Analysis
max time kernel: 146s
max time network: 148s
platform: windows7_x64
resource: win7-20230831-en
resource tags: arch:x64, arch:x86, image:win7-20230831-en, locale:en-us, os:windows7-x64, system
submitted: 11/10/2023, 14:36
Static task: static1
Behavioral task: behavioral1
Sample: Dekont.pdf.exe
Resource: win7-20230831-en
General
Target: Dekont.pdf.exe
Size: 523KB
MD5: 00c530ddcfaeed76880d3813eb299fd0
SHA1: 1804eca4b9abfae9be3bf90575142044b6768a1f
SHA256: d8d4a283c2cf6b0b3339d73021955f68d748cad0fd0646f84dbba778e682253e
SHA512: 3712037c8188d696570a621960e6ac077dc2fbc9bb92398df96d137635c6bc25ba54895c3a80f993ec6d3c7c7a707b9167f23b39a853591067332ff59f325d60
SSDEEP: 12288:94/Mb60lGYuvC6Zea5M38EHOFdnEqX3o3AgX4N6:Q0lLuK61u8ScnD0AN6
Malware Config
Extracted
Family: formbook
Version: 4.1
Campaign: mh21
Domains (a Formbook config lists decoy domains together with the real C2, so treat the whole list as IoCs):
qiandaye.top
zltgw.com
getxgp.link
forest-create.site
parsefilm.com
foodstore.top
reynoldsquality.com
tripleshops.com
altuwaijrifood.com
seniorassistedlivinglocator.com
essencedelanature.com
hrwv098.xyz
olkja.xyz
10685johansen.com
ajidenhp.com
sensifiedregistration.com
timetodatings.life
bizbet-review-pt.com
zhangming.asia
xn--vhq074eeozsda.top
rygodigital.site
cellphonespoland.today
dentsfirst.com
envrliteracyprojectia.online
friendsislove.com
g1t1v5am.top
naturo-construction.com
jstzzlm.com
cukservers.net
serofix.com
afhpj.com
westnewburyopenspace.net
copperstatenotary.com
rw6dh.top
5812harold.com
zzfd.shop
webmarketingrocket.com
bcdwg.com
amotcabo.com
accountswallet.com
itechsarl.net
wakuy.app
mmacpdrm.click
2d8t36nfmh.skin
kimberlys-portfolio.com
iran-protests.com
bodhiheals.com
mkamiart.com
cuprolifestyle.com
smartpartproducts.com
7300-banking.pro
dinheirofacil.digital
fednowdigitalpayment.com
hokkoriidol.com
agapehomecleaning.com
iicaqjls.click
53dorethyrd.com
indepqueretaro.com
fsjixrkh83o.cyou
seomasteraff.net
dbwci.com
simplebly.store
calicarmovers.com
opleermandmand.com
xpcslda.com
Signatures

Formbook payload (2 IoCs)
yara rule formbook matched behavioral1/memory/2224-13-0x0000000000400000-0x000000000042F000-memory.dmp
yara rule formbook matched behavioral1/memory/2224-17-0x0000000000400000-0x000000000042F000-memory.dmp

Suspicious use of SetThreadContext (2 IoCs)
PID 2128 (Dekont.pdf.exe) set thread context of PID 2224 (procid_target 28)
PID 2224 (aspnet_compiler.exe) set thread context of PID 1288 (procid_target 13)

Program crash (1 IoC)
PID 2664 (WerFault.exe) reported a crash of PID 2476 (procid_target 29)

Suspicious behavior: EnumeratesProcesses (2 IoCs)
PID 2224 (aspnet_compiler.exe), 2 events

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
PID 1288 (Explorer.EXE)

Suspicious behavior: MapViewOfSection (3 IoCs)
PID 2224 (aspnet_compiler.exe), 3 events

Suspicious use of AdjustPrivilegeToken (2 IoCs)
Token: SeDebugPrivilege, PID 2224 (aspnet_compiler.exe)
Token: SeShutdownPrivilege, PID 1288 (Explorer.EXE)

Suspicious use of WriteProcessMemory (18 IoCs)
PID 2128 (Dekont.pdf.exe) wrote to memory of PID 2224 (procid_target 28), 7 events
PID 1288 (Explorer.EXE) wrote to memory of PID 2476 (procid_target 29), 7 events
PID 2476 (msiexec.exe) wrote to memory of PID 2664 (procid_target 30), 4 events
Processes
[1] C:\Windows\Explorer.EXE (PID 1288)
    command line: C:\Windows\Explorer.EXE
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
  [2] C:\Users\Admin\AppData\Local\Temp\Dekont.pdf.exe (PID 2128)
      command line: "C:\Users\Admin\AppData\Local\Temp\Dekont.pdf.exe"
      - Suspicious use of SetThreadContext
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe (PID 2224)
        command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
        - Suspicious use of SetThreadContext
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: MapViewOfSection
        - Suspicious use of AdjustPrivilegeToken
  [2] C:\Windows\SysWOW64\msiexec.exe (PID 2476)
      command line: "C:\Windows\SysWOW64\msiexec.exe"
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\SysWOW64\WerFault.exe (PID 2664)
        command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2476 -s 272
        - Program crash
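The SetThreadContext and WriteProcessMemory rows above describe a two-hop injection: Dekont.pdf.exe into aspnet_compiler.exe, then aspnet_compiler.exe into Explorer.EXE, after which Explorer.EXE writes into a freshly started msiexec.exe. The script below is an added example, not tria.ge code, that reconstructs that chain from the rows as the report prints them. The process list and signature rows are transcribed from this report; the heuristic (each SetThreadContext on another process is one hop, annotated with how many WriteProcessMemory calls the source made into that target) and every function name are the example's own assumptions.

```python
"""Reconstruct the injection chain from the signature rows in this report.

Added example, not tria.ge code. PROCESSES and SIGNATURE_ROWS are transcribed
from the report; the heuristic and all function names are assumptions.
"""
import re
from collections import Counter
from ntpath import basename  # Windows path handling, works on any host

# Process tree from the report: pid -> image path.
PROCESSES = {
    1288: r"C:\Windows\Explorer.EXE",
    2128: r"C:\Users\Admin\AppData\Local\Temp\Dekont.pdf.exe",
    2224: r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe",
    2476: r"C:\Windows\SysWOW64\msiexec.exe",
    2664: r"C:\Windows\SysWOW64\WerFault.exe",
}

# Signature rows in the report's own "description pid Process procid_target"
# layout; WriteProcessMemory rows repeated as often as the report lists them.
SIGNATURE_ROWS = (
    "PID 2128 set thread context of 2224 2128 Dekont.pdf.exe 28\n"
    "PID 2224 set thread context of 1288 2224 aspnet_compiler.exe 13\n"
    + "PID 2128 wrote to memory of 2224 2128 Dekont.pdf.exe 28\n" * 7
    + "PID 1288 wrote to memory of 2476 1288 Explorer.EXE 29\n" * 7
    + "PID 2476 wrote to memory of 2664 2476 msiexec.exe 30\n" * 4
)

ROW_RE = re.compile(r"PID (\d+) (set thread context of|wrote to memory of) (\d+)")


def parse_rows(text):
    """Return (source_pid, action, target_pid) for every signature row."""
    return [(int(s), act, int(t)) for s, act, t in ROW_RE.findall(text)]


def injection_links(events):
    """Map source pid -> (target pid, WriteProcessMemory call count) for each
    SetThreadContext on a different process. A zero count means the payload
    reached the target another way (here: section mapping, which the report
    records only as MapViewOfSection events without a target pid)."""
    writes = Counter((s, t) for s, act, t in events if act == "wrote to memory of")
    return {s: (t, writes[(s, t)]) for s, act, t in events
            if act == "set thread context of" and s != t}


def injection_chain(links):
    """Follow the links from the one source that is not itself a target."""
    targets = {t for t, _ in links.values()}
    roots = [s for s in links if s not in targets]
    if len(roots) != 1:
        return []
    chain, cur = [], roots[0]
    while cur in links:
        chain.append(cur)
        cur = links[cur][0]
    chain.append(cur)
    return chain


def lure_extension(path):
    """True for a document-looking file name that is really an executable."""
    name = basename(path).lower()
    return re.search(r"\.(pdf|doc|docx|xls|xlsx|jpg|png)\.exe$", name) is not None


def analyse(rows=SIGNATURE_ROWS, processes=PROCESSES):
    """Summarise the injection chain, per-hop write counts, the processes the
    final host wrote into afterwards, and any lure-named images."""
    events = parse_rows(rows)
    links = injection_links(events)
    chain = injection_chain(links)
    host = chain[-1] if chain else None
    return {
        "chain": chain,
        "chain_names": [basename(processes[p]) for p in chain],
        "hops": [{"from": s, "to": t, "write_calls": n} for s, (t, n) in links.items()],
        "post_injection_targets": sorted({t for s, act, t in events
                                          if s == host and act == "wrote to memory of"}),
        "lure_names": [basename(p) for p in processes.values() if lure_extension(p)],
    }


if __name__ == "__main__":
    result = analyse()
    print(" -> ".join(f"{p} ({n})" for p, n in zip(result["chain"], result["chain_names"])))
    for hop in result["hops"]:
        print(f"hop {hop['from']} -> {hop['to']}: {hop['write_calls']} WriteProcessMemory calls")
    print("post-injection targets:", result["post_injection_targets"])
    print("lure names:", result["lure_names"])
```

Run against the rows above, the chain comes out as 2128 (Dekont.pdf.exe) -> 2224 (aspnet_compiler.exe) -> 1288 (Explorer.EXE), with 7 WriteProcessMemory calls on the first hop and none on the second. That zero is the practitioner's caveat: the second hop shows up only as MapViewOfSection events on PID 2224, so a detection that requires WriteProcessMemory and SetThreadContext on the same target would catch the hollowing of aspnet_compiler.exe but miss the hop into Explorer.EXE.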