Analysis
Max time kernel: 118s
Max time network: 144s
Platform: windows7_x64
Resource: win7-20231020-en
Resource tags: arch:x64, arch:x86, image:win7-20231020-en, locale:en-us, os:windows7-x64, system
Submitted: 17/11/2023, 16:41
Static task: static1
Behavioral task: behavioral1 (sample: 9008654324456.exe, resource: win7-20231020-en)
General
Target: 9008654324456.exe
Size: 996KB
MD5: ef8d477861854541592ffe50ce56d3da
SHA1: 039477a4c34bc104a4ff797288ef3d8a01900ff6
SHA256: c7b9dfbcf65edd98aff82ea3e1ffe6b0f83eca9c3c892de4ac8681fc1a2bb6d1
SHA512: 5c753ab3c9f9f627d912be4d147f5285bfcabf9fcbef35d2cbf87cf7a91d7e2282ed96face2f66b8c0236f23476208c45883ea34c8cb1f878ce8ffe370837f88
SSDEEP: 12288:qRP8sE9ARf1zb2iNkuPF337m+lLptOdn4RIdqBQ4U62yEUfrpHrAQU/RVXV0jXvE:U1l5Lm+hptOGRm62nUDpHra925VUS92
Malware Config
Extracted
Family: formbook
Version: 4.1
Campaign: ao65
Domains (65 entries). Formbook configs embed one live C2 domain among a list of decoy domains that the implant also contacts, so treat this list as indicators of the sample's traffic rather than as 65 confirmed attacker hosts:
spins2023.pro
foodontario.com
jsnmz.com
canwealljustagree.com
shopthedivine.store
thelakahealth.com
kuis-raja-borong.website
hbqc2.com
optimusvisionlb.com
urdulatest.com
akhayarplus.com
info-antai-service.com
kermisbedrijfkramer.online
epansion.com
gxqingmeng.top
maltsky.net
ictwath.com
sharmafootcare.com
mycheese.net
portfoliotestkitchen.com
gwhi13.cfd
fuzzybraintrivia.com
thnkotb.com
merchdojacat.com
1techtrendzstore.com
cnkclaw.net
xsslm888.com
musecheng.net
flowandfield.online
somdevista.com
baissm.top
xn--88-uqi1dtk.com
cewra.com
stellarskyline.com
mbutunerfitness.com
ssongg13916.cfd
sprockettrucking.com
boonts.cfd
oaistetic.com
enfejbazi1sjrttrsjegfwafe.click
you-can-too.com
chamdiemcchc.com
mrgdistilling.info
yptv1.com
ecofare.xyz
ouxodb001.cfd
sdymavillageculturehouse.com
carbolife.net
iokgw1.top
harmonicod.com
bbpinata.com
grfngr.design
colibriinvest.com
infossphere.space
glistenbeautylounge.com
paysprinters.online
ruhaniiyat.com
leathfortexas.com
tuesdayfolder.com
autoinsurancebound.com
scwanguan.fun
darkcreamslivki.xyz
0qtqg.com
ycth3hhtkd.asia
hivaom.top
Signatures

Formbook payload (2 IoCs)
  YARA rule: formbook
  behavioral1/memory/1860-15-0x0000000004CD0000-0x0000000004CFF000-memory.dmp  (PID 1860, the sample)
  behavioral1/memory/2860-19-0x00000000024D0000-0x0000000002510000-memory.dmp  (PID 2860, powershell.exe)

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  PID 3012  schtasks.exe

Suspicious behavior: EnumeratesProcesses (11 IoCs)
  PID 1860  9008654324456.exe  (10 hits)
  PID 2860  powershell.exe     (1 hit)

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  SeDebugPrivilege  PID 1860  9008654324456.exe
  SeDebugPrivilege  PID 2860  powershell.exe

Suspicious use of WriteProcessMemory (28 IoCs)
  Source: PID 1860 (9008654324456.exe), four writes to each target below.
  Target PID  Target index  Target image
  2860        30            powershell.exe
  3012        32            schtasks.exe
  388         34            9008654324456.exe
  1224        35            9008654324456.exe
  1236        36            9008654324456.exe
  2868        37            9008654324456.exe
  2416        38            9008654324456.exe
  Note: Triage records a handful of WriteProcessMemory calls for every child a process starts, since process creation itself writes into the new process, so four writes to powershell.exe and schtasks.exe are not on their own evidence of injection. The writes into five fresh copies of the sample, none of which shows any activity of its own, are the stronger injection signal, and the formbook YARA hit in the sample's memory (PID 1860) is what ties the unpacked payload to this process.
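The two IoC formats in this section (memory-dump identifiers for the YARA hits and the flattened WriteProcessMemory rows) are easy to misread by eye once a report has dozens of them. The following is an added example, not Triage's own code or part of this report: it parses both formats as they appear on this page, counts writes per target and cross-references the targets against the PIDs whose memory carried a formbook match. The row formats are inferred from the strings above; the seven WriteProcessMemory rows are copied from the report and repeated four times in code because the report lists each of them four times.

```python
"""Parse Triage signature IoCs: memory-dump identifiers and WriteProcessMemory rows.

Added example, not Triage's own code.  Row formats are inferred from the
strings in this report; the sample data below is copied from it.
"""
import re
from collections import Counter

# <task>/memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp
DUMP_RE = re.compile(
    r"^(?P<task>\w+)/memory/(?P<pid>\d+)-(?P<seq>\d+)-"
    r"0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$")
# "PID <src> wrote to memory of <dst> <src> <image> <target index>"
WPM_RE = re.compile(
    r"PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) (?P=src) (?P<image>\S+) (?P<idx>\d+)")

REPORT_DUMPS = [  # the two YARA hits from this report
    "behavioral1/memory/1860-15-0x0000000004CD0000-0x0000000004CFF000-memory.dmp",
    "behavioral1/memory/2860-19-0x00000000024D0000-0x0000000002510000-memory.dmp",
]
_ROWS = [  # the seven distinct WriteProcessMemory rows from this report
    "PID 1860 wrote to memory of 2860 1860 9008654324456.exe 30",
    "PID 1860 wrote to memory of 3012 1860 9008654324456.exe 32",
    "PID 1860 wrote to memory of 388 1860 9008654324456.exe 34",
    "PID 1860 wrote to memory of 1224 1860 9008654324456.exe 35",
    "PID 1860 wrote to memory of 1236 1860 9008654324456.exe 36",
    "PID 1860 wrote to memory of 2868 1860 9008654324456.exe 37",
    "PID 1860 wrote to memory of 2416 1860 9008654324456.exe 38",
]
# The report repeats each row four times (28 IoCs); rebuild that flattened text.
REPORT_WPM = " ".join(row for row in _ROWS for _ in range(4))


def parse_dump(ioc):
    """Return task, pid, sequence number, region bounds and size for one dump IoC."""
    m = DUMP_RE.match(ioc)
    if not m:
        raise ValueError(f"not a Triage memory-dump IoC: {ioc!r}")
    start, end = int(m["start"], 16), int(m["end"], 16)
    if end <= start:
        raise ValueError(f"empty or inverted region in {ioc!r}")
    return {"task": m["task"], "pid": int(m["pid"]), "seq": int(m["seq"]),
            "start": start, "end": end, "size": end - start}


def parse_wpm(blob):
    """Extract every (source, target, image, target index) write from the flattened row text,
    keeping duplicates so the count matches the report's IoC count."""
    return [{"src": int(m["src"]), "dst": int(m["dst"]),
             "image": m["image"], "idx": int(m["idx"])}
            for m in WPM_RE.finditer(blob)]


def summarise(dumps=REPORT_DUMPS, wpm_blob=REPORT_WPM):
    """Cross-reference write targets with the PIDs whose memory carried a YARA-matched payload."""
    writes = parse_wpm(wpm_blob)
    per_target = Counter(w["dst"] for w in writes)
    regions = [parse_dump(d) for d in dumps]
    payload_pids = {r["pid"] for r in regions}
    return {
        "total_writes": len(writes),
        "sources": sorted({w["src"] for w in writes}),
        "writes_per_target": dict(per_target),
        "payload_regions": [(r["pid"], r["size"]) for r in regions],
        "targets_with_payload": sorted(per_target.keys() & payload_pids),
        "targets_without_payload": sorted(per_target.keys() - payload_pids),
    }
```

Running summarise() on this report's data shows 28 writes from one source, four per target, and that only one write target (2860, the PowerShell child) also carried a formbook region; the five re-launched copies of the sample received writes but were not dumped with a match.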
Processes

C:\Users\Admin\AppData\Local\Temp\9008654324456.exe  (PID 1860)
  Command line: "C:\Users\Admin\AppData\Local\Temp\9008654324456.exe"
  Suspicious behavior: EnumeratesProcesses
  Suspicious use of AdjustPrivilegeToken
  Suspicious use of WriteProcessMemory
  |
  |- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  (PID 2860)
  |    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\JezkAm.exe"
  |    Suspicious behavior: EnumeratesProcesses
  |    Suspicious use of AdjustPrivilegeToken
  |
  |- C:\Windows\SysWOW64\schtasks.exe  (PID 3012)
  |    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\JezkAm" /XML "C:\Users\Admin\AppData\Local\Temp\tmpF4EA.tmp"
  |    Creates scheduled task(s)
  |
  |- C:\Users\Admin\AppData\Local\Temp\9008654324456.exe  (PID 388)
  |    Command line: "C:\Users\Admin\AppData\Local\Temp\9008654324456.exe"
  |
  |- C:\Users\Admin\AppData\Local\Temp\9008654324456.exe  (PID 1224)
  |    Command line: "C:\Users\Admin\AppData\Local\Temp\9008654324456.exe"
  |
  |- C:\Users\Admin\AppData\Local\Temp\9008654324456.exe  (PID 1236)
  |    Command line: "C:\Users\Admin\AppData\Local\Temp\9008654324456.exe"
  |
  |- C:\Users\Admin\AppData\Local\Temp\9008654324456.exe  (PID 2868)
  |    Command line: "C:\Users\Admin\AppData\Local\Temp\9008654324456.exe"
  |
  |- C:\Users\Admin\AppData\Local\Temp\9008654324456.exe  (PID 2416)
       Command line: "C:\Users\Admin\AppData\Local\Temp\9008654324456.exe"

Notes on the tree: the command lines name System32 but the images that actually ran are in SysWOW64, because the 32-bit sample is subject to WOW64 file-system redirection on the x64 host. The PowerShell child adds a Microsoft Defender exclusion for C:\Users\Admin\AppData\Roaming\JezkAm.exe before any such file exists, and the schtasks child registers a task named Updates\JezkAm from an XML definition written to %TEMP%; these are the sample's defence-evasion and persistence steps, and both run before any payload activity. The five children that are copies of the sample itself carry no signatures of their own, which is consistent with the parent writing its payload into a fresh suspended copy of itself and retrying, rather than with those copies executing on their own.
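The three behaviours visible in this tree (a Defender exclusion added from PowerShell, a scheduled task created from an XML file in %TEMP%, and a user-writable executable spawning copies of itself in a burst) are each cheap to detect from process-creation telemetry. The block below is an added example, not part of the Triage report and not Triage's own logic: it runs three such rules over a handful of constructed process-creation events that mirror this tree, plus one benign control. The event dictionaries and their field names (pid, ppid, image, cmdline) are assumptions standing in for Sysmon Event ID 1 or Security 4688 data. On a live host the corresponding one-off checks are (Get-MpPreference).ExclusionPath and Get-ScheduledTask -TaskPath "\Updates\".

```python
"""Process-creation detections for the behaviours in this report's process tree.

Added example, not part of the Triage report.  EVENTS are constructed
stand-ins for Sysmon EID 1 / Security 4688 records; field names are assumed.
"""
import re
from collections import defaultdict

# Add-MpPreference with any of the exclusion parameters (path, process, extension).
EXCLUSION_RE = re.compile(r"Add-MpPreference\b.*-Exclusion(Path|Process|Extension)\b", re.I)
# schtasks /Create ... /XML <file>: capture the XML path.
SCHTASKS_XML_RE = re.compile(r'/create\b.*/xml\s+"?([^"\s]+)', re.I)
# Locations a scheduled-task definition has no business living in.
TEMP_DIR_RE = re.compile(r"\\(Users\\[^\\]+\\AppData\\Local\\Temp|Windows\\Temp)\\", re.I)
# Directories an unprivileged user can write to.
USER_WRITABLE_RE = re.compile(r"\\(Users\\[^\\]+\\AppData|ProgramData|Windows\\Temp)\\", re.I)
SELF_SPAWN_MIN = 3  # children with the parent's own image before we call it a burst

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\9008654324456.exe"
EVENTS = [  # constructed from the tree above; ppid 1000 / the control event are invented
    {"pid": 1860, "ppid": 1000, "image": SAMPLE, "cmdline": f'"{SAMPLE}"'},
    {"pid": 2860, "ppid": 1860,
     "image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" '
                r'Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\JezkAm.exe"'},
    {"pid": 3012, "ppid": 1860, "image": r"C:\Windows\SysWOW64\schtasks.exe",
     "cmdline": r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\JezkAm" '
                r'/XML "C:\Users\Admin\AppData\Local\Temp\tmpF4EA.tmp"'},
] + [
    {"pid": p, "ppid": 1860, "image": SAMPLE, "cmdline": f'"{SAMPLE}"'}
    for p in (388, 1224, 1236, 2868, 2416)
] + [
    # Benign control: reading Defender preferences from an interactive shell.
    {"pid": 4000, "ppid": 3999,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe Get-MpPreference"},
]


def image_name(path):
    """Basename of an image path, lower-cased, so SysWOW64 and System32 copies compare equal."""
    return path.rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return sorted (rule, pid) findings for the events given."""
    by_pid = {e["pid"]: e for e in events}
    same_image_children = defaultdict(list)
    findings = []
    for e in events:
        name = image_name(e["image"])
        if name == "powershell.exe" and EXCLUSION_RE.search(e["cmdline"]):
            findings.append(("defender_exclusion_added", e["pid"]))
        if name == "schtasks.exe":
            m = SCHTASKS_XML_RE.search(e["cmdline"])
            if m and TEMP_DIR_RE.search(m.group(1)):
                findings.append(("schtasks_xml_from_temp", e["pid"]))
        parent = by_pid.get(e["ppid"])
        if parent and parent["image"].lower() == e["image"].lower():
            same_image_children[parent["pid"]].append(e["pid"])
    # A user-writable binary re-launching its own image several times is the
    # injection-staging pattern seen in this report (PIDs 388..2416).
    for ppid, kids in same_image_children.items():
        if len(kids) >= SELF_SPAWN_MIN and USER_WRITABLE_RE.search(by_pid[ppid]["image"]):
            findings.append(("self_spawn_burst", ppid))
    return sorted(findings)
```

The self-spawn rule is keyed on the parent being in a user-writable location so that legitimate multi-process applications installed under Program Files do not trip it; tune SELF_SPAWN_MIN to the environment.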
Network
MITRE ATT&CK Enterprise v15
Downloads
File (1KB)
MD5: 7fb86a405d3250b7ef2d1ce7590f5469
SHA1: f61c4d7252947c14b41e0d26bce5a19358648611
SHA256: 82e8a67751ab80ffad61221b4ab11a2be104c3e202e1447a30cdfe194dab9b8d
SHA512: 8de33832405b60a2037dd308f20d45423d6cb7c37c945d68facee8ec432f00861e956c6cc4e7efc8e0e14718be7f1fe14eeb79b1b38211aa0ae875d3c1a4cea0