Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

1

New Order.exe

windows7-x64

10

New Order.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    154s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    09/02/2023, 13:16

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    New Order.exe

  • Size

    856KB

  • MD5

    7d8cdf3c58c00c596080b3f50f090ab5

  • SHA1

    558c0dd0071f4875d7f74a19106ff06774ac30b9

  • SHA256

    c9caca736c11e851b592f24322879f830096ef056283ab000c73fea48642278b

  • SHA512

    273e806c9463f844d60e861e454d48e6bd9adc0a552c476485d61acf89a3669b22986d404d7f9d89791f7cf4eb5b149acbdeaca14b8164b523cf62ffa8d5424e

  • SSDEEP

    24576:MHCtn9BoO/NtSQlQXDAlfSX6wnj+V9ClyTS666jDgs1b5/:z9KEpwzG8Lz6vgsD

Score
10/10
formbookd03sratspywarestealertrojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

d03s

Decoy

laurasgreenleaves.co.uk

fantastik3d.com

jsstee.com

foodynation.co.uk

3623wnorthgate.com

titanmedical.africa

keithjacksonlifecoach.com

kardilah.shop

crisscrossfishsauce.com

lojatanamao.online

ceways.com

holybreadstudios.com

c66u.xyz

poococoin.net

exipureyour7best.online

easterislandfoundation.net

09448.voto

gzbzxyy.com

0uqx.xyz

agentfarah.com

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • Formbook payload 4 IoCs
    rat
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Suspicious use of SetThreadContext 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 47 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 9 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2016
    • C:\Users\Admin\AppData\Local\Temp\New Order.exe
      "C:\Users\Admin\AppData\Local\Temp\New Order.exe"
      2⤵
      • Checks computer location settings
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4892
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\New Order.exe"
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:5116
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\NskQPt.exe"
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3780
      • C:\Windows\SysWOW64\schtasks.exe
        "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\NskQPt" /XML "C:\Users\Admin\AppData\Local\Temp\tmp4F29.tmp"
        3⤵
        • Creates scheduled task(s)
        PID:3424
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
        3⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        PID:3792
    • C:\Windows\SysWOW64\control.exe
      "C:\Windows\SysWOW64\control.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3752
      • C:\Windows\SysWOW64\cmd.exe
        /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
        3⤵
          PID:4456

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
      Filesize

      2KB

      MD5

      968cb9309758126772781b83adb8a28f

      SHA1

      8da30e71accf186b2ba11da1797cf67f8f78b47c

      SHA256

      92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a

      SHA512

      4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
      Filesize

      18KB

      MD5

      e496cfa1fa9bfec574182cff3db4945a

      SHA1

      73523ffd48bf506fbb07774d89293b551a9faf87

      SHA256

      830d8f31480d6df5631a4af9453c8a87860cc18446c246bf869cdb86a52bef33

      SHA512

      1e0a9cddd2287c7e8ab61f9b406d5be0259ff2576b11015b39ed370444bafd2590f3f6592ce9b177bc0999aba49043168b383479260c5132f6264b22fd4d4cb4

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\tmp4F29.tmp
      Filesize

      1KB

      MD5

      740a468351794fd951a8f065167ab1e7

      SHA1

      9aff48c4c86162093b6fce4d0530947c459916c2

      SHA256

      2a00564223b65c62e66ca0a5fc6e8f81efbf5bab7d6be94c078d13744cea4797

      SHA512

      9bdb12f7afd82e2a237bf729f6ee455c9c5c7e7bfc1a7935e2e28098d98d9444285882ea2c8a3c17afd3e2b48b797cd689d472a33d9429f26912756506594a2b

      Download Submit

    • memory/2016-175-0x0000000007070000-0x00000000071F4000-memory.dmp

      Filesize

      1.5MB

      Download

    • memory/2016-174-0x0000000007070000-0x00000000071F4000-memory.dmp

      Filesize

      1.5MB

      Download

    • memory/2016-156-0x0000000002790000-0x0000000002842000-memory.dmp

      Filesize

      712KB

      Download

    • memory/3752-163-0x0000000000BB0000-0x0000000000BD7000-memory.dmp

      Filesize

      156KB

      Download

    • memory/3752-173-0x00000000009B0000-0x00000000009DF000-memory.dmp

      Filesize

      188KB

      Download

    • memory/3752-164-0x00000000009B0000-0x00000000009DF000-memory.dmp

      Filesize

      188KB

      Download

    • memory/3752-166-0x0000000002AD0000-0x0000000002E1A000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/3752-172-0x0000000002940000-0x00000000029D3000-memory.dmp

      Filesize

      588KB

      Download

    • memory/3780-157-0x0000000006760000-0x000000000677E000-memory.dmp

      Filesize

      120KB

      Download

    • memory/3780-145-0x0000000005C10000-0x0000000005C76000-memory.dmp

      Filesize

      408KB

      Download

    • memory/3780-148-0x0000000006250000-0x000000000626E000-memory.dmp

      Filesize

      120KB

      Download

    • memory/3780-160-0x0000000007540000-0x000000000754A000-memory.dmp

      Filesize

      40KB

      Download

    • memory/3780-143-0x0000000005730000-0x0000000005752000-memory.dmp

      Filesize

      136KB

      Download

    • memory/3780-158-0x0000000007BB0000-0x000000000822A000-memory.dmp

      Filesize

      6.5MB

      Download

    • memory/3780-153-0x0000000006780000-0x00000000067B2000-memory.dmp

      Filesize

      200KB

      Download

    • memory/3780-168-0x0000000007810000-0x000000000782A000-memory.dmp

      Filesize

      104KB

      Download

    • memory/3780-154-0x0000000074E70000-0x0000000074EBC000-memory.dmp

      Filesize

      304KB

      Download

    • memory/3780-167-0x0000000007700000-0x000000000770E000-memory.dmp

      Filesize

      56KB

      Download

    • memory/3792-152-0x0000000000D90000-0x0000000000DA4000-memory.dmp

      Filesize

      80KB

      Download

    • memory/3792-151-0x00000000010D0000-0x000000000141A000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/3792-150-0x0000000000400000-0x000000000042F000-memory.dmp

      Filesize

      188KB

      Download

    • memory/3792-147-0x0000000000400000-0x000000000042F000-memory.dmp

      Filesize

      188KB

      Download

    • memory/4892-132-0x0000000000620000-0x00000000006FC000-memory.dmp

      Filesize

      880KB

      Download

    • memory/4892-133-0x00000000055C0000-0x0000000005B64000-memory.dmp

      Filesize

      5.6MB

      Download

    • memory/4892-134-0x00000000050B0000-0x0000000005142000-memory.dmp

      Filesize

      584KB

      Download

    • memory/4892-135-0x00000000050A0000-0x00000000050AA000-memory.dmp

      Filesize

      40KB

      Download

    • memory/4892-136-0x00000000090D0000-0x000000000916C000-memory.dmp

      Filesize

      624KB

      Download

    • memory/5116-169-0x0000000007D40000-0x0000000007D48000-memory.dmp

      Filesize

      32KB

      Download

    • memory/5116-155-0x0000000074E70000-0x0000000074EBC000-memory.dmp

      Filesize

      304KB

      Download

    • memory/5116-159-0x0000000007A30000-0x0000000007A4A000-memory.dmp

      Filesize

      104KB

      Download

    • memory/5116-144-0x0000000005550000-0x00000000055B6000-memory.dmp

      Filesize

      408KB

      Download

    • memory/5116-141-0x0000000005690000-0x0000000005CB8000-memory.dmp

      Filesize

      6.2MB

      Download

    • memory/5116-139-0x0000000002BC0000-0x0000000002BF6000-memory.dmp

      Filesize

      216KB

      Download

    • memory/5116-161-0x0000000007CA0000-0x0000000007D36000-memory.dmp

      Filesize

      600KB

      Download