Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

1

724ad0f724...80.exe

windows7-x64

10

724ad0f724...80.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    137s
  • platform
    windows7_x64
  • resource
    win7-20230220-en
  • resource tags

    arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
  • submitted
    19/04/2023, 01:09

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    724ad0f724d2aba12940a1eeeede2980.exe

  • Size

    367KB

  • MD5

    724ad0f724d2aba12940a1eeeede2980

  • SHA1

    7c78985a6a73aabf2dc2dbbe4ef8f39f35f69c00

  • SHA256

    8d108254a8f52c795d01e4fa87ac70437873d1073e38c179716e5fa40816b82f

  • SHA512

    685041a0540ee78483811d31cae0807e8ed5e935557aa0f4d95b4f4a86ec2c68acd0925fe7245f61b0a5e978e29c036fa9d1cf873e56e9d7bcc98c8a5d6d7c6d

  • SSDEEP

    6144:7Ya6E9UJPbOrLRGNr8dPXw+kaBBIHtDhA7XbX5PGwhwtWT732fz0YThqHVTH6HuX:7Yq9UJzOa8w+kImHPm1LT73270FHHM78

Score
10/10
formbookhtqsratspywarestealertrojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

htqs

Decoy

calvingross.com

al-andalusi.shop

cartvey.com

omdestinationweddings.com

arolo.site

avh.life

lifesaversministrypakistan.com

91gag.com

sucessodenegocio.com

stillrockphotography.com

matrixpro.xyz

ingeborgbleonard.icu

gatorfunding.services

truevoicetea.com

rentz-elektro.com

winetasting.tips

nerdppc.com

weareroamingexpert.com

silvermacpro.com

grandmakadescustomquilts.com

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • Formbook payload 5 IoCs
    rat
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Suspicious use of SetThreadContext 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 28 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 7 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SendNotifyMessage 2 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:1220
    • C:\Users\Admin\AppData\Local\Temp\724ad0f724d2aba12940a1eeeede2980.exe
      "C:\Users\Admin\AppData\Local\Temp\724ad0f724d2aba12940a1eeeede2980.exe"
      2⤵
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:680
      • C:\Users\Admin\AppData\Local\Temp\wmweglq.exe
        "C:\Users\Admin\AppData\Local\Temp\wmweglq.exe" C:\Users\Admin\AppData\Local\Temp\qicbf.ggy
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of SetThreadContext
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of WriteProcessMemory
        PID:1608
        • C:\Users\Admin\AppData\Local\Temp\wmweglq.exe
          "C:\Users\Admin\AppData\Local\Temp\wmweglq.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of AdjustPrivilegeToken
          PID:660
    • C:\Windows\SysWOW64\autofmt.exe
      "C:\Windows\SysWOW64\autofmt.exe"
      2⤵
        PID:1160
      • C:\Windows\SysWOW64\autofmt.exe
        "C:\Windows\SysWOW64\autofmt.exe"
        2⤵
          PID:296
        • C:\Windows\SysWOW64\autofmt.exe
          "C:\Windows\SysWOW64\autofmt.exe"
          2⤵
            PID:676
          • C:\Windows\SysWOW64\autofmt.exe
            "C:\Windows\SysWOW64\autofmt.exe"
            2⤵
              PID:968
            • C:\Windows\SysWOW64\autofmt.exe
              "C:\Windows\SysWOW64\autofmt.exe"
              2⤵
                PID:1912
              • C:\Windows\SysWOW64\autofmt.exe
                "C:\Windows\SysWOW64\autofmt.exe"
                2⤵
                  PID:804
                • C:\Windows\SysWOW64\autochk.exe
                  "C:\Windows\SysWOW64\autochk.exe"
                  2⤵
                    PID:1724
                  • C:\Windows\SysWOW64\autochk.exe
                    "C:\Windows\SysWOW64\autochk.exe"
                    2⤵
                      PID:1496
                    • C:\Windows\SysWOW64\autochk.exe
                      "C:\Windows\SysWOW64\autochk.exe"
                      2⤵
                        PID:692
                      • C:\Windows\SysWOW64\autochk.exe
                        "C:\Windows\SysWOW64\autochk.exe"
                        2⤵
                          PID:864
                        • C:\Windows\SysWOW64\autochk.exe
                          "C:\Windows\SysWOW64\autochk.exe"
                          2⤵
                            PID:1812
                          • C:\Windows\SysWOW64\autochk.exe
                            "C:\Windows\SysWOW64\autochk.exe"
                            2⤵
                              PID:324
                            • C:\Windows\SysWOW64\autochk.exe
                              "C:\Windows\SysWOW64\autochk.exe"
                              2⤵
                                PID:532
                              • C:\Windows\SysWOW64\autochk.exe
                                "C:\Windows\SysWOW64\autochk.exe"
                                2⤵
                                  PID:1508
                                • C:\Windows\SysWOW64\control.exe
                                  "C:\Windows\SysWOW64\control.exe"
                                  2⤵
                                  • Suspicious use of SetThreadContext
                                  • Suspicious behavior: EnumeratesProcesses
                                  • Suspicious behavior: MapViewOfSection
                                  • Suspicious use of AdjustPrivilegeToken
                                  • Suspicious use of WriteProcessMemory
                                  PID:576
                                  • C:\Windows\SysWOW64\cmd.exe
                                    /c del "C:\Users\Admin\AppData\Local\Temp\wmweglq.exe"
                                    3⤵
                                      PID:1516

                                Network

                                MITRE ATT&CK Enterprise v6

                                Replay Monitor

                                Loading Replay Monitor...

                                Downloads

                                • C:\Users\Admin\AppData\Local\Temp\qicbf.ggy
                                  Filesize

                                  5KB

                                  MD5

                                  b63e870c0753ecac6ad3f21fe5c374b3

                                  SHA1

                                  f78e63bc427f11b9abe5178453a9a00f40ae1475

                                  SHA256

                                  b8a07a3ebe99a8bed62b03f28730ecce686e017a72010519a5ad1bf7e62f1d14

                                  SHA512

                                  bb597965eb29cc7d88899cd5c9e01b72ab87d891cf8270c25be90239f927315a2237a7b5edb1f7c3e01240463ea65064a6f9c801c5eee912ddace3ee7ce2f789

                                  Download Submit

                                • C:\Users\Admin\AppData\Local\Temp\usgayiiio.d
                                  Filesize

                                  205KB

                                  MD5

                                  9552ff76e1abf4e6578551cdad6a2672

                                  SHA1

                                  125cfb014dd7b708c9c76b1029d027042aeca6d7

                                  SHA256

                                  878c5ddb34e1c6ad12a5a47677ea2d1764853b3bebb1c4b2c0ba7fdb051be049

                                  SHA512

                                  30f3471c4ccae958654694272d0a802a915f2e7a0b3a31fbf0b040d9e3b7b7b21bf2c3ac2f6ebb7f98fdbd2be0e7fd4cd68730a598a20be7b8624f596714c112

                                  Download Submit

                                • C:\Users\Admin\AppData\Local\Temp\wmweglq.exe
                                  Filesize

                                  329KB

                                  MD5

                                  d4f68ffac5d65806641a59c684b16df1

                                  SHA1

                                  c8b78594b2204248c1e87a0ab2c55b7f6c759027

                                  SHA256

                                  30ced78a4082bf00b00fcc45ebddbaf07f711f1a11f23a20f4dcbd0dd010ff10

                                  SHA512

                                  600d1179346c99f39fc7196c18813c3751f032f1c40f9a6820f5a636be3c743f46df3470856ca675b6ed29087eff8511e004b10d87e9bcb869741c6e841fc9f8

                                  Download Submit

                                • C:\Users\Admin\AppData\Local\Temp\wmweglq.exe
                                  Filesize

                                  329KB

                                  MD5

                                  d4f68ffac5d65806641a59c684b16df1

                                  SHA1

                                  c8b78594b2204248c1e87a0ab2c55b7f6c759027

                                  SHA256

                                  30ced78a4082bf00b00fcc45ebddbaf07f711f1a11f23a20f4dcbd0dd010ff10

                                  SHA512

                                  600d1179346c99f39fc7196c18813c3751f032f1c40f9a6820f5a636be3c743f46df3470856ca675b6ed29087eff8511e004b10d87e9bcb869741c6e841fc9f8

                                  Download Submit

                                • C:\Users\Admin\AppData\Local\Temp\wmweglq.exe
                                  Filesize

                                  329KB

                                  MD5

                                  d4f68ffac5d65806641a59c684b16df1

                                  SHA1

                                  c8b78594b2204248c1e87a0ab2c55b7f6c759027

                                  SHA256

                                  30ced78a4082bf00b00fcc45ebddbaf07f711f1a11f23a20f4dcbd0dd010ff10

                                  SHA512

                                  600d1179346c99f39fc7196c18813c3751f032f1c40f9a6820f5a636be3c743f46df3470856ca675b6ed29087eff8511e004b10d87e9bcb869741c6e841fc9f8

                                  Download Submit

                                • \Users\Admin\AppData\Local\Temp\wmweglq.exe
                                  Filesize

                                  329KB

                                  MD5

                                  d4f68ffac5d65806641a59c684b16df1

                                  SHA1

                                  c8b78594b2204248c1e87a0ab2c55b7f6c759027

                                  SHA256

                                  30ced78a4082bf00b00fcc45ebddbaf07f711f1a11f23a20f4dcbd0dd010ff10

                                  SHA512

                                  600d1179346c99f39fc7196c18813c3751f032f1c40f9a6820f5a636be3c743f46df3470856ca675b6ed29087eff8511e004b10d87e9bcb869741c6e841fc9f8

                                  Download Submit

                                • \Users\Admin\AppData\Local\Temp\wmweglq.exe
                                  Filesize

                                  329KB

                                  MD5

                                  d4f68ffac5d65806641a59c684b16df1

                                  SHA1

                                  c8b78594b2204248c1e87a0ab2c55b7f6c759027

                                  SHA256

                                  30ced78a4082bf00b00fcc45ebddbaf07f711f1a11f23a20f4dcbd0dd010ff10

                                  SHA512

                                  600d1179346c99f39fc7196c18813c3751f032f1c40f9a6820f5a636be3c743f46df3470856ca675b6ed29087eff8511e004b10d87e9bcb869741c6e841fc9f8

                                  Download Submit

                                • memory/576-78-0x0000000000D30000-0x0000000000D4F000-memory.dmp

                                  Filesize

                                  124KB

                                  Download

                                • memory/576-85-0x00000000008A0000-0x0000000000933000-memory.dmp

                                  Filesize

                                  588KB

                                  Download

                                • memory/576-83-0x0000000000080000-0x00000000000AF000-memory.dmp

                                  Filesize

                                  188KB

                                  Download

                                • memory/576-82-0x00000000009D0000-0x0000000000CD3000-memory.dmp

                                  Filesize

                                  3.0MB

                                  Download

                                • memory/576-81-0x0000000000080000-0x00000000000AF000-memory.dmp

                                  Filesize

                                  188KB

                                  Download

                                • memory/576-80-0x0000000000D30000-0x0000000000D4F000-memory.dmp

                                  Filesize

                                  124KB

                                  Download

                                • memory/660-65-0x0000000000400000-0x000000000042F000-memory.dmp

                                  Filesize

                                  188KB

                                  Download

                                • memory/660-76-0x0000000000400000-0x000000000042F000-memory.dmp

                                  Filesize

                                  188KB

                                  Download

                                • memory/660-74-0x0000000000390000-0x00000000003A4000-memory.dmp

                                  Filesize

                                  80KB

                                  Download

                                • memory/660-73-0x0000000000400000-0x000000000042F000-memory.dmp

                                  Filesize

                                  188KB

                                  Download

                                • memory/660-71-0x0000000000340000-0x0000000000354000-memory.dmp

                                  Filesize

                                  80KB

                                  Download

                                • memory/660-70-0x0000000000890000-0x0000000000B93000-memory.dmp

                                  Filesize

                                  3.0MB

                                  Download

                                • memory/1220-75-0x0000000006400000-0x00000000064FF000-memory.dmp

                                  Filesize

                                  1020KB

                                  Download

                                • memory/1220-72-0x00000000062E0000-0x00000000063F1000-memory.dmp

                                  Filesize

                                  1.1MB

                                  Download

                                • memory/1220-69-0x0000000000010000-0x0000000000020000-memory.dmp

                                  Filesize

                                  64KB

                                  Download

                                • memory/1220-86-0x0000000006500000-0x000000000660B000-memory.dmp

                                  Filesize

                                  1.0MB

                                  Download

                                • memory/1220-87-0x0000000006500000-0x000000000660B000-memory.dmp

                                  Filesize

                                  1.0MB

                                  Download

                                • memory/1220-89-0x0000000006500000-0x000000000660B000-memory.dmp

                                  Filesize

                                  1.0MB

                                  Download