Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
max time kernel: 149s
max time network: 141s
platform: windows7_x64
resource: win7-20230220-en
resource tags: arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
submitted: 24/05/2023, 16:29
Static task: static1
Behavioral task: behavioral1
  Sample: 74291.exe
  Resource: win7-20230220-en
General
Target: 74291.exe
Size: 638KB
MD5: d4f369f573c973d833f5060c6b80e929
SHA1: 1ef7c6cf58b39dba64d282d701f5992acfae830e
SHA256: 79f878be696492904510496633fcdc7458f7b2e2efb373f7d097b2276a708e51
SHA512: e57e29b18f75b94445fa732aac2c31a1d30bb2011442b2736073bdabd12949d057bcae7f340f6f26619e70e86cc95a099fca4cb3a654880c6189f30901e6cdae
SSDEEP: 12288:C2N8jiZ4zypIPEtPplTY6RhKuEX1n+sDUyHVCw0VkKL3QXtzx/yffqx:C2N8jiZ4zypIPEJTDE/X1n+iUy1Cwogo
Malware Config
Extracted
Family: formbook
Version: 4.1
Campaign: a2e2
Signatures

Formbook payload (4 IoCs)
  resource                                                                      yara_rule
  behavioral1/memory/1500-64-0x0000000000400000-0x000000000042F000-memory.dmp   formbook
  behavioral1/memory/1500-68-0x0000000000400000-0x000000000042F000-memory.dmp   formbook
  behavioral1/memory/1364-73-0x0000000000070000-0x000000000009F000-memory.dmp   formbook
  behavioral1/memory/1364-75-0x0000000000070000-0x000000000009F000-memory.dmp   formbook

Deletes itself (1 IoC)
  pid    Process
  1332   cmd.exe

Suspicious use of SetThreadContext (3 IoCs)
  description                            pid    Process       procid_target
  PID 1444 set thread context of 1500    1444   74291.exe     28
  PID 1500 set thread context of 1264    1500   74291.exe     14
  PID 1364 set thread context of 1264    1364   cscript.exe   14

Suspicious behavior: EnumeratesProcesses (24 IoCs)
  pid    Process       occurrences
  1444   74291.exe     6
  1500   74291.exe     2
  1364   cscript.exe   16

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  pid    Process
  1264   Explorer.EXE

Suspicious behavior: MapViewOfSection (5 IoCs)
  pid    Process       occurrences
  1500   74291.exe     3
  1364   cscript.exe   2

Suspicious use of AdjustPrivilegeToken (3 IoCs)
  description              pid    Process
  Token: SeDebugPrivilege  1444   74291.exe
  Token: SeDebugPrivilege  1500   74291.exe
  Token: SeDebugPrivilege  1364   cscript.exe

Suspicious use of FindShellTrayWindow (2 IoCs)
  pid    Process        occurrences
  1264   Explorer.EXE   2

Suspicious use of SendNotifyMessage (2 IoCs)
  pid    Process        occurrences
  1264   Explorer.EXE   2

Suspicious use of WriteProcessMemory (15 IoCs)
  description                          pid    Process        procid_target   occurrences
  PID 1444 wrote to memory of 1500     1444   74291.exe      28              7
  PID 1264 wrote to memory of 1364     1264   Explorer.EXE   29              4
  PID 1364 wrote to memory of 1332     1364   cscript.exe    30              4
Processes

C:\Windows\Explorer.EXE (depth 1)
  Command line: C:\Windows\Explorer.EXE
  PID: 1264
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\74291.exe (depth 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\74291.exe"
    PID: 1444
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\74291.exe (depth 3)
      Command line: "C:\Users\Admin\AppData\Local\Temp\74291.exe"
      PID: 1500
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\cscript.exe (depth 2)
    Command line: "C:\Windows\SysWOW64\cscript.exe"
    PID: 1364
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe (depth 3)
      Command line: /c del "C:\Users\Admin\AppData\Local\Temp\74291.exe"
      PID: 1332
      - Deletes itself