Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

tmp.exe

windows7-x64

10

tmp.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    170s
  • max time network
    177s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230915-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
  • submitted
    12/10/2023, 04:51

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    tmp.exe

  • Size

    327KB

  • MD5

    7ff646fbaa5bb955d1b0cfaffaf61cb2

  • SHA1

    91f6d86cc0cb5ef9860752d10315ce65a6b6fb3c

  • SHA256

    ecd04804617988e39d5f075e021f6403a33b688ef388f75b897e4c4f7e21e466

  • SHA512

    99a6eac16659c579f4a4176861148d3c2c56099eec95f3e1dd4d0ff18e7f87e8db792f3b5c03b16f9d62c5fd16e9f6e37ed79bb4a4bf63d3b286a1aeb5702eb9

  • SSDEEP

    6144:vYa6iwngrjoJm3rXSpywnBRwA6QfGO4LiC6aAV4Fii6RhUCpOMLILE6cv3ciy:vY0CgrcM7XSpfBRCQe9ujRRlTOEZ4

Score
10/10
formbooksy22ratspywarestealertrojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

sy22

Decoy

vinteligencia.com

displayfridges.fun

completetip.com

giallozafferrano.com

jizihao1.com

mysticheightstrail.com

fourseasonslb.com

kjnala.shop

mosiacwall.com

vandistreet.com

gracefullytouchedartistry.com

hbiwhwr.shop

mfmz.net

hrmbrillianz.com

funwarsztat.com

polewithcandy.com

ourrajasthan.com

wilhouettteamerica.com

johnnystintshop.com

asgnelwin.com

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • Formbook payload 4 IoCs
    rat
  • Executes dropped EXE 2 IoCs
  • Suspicious use of SetThreadContext 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 60 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 7 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 13 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of UnmapMainImage
    • Suspicious use of WriteProcessMemory
    PID:3168
    • C:\Users\Admin\AppData\Local\Temp\tmp.exe
      "C:\Users\Admin\AppData\Local\Temp\tmp.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4376
      • C:\Users\Admin\AppData\Local\Temp\bhkgnm.exe
        "C:\Users\Admin\AppData\Local\Temp\bhkgnm.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of WriteProcessMemory
        PID:100
        • C:\Users\Admin\AppData\Local\Temp\bhkgnm.exe
          "C:\Users\Admin\AppData\Local\Temp\bhkgnm.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of AdjustPrivilegeToken
          PID:2600
    • C:\Windows\SysWOW64\wscript.exe
      "C:\Windows\SysWOW64\wscript.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2884
      • C:\Windows\SysWOW64\cmd.exe
        /c del "C:\Users\Admin\AppData\Local\Temp\bhkgnm.exe"
        3⤵
          PID:2812

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\bhkgnm.exe
      Filesize

      194KB

      MD5

      eab8e6995213ca81ec2579ae8454d658

      SHA1

      990ca146cdc55c347f20325f61d0a579c59cd175

      SHA256

      c73c0e3afe2d95420d4ac987143bb32d5e761a22acaafaa1e0dc35b2140efe76

      SHA512

      c1e8e2cfa84724009a6682c464c9075684fedd2cd902c5a537ceb0e82bd8d2dc83a7295f6bc3441d7710d1b29cad176e445d60550c2032055dddf5047e4bda40

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\bhkgnm.exe
      Filesize

      194KB

      MD5

      eab8e6995213ca81ec2579ae8454d658

      SHA1

      990ca146cdc55c347f20325f61d0a579c59cd175

      SHA256

      c73c0e3afe2d95420d4ac987143bb32d5e761a22acaafaa1e0dc35b2140efe76

      SHA512

      c1e8e2cfa84724009a6682c464c9075684fedd2cd902c5a537ceb0e82bd8d2dc83a7295f6bc3441d7710d1b29cad176e445d60550c2032055dddf5047e4bda40

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\bhkgnm.exe
      Filesize

      194KB

      MD5

      eab8e6995213ca81ec2579ae8454d658

      SHA1

      990ca146cdc55c347f20325f61d0a579c59cd175

      SHA256

      c73c0e3afe2d95420d4ac987143bb32d5e761a22acaafaa1e0dc35b2140efe76

      SHA512

      c1e8e2cfa84724009a6682c464c9075684fedd2cd902c5a537ceb0e82bd8d2dc83a7295f6bc3441d7710d1b29cad176e445d60550c2032055dddf5047e4bda40

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\cqrse.ily
      Filesize

      205KB

      MD5

      a453cea43f21db1509d89404630b842d

      SHA1

      2c97d2e24d9c6464666ddee5063fac4978f0524c

      SHA256

      f729f6645338d7e33cdc873d1c3e4b9b5d8e76c677b29f2a75aa4a865d78c86a

      SHA512

      bcdfe0fd6080e3167fb3d597829b25a9a257280ab620f19160cae76851749ed53aea4ef6211d0d5563fed2ff98a0d3513e9489caedf42aff21aa7b0a4c220a46

      Download Submit

    • memory/100-5-0x0000000001290000-0x0000000001292000-memory.dmp

      Filesize

      8KB

      Download

    • memory/2600-7-0x0000000000740000-0x000000000076F000-memory.dmp

      Filesize

      188KB

      Download

    • memory/2600-12-0x0000000000D30000-0x000000000107A000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/2600-13-0x0000000000740000-0x000000000076F000-memory.dmp

      Filesize

      188KB

      Download

    • memory/2600-14-0x0000000001240000-0x0000000001254000-memory.dmp

      Filesize

      80KB

      Download

    • memory/2884-16-0x0000000000DD0000-0x0000000000DF7000-memory.dmp

      Filesize

      156KB

      Download

    • memory/2884-17-0x0000000000DD0000-0x0000000000DF7000-memory.dmp

      Filesize

      156KB

      Download

    • memory/2884-18-0x0000000001220000-0x000000000124F000-memory.dmp

      Filesize

      188KB

      Download

    • memory/2884-19-0x0000000003220000-0x000000000356A000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/2884-20-0x0000000001220000-0x000000000124F000-memory.dmp

      Filesize

      188KB

      Download

    • memory/2884-23-0x00000000030C0000-0x0000000003153000-memory.dmp

      Filesize

      588KB

      Download

    • memory/3168-15-0x0000000009530000-0x00000000096A2000-memory.dmp

      Filesize

      1.4MB

      Download

    • memory/3168-21-0x0000000009530000-0x00000000096A2000-memory.dmp

      Filesize

      1.4MB

      Download

    • memory/3168-24-0x00000000096B0000-0x00000000097E8000-memory.dmp

      Filesize

      1.2MB

      Download

    • memory/3168-25-0x00000000096B0000-0x00000000097E8000-memory.dmp

      Filesize

      1.2MB

      Download

    • memory/3168-27-0x00000000096B0000-0x00000000097E8000-memory.dmp

      Filesize

      1.2MB

      Download