Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

ETOS proje...ns.exe

windows7-x64

10

ETOS proje...ns.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    152s
  • max time network
    156s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    03/10/2022, 13:20

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ETOS project Specifications.exe

  • Size

    732KB

  • MD5

    2bf247b62106faa756c070c4e017d402

  • SHA1

    63ac2ac4e94d66d285968035c55f02917c419744

  • SHA256

    90afcb6b9e301d7081737182f7f3e3bff751ba972d161d8da5c24db1d0d36dc0

  • SHA512

    be7c4f17616124423de69e3e2846ce89192c9577111a81bbd13ddccbdb3cae20fd18a92ea6984198ad4e0c3b8b287e0c6df66a99b067ff745bfe177f8d9248f3

  • SSDEEP

    12288:MmAzQsRZDsItEVJ6AKJQ84lSt0/2V+4HPI/yCfJuZXLN1:+zQswikDD5lSt0+ZQKUJuZ7N

Score
10/10
formbookvo84ratspywarestealertrojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

vo84

Decoy

laurenciavachulova.one

sabuilders.store

masxot.xyz

matchfail.com

suararakyatnews.net

kykm.rest

richardsmartinezh.site

morehouseweneedyou.com

depressivepawnclub.xyz

yenilenme.net

allhiejralstore.com

9993808.com

sleepshastra.com

weplay-classic.com

propertyofpalestine.com

onirica.club

yohelios.com

fcorruption.com

tongdans.top

richmondmassage.store

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • Formbook payload 4 IoCs
    rat
  • Suspicious use of SetThreadContext 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 28 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of WriteProcessMemory
    PID:3092
    • C:\Users\Admin\AppData\Local\Temp\ETOS project Specifications.exe
      "C:\Users\Admin\AppData\Local\Temp\ETOS project Specifications.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:4764
      • C:\Users\Admin\AppData\Local\Temp\ETOS project Specifications.exe
        "C:\Users\Admin\AppData\Local\Temp\ETOS project Specifications.exe"
        3⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        PID:2180
    • C:\Windows\SysWOW64\wscript.exe
      "C:\Windows\SysWOW64\wscript.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3984
      • C:\Windows\SysWOW64\cmd.exe
        /c del "C:\Users\Admin\AppData\Local\Temp\ETOS project Specifications.exe"
        3⤵
          PID:2488

    Network

    MITRE ATT&CK Matrix

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/2180-142-0x0000000001410000-0x000000000175A000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/2180-143-0x0000000000F80000-0x0000000000F95000-memory.dmp

      Filesize

      84KB

      Download

    • memory/2180-139-0x0000000000400000-0x000000000042F000-memory.dmp

      Filesize

      188KB

      Download

    • memory/2180-141-0x0000000000400000-0x000000000042F000-memory.dmp

      Filesize

      188KB

      Download

    • memory/3092-153-0x00000000083B0000-0x0000000008531000-memory.dmp

      Filesize

      1.5MB

      Download

    • memory/3092-152-0x00000000083B0000-0x0000000008531000-memory.dmp

      Filesize

      1.5MB

      Download

    • memory/3092-144-0x0000000008260000-0x00000000083A8000-memory.dmp

      Filesize

      1.3MB

      Download

    • memory/3984-148-0x00000000025E0000-0x000000000292A000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/3984-147-0x0000000000170000-0x000000000019F000-memory.dmp

      Filesize

      188KB

      Download

    • memory/3984-146-0x00000000006B0000-0x00000000006D7000-memory.dmp

      Filesize

      156KB

      Download

    • memory/3984-149-0x0000000000170000-0x000000000019F000-memory.dmp

      Filesize

      188KB

      Download

    • memory/3984-151-0x0000000002440000-0x00000000024D4000-memory.dmp

      Filesize

      592KB

      Download

    • memory/4764-137-0x0000000007BA0000-0x0000000007C06000-memory.dmp

      Filesize

      408KB

      Download

    • memory/4764-136-0x0000000007B00000-0x0000000007B9C000-memory.dmp

      Filesize

      624KB

      Download

    • memory/4764-132-0x0000000000600000-0x00000000006BE000-memory.dmp

      Filesize

      760KB

      Download

    • memory/4764-135-0x0000000005050000-0x000000000505A000-memory.dmp

      Filesize

      40KB

      Download

    • memory/4764-134-0x0000000005080000-0x0000000005112000-memory.dmp

      Filesize

      584KB

      Download

    • memory/4764-133-0x0000000005630000-0x0000000005BD4000-memory.dmp

      Filesize

      5.6MB

      Download