Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
150s -
max time network
129s -
platform
windows7_x64 -
resource
win7-20230220-en -
resource tags
arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system -
submitted
14/03/2023, 09:53
Static task
static1
Behavioral task
behavioral1
Sample
MTCN TELLER RECEIPT.exe
Resource
win7-20230220-en
General
-
Target
MTCN TELLER RECEIPT.exe
-
Size
237KB
-
MD5
f9726a7a881f7182123ee36679c4d09b
-
SHA1
53b28856a51b66195ff4a3b799642b8d1f7025db
-
SHA256
9472d7a4e6028ef04c5b1a1a57844a3198229bd209b68c1d3534123e4fad8fb2
-
SHA512
1ea087c3d7311dbd07eeb03c4ca9ef37236fac517f11a305849ab022b8645baffd947d9e794f0418b6050a25f4a3b8f35137ad5f76591cb10e526df04050ac02
-
SSDEEP
6144:/Ya6i74F0L4ddME6oV38O0+yn9utn3HND:/YUcmL4X6oB8O0+Nt3HND
Malware Config
Extracted
formbook
4.1
ke03
fastartcustom.com
ikanggabus.xyz
aevum.ru
lacarretapps.com
arcaneacquisitions.net
fuulyshop.com
bloodbahis278.com
bullardrvpark.com
cowboy-hostel.xyz
empireoba.com
the-windsor-h.africa
help-desk-td.com
dofirosols.life
efefarmy.buzz
kewwrf.top
autoran.co.uk
moodysanalytics.boo
kulturemarket.com
ffwpu-kenya.com
heykon.com
blueskyauberge.com
hiroseringyou.com
capitolau.com
apiverity.com
ashcroftbathco.co.uk
khalifa-dubai.com
emailstodollars.com
efeffluttering.buzz
digitapursuit.com
baburg.com
betterworldmarketing.shop
kopaczynska.com
damonandlovell.com
jingchuangroup.com
duodianji.com
shengguangxinxi.com
lifestylemotoring.co.uk
bartoncourt.org.uk
girldatefy.com
conradrawford.click
nextratedmusic.africa
jehucapital.com
aceproductions.net
almasrd.com
complstein.com
cb5dj.com
glifingcr.com
beatsbyche.com
bejaiasoisobservateur.com
lqdwqy.top
frykuv.xyz
huxiaotangtattoo.com
installinverter.africa
credeo.uk
ciaottanperu.com
ilovemeta.vip
hpid.co.uk
67812.vet
avs-omsk.online
starshiptroopers.net
cryptoplaza.app
lingshiol.com
honorglasspackaging.com
cannabismapsny.com
bakkenmetkinderen.com
Signatures
-
Formbook payload 4 IoCs
resource yara_rule behavioral1/memory/680-69-0x0000000000400000-0x000000000042F000-memory.dmp formbook behavioral1/memory/680-74-0x0000000000400000-0x000000000042F000-memory.dmp formbook behavioral1/memory/1872-80-0x0000000000080000-0x00000000000AF000-memory.dmp formbook behavioral1/memory/1872-82-0x0000000000080000-0x00000000000AF000-memory.dmp formbook -
Executes dropped EXE 2 IoCs
pid Process 1460 otmflulrvh.exe 680 otmflulrvh.exe -
Loads dropped DLL 3 IoCs
pid Process 1212 MTCN TELLER RECEIPT.exe 1212 MTCN TELLER RECEIPT.exe 1460 otmflulrvh.exe -
Suspicious use of SetThreadContext 3 IoCs
description pid Process procid_target PID 1460 set thread context of 680 1460 otmflulrvh.exe 29 PID 680 set thread context of 1260 680 otmflulrvh.exe 16 PID 1872 set thread context of 1260 1872 NAPSTAT.EXE 16 -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 28 IoCs
pid Process 680 otmflulrvh.exe 680 otmflulrvh.exe 1872 NAPSTAT.EXE 1872 NAPSTAT.EXE 1872 NAPSTAT.EXE 1872 NAPSTAT.EXE 1872 NAPSTAT.EXE 1872 NAPSTAT.EXE 1872 NAPSTAT.EXE 1872 NAPSTAT.EXE 1872 NAPSTAT.EXE 1872 NAPSTAT.EXE 1872 NAPSTAT.EXE 1872 NAPSTAT.EXE 1872 NAPSTAT.EXE 1872 NAPSTAT.EXE 1872 NAPSTAT.EXE 1872 NAPSTAT.EXE 1872 NAPSTAT.EXE 1872 NAPSTAT.EXE 1872 NAPSTAT.EXE 1872 NAPSTAT.EXE 1872 NAPSTAT.EXE 1872 NAPSTAT.EXE 1872 NAPSTAT.EXE 1872 NAPSTAT.EXE 1872 NAPSTAT.EXE 1872 NAPSTAT.EXE -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 1260 Explorer.EXE -
Suspicious behavior: MapViewOfSection 6 IoCs
pid Process 1460 otmflulrvh.exe 680 otmflulrvh.exe 680 otmflulrvh.exe 680 otmflulrvh.exe 1872 NAPSTAT.EXE 1872 NAPSTAT.EXE -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 680 otmflulrvh.exe Token: SeDebugPrivilege 1872 NAPSTAT.EXE -
Suspicious use of FindShellTrayWindow 2 IoCs
pid Process 1260 Explorer.EXE 1260 Explorer.EXE -
Suspicious use of SendNotifyMessage 2 IoCs
pid Process 1260 Explorer.EXE 1260 Explorer.EXE -
Suspicious use of WriteProcessMemory 17 IoCs
description pid Process procid_target PID 1212 wrote to memory of 1460 1212 MTCN TELLER RECEIPT.exe 28 PID 1212 wrote to memory of 1460 1212 MTCN TELLER RECEIPT.exe 28 PID 1212 wrote to memory of 1460 1212 MTCN TELLER RECEIPT.exe 28 PID 1212 wrote to memory of 1460 1212 MTCN TELLER RECEIPT.exe 28 PID 1460 wrote to memory of 680 1460 otmflulrvh.exe 29 PID 1460 wrote to memory of 680 1460 otmflulrvh.exe 29 PID 1460 wrote to memory of 680 1460 otmflulrvh.exe 29 PID 1460 wrote to memory of 680 1460 otmflulrvh.exe 29 PID 1460 wrote to memory of 680 1460 otmflulrvh.exe 29 PID 1260 wrote to memory of 1872 1260 Explorer.EXE 30 PID 1260 wrote to memory of 1872 1260 Explorer.EXE 30 PID 1260 wrote to memory of 1872 1260 Explorer.EXE 30 PID 1260 wrote to memory of 1872 1260 Explorer.EXE 30 PID 1872 wrote to memory of 1936 1872 NAPSTAT.EXE 31 PID 1872 wrote to memory of 1936 1872 NAPSTAT.EXE 31 PID 1872 wrote to memory of 1936 1872 NAPSTAT.EXE 31 PID 1872 wrote to memory of 1936 1872 NAPSTAT.EXE 31
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1260 -
C:\Users\Admin\AppData\Local\Temp\MTCN TELLER RECEIPT.exe"C:\Users\Admin\AppData\Local\Temp\MTCN TELLER RECEIPT.exe"2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1212 -
C:\Users\Admin\AppData\Local\Temp\otmflulrvh.exe"C:\Users\Admin\AppData\Local\Temp\otmflulrvh.exe" C:\Users\Admin\AppData\Local\Temp\qubvvmzl.rk3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1460 -
C:\Users\Admin\AppData\Local\Temp\otmflulrvh.exe"C:\Users\Admin\AppData\Local\Temp\otmflulrvh.exe"4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:680
-
-
-
-
C:\Windows\SysWOW64\NAPSTAT.EXE"C:\Windows\SysWOW64\NAPSTAT.EXE"2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1872 -
C:\Windows\SysWOW64\cmd.exe/c del "C:\Users\Admin\AppData\Local\Temp\otmflulrvh.exe"3⤵PID:1936
-
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
205KB
MD56c642712d39637fc8ced74cb3dcc7903
SHA1ff0ddab33f478889515a061e7763f235450cb8f9
SHA2563349be17dc030f34b0d2a9067897b91b45d87d585531fc108463be9174aab3c8
SHA512290e24095925a6ce7c48e523f8fbccd22e8aab4481bd437850d411dd79f7f8cefa015aff0838b1d565c07a6623f4045aa904093a889b7d0a0b7fd7cf4baaa9b0
-
Filesize
5KB
MD5086d2e81b0c19b74943ac4eeeb459a56
SHA1448a2e6b3441d26c30ee12dc7d93de8a9c459c66
SHA256af3ebfddb7d9356ba8272014df8a10fed3c0ce25f17d0958e34daee4bef90b77
SHA512bebbdb06bff5e6ed36cf9a9e4bfe2230feeb0ad8e0d3192e835dbabf12eeaae2a784c9608ad91cc5d6e8ee7a1f413e1a7f29855f8371eef9db0dc3a894c74a9e
-
Filesize
5KB
MD5086d2e81b0c19b74943ac4eeeb459a56
SHA1448a2e6b3441d26c30ee12dc7d93de8a9c459c66
SHA256af3ebfddb7d9356ba8272014df8a10fed3c0ce25f17d0958e34daee4bef90b77
SHA512bebbdb06bff5e6ed36cf9a9e4bfe2230feeb0ad8e0d3192e835dbabf12eeaae2a784c9608ad91cc5d6e8ee7a1f413e1a7f29855f8371eef9db0dc3a894c74a9e
-
Filesize
5KB
MD5086d2e81b0c19b74943ac4eeeb459a56
SHA1448a2e6b3441d26c30ee12dc7d93de8a9c459c66
SHA256af3ebfddb7d9356ba8272014df8a10fed3c0ce25f17d0958e34daee4bef90b77
SHA512bebbdb06bff5e6ed36cf9a9e4bfe2230feeb0ad8e0d3192e835dbabf12eeaae2a784c9608ad91cc5d6e8ee7a1f413e1a7f29855f8371eef9db0dc3a894c74a9e
-
Filesize
5KB
MD5086d2e81b0c19b74943ac4eeeb459a56
SHA1448a2e6b3441d26c30ee12dc7d93de8a9c459c66
SHA256af3ebfddb7d9356ba8272014df8a10fed3c0ce25f17d0958e34daee4bef90b77
SHA512bebbdb06bff5e6ed36cf9a9e4bfe2230feeb0ad8e0d3192e835dbabf12eeaae2a784c9608ad91cc5d6e8ee7a1f413e1a7f29855f8371eef9db0dc3a894c74a9e
-
Filesize
5KB
MD5bc7836f77f8028836397e690f4e998ed
SHA1dedfbfcb4399bf6e90a2005ae6911b602ff2fef1
SHA256fd133ec88368b5125c6e886efc0f30e345eec49a887169a904601fb3c5e50dcf
SHA512167e5f00b11409cade03214794bb146ff7db3ab62fd44620fddd98b64c81049ae5de4ccc57320a205554e957e6ce6b306a4525fec0d954b7629c819ce478c8af
-
Filesize
5KB
MD5086d2e81b0c19b74943ac4eeeb459a56
SHA1448a2e6b3441d26c30ee12dc7d93de8a9c459c66
SHA256af3ebfddb7d9356ba8272014df8a10fed3c0ce25f17d0958e34daee4bef90b77
SHA512bebbdb06bff5e6ed36cf9a9e4bfe2230feeb0ad8e0d3192e835dbabf12eeaae2a784c9608ad91cc5d6e8ee7a1f413e1a7f29855f8371eef9db0dc3a894c74a9e
-
Filesize
5KB
MD5086d2e81b0c19b74943ac4eeeb459a56
SHA1448a2e6b3441d26c30ee12dc7d93de8a9c459c66
SHA256af3ebfddb7d9356ba8272014df8a10fed3c0ce25f17d0958e34daee4bef90b77
SHA512bebbdb06bff5e6ed36cf9a9e4bfe2230feeb0ad8e0d3192e835dbabf12eeaae2a784c9608ad91cc5d6e8ee7a1f413e1a7f29855f8371eef9db0dc3a894c74a9e
-
Filesize
5KB
MD5086d2e81b0c19b74943ac4eeeb459a56
SHA1448a2e6b3441d26c30ee12dc7d93de8a9c459c66
SHA256af3ebfddb7d9356ba8272014df8a10fed3c0ce25f17d0958e34daee4bef90b77
SHA512bebbdb06bff5e6ed36cf9a9e4bfe2230feeb0ad8e0d3192e835dbabf12eeaae2a784c9608ad91cc5d6e8ee7a1f413e1a7f29855f8371eef9db0dc3a894c74a9e