Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
150s -
max time network
153s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
-
submitted
25/10/2022, 13:32
General
-
Target
formbook5.exe
-
Size
718KB
-
MD5
39cffb366d87292f4b5efecf69c32774
-
SHA1
104fe2e617556e97af1a6f5082bba003a8e9ff3d
-
SHA256
37e9f15077e6491eade2a03b73b9f48b0037c6995a5fbecdae7a942710d1dde1
-
SHA512
d508a86dc49fc5737904b23ceab055329ebf47dc77b119297a8d1fb6c1f17217a24ec0a714787e8dcda215381549a04d77d8212f0fd83ddcf1de545453d4078f
-
SSDEEP
12288:3hUWMtLdsIJ4Il6RXTTpbe0RRnT7QLtAeSfN5r5pHM2as8i9Rr5o7We:xhMtBsy6R82RnTEmewN5rr8i98
Malware Config
Extracted
formbook
4.1
gs25
real-food.store
marketdatalibrary.com
jolidens.space
ydental.info
tattoosbyjayinked.com
buytradesellpei.com
61983.xyz
identitysolver.xyz
mgfang.com
teizer.one
staychillax.com
ylanzarote.com
workte.net
maukigato.shop
coolbag.site
btya1r.com
dkhaohao.shop
zugaro.xyz
boon168.com
xn--80aeegahlwtdkp.com
Signatures
-
Formbook
Formbook is a data stealing malware which is capable of stealing data.
-
Formbook payload 4 IoCs
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Suspicious use of SetThreadContext 3 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 49 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious behavior: MapViewOfSection 5 IoCs
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
-
Suspicious use of WriteProcessMemory 15 IoCs
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\formbook5.exe"C:\Users\Admin\AppData\Local\Temp\formbook5.exe"2⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\YaFLXNhWEOOsy" /XML "C:\Users\Admin\AppData\Local\Temp\tmp38F2.tmp"3⤵
- Creates scheduled task(s)
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"{path}"3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\SysWOW64\autoconv.exe"C:\Windows\SysWOW64\autoconv.exe"2⤵
-
-
C:\Windows\SysWOW64\wscript.exe"C:\Windows\SysWOW64\wscript.exe"2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe/c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"3⤵
-
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD5ddf4decce0b0b03c0a310864f662b663
SHA1a27ccf1e20cec6395baba516e9ff2929506dd8a6
SHA256eb9a96964451ebe302f049a928046f0740673567f6780e04ad0c0394003a0253
SHA51231c7de13065a11486e07705b166db49a1c803a2786c185422ea44c36091fbc366f73931bc37ad34319c47d9f85609e23a6a583b7bd5416ba9ac8bc6d0744b310
-
Filesize
1.5MB
-
Filesize
1.4MB
-
Filesize
1.5MB
-
Filesize
1.4MB
-
Filesize
84KB
-
Filesize
188KB
-
Filesize
188KB
-
Filesize
3.3MB
-
Filesize
40KB
-
Filesize
624KB
-
Filesize
584KB
-
Filesize
5.6MB
-
Filesize
744KB
-
Filesize
188KB
-
Filesize
3.3MB
-
Filesize
156KB
-
Filesize
592KB
-
Filesize
188KB