • memory/4772-132-0x0000000000F10000-0x0000000000FFC000-memory.dmp

      Filesize

      944KB

      Download

    • memory/4772-134-0x0000000005A00000-0x0000000005A92000-memory.dmp

      Filesize

      584KB

      Download

    • memory/4772-133-0x0000000005F10000-0x00000000064B4000-memory.dmp

      Filesize

      5.6MB

      Download

    • memory/4772-137-0x0000000008810000-0x0000000008876000-memory.dmp

      Filesize

      408KB

      Download

    • memory/4772-136-0x0000000008400000-0x000000000849C000-memory.dmp

      Filesize

      624KB

      Download

    • memory/4772-135-0x0000000005990000-0x000000000599A000-memory.dmp

      Filesize

      40KB

      Download