Analysis
- max time kernel: 149s
- max time network: 145s
- platform: windows10-2004_x64
- resource: win10v2004-20230703-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230703-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 15/08/2023, 12:10
Static task: static1
Behavioral task: behavioral1
- Sample: Kaas Order 2023 pdf.exe
- Resource: win7-20230712-en
General
- Target: Kaas Order 2023 pdf.exe
- Size: 237KB
- MD5: 5caade9e8a1281ee68581e53631ec3ed
- SHA1: 77b9a0f424eed669f235accc64e22519148cd608
- SHA256: ce4adf5f77ad3bf554ee6727abfe3c82e49ac5097e4e8d50ba2faba0d05b9c1d
- SHA512: b657353982207ac455b50898a5c69b41eaf7953c88dec4635c3384e34c9ad3b79935871c37bd5eb01459dd2398f1186a42b9a2c8d310332201b27324d8ec760f
- SSDEEP: 3072:HfY/TU9fE9PEtu+bkUV+m5g1dBNvUEc4NprW779OXLMJIg6mZKIx6e7Mk1WVsb:/Ya62k1m5g1pUcc776xmgpk1esb
Malware Config
Extracted
- Family: formbook
- Version: 4.1
- Campaign: sn26
- C2: list of 65 domains (omitted here)
Signatures
- Formbook payload (4 IoCs)
  resource | yara_rule
  behavioral2/memory/1812-140-0x0000000000400000-0x000000000042F000-memory.dmp | formbook
  behavioral2/memory/1812-143-0x0000000000400000-0x000000000042F000-memory.dmp | formbook
  behavioral2/memory/1320-151-0x0000000000370000-0x000000000039F000-memory.dmp | formbook
  behavioral2/memory/1320-153-0x0000000000370000-0x000000000039F000-memory.dmp | formbook
- Loads dropped DLL (1 IoC)
  pid | Process
  4364 | Kaas Order 2023 pdf.exe
- Suspicious use of SetThreadContext (3 IoCs)
  description | pid | Process | procid_target
  PID 4364 set thread context of 1812 | 4364 | Kaas Order 2023 pdf.exe | 82
  PID 1812 set thread context of 3132 | 1812 | Kaas Order 2023 pdf.exe | 63
  PID 1320 set thread context of 3132 | 1320 | netsh.exe | 63
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious behavior: EnumeratesProcesses (60 IoCs)
  pid | Process
  1812 | Kaas Order 2023 pdf.exe (4 entries)
  1320 | netsh.exe (the remaining 56 entries)
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  pid | Process
  3132 | Explorer.EXE
- Suspicious behavior: MapViewOfSection (6 IoCs)
  pid | Process
  4364 | Kaas Order 2023 pdf.exe
  1812 | Kaas Order 2023 pdf.exe (3 entries)
  1320 | netsh.exe (2 entries)
- Suspicious use of AdjustPrivilegeToken (10 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 1812 | Kaas Order 2023 pdf.exe
  Token: SeDebugPrivilege | 1320 | netsh.exe
  Token: SeShutdownPrivilege | 3132 | Explorer.EXE (4 entries)
  Token: SeCreatePagefilePrivilege | 3132 | Explorer.EXE (4 entries)
- Suspicious use of WriteProcessMemory (10 IoCs)
  description | pid | Process | procid_target
  PID 4364 wrote to memory of 1812 | 4364 | Kaas Order 2023 pdf.exe | 82 (4 entries)
  PID 3132 wrote to memory of 1320 | 3132 | Explorer.EXE | 84 (3 entries)
  PID 1320 wrote to memory of 2796 | 1320 | netsh.exe | 85 (3 entries)
Processes
- C:\Windows\Explorer.EXE (PID 3132, level 1)
  command line: C:\Windows\Explorer.EXE
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\Kaas Order 2023 pdf.exe (PID 4364, level 2)
    command line: "C:\Users\Admin\AppData\Local\Temp\Kaas Order 2023 pdf.exe"
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\Kaas Order 2023 pdf.exe (PID 1812, level 3)
      command line: "C:\Users\Admin\AppData\Local\Temp\Kaas Order 2023 pdf.exe"
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\netsh.exe (PID 1320, level 2)
    command line: "C:\Windows\SysWOW64\netsh.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe (PID 2796, level 3)
      command line: /c del "C:\Users\Admin\AppData\Local\Temp\Kaas Order 2023 pdf.exe"
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 10KB
  MD5: 63a97017f63052b3a9d2abbeecb3c39e
  SHA1: 264a44877e1fc56393fc4049801b7968a33d26b7
  SHA256: 63e77a05ddd8a2061a582ac1fd0354643b74bcbe2ce21bdaa23e6c95fc461402
  SHA512: a1f992deea0fe8dd19c276c88527f2f1a18ad4b24c50210a8fd9d198dde60d5ae1d5ef2df5a5ab10b32e3fc1892e0d6c02789f08e5795b2d5e4b99d02d4e7969