Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

1

d67bc9de76...31.exe

windows7-x64

10

d67bc9de76...31.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    146s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    08/03/2023, 13:13

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    d67bc9de761645c9aa4b5669cd355f2fecde8b4e9b22f64f327f282754742031.exe

  • Size

    356KB

  • MD5

    89638fe1a25c80932d9e4cb30238e194

  • SHA1

    39e2ba0f53784ba65b1c5c33c7629447944390d0

  • SHA256

    d67bc9de761645c9aa4b5669cd355f2fecde8b4e9b22f64f327f282754742031

  • SHA512

    d2c8474b02dbab013bb1924826c27e04e32ac260a58ccc925624c65411628ba252992f9e7fdd931a961b18a75d0cb54289e14a36dda708a4ae7cb2d28719b801

  • SSDEEP

    6144:/Ya6QPTmatecxGcFxZci7zQiJtMCnTiyaaMvJZEFST/WxHNQow:/YePTmat2cFcivxTvktvUS8eP

Score
10/10
formbookvr21ratspywarestealertrojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

vr21

Decoy

detrop.ru

bolacash.club

thezoidtv.africa

bigartgallerystudio.com

doshkoljata.ru

gamesdaybuddiessingles.com

zonlin.net

thehilltoplodges.co.uk

fcvip.club

amandacurtinnutrition.com

londonairporttaxies.com

graniteteammates.com

devthanhvo.site

kl-thelabel.com

a1choice.net

amzprod.com

iwaint.com

device-children.com

canada-immigration-72440.com

irsdev.ru

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • Formbook payload 4 IoCs
    rat
  • Executes dropped EXE 2 IoCs
  • Suspicious use of SetThreadContext 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 60 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 13 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of WriteProcessMemory
    PID:3200
    • C:\Users\Admin\AppData\Local\Temp\d67bc9de761645c9aa4b5669cd355f2fecde8b4e9b22f64f327f282754742031.exe
      "C:\Users\Admin\AppData\Local\Temp\d67bc9de761645c9aa4b5669cd355f2fecde8b4e9b22f64f327f282754742031.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1544
      • C:\Users\Admin\AppData\Local\Temp\setacrtv.exe
        "C:\Users\Admin\AppData\Local\Temp\setacrtv.exe" C:\Users\Admin\AppData\Local\Temp\bjtqn.j
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of WriteProcessMemory
        PID:2032
        • C:\Users\Admin\AppData\Local\Temp\setacrtv.exe
          "C:\Users\Admin\AppData\Local\Temp\setacrtv.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of AdjustPrivilegeToken
          PID:524
    • C:\Windows\SysWOW64\help.exe
      "C:\Windows\SysWOW64\help.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1108
      • C:\Windows\SysWOW64\cmd.exe
        /c del "C:\Users\Admin\AppData\Local\Temp\setacrtv.exe"
        3⤵
          PID:3836

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\bjtqn.j
      Filesize

      5KB

      MD5

      f88e7b8f410183ebe6d8a93c0c69fac1

      SHA1

      884dcfdc390ab5c16acf4825e845196689660c13

      SHA256

      68164f2638aadfe26b24d6d95a2402630f60b9922aa925be8122f8f85afde02f

      SHA512

      8b515dc62db6ac2c42f86de72fc7f940e40885f16fda4c19c77a5072fad3fb19edcc4cc1eaf05debe9894d221fe84e240c7df8ee1988c1f44134129ad8af00fa

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\qtbhihuhdo.thc
      Filesize

      205KB

      MD5

      1de3b6dbb675773b015c982ca0d6bef3

      SHA1

      e974f0da17266919737c3920d7a00d68ee933216

      SHA256

      0c83a2f8962ec4832b276cf006a8fa55fc0f2e7da6a66cb5cc73ab00e3062a15

      SHA512

      69df2e4715b354a644dbdc8eb61d7bad13c6c56d12754435ee9ae0946c3d7aa2b3faa5259810735080831807a7fd5387efe09b78d109c1c654498025c787be31

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\setacrtv.exe
      Filesize

      296KB

      MD5

      b4f16ffac645f80188483e424f7a441a

      SHA1

      78daa0412c734d0e3480c7b9e93a4261cd9a2abd

      SHA256

      0b32074d192d96a87c40ad5527f2906da427389880a729a0bc6c2e6e874bbbd1

      SHA512

      33202533d738df65440c87cc70ec0166beaa95da4d8d22b4fbef50c9038e1b64457b39fd0a7a6ca2f2c40c6b2b71dd5c934f45a12bd117f043a721ebd7b6f140

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\setacrtv.exe
      Filesize

      296KB

      MD5

      b4f16ffac645f80188483e424f7a441a

      SHA1

      78daa0412c734d0e3480c7b9e93a4261cd9a2abd

      SHA256

      0b32074d192d96a87c40ad5527f2906da427389880a729a0bc6c2e6e874bbbd1

      SHA512

      33202533d738df65440c87cc70ec0166beaa95da4d8d22b4fbef50c9038e1b64457b39fd0a7a6ca2f2c40c6b2b71dd5c934f45a12bd117f043a721ebd7b6f140

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\setacrtv.exe
      Filesize

      296KB

      MD5

      b4f16ffac645f80188483e424f7a441a

      SHA1

      78daa0412c734d0e3480c7b9e93a4261cd9a2abd

      SHA256

      0b32074d192d96a87c40ad5527f2906da427389880a729a0bc6c2e6e874bbbd1

      SHA512

      33202533d738df65440c87cc70ec0166beaa95da4d8d22b4fbef50c9038e1b64457b39fd0a7a6ca2f2c40c6b2b71dd5c934f45a12bd117f043a721ebd7b6f140

      Download Submit

    • memory/524-148-0x00000000005F0000-0x0000000000604000-memory.dmp

      Filesize

      80KB

      Download

    • memory/524-142-0x0000000000400000-0x000000000042F000-memory.dmp

      Filesize

      188KB

      Download

    • memory/524-146-0x0000000000A70000-0x0000000000DBA000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/524-147-0x0000000000400000-0x000000000042F000-memory.dmp

      Filesize

      188KB

      Download

    • memory/1108-156-0x0000000000A40000-0x0000000000A6F000-memory.dmp

      Filesize

      188KB

      Download

    • memory/1108-151-0x0000000000080000-0x0000000000087000-memory.dmp

      Filesize

      28KB

      Download

    • memory/1108-153-0x0000000000080000-0x0000000000087000-memory.dmp

      Filesize

      28KB

      Download

    • memory/1108-154-0x0000000000A40000-0x0000000000A6F000-memory.dmp

      Filesize

      188KB

      Download

    • memory/1108-155-0x00000000011C0000-0x000000000150A000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/1108-158-0x0000000000F70000-0x0000000001003000-memory.dmp

      Filesize

      588KB

      Download

    • memory/2032-140-0x0000000000490000-0x0000000000492000-memory.dmp

      Filesize

      8KB

      Download

    • memory/3200-149-0x00000000091C0000-0x00000000092D8000-memory.dmp

      Filesize

      1.1MB

      Download

    • memory/3200-159-0x00000000093A0000-0x0000000009512000-memory.dmp

      Filesize

      1.4MB

      Download

    • memory/3200-160-0x00000000093A0000-0x0000000009512000-memory.dmp

      Filesize

      1.4MB

      Download

    • memory/3200-162-0x00000000093A0000-0x0000000009512000-memory.dmp

      Filesize

      1.4MB

      Download