Analysis
max time kernel: 150s
max time network: 142s
platform: windows7_x64
resource: win7-20230712-en
resource tags: arch:x64, arch:x86, image:win7-20230712-en, locale:en-us, os:windows7-x64, system
submitted: 14/07/2023, 12:18
Static task: static1
Behavioral task: behavioral1
Sample: Sipariş formu 07.14.exe
Resource: win7-20230712-en

General
Target: Sipariş formu 07.14.exe  (Turkish: "Order form 07.14")
Size: 263KB
MD5: 719c522aec409b51c6868a77f80b6fa8
SHA1: 416357c9f7ecc7e9a6e70e3703075f53846f176f
SHA256: 7bf47a92fadd875caa70db94a8ef153f7e63296357619e23a27b2d4e0a6a2bde
SHA512: 3bd2455092e7ed61838737f68c83e7f4e555dcd92a0a975eb4acff6dd9a08f3986d48afe82d563d8c3db0d1068801b370ad20b3ed517547ed74845a2f1249046
SSDEEP: 6144:vYa6ZSSel/J61D4l7EMPHf6G+MDtSSfS606DHTtw7mkNlVxv4ODw:vYrvoJg6diG+MDG60OHTtw7mkZxvu
Malware Config
Extracted
Family: formbook
Version: 4.1
Campaign: b0y4
Decoy domains (a Formbook config carries its live C2 host hidden among decoy domains owned by unrelated parties, so each entry below is a hunting lead, not a confirmed C2):
cayocabana.com
handbholidaylighting.com
bombastickmast.com
engageandexceltutoring.com
acdaiucdac.com
alfahifurniture.com
ageingxx.com
app-fintoch.com
quintanaatverde.com
theimperfectangel.com
usvisa-infu.com
774495.com
betjogue.com
jil-fashion.com
luxury-developments.com
tonestarconsulting.com
betonlineaustralia.com
oldglorywineandwhiskey.com
pemimmobiliare.com
carefourexpress.com
jx2grenier.com
myhealthsmartmove.com
jumpstartagent.com
pmstaffingllc.com
truetailed.com
1lhd.com
healthymedication.com
mop-in-motion.com
apps4parking.com
talkthepod.com
weixinrobots.com
dydolphinhof.com
korumetal.com
sywlsw.com
antriansalamun.com
5778777.com
5dp5dt.com
okhydrwhcqdyz.com
lacosyte.com
tiny-frames.com
jcrewct.com
mission-drone.com
toddsnymagazineder.com
hikuiaroe.com
one-john.com
wesleyhutchins.com
zilaso.xyz
alphataxfiler.com
growthackbay.com
satoo-blog.com
johnwilsoncontracting.com
qiandaoyuan.com
stotalav.com
kwycivzmr.com
wemeowz.com
amityequity.com
michaeldemskojr.com
tororancho.com
5069xcc.com
maygolfcartstag.com
undawn-wiki.com
turningauthority.com
docto360.com
waterdropfnilter.com
polybreadphx.com
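The domain list above is only useful once it is matched against traffic, and matching has to be suffix-aware (www.cayocabana.com should hit, notcayocabana.com should not). The following is an added example, not code from the tria.ge report: FORMBOOK_DOMAINS is the report's extracted list copied verbatim, while the log format and the log lines are constructed for the demo.

```python
"""Hunt for the Formbook domains above in DNS query logs.

Added example; not part of the tria.ge report. FORMBOOK_DOMAINS is the
report's extracted domain list copied verbatim. The log format and the
log lines are constructed for the demo. Formbook configs mix one live C2
host with decoy domains, so a hit is a lead to pivot on, not proof of C2.
"""

FORMBOOK_DOMAINS = """
cayocabana.com handbholidaylighting.com bombastickmast.com engageandexceltutoring.com
acdaiucdac.com alfahifurniture.com ageingxx.com app-fintoch.com quintanaatverde.com
theimperfectangel.com usvisa-infu.com 774495.com betjogue.com jil-fashion.com
luxury-developments.com tonestarconsulting.com betonlineaustralia.com
oldglorywineandwhiskey.com pemimmobiliare.com carefourexpress.com jx2grenier.com
myhealthsmartmove.com jumpstartagent.com pmstaffingllc.com truetailed.com 1lhd.com
healthymedication.com mop-in-motion.com apps4parking.com talkthepod.com weixinrobots.com
dydolphinhof.com korumetal.com sywlsw.com antriansalamun.com 5778777.com 5dp5dt.com
okhydrwhcqdyz.com lacosyte.com tiny-frames.com jcrewct.com mission-drone.com
toddsnymagazineder.com hikuiaroe.com one-john.com wesleyhutchins.com zilaso.xyz
alphataxfiler.com growthackbay.com satoo-blog.com johnwilsoncontracting.com
qiandaoyuan.com stotalav.com kwycivzmr.com wemeowz.com amityequity.com
michaeldemskojr.com tororancho.com 5069xcc.com maygolfcartstag.com undawn-wiki.com
turningauthority.com docto360.com waterdropfnilter.com polybreadphx.com
""".split()


def normalize(host):
    """Lower-case, drop a trailing dot (FQDN form) and any :port suffix."""
    return host.strip().lower().rstrip(".").split(":", 1)[0]


INDEX = {normalize(d) for d in FORMBOOK_DOMAINS}


def match_domain(host, index=INDEX):
    """Return the configured domain that host equals or sits under, else None.
    Walks the label suffixes so www.cayocabana.com matches cayocabana.com
    but notcayocabana.com does not (the bare TLD is never tested)."""
    labels = normalize(host).split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in index:
            return candidate
    return None


# Constructed resolver log for the demo: "<timestamp> <client> <qname>" per line.
SAMPLE_LOG = """\
2023-07-14T12:19:01Z 10.0.0.12 www.cayocabana.com
2023-07-14T12:19:02Z 10.0.0.12 CayoCabana.com.
2023-07-14T12:19:03Z 10.0.0.12 notcayocabana.com
2023-07-14T12:19:04Z 10.0.0.12 www.microsoft.com
2023-07-14T12:19:05Z 10.0.0.13 zilaso.xyz
"""


def scan_log(text, index=INDEX):
    """Return (timestamp, client, normalized qname, matched domain) for every hit."""
    hits = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 3:
            continue
        ts, client, qname = fields[:3]
        matched = match_domain(qname, index)
        if matched:
            hits.append((ts, client, normalize(qname), matched))
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(*hit)
```

Run as-is it reports three hits from the constructed log (two for cayocabana.com, one for zilaso.xyz) and ignores the lookalike notcayocabana.com. Feed it real resolver or proxy logs by replacing SAMPLE_LOG; because most of these domains are decoys, pivot on the client that queried several of them in a short window rather than on any single name.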
Signatures

Formbook payload (4 IoCs)
  resource                                                                     yara_rule
  behavioral1/memory/2188-61-0x0000000000400000-0x000000000042F000-memory.dmp  formbook
  behavioral1/memory/2188-65-0x0000000000400000-0x000000000042F000-memory.dmp  formbook
  behavioral1/memory/776-73-0x0000000000080000-0x00000000000AF000-memory.dmp   formbook
  behavioral1/memory/776-75-0x0000000000080000-0x00000000000AF000-memory.dmp   formbook

Deletes itself (1 IoC)
  pid   Process
  2016  cmd.exe

Loads dropped DLL (1 IoC)
  pid   Process
  1664  Sipariş formu 07.14.exe

Suspicious use of SetThreadContext (3 IoCs)
  description                          pid   Process                  procid_target
  PID 1664 set thread context of 2188  1664  Sipariş formu 07.14.exe  28
  PID 2188 set thread context of 1212  2188  Sipariş formu 07.14.exe  22
  PID 776 set thread context of 1212   776   cmmon32.exe              22

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

Suspicious behavior: EnumeratesProcesses (30 IoCs)
  pid   Process                  events
  2188  Sipariş formu 07.14.exe  2
  776   cmmon32.exe              28

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  pid   Process
  1212  Explorer.EXE

Suspicious behavior: MapViewOfSection (6 IoCs)
  pid   Process                  events
  1664  Sipariş formu 07.14.exe  1
  2188  Sipariş formu 07.14.exe  3
  776   cmmon32.exe              2

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description              pid   Process
  Token: SeDebugPrivilege  2188  Sipariş formu 07.14.exe
  Token: SeDebugPrivilege  776   cmmon32.exe

Suspicious use of WriteProcessMemory (13 IoCs)
  description                       pid   Process                  procid_target  events
  PID 1664 wrote to memory of 2188  1664  Sipariş formu 07.14.exe  28             5
  PID 1212 wrote to memory of 776   1212  Explorer.EXE             29             4
  PID 776 wrote to memory of 2016   776   cmmon32.exe              30             4
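Read together, the SetThreadContext, WriteProcessMemory and memory-dump rows describe the whole Formbook chain: the dropper writes into and re-points a child copy of itself (hollowing), the child hijacks a thread in Explorer.EXE, Explorer then spawns cmmon32.exe, which hijacks Explorer again and finally runs cmd.exe to delete the original file. The script below is an added example, not tria.ge's own tooling: it parses the report's own signature rows (copied verbatim, the 13 WriteProcessMemory entries expressed as repeats) and labels each edge. The regexes encode my assumption about the flattened row layout (PID, action, target PID, PID again, image, target index), and the PID-to-image table is taken from the Processes section. A write with no matching context change, such as Explorer.EXE to cmmon32.exe, is what ordinary process creation looks like on this platform (the parent fills in the child's process parameters), so the script only calls an edge injection when a context change is present.

```python
"""Rebuild the injection chain from the Signatures block above.

Added example (mine, not tria.ge's). The input strings are the report's own
SetThreadContext, WriteProcessMemory and Formbook-payload rows; the regexes
are my assumption about how that flattened table is laid out.
"""
import re
from collections import Counter, defaultdict

SET_CTX = (
    "PID 1664 set thread context of 2188 1664 Sipariş formu 07.14.exe 28 "
    "PID 2188 set thread context of 1212 2188 Sipariş formu 07.14.exe 22 "
    "PID 776 set thread context of 1212 776 cmmon32.exe 22"
)
# The report repeats each write row; the multipliers reproduce its 13 entries.
WRITE_MEM = (
    "PID 1664 wrote to memory of 2188 1664 Sipariş formu 07.14.exe 28 " * 5
    + "PID 1212 wrote to memory of 776 1212 Explorer.EXE 29 " * 4
    + "PID 776 wrote to memory of 2016 776 cmmon32.exe 30 " * 4
).strip()
MEM_DUMPS = (
    "behavioral1/memory/2188-61-0x0000000000400000-0x000000000042F000-memory.dmp formbook "
    "behavioral1/memory/2188-65-0x0000000000400000-0x000000000042F000-memory.dmp formbook "
    "behavioral1/memory/776-73-0x0000000000080000-0x00000000000AF000-memory.dmp formbook "
    "behavioral1/memory/776-75-0x0000000000080000-0x00000000000AF000-memory.dmp formbook"
)
# PID -> image, taken from the report's Processes section.
IMAGES = {1212: "Explorer.EXE", 1664: "Sipariş formu 07.14.exe",
          2188: "Sipariş formu 07.14.exe", 776: "cmmon32.exe", 2016: "cmd.exe"}

EVENT_RE = re.compile(
    r"PID (\d+) (set thread context of|wrote to memory of) (\d+) \1 (.+?) (\d+)(?= PID |$)")
DUMP_RE = re.compile(
    r"behavioral1/memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp (\w+)")


def parse_events(text):
    """Return (src_pid, action, dst_pid, src_image) tuples from a flattened row."""
    return [(int(m.group(1)), m.group(2), int(m.group(3)), m.group(4))
            for m in EVENT_RE.finditer(text)]


def parse_dumps(text):
    """Return one dict per memory dump that matched the formbook YARA rule."""
    out = []
    for m in DUMP_RE.finditer(text):
        start, end = int(m.group(3), 16), int(m.group(4), 16)
        out.append({"pid": int(m.group(1)), "seq": int(m.group(2)), "start": start,
                    "end": end, "size": end - start, "rule": m.group(5)})
    return out


def injection_graph(ctx_text, write_text):
    """Edge (src, dst) -> Counter of writes and context changes across it."""
    graph = defaultdict(Counter)
    for src, action, dst, _ in parse_events(ctx_text) + parse_events(write_text):
        graph[(src, dst)]["set_context" if action.startswith("set") else "write"] += 1
    return graph


def classify(graph, images=IMAGES):
    """Label each edge: write+context on the same image is hollowing, a context
    change alone is a thread hijack, a write alone is consistent with creation."""
    findings = []
    for (src, dst), c in sorted(graph.items()):
        si, di = images.get(src, "?"), images.get(dst, "?")
        if c["set_context"] and c["write"] and si == di:
            label = "process hollowing (same image)"
        elif c["set_context"]:
            label = "thread context hijack into " + di
        else:
            label = "write only: consistent with process creation"
        findings.append((src, dst, label))
    return findings


def payload_sizes(dump_text):
    """pid -> set of mapped-region sizes. Equal sizes in different processes
    at different bases point to the same unpacked payload being re-mapped."""
    sizes = defaultdict(set)
    for d in parse_dumps(dump_text):
        sizes[d["pid"]].add(d["size"])
    return dict(sizes)


if __name__ == "__main__":
    for src, dst, label in classify(injection_graph(SET_CTX, WRITE_MEM)):
        print(f"{src} ({IMAGES[src]}) -> {dst} ({IMAGES[dst]}): {label}")
    print(payload_sizes(MEM_DUMPS))
```

On this report the output labels 1664 to 2188 as hollowing, 2188 to 1212 and 776 to 1212 as hijacks into Explorer.EXE, and the Explorer to cmmon32.exe and cmmon32.exe to cmd.exe edges as plain creation. Both dumped regions are 0x2F000 bytes, at base 0x400000 in the hollowed child and 0x80000 in cmmon32.exe, so the same unpacked Formbook image was carried from one host process to the next.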
Processes

C:\Windows\Explorer.EXE  (PID 1212)
    "C:\Windows\Explorer.EXE"
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\Sipariş formu 07.14.exe  (PID 1664)
        "C:\Users\Admin\AppData\Local\Temp\Sipariş formu 07.14.exe"
        - Loads dropped DLL
        - Suspicious use of SetThreadContext
        - Suspicious behavior: MapViewOfSection
        - Suspicious use of WriteProcessMemory

        C:\Users\Admin\AppData\Local\Temp\Sipariş formu 07.14.exe  (PID 2188)
            "C:\Users\Admin\AppData\Local\Temp\Sipariş formu 07.14.exe"
            - Suspicious use of SetThreadContext
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious behavior: MapViewOfSection
            - Suspicious use of AdjustPrivilegeToken

    C:\Windows\SysWOW64\cmmon32.exe  (PID 776)
        "C:\Windows\SysWOW64\cmmon32.exe"
        - Suspicious use of SetThreadContext
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: MapViewOfSection
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\cmd.exe  (PID 2016)
            C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\Admin\AppData\Local\Temp\Sipariş formu 07.14.exe"
            - Deletes itself
Network
MITRE ATT&CK Enterprise v6
Downloads

Filesize: 62KB
MD5: 125ee622e7609b69342418d308d58d5f
SHA1: 1260b84e326769819d38ea1c082e9f474ead439e
SHA256: 4bd5eb814b8be6ec702ff73b01056c315e1426172da219f2578884aec52e81f1
SHA512: 4636e9f4c869e5e147a2f8d45b9d814bc58df16784d5d062e9455b714cd73440c011c33ebdbcc35cdee54ee48424d963fa50849c0124c6d6519c804952b7ac4e