Analysis
Max time kernel: 151s
Max time network: 152s
Platform: windows10-2004_x64
Resource: win10v2004-20221111-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 08/02/2023, 17:30
Static task: static1
Behavioral task: behavioral1
Sample: Payment-Advice.exe
Resource: win7-20221111-en
General
Target: Payment-Advice.exe
Size: 2.6MB
MD5: 3e416710f120b91849b1878d07ecacd0
SHA1: 71eb6640520773803b0201cf4466ff57cb3ac81f
SHA256: a56fd898ced9c080955b0ee12f4d652bd1b74ddde43470e94033a288e2b97dfc
SHA512: 3dd24bbff081711efb22f9c4b056e820fbbb45722ef911c7b9bf68b91ed436b2f16af95d2970b29c1d77858f922b4e91b8f2d61856d06d31731de983a796b451
SSDEEP: 49152:l0LiB3F6szZwltsrSKYsbCNICNfoAgQflqB:l3F62ZwDqSsbODNfoAgqK
Malware Config
Extracted
Family: formbook
Version: 4.1
Campaign: gune
C2 domains (a Formbook config carries one live C2 hidden among decoy entries, and decoys are frequently legitimate registered sites; treat the list as a whole as an indicator of this build, not as proof that each domain is malicious):
artentarn.net
allstarpurchaslng.com
lendhave.quest
3yza.com
qpyikn.shop
play-fortuna-win-15.top
jaspergirl.store
naranjacanelaymiel.online
hiddenvalley-farms.com
gas-grills-66023.com
fp-wp.com
livepix.ltda
liholagroup.com
erlinjobs.com
doctorhooper.net
sggwmdkk.shop
ujuyzw.shop
gameclubzeed.com
myhomewish.com
ontopageone.com
startupsoffering.site
lametododemiguel37.site
premiumofadvertify.info
remarkabledeals.net
crazycoingame.com
allaimages.com
langesjewelry.com
jamtopia.xyz
kunstraum3003.com
oneconclave.com
loversheart.mom
sardegnasolare.com
philippevieux.net
emagrecacomsaude.life
mxs-lv.shop
thewildfire.capetown
pm4xe.xyz
saadev.games
irecoveryinc.com
futurdefs.com
u-too.solar
clabbery.pro
mgsiren.com
moshi-moshi-store.com
louisapham-storegame.site
hebdmt.com
grompert.com
gkfesta.store
briskwinds.com
amazingdigitalart.online
kingfisher-outdoors.com
characterai.dev
291489.com
bombbash.com
domight.live
cqetciso.com
calumniato.com
shandongfangba.com
d22c2.com
cool-video-games.net
digital-marketing-works-1.life
novadeyelopment.com
orneksite.online
instant-ontvangst.info
tylermarkconforti.com
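The extracted domain list is most useful once it is turned into a lookup and run against DNS or proxy telemetry. The following is an added example, not part of the sandbox report: it copies a subset of the domains above into a set, normalises queried names (case, trailing dot, port), matches a host against the list by walking its labels towards the apex so that subdomains of a listed domain also hit, and scans constructed dnsmasq-style log lines (not from the report) for matches.

```python
"""Match DNS queries against the domain list extracted from the Formbook config.

Added example, not part of the sandbox report: the domains are a subset copied
from the extracted config, the log lines are constructed for the demonstration.
"""
import re
from typing import Iterable, List, Optional, Tuple

# Subset of the extracted config's domain list (copied from the report).
FORMBOOK_C2_DOMAINS = frozenset({
    "artentarn.net", "allstarpurchaslng.com", "lendhave.quest", "3yza.com",
    "qpyikn.shop", "play-fortuna-win-15.top", "jaspergirl.store",
    "naranjacanelaymiel.online", "hiddenvalley-farms.com", "gas-grills-66023.com",
    "characterai.dev", "291489.com", "loversheart.mom", "tylermarkconforti.com",
})

# Constructed dnsmasq-style log lines (not from the report).
SAMPLE_DNS_LOG = """\
Feb  8 17:31:02 dns dnsmasq[812]: query[A] www.allstarpurchaslng.com from 10.0.0.23
Feb  8 17:31:03 dns dnsmasq[812]: query[A] update.microsoft.com from 10.0.0.23
Feb  8 17:31:05 dns dnsmasq[812]: query[A] 291489.com. from 10.0.0.23
Feb  8 17:31:07 dns dnsmasq[812]: query[A] notartentarn.net from 10.0.0.41
Feb  8 17:31:09 dns dnsmasq[812]: query[AAAA] WWW.CharacterAI.dev from 10.0.0.41
"""

QUERY_RE = re.compile(r"query\[\w+\] (?P<host>\S+) from (?P<client>\S+)")


def normalize(host: str) -> str:
    """Lower-case, drop a trailing dot (FQDN form) and any :port suffix."""
    return host.strip().lower().rstrip(".").split(":", 1)[0]


def matches_c2(host: str, domains=FORMBOOK_C2_DOMAINS) -> Optional[str]:
    """Return the config domain that `host` equals or is a subdomain of, else None.

    Walks label by label from the full name towards the apex (a.b.c -> b.c),
    so www.example.com matches example.com but notexample.com does not.
    """
    labels = normalize(host).split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in domains:
            return candidate
    return None


def defang(host: str) -> str:
    """Render a domain so it cannot be clicked or auto-resolved in a report."""
    return host.replace(".", "[.]")


def scan_dns_log(lines: Iterable[str]) -> List[Tuple[str, str, str]]:
    """Return (client, queried host, matched config domain) for every hit."""
    hits = []
    for line in lines:
        m = QUERY_RE.search(line)
        if not m:
            continue
        matched = matches_c2(m["host"])
        if matched:
            hits.append((m["client"], normalize(m["host"]), matched))
    return hits


if __name__ == "__main__":
    for client, host, domain in scan_dns_log(SAMPLE_DNS_LOG.splitlines()):
        print(f"{client} queried {defang(host)} (config domain {defang(domain)})")
```

Because most entries in a Formbook list are decoys and some are real businesses, a hit on one of these domains is a lead to pivot on (which host, which process, what was sent), not a conviction by itself; the match against the whole list is what ties traffic to this build.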
Signatures

Formbook payload (4 IoCs)
  resource                                                                      yara_rule
  behavioral2/memory/2792-143-0x0000000000400000-0x000000000042F000-memory.dmp   formbook
  behavioral2/memory/2792-149-0x0000000000400000-0x000000000042F000-memory.dmp   formbook
  behavioral2/memory/4688-151-0x00000000010B0000-0x00000000010DF000-memory.dmp   formbook
  behavioral2/memory/4688-154-0x00000000010B0000-0x00000000010DF000-memory.dmp   formbook
  The rule hits only on the 0x2F000-byte unpacked images inside MSBuild.exe (PID 2792) and msiexec.exe (PID 4688), not on Payment-Advice.exe itself: the Formbook payload exists only in the processes the dropper injected into.

Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  description         ioc                                                                                                   Process
  Key value queried   \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation   Payment-Advice.exe

Suspicious use of SetThreadContext (3 IoCs)
  description                           pid    Process              procid_target
  PID 1952 set thread context of 2792   1952   Payment-Advice.exe   84
  PID 2792 set thread context of 2532   2792   MSBuild.exe          40
  PID 4688 set thread context of 2532   4688   msiexec.exe          40
  procid_target is the report's internal process index; in the process tree 2792 is MSBuild.exe and 2532 is Explorer.EXE.

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
  No IoC rows are listed for this signature and the description is the sandbox's generic text for the heuristic; the extracted config identifies the sample as Formbook, an information stealer, so "ransomware" here is not a verdict on this sample.

Suspicious behavior: EnumeratesProcesses (50 IoCs)
  pid    Process          occurrences
  5080   powershell.exe   2
  2792   MSBuild.exe      4
  4688   msiexec.exe      44

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  pid    Process
  2532   Explorer.EXE

Suspicious behavior: MapViewOfSection (5 IoCs)
  pid    Process       occurrences
  2792   MSBuild.exe   3
  4688   msiexec.exe   2

Suspicious use of AdjustPrivilegeToken (4 IoCs)
  description               pid    Process
  Token: SeDebugPrivilege   1952   Payment-Advice.exe
  Token: SeDebugPrivilege   5080   powershell.exe
  Token: SeDebugPrivilege   2792   MSBuild.exe
  Token: SeDebugPrivilege   4688   msiexec.exe

Suspicious use of WriteProcessMemory (15 IoCs)
  description                        pid    Process              procid_target   occurrences
  PID 1952 wrote to memory of 5080   1952   Payment-Advice.exe   81              3
  PID 1952 wrote to memory of 2792   1952   Payment-Advice.exe   84              6
  PID 2532 wrote to memory of 4688   2532   Explorer.EXE         85              3
  PID 4688 wrote to memory of 3856   4688   msiexec.exe          86              3
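Read together, the SetThreadContext and WriteProcessMemory rows describe the injection chain: the pair that is both written to and has a thread context reset by the same source is the hollowed host, and following SetThreadContext edges from the sample shows where execution was redirected. The following is an added example, not part of the sandbox report: it copies one row per distinct edge from the two tables above, parses them, and reconstructs the chain; the parsing and graph logic are the editor's, not Triage's.

```python
"""Rebuild the injection chain from the SetThreadContext / WriteProcessMemory rows.

Added example, not part of the sandbox report: the rows are copied from the
signature tables (one row per distinct edge), the parsing and graph logic are
the editor's.
"""
import re
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# pid -> image name, taken from the report's process tree.
PROCESS_NAMES = {
    2532: "Explorer.EXE", 1952: "Payment-Advice.exe", 5080: "powershell.exe",
    2792: "MSBuild.exe", 4688: "msiexec.exe", 3856: "cmd.exe",
}

SET_THREAD_CONTEXT_ROWS = [
    "PID 1952 set thread context of 2792 1952 Payment-Advice.exe 84",
    "PID 2792 set thread context of 2532 2792 MSBuild.exe 40",
    "PID 4688 set thread context of 2532 4688 msiexec.exe 40",
]
WRITE_PROCESS_MEMORY_ROWS = [
    "PID 1952 wrote to memory of 5080 1952 Payment-Advice.exe 81",
    "PID 1952 wrote to memory of 2792 1952 Payment-Advice.exe 84",
    "PID 2532 wrote to memory of 4688 2532 Explorer.EXE 85",
    "PID 4688 wrote to memory of 3856 4688 msiexec.exe 86",
]

ROW_RE = re.compile(
    r"PID (?P<src>\d+) (?P<kind>set thread context of|wrote to memory of) (?P<dst>\d+)"
)

Edge = Tuple[int, int, str]  # (source pid, target pid, "stc" | "wpm")


def parse_rows(rows: List[str]) -> List[Edge]:
    """Turn the report's description strings into (src, dst, kind) edges."""
    edges = []
    for row in rows:
        m = ROW_RE.search(row)
        if not m:
            raise ValueError(f"unrecognised row: {row!r}")
        kind = "stc" if m["kind"].startswith("set thread") else "wpm"
        edges.append((int(m["src"]), int(m["dst"]), kind))
    return edges


def edge_kinds(edges: List[Edge]) -> Dict[Tuple[int, int], Set[str]]:
    """Map each (src, dst) pair to the set of API kinds observed on it."""
    kinds: Dict[Tuple[int, int], Set[str]] = defaultdict(set)
    for src, dst, kind in edges:
        kinds[(src, dst)].add(kind)
    return dict(kinds)


def hollowing_candidates(edges: List[Edge]) -> Set[Tuple[int, int]]:
    """Pairs where the source both wrote the target's memory and reset one of its
    thread contexts: write payload, then redirect a thread into it.  A write on
    its own is weak evidence (the powershell.exe and cmd.exe rows are plain
    spawns); a context reset on its own is thread hijacking of a live process."""
    return {pair for pair, kinds in edge_kinds(edges).items() if kinds == {"stc", "wpm"}}


def thread_hijack_chain(edges: List[Edge], start: int) -> List[int]:
    """Follow SetThreadContext edges from `start` until a dead end or a cycle."""
    nxt = {src: dst for src, dst, kind in edges if kind == "stc"}
    chain, seen = [start], {start}
    while chain[-1] in nxt and nxt[chain[-1]] not in seen:
        chain.append(nxt[chain[-1]])
        seen.add(chain[-1])
    return chain


def describe(chain: List[int]) -> str:
    """Render a pid chain with image names, e.g. 'a.exe(1) -> b.exe(2)'."""
    return " -> ".join(f"{PROCESS_NAMES.get(pid, '?')}({pid})" for pid in chain)


if __name__ == "__main__":
    edges = parse_rows(SET_THREAD_CONTEXT_ROWS + WRITE_PROCESS_MEMORY_ROWS)
    for src, dst in sorted(hollowing_candidates(edges)):
        print("hollowed host:", describe([src, dst]))
    print("from the sample:", describe(thread_hijack_chain(edges, 1952)))
    print("from msiexec.exe:", describe(thread_hijack_chain(edges, 4688)))
```

On this report the only write-plus-context-reset pair is Payment-Advice.exe into MSBuild.exe, and the SetThreadContext chain from the sample ends at Explorer.EXE, which is then the parent that starts and writes into msiexec.exe; the same logic applied to a full Triage export would flag the same pattern in other reports.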
Processes

C:\Windows\Explorer.EXE   (PID 2532)
  command line: C:\Windows\Explorer.EXE
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of WriteProcessMemory
  Explorer.EXE is the root of the tree because the sandbox launches the sample from the desktop; its own flagged behaviour comes from the Formbook code injected into it later.

  C:\Users\Admin\AppData\Local\Temp\Payment-Advice.exe   (PID 1952)
    command line: "C:\Users\Admin\AppData\Local\Temp\Payment-Advice.exe"
    - Checks computer location settings
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe   (PID 5080)
      command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMgAwAA==
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      The -ENC argument is base64 of the UTF-16LE string "start-sleep -seconds 20", a 20-second delay before the dropper continues. The image path is under SysWOW64 although the command line names System32: the dropper is 32-bit, so WOW64 file system redirection maps the path to the 32-bit PowerShell.

    C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe   (PID 2792)
      command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe purecrypter.exe
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
      MSBuild.exe (32-bit .NET host) is the process the dropper hollows (WriteProcessMemory and SetThreadContext from PID 1952); the Formbook YARA rule fires on its memory. Its only argument is the literal string purecrypter.exe, the name of a commercial .NET loader; the report does not identify the loader stage further.

  C:\Windows\SysWOW64\msiexec.exe   (PID 4688)
    command line: "C:\Windows\SysWOW64\msiexec.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    msiexec.exe is a child of Explorer.EXE, not of the sample: the payload in MSBuild.exe hijacks an Explorer thread (SetThreadContext of 2532), Explorer then starts msiexec.exe and writes into it, and msiexec.exe becomes the second Formbook host that the YARA rule matches. This Explorer-spawned system process is the one to look for in EDR telemetry.

    C:\Windows\SysWOW64\cmd.exe   (PID 3856)
      command line: /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
      Cleanup attempt against the first host's image. MSBuild.exe is a TrustedInstaller-owned system file, so the delete would normally fail; the report does not show its outcome.
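The -ENC value in the powershell.exe node is the kind of argument an analyst decodes by hand many times a day. The following is an added example, not part of the sandbox report: it copies the encoded string from the command line above, recognises the switch in any of the abbreviated spellings powershell.exe accepts, and decodes it as UTF-16LE; the flag-matching regex and the decoder are the editor's.

```python
"""Decode a PowerShell -EncodedCommand argument such as the one in the process tree.

Added example, not part of the sandbox report: the encoded string is copied from
the powershell.exe command line; the flag matching and decoding are the editor's.
"""
import base64
import re
from typing import Optional

ENCODED_FROM_REPORT = "cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMgAwAA=="

# powershell.exe accepts any unambiguous prefix of -EncodedCommand (-e, -ec,
# -enc, -encoded, ...), case-insensitively, with - or / as the switch character.
# Longest alternatives go first so -encodedcommand is not cut short at -e.
_PREFIXES = sorted({"encodedcommand"[:i] for i in range(1, 15)} | {"ec"},
                   key=len, reverse=True)
ENC_FLAG_RE = re.compile(
    r"(?i)(?:^|\s)[-/](?:" + "|".join(_PREFIXES) + r")\s+(?P<b64>[A-Za-z0-9+/=]+)"
)


def decode_encoded_command(b64: str) -> str:
    """Base64-decode and interpret as UTF-16LE, which is what PowerShell uses."""
    b64 = b64.strip()
    b64 += "=" * (-len(b64) % 4)  # tolerate padding stripped by log pipelines
    raw = base64.b64decode(b64, validate=True)
    if len(raw) % 2:
        raise ValueError("odd byte count: not a UTF-16LE PowerShell command")
    return raw.decode("utf-16-le")


def extract_encoded_command(cmdline: str) -> Optional[str]:
    """Find the encoded-command switch in a full command line and decode its value."""
    m = ENC_FLAG_RE.search(cmdline)
    return decode_encoded_command(m["b64"]) if m else None


if __name__ == "__main__":
    cmd = (r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC '
           + ENCODED_FROM_REPORT)
    print(extract_encoded_command(cmd))
```

The odd-byte-count check matters in practice: a base64 blob that is not UTF-16LE (a script file, a second-stage binary) should be reported as such rather than decoded into mojibake, and the prefix list is why a detection keyed only on the literal "-EncodedCommand" misses "-e" and "-ec" invocations.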