Analysis
- max time kernel: 153s
- max time network: 158s
- platform: windows10-2004_x64
- resource: win10v2004-20230220-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 18/05/2023, 14:35
Static task
- static1

Behavioral task
- behavioral1
- Sample: rock997.exe
- Resource: win7-20230220-en
General
- Target: rock997.exe
- Size: 281KB
- MD5: 770b0aa37f47b6bda2c4aa82b686afaf
- SHA1: a7f4627372d3277b5456f2b4ff9f40aceb7db68c
- SHA256: c02565873b8fe1fe3a19ee5bca4d03a861d4768f48f8816311792b7632c63107
- SHA512: 1839733c9d37692852f3c5e604e5f16c12313f0f937d1f3a055eecc787e6c1ed9037b16f7df1735e9a04a983b1ac05505dd48f36dff203a0765d08fdef02e0da
- SSDEEP: 6144:/Ya6Nfn8Qna97f4k9uCH1+TmXbXPT0hpDMfWhj7U7Pitx1uK54IR0ycAJPI:/Yv/8Qna97A4nVOCT04v7atLuKmIR0UO
Malware Config

Extracted
- Family: formbook
- Version: 4.1
- Campaign: re29
- Domains (Formbook configs mix the live C2 with decoy domains, so treat the list as indicators to hunt on rather than as confirmed C2):
barnstorm-music.com
gazzettadellapuglia.com
baratieistore.space
cdrjdkj.com
carlissablog.com
langlalang.com
2886365.com
aq993.cyou
jwjwjwjw.com
car-deals-80304.com
dikevolesas.info
buycialistablets.online
theplantgranny.net
detoxshopbr.store
imans.biz
fightingcock.co.uk
loveforfurbabies.com
eastcoastbeveragegroup.com
alaaeldinsoft.com
microshel.com
deal-markt.com
hypothetical.systems
baxhakutrade.com
chiehhsikaoportfolio.com
brandsmania.net
follred.com
6566x14.app
defi88.com
h-skyseo.com
imagina-onshop.com
bambooleavescompany.com
cmojohnny.com
1whxgd.top
infernaljournal.app
kk156.net
chokolatk.com
guoshan-0800777216.com
funparty.rsvp
helenfallon.com
digitalmagazine.online
idealcutandtrim.com
bricoitalia.net
ecwid-store-copy.net
iljamusic.com
uvcon.africa
hoodiesupplycol.com
iilykt.top
continuousvoltage.com
josephajaogo.africa
baba-robot.ru
1wsfcg.top
hagfiw.xyz
firstcitizncb.com
calamitouscrochet.shop
829727.com
eleonorasdaycare.com
lafourmiprovencal.ch
corollacompany.africa
acorsgroup.com
jabberglotty.com
akhlit.com
kompetenceboersen.online
fxtcb8.site
whetegeneralprojects.africa
senriki.net
Signatures

Formbook payload (4 IoCs)
resource | yara_rule
behavioral2/memory/1168-141-0x0000000000400000-0x000000000042F000-memory.dmp | formbook
behavioral2/memory/1168-148-0x0000000000400000-0x000000000042F000-memory.dmp | formbook
behavioral2/memory/2624-152-0x0000000000530000-0x000000000055F000-memory.dmp | formbook
behavioral2/memory/2624-154-0x0000000000530000-0x000000000055F000-memory.dmp | formbook

Executes dropped EXE (2 IoCs)
pid | Process
992 | krzbxu.exe
1168 | krzbxu.exe

Suspicious use of SetThreadContext (3 IoCs)
description | pid | Process | procid_target
PID 992 set thread context of 1168 | 992 | krzbxu.exe | 86
PID 1168 set thread context of 2780 | 1168 | krzbxu.exe | 51
PID 2624 set thread context of 2780 | 2624 | control.exe | 51

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Suspicious behavior: EnumeratesProcesses (60 IoCs; identical rows collapsed, count per row shown)
pid | Process | entries
1168 | krzbxu.exe | 4
2624 | control.exe | 56

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
pid | Process
2780 | Explorer.EXE

Suspicious behavior: MapViewOfSection (6 IoCs; identical rows collapsed, count per row shown)
pid | Process | entries
992 | krzbxu.exe | 1
1168 | krzbxu.exe | 3
2624 | control.exe | 2

Suspicious use of AdjustPrivilegeToken (2 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 1168 | krzbxu.exe
Token: SeDebugPrivilege | 2624 | control.exe

Suspicious use of WriteProcessMemory (13 IoCs; identical rows collapsed, count per row shown)
description | pid | Process | procid_target | entries
PID 1916 wrote to memory of 992 | 1916 | rock997.exe | 84 | 3
PID 992 wrote to memory of 1168 | 992 | krzbxu.exe | 86 | 4
PID 2780 wrote to memory of 2624 | 2780 | Explorer.EXE | 87 | 3
PID 2624 wrote to memory of 1540 | 2624 | control.exe | 88 | 3
Processes (indentation shows the parent/child relationship)

C:\Windows\Explorer.EXE (PID 2780)
  command line: C:\Windows\Explorer.EXE
  signatures:
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\rock997.exe (PID 1916)
    command line: "C:\Users\Admin\AppData\Local\Temp\rock997.exe"
    signatures:
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\krzbxu.exe (PID 992)
      command line: "C:\Users\Admin\AppData\Local\Temp\krzbxu.exe" C:\Users\Admin\AppData\Local\Temp\lgpjpyltwb.xsh
      signatures:
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of WriteProcessMemory

      C:\Users\Admin\AppData\Local\Temp\krzbxu.exe (PID 1168)
        command line: "C:\Users\Admin\AppData\Local\Temp\krzbxu.exe"
        signatures:
        - Executes dropped EXE
        - Suspicious use of SetThreadContext
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: MapViewOfSection
        - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\control.exe (PID 2624)
    command line: "C:\Windows\SysWOW64\control.exe"
    signatures:
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe (PID 1540)
      command line: /c del "C:\Users\Admin\AppData\Local\Temp\krzbxu.exe"
Network
MITRE ATT&CK Enterprise v6
Downloads

- Filesize: 93KB (this entry is listed three times in the report)
  MD5: 7793dd06bf27114affbfddc7e43776f0
  SHA1: 2aefa98cf10eca923a83d5e12cf58e59ed57e8ff
  SHA256: 3d5b7def708577d215cba4dd3d8583e850ff06841ffe9ae951df7ec777f5c82c
  SHA512: d76e5de604dda386e21000e208f2518c090d2155dfb9668d1c9db00c71d0edb0ee7cd137b22f9d82256a2364cbf84d803c3b215db54f9edeac715ab251558888

- Filesize: 5KB
  MD5: e90cdc2f987e0fb1f880635a2444a376
  SHA1: 5c0ad72f848c73c40c34a8e36cce08a046ba41a2
  SHA256: 04bffe239f42f4d64df22daaf1ea0c9803e4c0aa094b30fd95dd6b675d5392c7
  SHA512: df607591e78345f85c89a99accf9e5c0d55331eb8701fc4b0c6e2a8cb34381daa456fc52acc39a60bd9679ea6f47c246d8de3db951986adba5c74e1e2ef37ed5

- Filesize: 205KB
  MD5: 5087adea0b5f152af8763de0dd77ae61
  SHA1: b18f566dd8fd1a8fd616b16b087092566e2e2229
  SHA256: d79eaf52aa4cae85609cac0070b15596a88f05cc46a1581ddbaff6bbfd50d7b8
  SHA512: ee13310cd18e71bdf5f4b58221a531eae1fc4489644cbf4055ca0e9f96d39a1bd4b62811d62071f13e56a7cf06b300bbf6ad747f3a22ea1d5339ef0441788df8