Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

1

Payment-Advice.exe

windows7-x64

10

Payment-Advice.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    151s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
  • submitted
    08/02/2023, 17:30

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Payment-Advice.exe

  • Size

    2.6MB

  • MD5

    3e416710f120b91849b1878d07ecacd0

  • SHA1

    71eb6640520773803b0201cf4466ff57cb3ac81f

  • SHA256

    a56fd898ced9c080955b0ee12f4d652bd1b74ddde43470e94033a288e2b97dfc

  • SHA512

    3dd24bbff081711efb22f9c4b056e820fbbb45722ef911c7b9bf68b91ed436b2f16af95d2970b29c1d77858f922b4e91b8f2d61856d06d31731de983a796b451

  • SSDEEP

    49152:l0LiB3F6szZwltsrSKYsbCNICNfoAgQflqB:l3F62ZwDqSsbODNfoAgqK

Score
10/10
formbookguneratspywarestealertrojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

gune

Decoy

artentarn.net

allstarpurchaslng.com

lendhave.quest

3yza.com

qpyikn.shop

play-fortuna-win-15.top

jaspergirl.store

naranjacanelaymiel.online

hiddenvalley-farms.com

gas-grills-66023.com

fp-wp.com

livepix.ltda

liholagroup.com

erlinjobs.com

doctorhooper.net

sggwmdkk.shop

ujuyzw.shop

gameclubzeed.com

myhomewish.com

ontopageone.com

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • Formbook payload 4 IoCs
    rat
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Suspicious use of SetThreadContext 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 50 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of WriteProcessMemory
    PID:2532
    • C:\Users\Admin\AppData\Local\Temp\Payment-Advice.exe
      "C:\Users\Admin\AppData\Local\Temp\Payment-Advice.exe"
      2⤵
      • Checks computer location settings
      • Suspicious use of SetThreadContext
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1952
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMgAwAA==
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:5080
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe purecrypter.exe
        3⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        PID:2792
    • C:\Windows\SysWOW64\msiexec.exe
      "C:\Windows\SysWOW64\msiexec.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4688
      • C:\Windows\SysWOW64\cmd.exe
        /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        3⤵
          PID:3856

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/1952-133-0x0000000005AD0000-0x0000000005AF2000-memory.dmp

      Filesize

      136KB

      Download

    • memory/1952-132-0x0000000000BC0000-0x0000000000E64000-memory.dmp

      Filesize

      2.6MB

      Download

    • memory/2532-157-0x0000000008370000-0x0000000008489000-memory.dmp

      Filesize

      1.1MB

      Download

    • memory/2532-156-0x0000000008370000-0x0000000008489000-memory.dmp

      Filesize

      1.1MB

      Download

    • memory/2532-147-0x0000000008280000-0x0000000008367000-memory.dmp

      Filesize

      924KB

      Download

    • memory/2792-143-0x0000000000400000-0x000000000042F000-memory.dmp

      Filesize

      188KB

      Download

    • memory/2792-149-0x0000000000400000-0x000000000042F000-memory.dmp

      Filesize

      188KB

      Download

    • memory/2792-146-0x00000000017C0000-0x00000000017D4000-memory.dmp

      Filesize

      80KB

      Download

    • memory/2792-145-0x00000000017E0000-0x0000000001B2A000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/4688-150-0x00000000008A0000-0x00000000008B2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/4688-154-0x00000000010B0000-0x00000000010DF000-memory.dmp

      Filesize

      188KB

      Download

    • memory/4688-155-0x0000000002E70000-0x0000000002F03000-memory.dmp

      Filesize

      588KB

      Download

    • memory/4688-152-0x0000000003030000-0x000000000337A000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/4688-151-0x00000000010B0000-0x00000000010DF000-memory.dmp

      Filesize

      188KB

      Download

    • memory/5080-138-0x00000000054A0000-0x0000000005506000-memory.dmp

      Filesize

      408KB

      Download

    • memory/5080-137-0x0000000004D40000-0x0000000004DA6000-memory.dmp

      Filesize

      408KB

      Download

    • memory/5080-139-0x0000000005AE0000-0x0000000005AFE000-memory.dmp

      Filesize

      120KB

      Download

    • memory/5080-136-0x0000000004DC0000-0x00000000053E8000-memory.dmp

      Filesize

      6.2MB

      Download

    • memory/5080-141-0x0000000005FE0000-0x0000000005FFA000-memory.dmp

      Filesize

      104KB

      Download

    • memory/5080-140-0x0000000007350000-0x00000000079CA000-memory.dmp

      Filesize

      6.5MB

      Download

    • memory/5080-135-0x00000000024F0000-0x0000000002526000-memory.dmp

      Filesize

      216KB

      Download