Analysis
  max time kernel: 150s
  max time network: 140s
  platform: windows7_x64
  resource: win7-20230831-en
  resource tags: arch:x64, arch:x86, image:win7-20230831-en, locale:en-us, os:windows7-x64, system
  submitted: 21/09/2023, 06:12

Tasks
  Static task: static1
  Behavioral task: behavioral1
    Sample: TNT Shipping Document.exe
    Resource: win7-20230831-en
General
  Target: TNT Shipping Document.exe
  Size: 620KB
  MD5: 0593245b016a4aabdd56134224efa148
  SHA1: 62aa8ce315251c033878e82324d786dc2c2f2ec1
  SHA256: ff87df006fb01a3f40c3eaa5f64efbb699378e096c28d4179eb5b3c023774acc
  SHA512: f5391c70a233be9568d252e8b920cec388817c04ab3a7dfc691c3b1e68743ed46db3261eb1080053b207631cb5e45e5226443ee64b8ed8c989a334f4652e6e2a
  SSDEEP: 12288:/UZqEisUH/iA0ZTCFmTGpU3TEtxQ4CcH0R5SH9+yF05IyrsgpWVa6AJ/qn:qqEWpuCY/3T3jEd+e05IEhpF6+qn
Malware Config
  Extracted: formbook
  Version: 4.1
  Campaign: cy12
Signatures
Formbook payload (4 IoCs)
  resource                                                                      yara_rule
  behavioral1/memory/2664-15-0x0000000000400000-0x000000000042F000-memory.dmp   formbook
  behavioral1/memory/2664-19-0x0000000000400000-0x000000000042F000-memory.dmp   formbook
  behavioral1/memory/2772-25-0x0000000000080000-0x00000000000AF000-memory.dmp   formbook
  behavioral1/memory/2772-27-0x0000000000080000-0x00000000000AF000-memory.dmp   formbook

Deletes itself (1 IoCs)
  pid    Process
  2576   cmd.exe

Suspicious use of SetThreadContext (3 IoCs)
  description                           pid    Process                     procid_target
  PID 2236 set thread context of 2664   2236   TNT Shipping Document.exe   29
  PID 2664 set thread context of 1268   2664   TNT Shipping Document.exe   13
  PID 2772 set thread context of 1268   2772   chkdsk.exe                  13

Enumerates system info in registry (2 TTPs, 1 IoCs)
  description         ioc                                                        Process
  Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier   chkdsk.exe

Suspicious behavior: EnumeratesProcesses (26 IoCs)
  pid    Process                     events
  2236   TNT Shipping Document.exe   3
  2664   TNT Shipping Document.exe   2
  2772   chkdsk.exe                  21

Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  pid    Process
  1268   Explorer.EXE

Suspicious behavior: MapViewOfSection (5 IoCs)
  pid    Process                     events
  2664   TNT Shipping Document.exe   3
  2772   chkdsk.exe                  2

Suspicious use of AdjustPrivilegeToken (3 IoCs)
  description                pid    Process
  Token: SeDebugPrivilege    2236   TNT Shipping Document.exe
  Token: SeDebugPrivilege    2664   TNT Shipping Document.exe
  Token: SeDebugPrivilege    2772   chkdsk.exe

Suspicious use of FindShellTrayWindow (2 IoCs)
  pid    Process        events
  1268   Explorer.EXE   2

Suspicious use of SendNotifyMessage (2 IoCs)
  pid    Process        events
  1268   Explorer.EXE   2

Suspicious use of WriteProcessMemory (19 IoCs)
  description                          pid    Process                     procid_target   events
  PID 2236 wrote to memory of 2628     2236   TNT Shipping Document.exe   28              4
  PID 2236 wrote to memory of 2664     2236   TNT Shipping Document.exe   29              7
  PID 1268 wrote to memory of 2772     1268   Explorer.EXE                30              4
  PID 2772 wrote to memory of 2576     2772   chkdsk.exe                  33              4
Processes
  C:\Windows\Explorer.EXE (PID 1268)
    command line: C:\Windows\Explorer.EXE
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\TNT Shipping Document.exe (PID 2236)
      command line: "C:\Users\Admin\AppData\Local\Temp\TNT Shipping Document.exe"
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

      C:\Users\Admin\AppData\Local\Temp\TNT Shipping Document.exe (PID 2628)
        command line: "C:\Users\Admin\AppData\Local\Temp\TNT Shipping Document.exe"

      C:\Users\Admin\AppData\Local\Temp\TNT Shipping Document.exe (PID 2664)
        command line: "C:\Users\Admin\AppData\Local\Temp\TNT Shipping Document.exe"
        - Suspicious use of SetThreadContext
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: MapViewOfSection
        - Suspicious use of AdjustPrivilegeToken

    C:\Windows\SysWOW64\chkdsk.exe (PID 2772)
      command line: "C:\Windows\SysWOW64\chkdsk.exe"
      - Suspicious use of SetThreadContext
      - Enumerates system info in registry
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\cmd.exe (PID 2576)
        command line: /c del "C:\Users\Admin\AppData\Local\Temp\TNT Shipping Document.exe"
        - Deletes itself