Analysis
- max time kernel: 150s
- max time network: 147s
- platform: windows10-2004_x64
- resource: win10v2004-20230703-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230703-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 26/08/2023, 12:00
Static task: static1
Behavioral task: behavioral1
- Sample: rProductSpecs.exe
- Resource: win7-20230712-en
General
- Target: rProductSpecs.exe
- Size: 594KB
- MD5: 05579b705197cc4ff3728af6d4d49f08
- SHA1: 89fb958792780a68990427aa3d8dfc9262c05dc1
- SHA256: cc0f366752ad8832bf26a387da04626c8db6f00a69d5a98ce5934d0db01c1329
- SHA512: b2bb887f3f07aa64afd7d3c6afce1532c83d380b25e0ef984ac591e3a4aac4980f18367370ddfbb0028bedc43b2ca4020f2b99fa149c75cff6e1ed7ed7b113bc
- SSDEEP: 12288:fbqwi/iWsjKX/Covqtk1Nla6KU9HTk8WjssUD1hZfxgEqD:jqwiiW9CysDOg8fh9xC
Malware Config
Extracted
- Family: formbook
- Version: 4.1
- Campaign: hinf
Signatures
- Formbook payload (4 IoCs)
  resource / yara_rule:
  behavioral2/memory/3024-9-0x0000000000400000-0x000000000042F000-memory.dmp  formbook
  behavioral2/memory/3024-14-0x0000000000400000-0x000000000042F000-memory.dmp  formbook
  behavioral2/memory/4684-19-0x0000000000980000-0x00000000009AF000-memory.dmp  formbook
  behavioral2/memory/4684-21-0x0000000000980000-0x00000000009AF000-memory.dmp  formbook
- Suspicious use of SetThreadContext (3 IoCs)
  description / pid / Process / procid_target:
  PID 448 set thread context of 3024  448 rProductSpecs.exe  90
  PID 3024 set thread context of 3164  3024 rProductSpecs.exe  55
  PID 4684 set thread context of 3164  4684 msdt.exe  55
- Suspicious behavior: EnumeratesProcesses (46 IoCs)
  pid / Process:
  3024 rProductSpecs.exe (4 entries)
  4684 msdt.exe (42 entries)
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  pid / Process:
  3164 Explorer.EXE
- Suspicious behavior: MapViewOfSection (5 IoCs)
  pid / Process:
  3024 rProductSpecs.exe (3 entries)
  4684 msdt.exe (2 entries)
- Suspicious use of AdjustPrivilegeToken (10 IoCs)
  description / pid / Process:
  Token: SeDebugPrivilege  3024 rProductSpecs.exe
  Token: SeDebugPrivilege  4684 msdt.exe
  Token: SeShutdownPrivilege  3164 Explorer.EXE (4 entries)
  Token: SeCreatePagefilePrivilege  3164 Explorer.EXE (4 entries)
- Suspicious use of WriteProcessMemory (12 IoCs)
  description / pid / Process / procid_target:
  PID 448 wrote to memory of 3024  448 rProductSpecs.exe  90 (6 entries)
  PID 3164 wrote to memory of 4684  3164 Explorer.EXE  91 (3 entries)
  PID 4684 wrote to memory of 3876  4684 msdt.exe  92 (3 entries)
Processes
- C:\Windows\Explorer.EXE (PID 3164)
  command line: C:\Windows\Explorer.EXE
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\rProductSpecs.exe (PID 448)
    command line: "C:\Users\Admin\AppData\Local\Temp\rProductSpecs.exe"
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\rProductSpecs.exe (PID 3024)
      command line: "C:\Users\Admin\AppData\Local\Temp\rProductSpecs.exe"
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\msdt.exe (PID 4684)
    command line: "C:\Windows\SysWOW64\msdt.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe (PID 3876)
      command line: /c del "C:\Users\Admin\AppData\Local\Temp\rProductSpecs.exe"