Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
149s -
max time network
138s -
platform
windows7_x64 -
resource
win7-20230712-en -
resource tags
arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system -
submitted
18/08/2023, 02:11
Static task
static1
Behavioral task
behavioral1
Sample
Swift TT Copy pdf.exe
Resource
win7-20230712-en
General
-
Target
Swift TT Copy pdf.exe
-
Size
274KB
-
MD5
becff9b703669062005159bd35dc315d
-
SHA1
042b87bb8d7f28e363a6f3de67d37b0cd4fdd1b9
-
SHA256
91407535cc5852ecae7889b9f034920694c733c9e47f89d08a470e32b9d31e13
-
SHA512
b68c24cd100e8b9a7c3972a22b13da4b75305cc433b4a083a4762228795f257b0a769497dde755f828bd53416b0d1ba93bfd5182922ff57ff7cf16e57f5c4cb4
-
SSDEEP
6144:PYa6x92BX0wKPBAfBiyrTOfYJVL2hTRiZQd:PYj9S0RPYHrbVL2h/d
Malware Config
Extracted
formbook
4.1
sn26
resenha10.bet
gulshan-rajput.com
xbus.tech
z813my.cfd
wlxzjlny.cfd
auntengotiempo.com
canada-reservation.com
thegiftcompany.shop
esthersilveirapropiedades.com
1wapws.top
ymjblnvo.cfd
termokimik.net
kushiro-artist-school.com
bmmboo.com
caceresconstructionservices.com
kentuckywalkabout.com
bringyourcart.com
miamiwinetour.com
bobcatsocial.site
thirdmind.network
4tbbwa.com
rhinosecurellc.net
rdparadise.com
radpm.xyz
thewhiteorchidspa.com
clhynfco.cfd
ngohcvja.cfd
woodennickelcandles.com
gg18rb.cfd
qcdrxwr.cfd
974dp.com
lagardere-vivendi-corp.net
chestnutmaretraining.com
seosjekk.online
ahevrlh.xyz
uedam.xyz
natrada.love
yoywvfw.top
unifiedtradingjapan.com
chinakaldi.com
agenciacolmeiadigital.com
wdlzzfkc.cfd
097850.com
xingcansy.com
uahrbqtj.cfd
charliehaywood.com
witheres.shop
sqiyvdrx.cfd
biopfizer.com
tiktokviewer.com
prftwgmw.cfd
sfsdnwpf.cfd
linkboladewahub.xyz
orvados.com
goodshepherdopcesva.com
christianlovewv.com
cdicontrols.com
hawskio26.click
ownlegalhelp.com
tiydmdzp.cfd
ppirr.biz
stonyatrick.com
itsamazingbarley.com
msjbaddf.cfd
zachmahl.com
Signatures
-
Formbook payload 4 IoCs
resource yara_rule behavioral1/memory/588-61-0x0000000000400000-0x000000000042F000-memory.dmp formbook behavioral1/memory/588-64-0x0000000000400000-0x000000000042F000-memory.dmp formbook behavioral1/memory/2868-72-0x00000000000C0000-0x00000000000EF000-memory.dmp formbook behavioral1/memory/2868-74-0x00000000000C0000-0x00000000000EF000-memory.dmp formbook -
Deletes itself 1 IoCs
pid Process 2832 cmd.exe -
Loads dropped DLL 1 IoCs
pid Process 2912 Swift TT Copy pdf.exe -
Suspicious use of SetThreadContext 3 IoCs
description pid Process procid_target PID 2912 set thread context of 588 2912 Swift TT Copy pdf.exe 28 PID 588 set thread context of 1272 588 Swift TT Copy pdf.exe 12 PID 2868 set thread context of 1272 2868 help.exe 12 -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 31 IoCs
pid Process 588 Swift TT Copy pdf.exe 588 Swift TT Copy pdf.exe 2868 help.exe 2868 help.exe 2868 help.exe 2868 help.exe 2868 help.exe 2868 help.exe 2868 help.exe 2868 help.exe 2868 help.exe 2868 help.exe 2868 help.exe 2868 help.exe 2868 help.exe 2868 help.exe 2868 help.exe 2868 help.exe 2868 help.exe 2868 help.exe 2868 help.exe 2868 help.exe 2868 help.exe 2868 help.exe 2868 help.exe 2868 help.exe 2868 help.exe 2868 help.exe 2868 help.exe 2868 help.exe 2868 help.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 1272 Explorer.EXE -
Suspicious behavior: MapViewOfSection 6 IoCs
pid Process 2912 Swift TT Copy pdf.exe 588 Swift TT Copy pdf.exe 588 Swift TT Copy pdf.exe 588 Swift TT Copy pdf.exe 2868 help.exe 2868 help.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 588 Swift TT Copy pdf.exe Token: SeDebugPrivilege 2868 help.exe -
Suspicious use of UnmapMainImage 1 IoCs
pid Process 1272 Explorer.EXE -
Suspicious use of WriteProcessMemory 13 IoCs
description pid Process procid_target PID 2912 wrote to memory of 588 2912 Swift TT Copy pdf.exe 28 PID 2912 wrote to memory of 588 2912 Swift TT Copy pdf.exe 28 PID 2912 wrote to memory of 588 2912 Swift TT Copy pdf.exe 28 PID 2912 wrote to memory of 588 2912 Swift TT Copy pdf.exe 28 PID 2912 wrote to memory of 588 2912 Swift TT Copy pdf.exe 28 PID 1272 wrote to memory of 2868 1272 Explorer.EXE 29 PID 1272 wrote to memory of 2868 1272 Explorer.EXE 29 PID 1272 wrote to memory of 2868 1272 Explorer.EXE 29 PID 1272 wrote to memory of 2868 1272 Explorer.EXE 29 PID 2868 wrote to memory of 2832 2868 help.exe 30 PID 2868 wrote to memory of 2832 2868 help.exe 30 PID 2868 wrote to memory of 2832 2868 help.exe 30 PID 2868 wrote to memory of 2832 2868 help.exe 30
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:1272 -
C:\Users\Admin\AppData\Local\Temp\Swift TT Copy pdf.exe"C:\Users\Admin\AppData\Local\Temp\Swift TT Copy pdf.exe"2⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2912 -
C:\Users\Admin\AppData\Local\Temp\Swift TT Copy pdf.exe"C:\Users\Admin\AppData\Local\Temp\Swift TT Copy pdf.exe"3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:588
-
-
-
C:\Windows\SysWOW64\help.exe"C:\Windows\SysWOW64\help.exe"2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2868 -
C:\Windows\SysWOW64\cmd.exe/c del "C:\Users\Admin\AppData\Local\Temp\Swift TT Copy pdf.exe"3⤵
- Deletes itself
PID:2832
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
89KB
MD541ddf10747e14890df75b10f8cd48a66
SHA13b819381b137ef0af1ff4d8cb21651756e8088fb
SHA25638b2ce7071de654c0b50c22fd5fa18dce6add7b17631d6f0be926520f23f5e75
SHA512b880ae952b8b104ee16475f538fdd97fddefc0015a6755b43d467b9a231c416e513f1f3c758c9e53b5c141c6bdc00f1af9d95834060a7f554587361ee24e64d6
-
Filesize
89KB
MD541ddf10747e14890df75b10f8cd48a66
SHA13b819381b137ef0af1ff4d8cb21651756e8088fb
SHA25638b2ce7071de654c0b50c22fd5fa18dce6add7b17631d6f0be926520f23f5e75
SHA512b880ae952b8b104ee16475f538fdd97fddefc0015a6755b43d467b9a231c416e513f1f3c758c9e53b5c141c6bdc00f1af9d95834060a7f554587361ee24e64d6