Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

Dekont.pdf.exe

windows7-x64

10

Dekont.pdf.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    175s
  • max time network
    178s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230915-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
  • submitted
    11/10/2023, 14:36

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Dekont.pdf.exe

  • Size

    523KB

  • MD5

    00c530ddcfaeed76880d3813eb299fd0

  • SHA1

    1804eca4b9abfae9be3bf90575142044b6768a1f

  • SHA256

    d8d4a283c2cf6b0b3339d73021955f68d748cad0fd0646f84dbba778e682253e

  • SHA512

    3712037c8188d696570a621960e6ac077dc2fbc9bb92398df96d137635c6bc25ba54895c3a80f993ec6d3c7c7a707b9167f23b39a853591067332ff59f325d60

  • SSDEEP

    12288:94/Mb60lGYuvC6Zea5M38EHOFdnEqX3o3AgX4N6:Q0lLuK61u8ScnD0AN6

Score
10/10
formbookmh21ratspywarestealertrojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

mh21

Decoy

qiandaye.top

zltgw.com

getxgp.link

forest-create.site

parsefilm.com

foodstore.top

reynoldsquality.com

tripleshops.com

altuwaijrifood.com

seniorassistedlivinglocator.com

essencedelanature.com

hrwv098.xyz

olkja.xyz

10685johansen.com

ajidenhp.com

sensifiedregistration.com

timetodatings.life

bizbet-review-pt.com

zhangming.asia

xn--vhq074eeozsda.top

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • Formbook payload 5 IoCs
    rat
  • Suspicious use of SetThreadContext 4 IoCs
  • Suspicious behavior: EnumeratesProcesses 54 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of WriteProcessMemory
    PID:3152
    • C:\Users\Admin\AppData\Local\Temp\Dekont.pdf.exe
      "C:\Users\Admin\AppData\Local\Temp\Dekont.pdf.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:3200
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
        3⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        PID:2692
    • C:\Windows\SysWOW64\autochk.exe
      "C:\Windows\SysWOW64\autochk.exe"
      2⤵
        PID:4048
      • C:\Windows\SysWOW64\wscript.exe
        "C:\Windows\SysWOW64\wscript.exe"
        2⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:3600
        • C:\Windows\SysWOW64\cmd.exe
          /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
          3⤵
            PID:3408

      Network

      MITRE ATT&CK Matrix

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • memory/2692-14-0x0000000000C20000-0x0000000000C34000-memory.dmp

        Filesize

        80KB

        Download

      • memory/2692-18-0x00000000010A0000-0x00000000010B4000-memory.dmp

        Filesize

        80KB

        Download

      • memory/2692-17-0x0000000000400000-0x000000000042F000-memory.dmp

        Filesize

        188KB

        Download

      • memory/2692-8-0x0000000000400000-0x000000000042F000-memory.dmp

        Filesize

        188KB

        Download

      • memory/2692-11-0x0000000001100000-0x000000000144A000-memory.dmp

        Filesize

        3.3MB

        Download

      • memory/2692-13-0x0000000000400000-0x000000000042F000-memory.dmp

        Filesize

        188KB

        Download

      • memory/3152-30-0x0000000009130000-0x000000000926A000-memory.dmp

        Filesize

        1.2MB

        Download

      • memory/3152-29-0x0000000009130000-0x000000000926A000-memory.dmp

        Filesize

        1.2MB

        Download

      • memory/3152-25-0x0000000008EE0000-0x000000000900F000-memory.dmp

        Filesize

        1.2MB

        Download

      • memory/3152-20-0x0000000008B10000-0x0000000008C0F000-memory.dmp

        Filesize

        1020KB

        Download

      • memory/3152-19-0x0000000008EE0000-0x000000000900F000-memory.dmp

        Filesize

        1.2MB

        Download

      • memory/3152-15-0x0000000008B10000-0x0000000008C0F000-memory.dmp

        Filesize

        1020KB

        Download

      • memory/3200-6-0x00000000050A0000-0x00000000050EC000-memory.dmp

        Filesize

        304KB

        Download

      • memory/3200-3-0x0000000004EC0000-0x0000000004F20000-memory.dmp

        Filesize

        384KB

        Download

      • memory/3200-7-0x00000000056F0000-0x0000000005C94000-memory.dmp

        Filesize

        5.6MB

        Download

      • memory/3200-1-0x0000000074910000-0x00000000750C0000-memory.dmp

        Filesize

        7.7MB

        Download

      • memory/3200-5-0x0000000005010000-0x000000000505E000-memory.dmp

        Filesize

        312KB

        Download

      • memory/3200-4-0x0000000004FB0000-0x000000000500E000-memory.dmp

        Filesize

        376KB

        Download

      • memory/3200-0-0x0000000000670000-0x00000000006FA000-memory.dmp

        Filesize

        552KB

        Download

      • memory/3200-2-0x0000000005090000-0x00000000050A0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3200-10-0x0000000074910000-0x00000000750C0000-memory.dmp

        Filesize

        7.7MB

        Download

      • memory/3600-24-0x0000000002CC0000-0x000000000300A000-memory.dmp

        Filesize

        3.3MB

        Download

      • memory/3600-23-0x0000000000B30000-0x0000000000B5F000-memory.dmp

        Filesize

        188KB

        Download

      • memory/3600-26-0x0000000000B30000-0x0000000000B5F000-memory.dmp

        Filesize

        188KB

        Download

      • memory/3600-28-0x0000000002A00000-0x0000000002A93000-memory.dmp

        Filesize

        588KB

        Download

      • memory/3600-22-0x0000000000C50000-0x0000000000C77000-memory.dmp

        Filesize

        156KB

        Download

      • memory/3600-21-0x0000000000C50000-0x0000000000C77000-memory.dmp

        Filesize

        156KB

        Download