Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

Official P...22.exe

windows7-x64

10

Official P...22.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    152s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    19/12/2022, 08:39

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Official Purchase Order 121322.exe

  • Size

    1019KB

  • MD5

    9e40b98924b94ea375faf0bccf2609ee

  • SHA1

    bbb2330799adfffd534505aac9ac112e16f7fc8e

  • SHA256

    4b4faaccc4842d408c3caad47e364f69dad51765ab242e4dc8c97de0cd190ddc

  • SHA512

    c2a3f6653962664b1d830edee1c84ac9a62e1d908b647c6f88f1b21837c3316177c445ea2af17c0326e79d9bf3b5d4b266fbbb3a87b2eb12ffa1cc972a23b9db

  • SSDEEP

    24576:wGTgVIYba1JXh+Q/Fkq1SW0vQ2lBS4G3r5/oOi3bJhxVsWy:wGT6Iz3RJtkqh0vQ2

Score
10/10
formbooksnkyratspywarestealertrojan

Malware Config

Extracted

Family

formbook

Campaign

snky

Decoy

AiMFvkl6+A4HEgZ99q5x4naN7lGmvJo=

tvj/KUTKeKgxszIemQ==

DTrTokBrjB5leF4=

tPeTOuIjJPtH

taxtMdIygEdpskxzOQ2ZjoAEeA==

CxLuaKAFRrJyuIqQUPbhZw==

Tn4fapT5kPmk1H0gpXQ=

h5p8hDqGSiRzdSbV

i3lg8tbRNRU6jC9pQSOxzHYZgpbnOKBx

EwbfBo6m+UXU2qaVUPbhZw==

WpeenFSMquJ3xXD1/b43

niV5qTFu3tfmcgrI

fqyyyElbdxWswJ7A

Lh7o92ZOr4ghbwvK

Y2RYMDue4x+KszIemQ==

lN3Y3z5AS85eah1MDvfFQQA=

uq+Oqh8MNRxHOOkqA9lqYEZZhJU=

FEtGDeGnnRoSQEM=

TkMlruotvsmtpFwg6shr03LjwMWGow==

7PGx8hNMep8EMj5Q39dsq16IbbaIrA==

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • Blocklisted process makes network request 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Loads dropped DLL 1 IoCs
  • Suspicious use of SetThreadContext 4 IoCs
  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 20 IoCs
  • Suspicious behavior: MapViewOfSection 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SendNotifyMessage 2 IoCs
  • Suspicious use of WriteProcessMemory 27 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:1216
    • C:\Users\Admin\AppData\Local\Temp\Official Purchase Order 121322.exe
      "C:\Users\Admin\AppData\Local\Temp\Official Purchase Order 121322.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1848
      • C:\Users\Admin\AppData\Local\Temp\Official Purchase Order 121322.exe
        "C:\Users\Admin\AppData\Local\Temp\Official Purchase Order 121322.exe"
        3⤵
          PID:1708
        • C:\Users\Admin\AppData\Local\Temp\Official Purchase Order 121322.exe
          "C:\Users\Admin\AppData\Local\Temp\Official Purchase Order 121322.exe"
          3⤵
            PID:1308
          • C:\Users\Admin\AppData\Local\Temp\Official Purchase Order 121322.exe
            "C:\Users\Admin\AppData\Local\Temp\Official Purchase Order 121322.exe"
            3⤵
            • Checks computer location settings
            • Suspicious use of SetThreadContext
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious behavior: MapViewOfSection
            • Suspicious use of AdjustPrivilegeToken
            PID:1304
        • C:\Windows\SysWOW64\autochk.exe
          "C:\Windows\SysWOW64\autochk.exe"
          2⤵
            PID:1760
          • C:\Windows\SysWOW64\autochk.exe
            "C:\Windows\SysWOW64\autochk.exe"
            2⤵
              PID:1008
            • C:\Windows\SysWOW64\msiexec.exe
              "C:\Windows\SysWOW64\msiexec.exe"
              2⤵
              • Blocklisted process makes network request
              • Loads dropped DLL
              • Suspicious use of SetThreadContext
              • Modifies Internet Explorer settings
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious behavior: MapViewOfSection
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:320
              • C:\Program Files\Mozilla Firefox\Firefox.exe
                "C:\Program Files\Mozilla Firefox\Firefox.exe"
                3⤵
                  PID:1564

            Network

            MITRE ATT&CK Enterprise v6

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • \Users\Admin\AppData\Local\Temp\sqlite3.dll
              Filesize

              904KB

              MD5

              5e5ba61531d74e45b11cadb79e7394a1

              SHA1

              677224e14aac9dd35f367d5eb1704b36e69356b8

              SHA256

              99e91ae250c955bd403ec1a2321d6b11fcb715bdcc7cb3f63ffb46b349afde5c

              SHA512

              712bfe419ba97ecf0ec8323a68743013e8c767da9d986f74ab94d2a395c3086cac2a5823048e0022d3bbcebb55281b9e1f8c87fdc9295c70cc5521b57850bf46

              Download Submit

            • memory/320-86-0x0000000000090000-0x00000000000BD000-memory.dmp

              Filesize

              180KB

              Download

            • memory/320-84-0x0000000001F10000-0x0000000001F9F000-memory.dmp

              Filesize

              572KB

              Download

            • memory/320-83-0x00000000020A0000-0x00000000023A3000-memory.dmp

              Filesize

              3.0MB

              Download

            • memory/320-82-0x0000000000090000-0x00000000000BD000-memory.dmp

              Filesize

              180KB

              Download

            • memory/320-81-0x0000000000630000-0x0000000000644000-memory.dmp

              Filesize

              80KB

              Download

            • memory/1216-72-0x0000000004B50000-0x0000000004C17000-memory.dmp

              Filesize

              796KB

              Download

            • memory/1216-87-0x0000000004D70000-0x0000000004E26000-memory.dmp

              Filesize

              728KB

              Download

            • memory/1216-85-0x0000000004D70000-0x0000000004E26000-memory.dmp

              Filesize

              728KB

              Download

            • memory/1216-76-0x0000000004C20000-0x0000000004D6E000-memory.dmp

              Filesize

              1.3MB

              Download

            • memory/1304-70-0x0000000000422000-0x0000000000424000-memory.dmp

              Filesize

              8KB

              Download

            • memory/1304-69-0x0000000000870000-0x0000000000B73000-memory.dmp

              Filesize

              3.0MB

              Download

            • memory/1304-60-0x0000000000400000-0x000000000042E000-memory.dmp

              Filesize

              184KB

              Download

            • memory/1304-71-0x00000000001B0000-0x00000000001C0000-memory.dmp

              Filesize

              64KB

              Download

            • memory/1304-67-0x0000000000400000-0x000000000042E000-memory.dmp

              Filesize

              184KB

              Download

            • memory/1304-74-0x0000000000422000-0x0000000000424000-memory.dmp

              Filesize

              8KB

              Download

            • memory/1304-75-0x00000000002B0000-0x00000000002C0000-memory.dmp

              Filesize

              64KB

              Download

            • memory/1304-66-0x0000000000400000-0x000000000042E000-memory.dmp

              Filesize

              184KB

              Download

            • memory/1304-68-0x0000000000401000-0x000000000042E000-memory.dmp

              Filesize

              180KB

              Download

            • memory/1304-78-0x0000000000400000-0x000000000042E000-memory.dmp

              Filesize

              184KB

              Download

            • memory/1304-79-0x0000000000401000-0x000000000042E000-memory.dmp

              Filesize

              180KB

              Download

            • memory/1304-63-0x0000000000400000-0x000000000042E000-memory.dmp

              Filesize

              184KB

              Download

            • memory/1304-61-0x0000000000400000-0x000000000042E000-memory.dmp

              Filesize

              184KB

              Download

            • memory/1848-54-0x0000000000010000-0x0000000000116000-memory.dmp

              Filesize

              1.0MB

              Download

            • memory/1848-59-0x0000000004E30000-0x0000000004E8C000-memory.dmp

              Filesize

              368KB

              Download

            • memory/1848-58-0x0000000005F10000-0x0000000005FA6000-memory.dmp

              Filesize

              600KB

              Download

            • memory/1848-57-0x00000000006B0000-0x00000000006BE000-memory.dmp

              Filesize

              56KB

              Download

            • memory/1848-56-0x0000000000640000-0x0000000000652000-memory.dmp

              Filesize

              72KB

              Download

            • memory/1848-55-0x0000000076091000-0x0000000076093000-memory.dmp

              Filesize

              8KB

              Download