
Analysis

  • max time kernel
    122s
  • max time network
    126s
  • platform
    windows7_x64
  • resource
    win7-20230712-en
  • resource tags
    arch:x64, arch:x86, image:win7-20230712-en, locale:en-us, os:windows7-x64, system
  • submitted
    05/08/2023, 10:33

General

  • Target

    69b78313535ef2b6dc89c71b8c389907e8a02cccb5d9fdee05833d69aac84c0fexe_JC.exe

  • Size

    283KB

  • MD5

    3ebc4be338c1302a6f6e0bd7b54fe53e

  • SHA1

    815f0f48fa90603919cf33ba25f99cf0a4b9996d

  • SHA256

    69b78313535ef2b6dc89c71b8c389907e8a02cccb5d9fdee05833d69aac84c0f

  • SHA512

    fac2ca3553cbad3c1f875e725cc65b116298c8b730902c4b7a0c48fbd957015e38d7df332bfc54266215407ac7f0059046aabf176e08f4e9bc945926fbeb3944

  • SSDEEP

    6144:/Ya6BoVt7aHVDMwNv7veEH06QgBQxj3yMu9LQs6QRVdk1g:/YTM7aBNv7vuIQ5yzaQu2

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

sn26

Decoy

Domains from the extracted config that Formbook contacts alongside its real C2 to mask which one matters; the list mixes attacker infrastructure with unrelated legitimate sites, so treat it as analysis context rather than a blocklist.

resenha10.bet

gulshan-rajput.com

xbus.tech

z813my.cfd

wlxzjlny.cfd

auntengotiempo.com

canada-reservation.com

thegiftcompany.shop

esthersilveirapropiedades.com

1wapws.top

ymjblnvo.cfd

termokimik.net

kushiro-artist-school.com

bmmboo.com

caceresconstructionservices.com

kentuckywalkabout.com

bringyourcart.com

miamiwinetour.com

bobcatsocial.site

thirdmind.network

Signatures

  • Formbook

    Formbook is an information stealer: it harvests credentials, keystrokes, clipboard contents and browser form data from the infected host and exfiltrates them to its C2.

  • Formbook payload 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of WriteProcessMemory 5 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\69b78313535ef2b6dc89c71b8c389907e8a02cccb5d9fdee05833d69aac84c0fexe_JC.exe
    "C:\Users\Admin\AppData\Local\Temp\69b78313535ef2b6dc89c71b8c389907e8a02cccb5d9fdee05833d69aac84c0fexe_JC.exe"
    • Suspicious behavior: EnumeratesProcesses
    PID:2772
  • C:\Users\Admin\AppData\Local\Temp\69b78313535ef2b6dc89c71b8c389907e8a02cccb5d9fdee05833d69aac84c0fexe_JC.exe
    "C:\Users\Admin\AppData\Local\Temp\69b78313535ef2b6dc89c71b8c389907e8a02cccb5d9fdee05833d69aac84c0fexe_JC.exe"
    • Loads dropped DLL
    • Suspicious use of SetThreadContext
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of WriteProcessMemory
    PID:2340
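
The signatures above are reported one API at a time. What turns them into a process-hollowing indicator is the pairing: the same caller both writes into a second process (WriteProcessMemory, MapViewOfSection) and redirects one of its threads (SetThreadContext), and that second process is a fresh copy of the same binary, which is exactly what the process list shows. The Python below is an added example for this page, not tria.ge code and not part of the sample: it correlates constructed API-call events, modelled on this report's PIDs (2340, 2772), image path and signature names, into that verdict. The report does not record which PID each call targeted or which instance is the parent, so the target_pid and ppid values in the sample data are assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Image path of the submitted sample, as listed in the Processes section.
IMAGE = (r"C:\Users\Admin\AppData\Local\Temp"
         r"\69b78313535ef2b6dc89c71b8c389907e8a02cccb5d9fdee05833d69aac84c0fexe_JC.exe")


@dataclass(frozen=True)
class Process:
    pid: int
    ppid: int
    image: str


@dataclass(frozen=True)
class ApiCall:
    pid: int                          # calling process
    api: str
    target_pid: Optional[int] = None  # process the handle argument refers to, if any


# Hollowing / thread hijacking needs both halves: put code into the target,
# then point one of its threads at it. Either half alone is common in benign code.
WRITE_APIS = {"WriteProcessMemory", "MapViewOfSection", "NtMapViewOfSection"}
HIJACK_APIS = {"SetThreadContext", "NtSetContextThread"}


def find_hollowing(procs: List[Process],
                   calls: List[ApiCall]) -> List[Tuple[int, int, List[str], bool]]:
    """Return (injector_pid, target_pid, apis_used, self_spawn) for each pair of
    processes where the injector both wrote into the target and set a thread
    context in it. self_spawn is True when the target is the injector's own
    child running the same image, the shape of this report's process list."""
    by_pid: Dict[int, Process] = {p.pid: p for p in procs}
    seen: Dict[Tuple[int, int], Set[str]] = defaultdict(set)
    for c in calls:
        if c.target_pid is None or c.target_pid == c.pid:
            continue  # no cross-process handle involved
        if c.api in WRITE_APIS or c.api in HIJACK_APIS:
            seen[(c.pid, c.target_pid)].add(c.api)

    hits = []
    for (src, dst), apis in sorted(seen.items()):
        if not (apis & WRITE_APIS and apis & HIJACK_APIS):
            continue  # only one half of the sequence: not enough on its own
        parent, child = by_pid.get(src), by_pid.get(dst)
        self_spawn = (parent is not None and child is not None
                      and child.ppid == src
                      and child.image.lower() == parent.image.lower())
        hits.append((src, dst, sorted(apis), self_spawn))
    return hits


# Constructed sample. PIDs, image and API names come from the report; the
# parent/child relationship and the target of each call are assumed.
SAMPLE_PROCS = [
    Process(pid=2340, ppid=1000, image=IMAGE),  # ppid 1000 assumed (launcher)
    Process(pid=2772, ppid=2340, image=IMAGE),  # assumed: second copy is the child
]
SAMPLE_CALLS = [
    ApiCall(2340, "LoadLibraryW"),                                              # "Loads dropped DLL"
    ApiCall(2340, "MapViewOfSection", target_pid=2772),
    *[ApiCall(2340, "WriteProcessMemory", target_pid=2772) for _ in range(5)],  # 5 IoCs
    ApiCall(2340, "SetThreadContext", target_pid=2772),
    ApiCall(2772, "CreateToolhelp32Snapshot"),                                  # "EnumeratesProcesses"
    ApiCall(2772, "WriteProcessMemory", target_pid=2772),                       # own process: ignored
]

if __name__ == "__main__":
    for src, dst, apis, self_spawn in find_hollowing(SAMPLE_PROCS, SAMPLE_CALLS):
        kind = "self-spawned child" if self_spawn else "other process"
        print(f"PID {src} -> PID {dst} ({kind}): {', '.join(apis)}")
```

On a live host the same correlation runs over Sysmon ProcessAccess (Event ID 10) records keyed by SourceProcessId and TargetProcessId rather than over sandbox API traces; the point is the write-plus-hijack pairing against a freshly spawned copy of the same image, not any single call.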

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Users\Admin\AppData\Local\Temp\nsd92CF.tmp\bloacmpyke.dll

    Filesize

    138KB

    MD5

    47dc5740ac18d6324cc40f383058f095

    SHA1

    547e1bd449278f35ee2fa212a486bb12ad42ff84

    SHA256

    f3256c298bef3b4070df894a2497eccb7619554966299f2a4c26fcf94b7d541d

    SHA512

    53c9884adadab0a35c6941d96fdb28e47852aa4d1a77b2a96bd6c927ec618fc1b1f9bb4d868eda8a4d25f61b31d74ba3a2b2c96d7b118f7ceac4f78b9508e725

  • \Users\Admin\AppData\Local\Temp\nsd92CF.tmp\bloacmpyke.dll

    Filesize

    138KB

    MD5

    47dc5740ac18d6324cc40f383058f095

    SHA1

    547e1bd449278f35ee2fa212a486bb12ad42ff84

    SHA256

    f3256c298bef3b4070df894a2497eccb7619554966299f2a4c26fcf94b7d541d

    SHA512

    53c9884adadab0a35c6941d96fdb28e47852aa4d1a77b2a96bd6c927ec618fc1b1f9bb4d868eda8a4d25f61b31d74ba3a2b2c96d7b118f7ceac4f78b9508e725

  • memory/2340-61-0x0000000000390000-0x0000000000392000-memory.dmp

    Filesize

    8KB

  • memory/2772-64-0x0000000000910000-0x0000000000C13000-memory.dmp

    Filesize

    3.0MB

  • memory/2772-62-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB
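
The last three entries are memory regions dumped from the two processes, named by PID and address range. The Python below is an added example for this page, not tria.ge code: it parses that naming scheme, recomputes each region's size from its bounds and checks it against the size the report states, and flags the region starting at 0x400000, the default image base of a 32-bit EXE and the first place to look for an unpacked or hollowed-in PE. The layout memory/<pid>-<n>-0x<start>-0x<end>-memory.dmp is inferred from these three names, and <n> is taken to be a per-report sequence number (an assumption; the page does not define it).

```python
import re
from dataclasses import dataclass
from typing import Dict, Tuple

# Layout inferred from the three dump names on this page.
DUMP_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$"
)

PE32_DEFAULT_BASE = 0x400000  # default ImageBase of a 32-bit executable
PAGE = 0x1000


@dataclass(frozen=True)
class MemoryDump:
    pid: int
    seq: int    # assumed to be a per-report sequence number
    start: int
    end: int

    @property
    def size(self) -> int:
        return self.end - self.start

    @property
    def at_default_image_base(self) -> bool:
        """True when the region starts where a 32-bit EXE is normally mapped."""
        return self.start == PE32_DEFAULT_BASE


def parse_dump_name(name: str) -> MemoryDump:
    m = DUMP_RE.match(name)
    if not m:
        raise ValueError(f"not a memory dump name: {name!r}")
    start, end = int(m["start"], 16), int(m["end"], 16)
    if end <= start or start % PAGE or end % PAGE:
        raise ValueError(f"bad or unaligned range in {name!r}")
    return MemoryDump(int(m["pid"]), int(m["seq"]), start, end)


def human_size(n: int) -> str:
    """Format like the report: whole KB below 1 MiB, one decimal of MB above."""
    if n >= 1 << 20:
        return f"{n / (1 << 20):.1f}MB"
    return f"{n // 1024}KB"


# The three entries from this report, with the sizes the page states.
REPORTED = {
    "memory/2340-61-0x0000000000390000-0x0000000000392000-memory.dmp": "8KB",
    "memory/2772-64-0x0000000000910000-0x0000000000C13000-memory.dmp": "3.0MB",
    "memory/2772-62-0x0000000000400000-0x000000000042F000-memory.dmp": "188KB",
}


def check_reported(entries: Dict[str, str] = REPORTED) -> Dict[str, Tuple[str, bool, bool]]:
    """Return {name: (computed_size, matches_stated_size, at_default_image_base)}."""
    out = {}
    for name, stated in entries.items():
        d = parse_dump_name(name)
        size = human_size(d.size)
        out[name] = (size, size == stated, d.at_default_image_base)
    return out


if __name__ == "__main__":
    for name, (size, ok, base) in check_reported().items():
        flag = " (default PE32 image base)" if base else ""
        print(f"{name}: {size} {'ok' if ok else 'MISMATCH'}{flag}")
```

Of the three regions only 0x400000-0x42F000 in PID 2772 sits at the default image base; that 188KB dump is the one to carve a PE header out of first, while the 3.0MB region in the same process is the larger candidate for an unpacked payload.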