Analysis
max time kernel: 150s
max time network: 137s
platform: windows7_x64
resource: win7-20230220-en
resource tags: arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
submitted: 01/06/2023, 05:28
Static task: static1
Behavioral task: behavioral1
Sample: DB_DHL_AWB_001833022AD.exe
Resource: win7-20230220-en
General
Target: DB_DHL_AWB_001833022AD.exe
Size: 756KB
MD5: 2d985f3b5851efc28e57c98a70b9de4f
SHA1: 2d9b300138b372777cde6cbc41526121dfc2663d
SHA256: 0daf37a7f327ddc858e1c6c4a02974012fb9434de66256402c8091561ae16fd4
SHA512: a9f9f73024a19283c368a2cc011d6e1cfdac63bf6786ca1ec9e8d765b67e105767ec62546b9339b58b2494c44e3ad51ee1614fd52073151bde2c638c0d6940ac
SSDEEP: 12288:IfCk22F22E22U22FAMTihh6xhZ6OrFIu/ZSwJBmLAMPeDKklYQ+zM4HkOKuTDNLO:Tk22F22E22U22eMUgh8yFI6SuW0v+zMh
Malware Config
Extracted
Family: formbook
Version: 4.1
Campaign: cs94
Domains:
dhaliwal3.com
iptvebay.shop
hsfgass33.top
cammali.com
dcleaningseevicesltd.co.uk
amzosecsn-jp.icu
builtmedia.co.uk
duoguang.top
forumken.net
cqivrh.cfd
lr-nexusark.com
carrirae.shop
jtownexclusive.africa
georoiddemo.online
lefinet.com
otc.rsvp
kitchenpharmacy.co.uk
bbywafz248xca4.com
digijockey.com
9-ji.com
econetv.com
greatonlineshoppingmall.com
requestwebques.online
carpetexperss.com
yuvmh.xyz
nadraservicecentre.co.uk
azerya.tech
chat784.com
houseecare.com
gh-socio.com
cookfleet.xyz
testhamsa.net
humanlongevity.xyz
dhfjda8.com
fantastika.online
lan26.ru
breastcancermascot.com
audley.boo
coandcocoon.com
hollywiancko.com
lazarnejad.com
brocomole.com
carolinacoastalrealestate.homes
franciscoarteaga.com
healthproduct.site
dhubdigitalsolutions.africa
daugoivn.com
domestig.africa
hdwebsite4.info
akinsrealtystation.com
megagist.africa
2826casino.com
jrmastering.ch
independentbmwdiagnostics.co.uk
camoeyes.boo
hgfadhgadfyta.top
lhv-turvakontroll.com
iseedifferent.com
balikesirjenerator.com
hability.xyz
tinawebdesigns.africa
liuyao168.com
rrscu.com
1paikunaway.com
24hrlaundry.com
Signatures

Formbook payload (4 IoCs)
resource  yara_rule
behavioral1/memory/580-64-0x0000000000400000-0x000000000042F000-memory.dmp  formbook
behavioral1/memory/580-70-0x0000000000400000-0x000000000042F000-memory.dmp  formbook
behavioral1/memory/516-76-0x00000000000C0000-0x00000000000EF000-memory.dmp  formbook
behavioral1/memory/516-78-0x00000000000C0000-0x00000000000EF000-memory.dmp  formbook

Deletes itself (1 IoC)
pid  Process
1740  cmd.exe

Suspicious use of SetThreadContext (3 IoCs)
description  pid  Process  procid_target
PID 1808 set thread context of 580  1808  DB_DHL_AWB_001833022AD.exe  30
PID 580 set thread context of 1220  580  DB_DHL_AWB_001833022AD.exe  13
PID 516 set thread context of 1220  516  cmmon32.exe  13

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Suspicious behavior: EnumeratesProcesses (26 IoCs)
pid  Process  (occurrences)
1808  DB_DHL_AWB_001833022AD.exe  ×6
580  DB_DHL_AWB_001833022AD.exe  ×2
768  powershell.exe  ×1
516  cmmon32.exe  ×17

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
pid  Process
1220  Explorer.EXE

Suspicious behavior: MapViewOfSection (5 IoCs)
pid  Process  (occurrences)
580  DB_DHL_AWB_001833022AD.exe  ×3
516  cmmon32.exe  ×2

Suspicious use of AdjustPrivilegeToken (4 IoCs)
description  pid  Process
Token: SeDebugPrivilege  1808  DB_DHL_AWB_001833022AD.exe
Token: SeDebugPrivilege  580  DB_DHL_AWB_001833022AD.exe
Token: SeDebugPrivilege  768  powershell.exe
Token: SeDebugPrivilege  516  cmmon32.exe

Suspicious use of FindShellTrayWindow (2 IoCs)
pid  Process  (occurrences)
1220  Explorer.EXE  ×2

Suspicious use of SendNotifyMessage (2 IoCs)
pid  Process  (occurrences)
1220  Explorer.EXE  ×2

Suspicious use of WriteProcessMemory (19 IoCs)
description  pid  Process  procid_target  (occurrences)
PID 1808 wrote to memory of 768  1808  DB_DHL_AWB_001833022AD.exe  28  ×4
PID 1808 wrote to memory of 580  1808  DB_DHL_AWB_001833022AD.exe  30  ×7
PID 1220 wrote to memory of 516  1220  Explorer.EXE  31  ×4
PID 516 wrote to memory of 1740  516  cmmon32.exe  32  ×4

Processes

C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE
  PID: 1220
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\DB_DHL_AWB_001833022AD.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\DB_DHL_AWB_001833022AD.exe"
    PID: 1808
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\DB_DHL_AWB_001833022AD.exe"
      PID: 768
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

    C:\Users\Admin\AppData\Local\Temp\DB_DHL_AWB_001833022AD.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\DB_DHL_AWB_001833022AD.exe"
      PID: 580
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\cmmon32.exe
    Command line: "C:\Windows\SysWOW64\cmmon32.exe"
    PID: 516
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe
      Command line: /c del "C:\Users\Admin\AppData\Local\Temp\DB_DHL_AWB_001833022AD.exe"
      PID: 1740
      - Deletes itself