Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

6546a7ea06...35.exe

windows7-x64

10

6546a7ea06...35.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    141s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    04/01/2023, 07:16

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    6546a7ea064c3d9f64088e019d9886f58524c335.exe

  • Size

    836KB

  • MD5

    8ba209a4fa3662aa0bbe28789524a293

  • SHA1

    6546a7ea064c3d9f64088e019d9886f58524c335

  • SHA256

    34c78648a400263531a09c99c5979b2520b7705bede0b48773cd2ec5cb88cdd7

  • SHA512

    18ce206118e2bf27469afbdf275b99fc611028cb01c468405e9362725896954b5417ae7e72869b50e5489663b44a4b0bbfdeb93eb66afcf2b7ca7e4e2f4d65f4

  • SSDEEP

    12288:kF1ptxzc/f9C80BNM1o3t64Vhe7VulmSb9kLON9b5Wx:mnz2fE80BS1o3t5Vs7bqVN9k

Score
10/10
formbookg44nratspywarestealertrojan

Malware Config

Extracted

Family

formbook

Campaign

g44n

Decoy

t60gB4YRvsDLttd9HG4=

xck8G7COQ+g7VIpX

BQQF3mmpLPskhQ==

eLWwmzNyK6ee+nF1jDvvkxuSGA==

3tlgNOzw8BBjpNOQMnc=

nOpNEJhoU0h+00S9E1YfgA==

xcvTpljkjIyEdvhp+VcGFtJC

bZxOHr5CtzY4

rOD304X0u1DN/m7cbA==

Knixl0HJyEOOiNckwk8GFtJC

S4JMDRNTUAol

Vp9wSwNZSfY7VIpX

0Nf/zlrpmpahnM+tpkYGFtJC

joXsuHiBcVp88DHEHMA7

yN8i9ppoZYHSSaqqk6NZnQ==

4UFEMfyKhSB4UovzjdabqolwhFtMH1M=

d3RiRcXCeR8wlgjEHMA7

eMUS8PSBPCe2rPg=

LCsR0X328UuSAmlf

/keifSXopayqjLt1EWQ=

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\6546a7ea064c3d9f64088e019d9886f58524c335.exe
    "C:\Users\Admin\AppData\Local\Temp\6546a7ea064c3d9f64088e019d9886f58524c335.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2760
    • C:\Users\Admin\AppData\Local\Temp\6546a7ea064c3d9f64088e019d9886f58524c335.exe
      "C:\Users\Admin\AppData\Local\Temp\6546a7ea064c3d9f64088e019d9886f58524c335.exe"
      2⤵
        PID:3960
      • C:\Users\Admin\AppData\Local\Temp\6546a7ea064c3d9f64088e019d9886f58524c335.exe
        "C:\Users\Admin\AppData\Local\Temp\6546a7ea064c3d9f64088e019d9886f58524c335.exe"
        2⤵
        • Suspicious behavior: EnumeratesProcesses
        PID:5072

    Network

    MITRE ATT&CK Matrix

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/2760-132-0x00000000007C0000-0x0000000000894000-memory.dmp

      Filesize

      848KB

      Download

    • memory/2760-133-0x0000000005730000-0x0000000005CD4000-memory.dmp

      Filesize

      5.6MB

      Download

    • memory/2760-134-0x0000000005220000-0x00000000052B2000-memory.dmp

      Filesize

      584KB

      Download

    • memory/2760-135-0x0000000005410000-0x000000000541A000-memory.dmp

      Filesize

      40KB

      Download

    • memory/2760-136-0x00000000093E0000-0x000000000947C000-memory.dmp

      Filesize

      624KB

      Download

    • memory/5072-139-0x0000000000400000-0x000000000042F000-memory.dmp

      Filesize

      188KB

      Download

    • memory/5072-141-0x0000000000400000-0x000000000042F000-memory.dmp

      Filesize

      188KB

      Download

    • memory/5072-142-0x0000000000401000-0x000000000042F000-memory.dmp

      Filesize

      184KB

      Download

    • memory/5072-143-0x0000000001590000-0x00000000018DA000-memory.dmp

      Filesize

      3.3MB

      Download