Analysis
Max time kernel: 150s
Max time network: 155s
Platform: windows10-2004_x64
Resource: win10v2004-20230703-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20230703-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 14/07/2023, 12:18
Static task: static1
Behavioral task: behavioral1
Sample: Sipariş formu 07.14.exe
Resource: win7-20230712-en
Note: the signatures, process tree and memory dumps below are labelled behavioral2 and come from the windows10-2004_x64 run described under Analysis, not from the win7-20230712-en task listed here.
General
Target: Sipariş formu 07.14.exe
Size: 263KB
MD5: 719c522aec409b51c6868a77f80b6fa8
SHA1: 416357c9f7ecc7e9a6e70e3703075f53846f176f
SHA256: 7bf47a92fadd875caa70db94a8ef153f7e63296357619e23a27b2d4e0a6a2bde
SHA512: 3bd2455092e7ed61838737f68c83e7f4e555dcd92a0a975eb4acff6dd9a08f3986d48afe82d563d8c3db0d1068801b370ad20b3ed517547ed74845a2f1249046
SSDEEP: 6144:vYa6ZSSel/J61D4l7EMPHf6G+MDtSSfS606DHTtw7mkNlVxv4ODw:vYrvoJg6diG+MDG60OHTtw7mkZxvu
Malware Config
Extracted
Family: formbook
Version: 4.1
Campaign: b0y4
C2 domains (a Formbook config carries a list in which only one entry is the live C2; the rest are decoys the bot also sends traffic to, and many of them are legitimate sites, so do not blocklist the whole list without checking each entry):
cayocabana.com
handbholidaylighting.com
bombastickmast.com
engageandexceltutoring.com
acdaiucdac.com
alfahifurniture.com
ageingxx.com
app-fintoch.com
quintanaatverde.com
theimperfectangel.com
usvisa-infu.com
774495.com
betjogue.com
jil-fashion.com
luxury-developments.com
tonestarconsulting.com
betonlineaustralia.com
oldglorywineandwhiskey.com
pemimmobiliare.com
carefourexpress.com
jx2grenier.com
myhealthsmartmove.com
jumpstartagent.com
pmstaffingllc.com
truetailed.com
1lhd.com
healthymedication.com
mop-in-motion.com
apps4parking.com
talkthepod.com
weixinrobots.com
dydolphinhof.com
korumetal.com
sywlsw.com
antriansalamun.com
5778777.com
5dp5dt.com
okhydrwhcqdyz.com
lacosyte.com
tiny-frames.com
jcrewct.com
mission-drone.com
toddsnymagazineder.com
hikuiaroe.com
one-john.com
wesleyhutchins.com
zilaso.xyz
alphataxfiler.com
growthackbay.com
satoo-blog.com
johnwilsoncontracting.com
qiandaoyuan.com
stotalav.com
kwycivzmr.com
wemeowz.com
amityequity.com
michaeldemskojr.com
tororancho.com
5069xcc.com
maygolfcartstag.com
undawn-wiki.com
turningauthority.com
docto360.com
waterdropfnilter.com
polybreadphx.com
Signatures
Formbook payload (5 IoCs)
  YARA rule "formbook" matched these memory dumps:
    behavioral2/memory/4120-139-0x0000000000400000-0x000000000042F000-memory.dmp
    behavioral2/memory/4120-143-0x0000000000400000-0x000000000042F000-memory.dmp
    behavioral2/memory/4120-147-0x0000000000400000-0x000000000042F000-memory.dmp
    behavioral2/memory/504-156-0x0000000000FA0000-0x0000000000FCF000-memory.dmp
    behavioral2/memory/504-158-0x0000000000FA0000-0x0000000000FCF000-memory.dmp
  Both regions are 0x2F000 bytes long: the payload image found in PID 4120 (Sipariş formu 07.14.exe) is the same size as the one found in PID 504 (msdt.exe).

Loads dropped DLL (1 IoC)
  PID 2196  Sipariş formu 07.14.exe

Suspicious use of SetThreadContext (4 IoCs)
  PID 2196 (Sipariş formu 07.14.exe) set thread context of PID 4120  (procid_target 86)
  PID 4120 (Sipariş formu 07.14.exe) set thread context of PID 3116  (procid_target 45), 2 times
  PID 504 (msdt.exe) set thread context of PID 3116  (procid_target 45)

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

Modifies registry class (2 IoCs)
  Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\  Explorer.EXE
  Key created  \REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\  Explorer.EXE

Suspicious behavior: EnumeratesProcesses (60 IoCs)
  PID 4120  Sipariş formu 07.14.exe  (6 times)
  PID 504   msdt.exe  (54 times)

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  PID 3116  Explorer.EXE

Suspicious behavior: MapViewOfSection (7 IoCs)
  PID 2196  Sipariş formu 07.14.exe  (1 time)
  PID 4120  Sipariş formu 07.14.exe  (4 times)
  PID 504   msdt.exe  (2 times)

Suspicious use of AdjustPrivilegeToken (18 IoCs)
  Token: SeDebugPrivilege           PID 4120  Sipariş formu 07.14.exe
  Token: SeDebugPrivilege           PID 504   msdt.exe
  Token: SeShutdownPrivilege        PID 3116  Explorer.EXE  (8 times)
  Token: SeCreatePagefilePrivilege  PID 3116  Explorer.EXE  (8 times)

Suspicious use of WriteProcessMemory (10 IoCs)
  PID 2196 (Sipariş formu 07.14.exe) wrote to memory of PID 4120  (procid_target 86), 4 times
  PID 3116 (Explorer.EXE) wrote to memory of PID 504  (procid_target 92), 3 times
  PID 504 (msdt.exe) wrote to memory of PID 528  (procid_target 94), 3 times
Processes
The tree reads as one chain: the sample (PID 2196) launches a second copy of itself (PID 4120) and rewrites a thread in it; that copy redirects a thread in the already-running Explorer.EXE (PID 3116); Explorer then launches the signed system binary msdt.exe (PID 504), which holds a formbook-matching region of the same size as the one in PID 4120 and also redirects a thread in Explorer; finally msdt.exe spawns cmd.exe (PID 528) to delete the original sample from Temp.

C:\Windows\Explorer.EXE (PID 3116), command line: C:\Windows\Explorer.EXE
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\Sipariş formu 07.14.exe (PID 2196, child of 3116), command line: "C:\Users\Admin\AppData\Local\Temp\Sipariş formu 07.14.exe"
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\Sipariş formu 07.14.exe (PID 4120, child of 2196), command line: "C:\Users\Admin\AppData\Local\Temp\Sipariş formu 07.14.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
  C:\Windows\SysWOW64\msdt.exe (PID 504, child of 3116), command line: "C:\Windows\SysWOW64\msdt.exe"
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\cmd.exe (PID 528, child of 504), command line: /c del "C:\Users\Admin\AppData\Local\Temp\Sipariş formu 07.14.exe"
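The SetThreadContext and WriteProcessMemory rows, the process tree and the five matched memory dumps together describe the injection chain: sample (2196) hollows a copy of itself (4120), the copy injects into Explorer.EXE (3116), Explorer spawns msdt.exe (504) which carries a payload region of the same size and injects into Explorer again, and msdt.exe spawns cmd.exe /c del against the original file. The script below is an added example, not part of the tria.ge report or of its tooling: it re-encodes those rows as constructed records and derives each step of the chain, plus the equal-size check on the dumped regions, the way a detection or triage script would over the same data. The function names (analyze, payload_regions, same_payload_size) and the finding labels are assumptions made for this example.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Process tree as the report shows it: pid -> (image, parent pid, command line).
# Constructed from the Processes section of the report.
PROCESSES: Dict[int, Tuple[str, Optional[int], str]] = {
    3116: ("Explorer.EXE", None, r"C:\Windows\Explorer.EXE"),
    2196: ("Sipariş formu 07.14.exe", 3116,
           r'"C:\Users\Admin\AppData\Local\Temp\Sipariş formu 07.14.exe"'),
    4120: ("Sipariş formu 07.14.exe", 2196,
           r'"C:\Users\Admin\AppData\Local\Temp\Sipariş formu 07.14.exe"'),
    504: ("msdt.exe", 3116, r'"C:\Windows\SysWOW64\msdt.exe"'),
    528: ("cmd.exe", 504,
          r'/c del "C:\Users\Admin\AppData\Local\Temp\Sipariş formu 07.14.exe"'),
}


@dataclass(frozen=True)
class Event:
    api: str  # "SetThreadContext" or "WriteProcessMemory"
    src: int  # pid making the call
    dst: int  # pid whose thread or memory is touched


# One Event per signature row in the report (duplicates kept on purpose: a
# hollowing loader writes headers and sections with several WriteProcessMemory calls).
EVENTS: List[Event] = (
    [Event("WriteProcessMemory", 2196, 4120)] * 4
    + [Event("SetThreadContext", 2196, 4120)]
    + [Event("SetThreadContext", 4120, 3116)] * 2
    + [Event("SetThreadContext", 504, 3116)]
    + [Event("WriteProcessMemory", 3116, 504)] * 3
    + [Event("WriteProcessMemory", 504, 528)] * 3
)

# The five memory dumps that matched the formbook YARA rule.
DUMPS: List[str] = [
    "behavioral2/memory/4120-139-0x0000000000400000-0x000000000042F000-memory.dmp",
    "behavioral2/memory/4120-143-0x0000000000400000-0x000000000042F000-memory.dmp",
    "behavioral2/memory/4120-147-0x0000000000400000-0x000000000042F000-memory.dmp",
    "behavioral2/memory/504-156-0x0000000000FA0000-0x0000000000FCF000-memory.dmp",
    "behavioral2/memory/504-158-0x0000000000FA0000-0x0000000000FCF000-memory.dmp",
]

DUMP_RE = re.compile(r"(\d+)-\d+-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


def payload_regions(dumps: List[str]) -> Dict[int, Set[Tuple[int, int]]]:
    """pid -> {(base, size)} for every dump region the YARA rule matched."""
    regions: Dict[int, Set[Tuple[int, int]]] = {}
    for name in dumps:
        m = DUMP_RE.search(name)
        if m:
            pid, lo, hi = int(m.group(1)), int(m.group(2), 16), int(m.group(3), 16)
            regions.setdefault(pid, set()).add((lo, hi - lo))
    return regions


def same_payload_size(dumps: List[str]) -> bool:
    """True when every matched region, in every pid, has one and the same size."""
    sizes = {size for regs in payload_regions(dumps).values() for _, size in regs}
    return len(sizes) == 1


def analyze(processes, events, dumps) -> List[Tuple[str, int, int]]:
    """Derive (finding, src_pid, dst_pid) triples, one per step of the injection chain."""
    findings: List[Tuple[str, int, int]] = []

    def add(f: Tuple[str, int, int]) -> None:
        if f not in findings:  # the report repeats rows; report each step once
            findings.append(f)

    injected: Set[int] = set()
    for e in events:
        if e.api != "SetThreadContext":
            continue
        src_img = processes[e.src][0]
        dst_img, dst_parent, _ = processes[e.dst]
        if dst_parent == e.src and dst_img == src_img:
            # Redirecting a thread of its own freshly spawned twin: hollowing.
            add(("hollowed_child", e.src, e.dst))
        else:
            # Redirecting a thread in a process it never spawned: injection.
            add(("cross_process_injection", e.src, e.dst))
            injected.add(e.dst)

    # A binary from a system directory, spawned by an injected process and holding
    # the payload: the injected host moved the payload into a fresh, signed home.
    regions = payload_regions(dumps)
    for pid, (_, ppid, cmdline) in processes.items():
        path = cmdline.lower().lstrip('"')
        if ppid in injected and path.startswith(SYSTEM_DIRS) and pid in regions:
            add(("payload_in_spawned_system_binary", ppid, pid))

    # Self-deletion: a command line that deletes another process's own image path.
    for pid, (_, _, cmdline) in processes.items():
        m = re.search(r'\bdel\s+"([^"]+)"', cmdline, re.IGNORECASE)
        if not m:
            continue
        for victim, (_, _, vcmd) in processes.items():
            if vcmd.strip('"').lower() == m.group(1).lower():
                add(("self_delete", pid, victim))
    return findings


if __name__ == "__main__":
    for finding in analyze(PROCESSES, EVENTS, DUMPS):
        print(finding)
    print("same payload size in every dump:", same_payload_size(DUMPS))
```

Run as-is it lists hollowed_child 2196→4120, cross_process_injection 4120→3116 and 504→3116, payload_in_spawned_system_binary 3116→504 and self_delete 528→2196/4120, and reports that both dumped regions are 0x2F000 bytes. The same rules apply unchanged to any other report of this family: the discriminator between hollowing and injection is whether the target is the caller's own child with the caller's own image name, and the size comparison is what tells you the msdt.exe region is the same unpacked image rather than a second stage.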
Network
MITRE ATT&CK Enterprise v6
Downloads
Filesize: 62KB
MD5: 125ee622e7609b69342418d308d58d5f
SHA1: 1260b84e326769819d38ea1c082e9f474ead439e
SHA256: 4bd5eb814b8be6ec702ff73b01056c315e1426172da219f2578884aec52e81f1
SHA512: 4636e9f4c869e5e147a2f8d45b9d814bc58df16784d5d062e9455b714cd73440c011c33ebdbcc35cdee54ee48424d963fa50849c0124c6d6519c804952b7ac4e