Analysis
max time kernel: 148s
max time network: 144s
platform: windows10-2004_x64
resource: win10v2004-20230220-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
submitted: 16/05/2023, 10:23
Static task: static1
Behavioral task: behavioral1
Sample: PO610008532.exe
Resource: win7-20230220-en
General
Target: PO610008532.exe
Size: 2.0MB
MD5: b7dc4b65e6239c0d20bcb4b59f5c644c
SHA1: e166cebfa0fb6e9e04f64f2f61dca71b49ef9e44
SHA256: 3fc300b0b16fefb8d0dc08f09803d7dbff6be6ea2a4c87833fb285499a3fc6f0
SHA512: 851b73419737a32ce06701e1d5ecbc32be6a5777709460a81afdc92d2b8ca322ae3fd93650610959f7921b41ae5ef99d2859a9949918f94fe4a673b759ed2607
SSDEEP: 12288:D/cOS13ZjYXegrTuXXlC+pEXdOMnmfVWWd8wWDOZQgOxwr:afPWDOZQ
Malware Config
Extracted
Family: formbook
Version: 4.1
Campaign: wm23
Signatures

Formbook payload (3 IoCs)
resource | yara_rule
behavioral2/memory/2336-146-0x0000000000400000-0x000000000042F000-memory.dmp | formbook
behavioral2/memory/4680-155-0x0000000000980000-0x00000000009AF000-memory.dmp | formbook
behavioral2/memory/4680-157-0x0000000000980000-0x00000000009AF000-memory.dmp | formbook

Suspicious use of SetThreadContext (3 IoCs)
description | pid | Process | procid_target
PID 8 set thread context of 2336 | 8 | PO610008532.exe | 84
PID 2336 set thread context of 2616 | 2336 | PO610008532.exe | 19
PID 4680 set thread context of 2616 | 4680 | netsh.exe | 19

Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid | Process
8 | PO610008532.exe (repeated 64 times)

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
pid | Process
2616 | Explorer.EXE

Suspicious behavior: MapViewOfSection (5 IoCs)
pid | Process
2336 | PO610008532.exe (3 times)
4680 | netsh.exe (2 times)

Suspicious use of AdjustPrivilegeToken (3 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 8 | PO610008532.exe
Token: SeDebugPrivilege | 2336 | PO610008532.exe
Token: SeDebugPrivilege | 4680 | netsh.exe

Suspicious use of WriteProcessMemory (12 IoCs)
description | pid | Process | procid_target
PID 8 wrote to memory of 2336 | 8 | PO610008532.exe | 84 (6 times)
PID 2616 wrote to memory of 4680 | 2616 | Explorer.EXE | 92 (3 times)
PID 4680 wrote to memory of 2268 | 4680 | netsh.exe | 93 (3 times)
Processes

C:\Windows\Explorer.EXE (PID 2616)
command line: C:\Windows\Explorer.EXE
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\PO610008532.exe (PID 8)
  command line: "C:\Users\Admin\AppData\Local\Temp\PO610008532.exe"
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\PO610008532.exe (PID 2336)
    command line: "C:\Users\Admin\AppData\Local\Temp\PO610008532.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\netsh.exe (PID 4680)
  command line: "C:\Windows\SysWOW64\netsh.exe"
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe (PID 2268)
    command line: /c del "C:\Users\Admin\AppData\Local\Temp\PO610008532.exe"