Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

payload.exe

windows7-x64

10

payload.exe

windows10-2004-x64

10

Resubmissions

18/10/2022, 20:13

221018-yzmhxadee7 10

18/10/2022, 14:28

221018-rs73psgba7 10

Analysis

  • max time kernel
    149s
  • max time network
    152s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    18/10/2022, 14:28

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    payload.exe

  • Size

    185KB

  • MD5

    14382242e215d139c77c0ee9bb0c7ad6

  • SHA1

    3951322a28787e4757fd3715d518103d6c054960

  • SHA256

    5017913bca4c5c1eaf5646e3983f9d8fc4e52f4a66406f46f3029952ae1fde70

  • SHA512

    1f4eef4d4685ca466702b45fa163e31089c031d2c491b4a14279bf28cba64a1aada928536df2970399510c4efb093ab08c7a05f0223fde66e751e20c26e07a4b

  • SSDEEP

    3072:yXoVNpuuK+ArjKxjCpZomp/04AkJmHrwF8gUdSl5xCZqnr/xA3unPu:bfp5SZow/04tUuUdeSqri3gu

Score
10/10
formbookknntratspywarestealertrojan

Malware Config

Extracted

Family

formbook

Campaign

knnt

Decoy

65SBubRb0cQTZyel+RrmtuIytWG7hIY=

lxY8gZLYuXPYl40/

IBCcbQLOUkWVL3cA/DkK2ei+vuKlXA==

4Lo6dar405m4hxqWl58sOc0=

4KyQBqNrzYWTI6Iv016m7BZVvuKlXA==

PyCmasPI0Lj0JTU=

hnoGNwDmybXus0PVH2S1Td2l0ZTJ

s4CRDagqgmaCo9bOBD4i

T5IbS3G46ZbN8RncbsWuAiWl0ZTJ

2vxQ/T6e+7vkjz9yriaOpBbO8bYapwAu

55558Jha4dgR7PCZrQ==

O9KAFJVY3c4V1Xi2rEGne4ZMtSY=

ZPih22lkYU3Yl40/

mCc1tbkLsWeH

MpbgOtnQvGu9jQ==

D6uAq4Gdj3UEkzmKkCOIW4BG

A3rp8NpDzp2Q

4WMaDz2Ff26SfX5xEaABgk0WTQ==

G16+qE5AFMf20h0PxfsyLIZMtSY=

az44qCVNL8dm2vG/nuEbI3K46HT5K44=

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Loads dropped DLL 1 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 26 IoCs
  • Suspicious behavior: MapViewOfSection 7 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SendNotifyMessage 2 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:1276
    • C:\Users\Admin\AppData\Local\Temp\payload.exe
      "C:\Users\Admin\AppData\Local\Temp\payload.exe"
      2⤵
      • Checks computer location settings
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      PID:1576
    • C:\Windows\SysWOW64\control.exe
      "C:\Windows\SysWOW64\control.exe"
      2⤵
      • Loads dropped DLL
      • Suspicious use of SetThreadContext
      • Modifies Internet Explorer settings
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:748
      • C:\Program Files\Mozilla Firefox\Firefox.exe
        "C:\Program Files\Mozilla Firefox\Firefox.exe"
        3⤵
          PID:1968

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • \Users\Admin\AppData\Local\Temp\sqlite3.dll
      Filesize

      1.0MB

      MD5

      f1e5f58f9eb43ecec773acbdb410b888

      SHA1

      f1b8076b0bbde696694bbc0ab259a77893839464

      SHA256

      a15fd84ee61b54c92bb099dfb78226548f43d550c67fb6adf4cce3d064ab1c14

      SHA512

      0aff96430dd99bb227285fefc258014c301f85216c84e40f45702d26cdd7e77261a41fd3811d686f5fb2ee363cc651a014e8ffa339384004cece645a36486456

      Download Submit

    • memory/748-63-0x0000000000340000-0x00000000003CF000-memory.dmp

      Filesize

      572KB

      Download

    • memory/748-59-0x0000000075B11000-0x0000000075B13000-memory.dmp

      Filesize

      8KB

      Download

    • memory/748-61-0x0000000000080000-0x00000000000AD000-memory.dmp

      Filesize

      180KB

      Download

    • memory/748-60-0x0000000000320000-0x000000000033F000-memory.dmp

      Filesize

      124KB

      Download

    • memory/748-62-0x0000000002110000-0x0000000002413000-memory.dmp

      Filesize

      3.0MB

      Download

    • memory/748-65-0x0000000000080000-0x00000000000AD000-memory.dmp

      Filesize

      180KB

      Download

    • memory/1276-57-0x0000000006AD0000-0x0000000006C50000-memory.dmp

      Filesize

      1.5MB

      Download

    • memory/1276-64-0x00000000063F0000-0x0000000006497000-memory.dmp

      Filesize

      668KB

      Download

    • memory/1276-66-0x00000000063F0000-0x0000000006497000-memory.dmp

      Filesize

      668KB

      Download

    • memory/1576-56-0x0000000000070000-0x0000000000080000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1576-54-0x00000000003A0000-0x00000000003CF000-memory.dmp

      Filesize

      188KB

      Download

    • memory/1576-55-0x0000000000890000-0x0000000000B93000-memory.dmp

      Filesize

      3.0MB

      Download