Analysis
- max time kernel: 175s
- max time network: 178s
- platform: windows10-2004_x64
- resource: win10v2004-20230915-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230915-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 11/10/2023, 14:36
Static task: static1
Behavioral task: behavioral1
- Sample: Dekont.pdf.exe
- Resource: win7-20230831-en
General
- Target: Dekont.pdf.exe
- Size: 523KB
- MD5: 00c530ddcfaeed76880d3813eb299fd0
- SHA1: 1804eca4b9abfae9be3bf90575142044b6768a1f
- SHA256: d8d4a283c2cf6b0b3339d73021955f68d748cad0fd0646f84dbba778e682253e
- SHA512: 3712037c8188d696570a621960e6ac077dc2fbc9bb92398df96d137635c6bc25ba54895c3a80f993ec6d3c7c7a707b9167f23b39a853591067332ff59f325d60
- SSDEEP: 12288:94/Mb60lGYuvC6Zea5M38EHOFdnEqX3o3AgX4N6:Q0lLuK61u8ScnD0AN6
Malware Config
Extracted
- Family: formbook
- Version: 4.1
- Campaign: mh21
- Domains:
qiandaye.top
zltgw.com
getxgp.link
forest-create.site
parsefilm.com
foodstore.top
reynoldsquality.com
tripleshops.com
altuwaijrifood.com
seniorassistedlivinglocator.com
essencedelanature.com
hrwv098.xyz
olkja.xyz
10685johansen.com
ajidenhp.com
sensifiedregistration.com
timetodatings.life
bizbet-review-pt.com
zhangming.asia
xn--vhq074eeozsda.top
rygodigital.site
cellphonespoland.today
dentsfirst.com
envrliteracyprojectia.online
friendsislove.com
g1t1v5am.top
naturo-construction.com
jstzzlm.com
cukservers.net
serofix.com
afhpj.com
westnewburyopenspace.net
copperstatenotary.com
rw6dh.top
5812harold.com
zzfd.shop
webmarketingrocket.com
bcdwg.com
amotcabo.com
accountswallet.com
itechsarl.net
wakuy.app
mmacpdrm.click
2d8t36nfmh.skin
kimberlys-portfolio.com
iran-protests.com
bodhiheals.com
mkamiart.com
cuprolifestyle.com
smartpartproducts.com
7300-banking.pro
dinheirofacil.digital
fednowdigitalpayment.com
hokkoriidol.com
agapehomecleaning.com
iicaqjls.click
53dorethyrd.com
indepqueretaro.com
fsjixrkh83o.cyou
seomasteraff.net
dbwci.com
simplebly.store
calicarmovers.com
opleermandmand.com
xpcslda.com
Signatures
- Formbook payload (5 IoCs)
  resource | yara_rule
  behavioral2/memory/2692-8-0x0000000000400000-0x000000000042F000-memory.dmp | formbook
  behavioral2/memory/2692-13-0x0000000000400000-0x000000000042F000-memory.dmp | formbook
  behavioral2/memory/2692-17-0x0000000000400000-0x000000000042F000-memory.dmp | formbook
  behavioral2/memory/3600-23-0x0000000000B30000-0x0000000000B5F000-memory.dmp | formbook
  behavioral2/memory/3600-26-0x0000000000B30000-0x0000000000B5F000-memory.dmp | formbook
- Suspicious use of SetThreadContext (4 IoCs)
  description | pid | Process | procid_target
  PID 3200 set thread context of 2692 | 3200 | Dekont.pdf.exe | 89
  PID 2692 set thread context of 3152 | 2692 | aspnet_compiler.exe | 51
  PID 2692 set thread context of 3152 | 2692 | aspnet_compiler.exe | 51
  PID 3600 set thread context of 3152 | 3600 | wscript.exe | 51
- Suspicious behavior: EnumeratesProcesses (54 IoCs)
  pid | Process
  2692 | aspnet_compiler.exe (6 entries)
  3600 | wscript.exe (48 entries)
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  pid | Process
  3152 | Explorer.EXE
- Suspicious behavior: MapViewOfSection (6 IoCs)
  pid | Process
  2692 | aspnet_compiler.exe (4 entries)
  3600 | wscript.exe (2 entries)
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 2692 | aspnet_compiler.exe
  Token: SeDebugPrivilege | 3600 | wscript.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  description | pid | Process | procid_target
  PID 3200 wrote to memory of 2692 | 3200 | Dekont.pdf.exe | 89 (6 entries)
  PID 3152 wrote to memory of 3600 | 3152 | Explorer.EXE | 92 (3 entries)
  PID 3600 wrote to memory of 3408 | 3600 | wscript.exe | 93 (3 entries)
Processes
- C:\Windows\Explorer.EXE (PID 3152, depth 1)
  Command line: C:\Windows\Explorer.EXE
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\Dekont.pdf.exe (PID 3200, depth 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\Dekont.pdf.exe"
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    - C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe (PID 2692, depth 3)
      Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\autochk.exe (PID 4048, depth 2)
    Command line: "C:\Windows\SysWOW64\autochk.exe"
  - C:\Windows\SysWOW64\wscript.exe (PID 3600, depth 2)
    Command line: "C:\Windows\SysWOW64\wscript.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe (PID 3408, depth 3)
      Command line: /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"