Analysis
max time kernel: 149s
max time network: 153s
platform: windows10-2004_x64
resource: win10v2004-20230220-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
submitted: 08/05/2023, 15:46
Static task: static1
Behavioral task: behavioral1
Sample: PO-230102_May 2023.exe
Resource: win7-20230220-en
General
Target: PO-230102_May 2023.exe
Size: 222KB
MD5: 41b41296821338a634d99d5b5c749ec1
SHA1: 747470c76d47d50eaaa891edcc2f17b22b07d1c9
SHA256: 272872a41e4e0ae720f6f61e50320720cf0313fe65d4c039334ed6c0cb7f37b0
SHA512: 7e6e6892661051c9135ca042bc0af85dbbee366080ac326893a62666c4f54401bf1111b1c60c300f3a29b9ad26dfd71848a622215917f739d29ad882451e5ed0
SSDEEP: 3072:d0gHHDGWvgDE4u+gCGHjEmELWQ88ffVls4:WkDBuEawAWE3Vls
Malware Config
Extracted
Family: formbook
Version: 4.1
Campaign: g3th
Domains:
casemierlawncare.com
715harrison.com
laiwudj.com
jhy6id3bgsu.cfd
gewnaj.xyz
hullo.social
animejoyy.com
florenceodd.click
accountingassociatesil.com
cxuu39.shop
isabelladowns.com
checkstart.net
b2bmails.ru
wehantz.com
thejjwhyte.com
jerusalemfoundationsusa.com
newagreement19.com
findel.xyz
czanniversaryring.com
ape5n.com
historyszhuayears.com
homeseller.tips
storagerelax.com
internetsniandoing.com
erolemir.xyz
hsrnithplc.com
gundemozet.net
androidtau.com
adinf.co.uk
dgecai.cyou
csymd.com
lenaandbalazs.com
efefalive.buzz
kenyagov.info
thereallifeguild.net
affixbleach.online
dnsketoaqz.bar
primewindowsorigin.co.uk
amusangdam.xyz
halfpriceexams.com
locksmithexpressny.com
afifitravel.com
dn789slot.net
freshvoices.media
jhklk6565.site
ogdams.africa
monsters.boo
fastezsolar.com
diamond-parkplaza.com
bioup.xyz
printpig.co.uk
mocka.app
merxew.xyz
cndsmail.com
fuel-43574.com
38gaokk.com
bcrzyy.cfd
cactusreefranch.com
aidaomur.com
barangayzone6.tech
gmx-yy.com
bd0371.com
znjf.net
ecoenerone.com
fishingfound.work
Signatures

Formbook payload (4 IoCs)
resource | yara_rule
behavioral2/memory/2624-137-0x0000000000400000-0x000000000042F000-memory.dmp | formbook
behavioral2/memory/2624-144-0x0000000000400000-0x000000000042F000-memory.dmp | formbook
behavioral2/memory/4708-147-0x0000000001200000-0x000000000122F000-memory.dmp | formbook
behavioral2/memory/4708-149-0x0000000001200000-0x000000000122F000-memory.dmp | formbook

Suspicious use of SetThreadContext (3 IoCs)
description | pid | Process | procid_target
PID 4508 set thread context of 2624 | 4508 | PO-230102_May 2023.exe | 87
PID 2624 set thread context of 3184 | 2624 | MSBuild.exe | 55
PID 4708 set thread context of 3184 | 4708 | WWAHost.exe | 55

Suspicious behavior: EnumeratesProcesses (58 IoCs)
pid | Process
2624 | MSBuild.exe (4 identical entries)
4708 | WWAHost.exe (54 identical entries)

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
pid | Process
3184 | Explorer.EXE

Suspicious behavior: MapViewOfSection (5 IoCs)
pid | Process
2624 | MSBuild.exe (3 identical entries)
4708 | WWAHost.exe (2 identical entries)

Suspicious use of AdjustPrivilegeToken (11 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 4508 | PO-230102_May 2023.exe
Token: SeDebugPrivilege | 2624 | MSBuild.exe
Token: SeDebugPrivilege | 4708 | WWAHost.exe
Token: SeShutdownPrivilege | 3184 | Explorer.EXE (4 identical entries)
Token: SeCreatePagefilePrivilege | 3184 | Explorer.EXE (4 identical entries)

Suspicious use of WriteProcessMemory (12 IoCs)
description | pid | Process | procid_target
PID 4508 wrote to memory of 2624 | 4508 | PO-230102_May 2023.exe | 87 (6 identical entries)
PID 3184 wrote to memory of 4708 | 3184 | Explorer.EXE | 89 (3 identical entries)
PID 4708 wrote to memory of 2116 | 4708 | WWAHost.exe | 91 (3 identical entries)
Processes

C:\Windows\Explorer.EXE (PID 3184)
  command line: C:\Windows\Explorer.EXE
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\PO-230102_May 2023.exe (PID 4508)
    command line: "C:\Users\Admin\AppData\Local\Temp\PO-230102_May 2023.exe"
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe (PID 2624)
      command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\WWAHost.exe (PID 4708)
    command line: "C:\Windows\SysWOW64\WWAHost.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe (PID 2116)
      command line: /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"