Analysis
Max time kernel: 149s
Max time network: 99s
Platform: windows10-2004_x64
Resource: win10v2004-20230220-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 31/03/2023, 10:38
Static task: static1
Behavioral task: behavioral1
Sample: PRE ALERT KUL-BKI PNUE00951848 4511679901 Maritime n Industrial AE 455681 264-43349902 N7351 20 NOV - DDP TERMS.exe
Resource: win7-20230220-en
General
Target: PRE ALERT KUL-BKI PNUE00951848 4511679901 Maritime n Industrial AE 455681 264-43349902 N7351 20 NOV - DDP TERMS.exe
Size: 737KB
MD5: 5a31e71dbdb0b31c5af2b1c1c32936ce
SHA1: aecf6320581856198779afec0c1e816961e9757d
SHA256: 2358f255cb8390a108fca6934209b56e8f72eb08dbb3708431c449fffe8338e5
SHA512: 0bd1fc5ded778006ebbc2d6e9288dd5665b26bebb209d7ba40e8a08aa8c36eda35ef227b39958b493f06a06ddbea477b571332b2dd86c67c0806d71bf128341b
SSDEEP: 12288:A79xzQKbXOJz0XXLyw+5iCxJ2rvvLTr8aSVd1Jkx1r7HrcFxJ+O2NimOMt+:lfz0HAiCubvLTar1Jkx1r7HrcFmO2NiQ
Malware Config
Extracted
Family: formbook
Version: 4.1
Campaign: c29i
Decoy domains:
chrestheryulelog.com
awesomecustomerservice.com
4455m.net
vonek76k.com
zwelishaprojects.africa
bbangnmoolgogi.com
howickmenswears.com
ba225.com
ipl2018livescore.com
ohprovider.co.uk
handymanservices.shop
1wzxtq.top
busy-people-gifts.com
invited.rsvp
heihei.fun
micloudlogin.page
hwyi1319.com
alitechnologyes.com
hysminai.com
liuyikj.com
709ai7d.store
burgerking.africa
debrislabs.xyz
live2024americanelection.com
versfeldboerdery.africa
dragonschristmas.com
bestway2.shop
cceasybuy.com
instantboost.africa
allianzcolombiana.com
fghre.com
iweb5logmt.com
efefsquirrel.buzz
nkechi.africa
garotospodres.com
corleanat.com
jamespadilladesigns.com
2022xin27.bar
bmardius.com
emstruckandtrailerrepair.com
gossitup.com
1wxsfy.top
danilov-geo.ru
jio6v.com
cell-phone-discover-now.life
hokahouse.top
gazmks.ru
jjssalonconcepts.com
icconnectors.icu
flavaflamez.shop
boudoirnxt.com
jennyslaughlovenation.online
investoren-projekte.com
feefree.net
aleutiancapitaltemp.com
kishoreganjpratidin.online
66y121.xyz
alphaoomega.academy
delitedentalclinic.com
027hq.net
kromaconstruction.com
dvtekhv.ru
aoiunionbank.com
masxot.xyz
01-buy.com
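The domain list above is the natural input for a DNS-log sweep. The following is an added example, not part of the tria.ge report: it takes a subset of the extracted domains (nine of the entries listed above), matches constructed DNS log lines in an assumed "<timestamp> <client> <qname> <qtype>" layout against them on label boundaries (exact or subdomain match, so "notburgerking.africa" does not hit "burgerking.africa"), and counts hits per client. The caveat a practitioner needs: a Formbook configuration mixes the real C2 with decoy domains that the bot also contacts, so one resolved name is a weak signal; several listed domains from one host in a short window is the pattern worth acting on.

```python
"""Sweep DNS query logs for domains from an extracted Formbook config.

Added example (not from the tria.ge report). The domain subset below is
taken from the report; the log lines are constructed for illustration.
"""
from collections import Counter

# Subset of the extracted domain list (taken from the report above).
FORMBOOK_DOMAINS = {
    "chrestheryulelog.com", "awesomecustomerservice.com", "4455m.net",
    "vonek76k.com", "zwelishaprojects.africa", "ipl2018livescore.com",
    "micloudlogin.page", "live2024americanelection.com", "burgerking.africa",
}

# Constructed DNS log lines; assumed layout: "<timestamp> <client> <qname> <qtype>".
DNS_LOG = """\
2023-03-31T10:38:12Z 10.0.0.15 www.awesomecustomerservice.com. A
2023-03-31T10:38:13Z 10.0.0.15 burgerking.africa A
2023-03-31T10:38:13Z 10.0.0.15 MiCloudLogin.PAGE A
2023-03-31T10:38:14Z 10.0.0.22 notburgerking.africa A
2023-03-31T10:38:15Z 10.0.0.15 update.microsoft.com A
""".splitlines()


def normalize(qname):
    """Lower-case the name and drop a trailing root dot."""
    return qname.rstrip(".").lower()


def registered_match(qname, domains):
    """Return the listed domain that qname equals or is a subdomain of, else None.

    Matching walks label boundaries, so a longer name that merely ends with
    the same characters (notburgerking.africa) is not a hit.
    """
    labels = normalize(qname).split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in domains:
            return candidate
    return None


def scan(lines, domains):
    """Return (timestamp, client, qname, matched_domain) for every hit."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 4:
            continue  # malformed or truncated line; skip rather than guess
        ts, client, qname, _qtype = parts[:4]
        matched = registered_match(qname, domains)
        if matched:
            hits.append((ts, client, qname, matched))
    return hits


def hosts_by_hit_count(hits):
    """Count hits per client so repeated contacts stand out from single decoy lookups."""
    return Counter(client for _, client, _, _ in hits)


if __name__ == "__main__":
    found = scan(DNS_LOG, FORMBOOK_DOMAINS)
    for hit in found:
        print(hit)
    print(hosts_by_hit_count(found))
```

Prioritise clients with multiple distinct listed domains; a single lookup of one entry may be a decoy contact or an unrelated visit to a legitimate-looking site on the list.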
Signatures

Formbook payload (3 IoCs)
yara_rule: formbook
resource:
  behavioral2/memory/696-140-0x0000000000400000-0x000000000042F000-memory.dmp
  behavioral2/memory/696-147-0x0000000000400000-0x000000000042F000-memory.dmp
  behavioral2/memory/404-151-0x0000000000610000-0x000000000063F000-memory.dmp

Suspicious use of SetThreadContext (2 IoCs)
PID 4996 set thread context of 696   Process: PRE ALERT KUL-BKI PNUE00951848 4511679901 Maritime n Industrial AE 455681 264-43349902 N7351 20 NOV - DDP TERMS.exe   procid_target: 93
PID 696 set thread context of 3116   Process: PRE ALERT KUL-BKI PNUE00951848 4511679901 Maritime n Industrial AE 455681 264-43349902 N7351 20 NOV - DDP TERMS.exe   procid_target: 52

Gathers network information (2 TTPs, 1 IoC)
Uses commandline utility to view network configuration.
pid 404   Process: ipconfig.exe

Suspicious behavior: EnumeratesProcesses (6 IoCs)
pid 696   Process: PRE ALERT KUL-BKI PNUE00951848 4511679901 Maritime n Industrial AE 455681 264-43349902 N7351 20 NOV - DDP TERMS.exe   (4 IoCs)
pid 404   Process: ipconfig.exe   (2 IoCs)

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
pid 3116   Process: Explorer.EXE

Suspicious behavior: MapViewOfSection (3 IoCs)
pid 696   Process: PRE ALERT KUL-BKI PNUE00951848 4511679901 Maritime n Industrial AE 455681 264-43349902 N7351 20 NOV - DDP TERMS.exe   (3 IoCs)

Suspicious use of AdjustPrivilegeToken (2 IoCs)
Token: SeDebugPrivilege   pid 696   Process: PRE ALERT KUL-BKI PNUE00951848 4511679901 Maritime n Industrial AE 455681 264-43349902 N7351 20 NOV - DDP TERMS.exe
Token: SeDebugPrivilege   pid 404   Process: ipconfig.exe

Suspicious use of WriteProcessMemory (9 IoCs)
PID 4996 wrote to memory of 696   Process: PRE ALERT KUL-BKI PNUE00951848 4511679901 Maritime n Industrial AE 455681 264-43349902 N7351 20 NOV - DDP TERMS.exe   procid_target: 93   (6 IoCs)
PID 3116 wrote to memory of 404   Process: Explorer.EXE   procid_target: 94   (3 IoCs)
Processes

C:\Windows\Explorer.EXE   "C:\Windows\Explorer.EXE"   (PID 3116)
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\PRE ALERT KUL-BKI PNUE00951848 4511679901 Maritime n Industrial AE 455681 264-43349902 N7351 20 NOV - DDP TERMS.exe   "C:\Users\Admin\AppData\Local\Temp\PRE ALERT KUL-BKI PNUE00951848 4511679901 Maritime n Industrial AE 455681 264-43349902 N7351 20 NOV - DDP TERMS.exe"   (PID 4996)
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\PRE ALERT KUL-BKI PNUE00951848 4511679901 Maritime n Industrial AE 455681 264-43349902 N7351 20 NOV - DDP TERMS.exe   "C:\Users\Admin\AppData\Local\Temp\PRE ALERT KUL-BKI PNUE00951848 4511679901 Maritime n Industrial AE 455681 264-43349902 N7351 20 NOV - DDP TERMS.exe"   (PID 696)
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\ipconfig.exe   "C:\Windows\SysWOW64\ipconfig.exe"   (PID 404)
    - Gathers network information
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
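The signatures and the process tree together describe an injection chain, and it is worth making that reasoning explicit rather than reading it off by eye. The following is an added example, not code from tria.ge: it re-encodes the report's PIDs, cross-process API events and YARA memory-dump hits as constructed input and derives (a) the pairs where one process both wrote to and set the thread context of another (4996 into 696, the pattern of hollowing a fresh copy of itself), (b) the pair with a thread-context change but no recorded write (696 into 3116, Explorer.EXE; together with the MapViewOfSection behavior on 696 this is consistent with section-mapping injection, an inference from the listed behaviors rather than a finding the report states), (c) the System32/SysWOW64 utility spawned by Explorer that carries the payload (ipconfig.exe, PID 404), and (d) the fact that the two matched memory regions are both 0x2F000 bytes long, which is what you expect when the same unpacked image is mapped at different bases in 696 and 404. The memory-dump file name format is assumed from the names on this page.

```python
"""Re-derive the injection chain from a tria.ge-style signature listing.

Added example, not part of the report. All input below is constructed from
the PIDs, events and dump names shown on the page.
"""
import re
from collections import defaultdict

SAMPLE = ("PRE ALERT KUL-BKI PNUE00951848 4511679901 Maritime n Industrial "
          "AE 455681 264-43349902 N7351 20 NOV - DDP TERMS.exe")

# Process tree as reported: pid -> (image path, parent pid).
PROCESSES = {
    3116: ("C:\\Windows\\Explorer.EXE", None),
    4996: ("C:\\Users\\Admin\\AppData\\Local\\Temp\\" + SAMPLE, 3116),
    696:  ("C:\\Users\\Admin\\AppData\\Local\\Temp\\" + SAMPLE, 4996),
    404:  ("C:\\Windows\\SysWOW64\\ipconfig.exe", 3116),
}

# Cross-process API events from the Signatures section: (api, source pid, target pid).
# MapViewOfSection is reported on 696 without a target, so its target is None.
EVENTS = [
    ("WriteProcessMemory", 4996, 696),
    ("SetThreadContext", 4996, 696),
    ("MapViewOfSection", 696, None),
    ("SetThreadContext", 696, 3116),
    ("WriteProcessMemory", 3116, 404),
]

# YARA hits on memory dumps; name layout assumed: <pid>-<n>-0x<start>-0x<end>-memory.dmp
YARA_HITS = [
    "behavioral2/memory/696-140-0x0000000000400000-0x000000000042F000-memory.dmp",
    "behavioral2/memory/696-147-0x0000000000400000-0x000000000042F000-memory.dmp",
    "behavioral2/memory/404-151-0x0000000000610000-0x000000000063F000-memory.dmp",
]

DUMP_RE = re.compile(r"/(\d+)-\d+-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")


def parse_dump_name(name):
    """Return (pid, start, end) parsed from a memory-dump resource name."""
    m = DUMP_RE.search(name)
    if not m:
        raise ValueError("unrecognised dump name: %s" % name)
    return int(m.group(1)), int(m.group(2), 16), int(m.group(3), 16)


def payload_regions(hits):
    """pid -> set of (start, size) regions the formbook rule matched in that process."""
    regions = defaultdict(set)
    for name in hits:
        pid, start, end = parse_dump_name(name)
        regions[pid].add((start, end - start))
    return dict(regions)


def injection_edges(events):
    """(source, target) -> set of APIs the source used against the target."""
    edges = defaultdict(set)
    for api, src, dst in events:
        if dst is not None and src != dst:  # only cross-process events with a known target
            edges[(src, dst)].add(api)
    return edges


def classify(events):
    """Split edges into write+context (hollowing-style) and context-only pairs."""
    edges = injection_edges(events)
    hollowing = sorted(e for e, apis in edges.items()
                       if {"WriteProcessMemory", "SetThreadContext"} <= apis)
    context_only = sorted(e for e, apis in edges.items()
                          if "SetThreadContext" in apis and "WriteProcessMemory" not in apis)
    return hollowing, context_only


def injected_system_utilities(processes, regions):
    """PIDs of System32/SysWOW64 binaries spawned by Explorer that carry the payload."""
    found = []
    for pid, (image, ppid) in processes.items():
        parent_image = processes.get(ppid, ("", None))[0].lower()
        low = image.lower()
        is_system_bin = "\\system32\\" in low or "\\syswow64\\" in low
        if parent_image.endswith("explorer.exe") and is_system_bin and pid in regions:
            found.append(pid)
    return sorted(found)


def shared_payload_sizes(regions):
    """Region sizes seen in more than one process: the same unpacked image replicated."""
    by_size = defaultdict(set)
    for pid, regs in regions.items():
        for _start, size in regs:
            by_size[size].add(pid)
    return {size: sorted(pids) for size, pids in by_size.items() if len(pids) > 1}


if __name__ == "__main__":
    regions = payload_regions(YARA_HITS)
    hollow, ctx_only = classify(EVENTS)
    print("write + thread context:", hollow)
    print("thread context without recorded write:", ctx_only)
    print("injected system utilities under Explorer:", injected_system_utilities(PROCESSES, regions))
    print("payload sizes shared across pids:", {hex(k): v for k, v in shared_payload_sizes(regions).items()})
```

The same correlation applies to live Sysmon or EDR telemetry: feed it (api, source, target) events and image paths instead of the constructed lists, and the Explorer-to-system-utility edge with a payload region in the child is the part worth alerting on, since a fresh copy of ipconfig.exe holding a matched region has no benign explanation.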