Analysis
- max time kernel: 151s
- max time network: 153s
- platform: windows10-2004_x64
- resource: win10v2004-20221111-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 14/02/2023, 18:30
Static task: static1
Behavioral task: behavioral1
- Sample: a44404aac23672009dc1d835f223d35b.exe
- Resource: win7-20220901-en
General
- Target: a44404aac23672009dc1d835f223d35b.exe
- Size: 293KB
- MD5: a44404aac23672009dc1d835f223d35b
- SHA1: 31aee1e8489ef5b6033f24050ff309941f8f38b0
- SHA256: 1a82b5f2c6d3897569544939dfae30457d05924c8811f009d0cd1540319ea90c
- SHA512: 2a70e223ca53759418bb42caa5d90dee2629f18815035f4cb92296eddac284f8a4074cfc9efada30ab9c27305e14249d5cb3731ec18fc41fc87695a6ef04357b
- SSDEEP: 6144:0Ya6qfeaNVq78yPmAR6PAqqQ1hPP23xulTtZ3X3fCA:0YMmaS78yP3g4qxYeZ3XvCA
Malware Config (extracted)
- Family: formbook
- Version: 4.1
- Campaign: nes8
Signatures
- Formbook payload (4 IoCs)
  resource | yara_rule
  behavioral2/memory/4768-139-0x0000000000400000-0x000000000042F000-memory.dmp | formbook
  behavioral2/memory/4768-144-0x0000000000400000-0x000000000042F000-memory.dmp | formbook
  behavioral2/memory/4696-148-0x00000000006F0000-0x000000000071F000-memory.dmp | formbook
  behavioral2/memory/4696-150-0x00000000006F0000-0x000000000071F000-memory.dmp | formbook
- Executes dropped EXE (2 IoCs)
  pid | Process
  3084 | yoznhk.exe
  4768 | yoznhk.exe
- Suspicious use of SetThreadContext (3 IoCs)
  description | pid | Process | procid_target
  PID 3084 set thread context of 4768 | 3084 | yoznhk.exe | 82
  PID 4768 set thread context of 676 | 4768 | yoznhk.exe | 54
  PID 4696 set thread context of 676 | 4696 | help.exe | 54
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: EnumeratesProcesses (60 IoCs)
  pid | Process
  4768 | yoznhk.exe (4 entries)
  4696 | help.exe (56 entries)
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  pid | Process
  676 | Explorer.EXE
- Suspicious behavior: MapViewOfSection (6 IoCs)
  pid | Process
  3084 | yoznhk.exe (1 entry)
  4768 | yoznhk.exe (3 entries)
  4696 | help.exe (2 entries)
- Suspicious use of AdjustPrivilegeToken (14 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 4768 | yoznhk.exe
  Token: SeDebugPrivilege | 4696 | help.exe
  Token: SeShutdownPrivilege | 676 | Explorer.EXE (6 entries)
  Token: SeCreatePagefilePrivilege | 676 | Explorer.EXE (6 entries)
- Suspicious use of WriteProcessMemory (13 IoCs)
  description | pid | Process | procid_target
  PID 1952 wrote to memory of 3084 | 1952 | a44404aac23672009dc1d835f223d35b.exe | 81 (3 entries)
  PID 3084 wrote to memory of 4768 | 3084 | yoznhk.exe | 82 (4 entries)
  PID 676 wrote to memory of 4696 | 676 | Explorer.EXE | 84 (3 entries)
  PID 4696 wrote to memory of 3816 | 4696 | help.exe | 85 (3 entries)
Processes
C:\Windows\Explorer.EXE (PID 676)
  command line: C:\Windows\Explorer.EXE
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\a44404aac23672009dc1d835f223d35b.exe (PID 1952)
    command line: "C:\Users\Admin\AppData\Local\Temp\a44404aac23672009dc1d835f223d35b.exe"
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\yoznhk.exe (PID 3084)
      command line: "C:\Users\Admin\AppData\Local\Temp\yoznhk.exe" C:\Users\Admin\AppData\Local\Temp\qsruthgcsxr.a
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of WriteProcessMemory
      C:\Users\Admin\AppData\Local\Temp\yoznhk.exe (PID 4768)
        command line: "C:\Users\Admin\AppData\Local\Temp\yoznhk.exe"
        - Executes dropped EXE
        - Suspicious use of SetThreadContext
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: MapViewOfSection
        - Suspicious use of AdjustPrivilegeToken
  C:\Windows\SysWOW64\autofmt.exe (PID 4192)
    command line: "C:\Windows\SysWOW64\autofmt.exe"
  C:\Windows\SysWOW64\help.exe (PID 4696)
    command line: "C:\Windows\SysWOW64\help.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\cmd.exe (PID 3816)
      command line: /c del "C:\Users\Admin\AppData\Local\Temp\yoznhk.exe"
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 205KB
  MD5: f1ea13fa35de3f09b96364341d87d125
  SHA1: 8de2b74f3a5bbcb1ba8ced276904c7a47266a1a1
  SHA256: b21c98a92b9bbbf684de96fb96adbcd534368df3fdd7b615bc59e0b1685a8434
  SHA512: 7e91642293d03ad05941ab5e1c464bc08197900001b61ddbd9d3f3445b5e1559d1e82ba1630634ec78701b2d508822585bb5cbfab80e07c33052401f7cff442e
- Filesize: 5KB
  MD5: 54b71333295fca6cf02f2b33fd820c76
  SHA1: 1b918d25d644d6aae65324fb77e50a3a2ee50147
  SHA256: 5d44da7c885fc6d6a5f454a2e73c7409a5d5f434ea9984f39221750b75840442
  SHA512: 095ebd5cac031872c9cb2328070c127ea7862140e9bc89421c4ce8ff17804dde88ccc330b79e709c17c61179bc7c8146420e734c8e512b5e82eede690fa5629b
- Filesize: 74KB
  MD5: 33197092d5e40869139dafa9e86397eb
  SHA1: 1c94e4036d5ab42cc9e405c31bccc2af3e316fed
  SHA256: 91975a8affb95985c82de51e6f71acb803833d2e9ddf1099145f9a2a04300d50
  SHA512: a313a4fd70685c733257eecc437944f7e3bd1277c6be1c8f1b569e624e50c9b7b57453ff2b93effe3ba9f9cd08ab34c6a85c50c5dd805c7a09a620b105fcb8b5