Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

order spec...on.exe

windows7-x64

10

order spec...on.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    22/05/2023, 08:47

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    order specification.exe

  • Size

    684KB

  • MD5

    e4b4f25fdbd4a82ef0df9076ec6dd250

  • SHA1

    35a27a55da6c5c6c65292289d95469cd4ec0bff9

  • SHA256

    0480f30f1070d12b3231c495ee15699f09049f1c5bc19e889ebd2f3571bd4ab7

  • SHA512

    848f2178541a9302e93c3558f0320bc5d922128407b03dbfaa20702584fc67e1722f4ac46974ad8a7b918af2d78fd86903728d518ec2f5f4d66bb74474347902

  • SSDEEP

    12288:ptOFx0YPX/NqPsAogO01MnY7Zzrgb7Siqumatg8BaNd2h/:ptOwHPsAA0eGgb+iquBaNG/

Score
10/10
formbooko17iratspywarestealertrojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

o17i

Decoy

chocolatebarreview.com

fetch-a-trabajos-canada.info

expresspestcontrol.net

tractionx.co.uk

vitalassetsecurity.com

lahtawine.ru

firedamagereports.com

bentzenphotography.com

digitalworkforces.com

divnoe.online

efefbig.buzz

melhardy.co.uk

igorsolutions.com

developmentszhuiservice.com

fookspace.com

kredaroo.com

4zpm.xyz

kycecat.cfd

singingriverhomeimprovement.com

bils.store

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • Formbook payload 5 IoCs
    rat
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Suspicious use of SetThreadContext 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Enumerates system info in registry 2 TTPs 1 IoCs
  • Modifies registry class 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 44 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 11 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Modifies registry class
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of WriteProcessMemory
    PID:3152
    • C:\Users\Admin\AppData\Local\Temp\order specification.exe
      "C:\Users\Admin\AppData\Local\Temp\order specification.exe"
      2⤵
      • Checks computer location settings
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:1400
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\ShUpVIVzyjGX.exe"
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1796
      • C:\Windows\SysWOW64\schtasks.exe
        "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ShUpVIVzyjGX" /XML "C:\Users\Admin\AppData\Local\Temp\tmp1916.tmp"
        3⤵
        • Creates scheduled task(s)
        PID:4172
      • C:\Users\Admin\AppData\Local\Temp\order specification.exe
        "C:\Users\Admin\AppData\Local\Temp\order specification.exe"
        3⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        PID:4788
    • C:\Windows\SysWOW64\chkdsk.exe
      "C:\Windows\SysWOW64\chkdsk.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Enumerates system info in registry
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4736
      • C:\Windows\SysWOW64\cmd.exe
        /c del "C:\Users\Admin\AppData\Local\Temp\order specification.exe"
        3⤵
          PID:5112

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_z1fl3qdj.kwk.ps1
      Filesize

      60B

      MD5

      d17fe0a3f47be24a6453e9ef58c94641

      SHA1

      6ab83620379fc69f80c0242105ddffd7d98d5d9d

      SHA256

      96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

      SHA512

      5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\tmp1916.tmp
      Filesize

      1KB

      MD5

      f92a527cf6a16aa41b86cc94e50443de

      SHA1

      9317c0c6f76d56189e9eaf1018747b7df57a2f65

      SHA256

      42404dfd7f4ff9edc509073c3c5bc4d28a09ead42b0e5e57b4b1b612b0f76803

      SHA512

      fea56490f79a1878f9ab5b8b7e1a5b220bdd56634997c8b7493743737400de88a46ed0a1cb5987a8f68e9117c26f20a7a5115336c5118532ac050db36773cd41

      Download Submit

    • memory/1400-134-0x0000000005A20000-0x0000000005FC4000-memory.dmp

      Filesize

      5.6MB

      Download

    • memory/1400-135-0x0000000005470000-0x0000000005502000-memory.dmp

      Filesize

      584KB

      Download

    • memory/1400-136-0x00000000053E0000-0x00000000053EA000-memory.dmp

      Filesize

      40KB

      Download

    • memory/1400-137-0x00000000056D0000-0x00000000056E0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1400-138-0x00000000056D0000-0x00000000056E0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1400-139-0x0000000006540000-0x00000000065DC000-memory.dmp

      Filesize

      624KB

      Download

    • memory/1400-133-0x00000000009B0000-0x0000000000A60000-memory.dmp

      Filesize

      704KB

      Download

    • memory/1796-169-0x0000000071AC0000-0x0000000071B0C000-memory.dmp

      Filesize

      304KB

      Download

    • memory/1796-186-0x0000000007580000-0x000000000759A000-memory.dmp

      Filesize

      104KB

      Download

    • memory/1796-149-0x0000000004FF0000-0x0000000005012000-memory.dmp

      Filesize

      136KB

      Download

    • memory/1796-146-0x00000000051A0000-0x00000000057C8000-memory.dmp

      Filesize

      6.2MB

      Download

    • memory/1796-150-0x00000000058A0000-0x0000000005906000-memory.dmp

      Filesize

      408KB

      Download

    • memory/1796-161-0x0000000004B60000-0x0000000004B70000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1796-156-0x0000000005910000-0x0000000005976000-memory.dmp

      Filesize

      408KB

      Download

    • memory/1796-163-0x0000000005F30000-0x0000000005F4E000-memory.dmp

      Filesize

      120KB

      Download

    • memory/1796-187-0x0000000007560000-0x0000000007568000-memory.dmp

      Filesize

      32KB

      Download

    • memory/1796-184-0x00000000074C0000-0x0000000007556000-memory.dmp

      Filesize

      600KB

      Download

    • memory/1796-185-0x0000000007470000-0x000000000747E000-memory.dmp

      Filesize

      56KB

      Download

    • memory/1796-167-0x0000000004B60000-0x0000000004B70000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1796-168-0x0000000006510000-0x0000000006542000-memory.dmp

      Filesize

      200KB

      Download

    • memory/1796-144-0x0000000002630000-0x0000000002666000-memory.dmp

      Filesize

      216KB

      Download

    • memory/1796-179-0x00000000064F0000-0x000000000650E000-memory.dmp

      Filesize

      120KB

      Download

    • memory/1796-180-0x0000000007890000-0x0000000007F0A000-memory.dmp

      Filesize

      6.5MB

      Download

    • memory/1796-181-0x0000000007240000-0x000000000725A000-memory.dmp

      Filesize

      104KB

      Download

    • memory/1796-182-0x000000007FCB0000-0x000000007FCC0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1796-183-0x00000000072C0000-0x00000000072CA000-memory.dmp

      Filesize

      40KB

      Download

    • memory/3152-192-0x00000000052F0000-0x00000000053DA000-memory.dmp

      Filesize

      936KB

      Download

    • memory/3152-166-0x0000000003000000-0x000000000317E000-memory.dmp

      Filesize

      1.5MB

      Download

    • memory/3152-204-0x0000000008270000-0x0000000008321000-memory.dmp

      Filesize

      708KB

      Download

    • memory/3152-202-0x0000000008270000-0x0000000008321000-memory.dmp

      Filesize

      708KB

      Download

    • memory/3152-201-0x0000000008270000-0x0000000008321000-memory.dmp

      Filesize

      708KB

      Download

    • memory/4736-200-0x00000000010A0000-0x0000000001134000-memory.dmp

      Filesize

      592KB

      Download

    • memory/4736-194-0x0000000000010000-0x000000000001A000-memory.dmp

      Filesize

      40KB

      Download

    • memory/4736-195-0x0000000000010000-0x000000000001A000-memory.dmp

      Filesize

      40KB

      Download

    • memory/4736-197-0x00000000012A0000-0x00000000015EA000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/4736-196-0x0000000000A10000-0x0000000000A3F000-memory.dmp

      Filesize

      188KB

      Download

    • memory/4736-198-0x0000000000A10000-0x0000000000A3F000-memory.dmp

      Filesize

      188KB

      Download

    • memory/4788-147-0x0000000000400000-0x000000000042F000-memory.dmp

      Filesize

      188KB

      Download

    • memory/4788-193-0x0000000000400000-0x000000000042F000-memory.dmp

      Filesize

      188KB

      Download

    • memory/4788-191-0x0000000001420000-0x0000000001435000-memory.dmp

      Filesize

      84KB

      Download

    • memory/4788-190-0x0000000000400000-0x000000000042F000-memory.dmp

      Filesize

      188KB

      Download

    • memory/4788-164-0x0000000001450000-0x000000000179A000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/4788-165-0x00000000013C0000-0x00000000013D5000-memory.dmp

      Filesize

      84KB

      Download