Analysis
max time kernel: 149s
max time network: 156s
platform: windows10-2004_x64
resource: win10v2004-20231023-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231023-en, locale:en-us, os:windows10-2004-x64, system
submitted: 17/11/2023, 16:41
Static task: static1
Behavioral task: behavioral1
  Sample: 9008654324456.exe
  Resource: win7-20231020-en
General
Target: 9008654324456.exe
Size: 996KB
MD5: ef8d477861854541592ffe50ce56d3da
SHA1: 039477a4c34bc104a4ff797288ef3d8a01900ff6
SHA256: c7b9dfbcf65edd98aff82ea3e1ffe6b0f83eca9c3c892de4ac8681fc1a2bb6d1
SHA512: 5c753ab3c9f9f627d912be4d147f5285bfcabf9fcbef35d2cbf87cf7a91d7e2282ed96face2f66b8c0236f23476208c45883ea34c8cb1f878ce8ffe370837f88
SSDEEP: 12288:qRP8sE9ARf1zb2iNkuPF337m+lLptOdn4RIdqBQ4U62yEUfrpHrAQU/RVXV0jXvE:U1l5Lm+hptOGRm62nUDpHra925VUS92
Malware Config
Extracted
Family: formbook
Version: 4.1
Campaign: ao65
Decoy domains:
spins2023.pro
foodontario.com
jsnmz.com
canwealljustagree.com
shopthedivine.store
thelakahealth.com
kuis-raja-borong.website
hbqc2.com
optimusvisionlb.com
urdulatest.com
akhayarplus.com
info-antai-service.com
kermisbedrijfkramer.online
epansion.com
gxqingmeng.top
maltsky.net
ictwath.com
sharmafootcare.com
mycheese.net
portfoliotestkitchen.com
gwhi13.cfd
fuzzybraintrivia.com
thnkotb.com
merchdojacat.com
1techtrendzstore.com
cnkclaw.net
xsslm888.com
musecheng.net
flowandfield.online
somdevista.com
baissm.top
xn--88-uqi1dtk.com
cewra.com
stellarskyline.com
mbutunerfitness.com
ssongg13916.cfd
sprockettrucking.com
boonts.cfd
oaistetic.com
enfejbazi1sjrttrsjegfwafe.click
you-can-too.com
chamdiemcchc.com
mrgdistilling.info
yptv1.com
ecofare.xyz
ouxodb001.cfd
sdymavillageculturehouse.com
carbolife.net
iokgw1.top
harmonicod.com
bbpinata.com
grfngr.design
colibriinvest.com
infossphere.space
glistenbeautylounge.com
paysprinters.online
ruhaniiyat.com
leathfortexas.com
tuesdayfolder.com
autoinsurancebound.com
scwanguan.fun
darkcreamslivki.xyz
0qtqg.com
ycth3hhtkd.asia
hivaom.top
Signatures

Formbook payload (4 IoCs)
  resource / yara_rule:
  behavioral2/memory/3700-21-0x000000000B040000-0x000000000B06F000-memory.dmp: formbook
  behavioral2/memory/740-40-0x0000000000400000-0x000000000042F000-memory.dmp: formbook
  behavioral2/memory/4700-51-0x0000000000C00000-0x0000000000C2F000-memory.dmp: formbook
  behavioral2/memory/4700-77-0x0000000000C00000-0x0000000000C2F000-memory.dmp: formbook

Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Key value queried: \REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\Control Panel\International\Geo\Nation (process: 9008654324456.exe)

Suspicious use of SetThreadContext (3 IoCs)
  PID 3700 set thread context of 740 (process: 9008654324456.exe, target procid: 99)
  PID 740 set thread context of 3300 (process: 9008654324456.exe, target procid: 39)
  PID 4700 set thread context of 3300 (process: cscript.exe, target procid: 39)

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid 3056: schtasks.exe

Suspicious behavior: EnumeratesProcesses (52 IoCs)
  pid 1236: powershell.exe (2 entries)
  pid 740: 9008654324456.exe (4 entries)
  pid 4700: cscript.exe (46 entries)

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  pid 3300: Explorer.EXE

Suspicious behavior: MapViewOfSection (5 IoCs)
  pid 740: 9008654324456.exe (3 entries)
  pid 4700: cscript.exe (2 entries)

Suspicious use of AdjustPrivilegeToken (5 IoCs)
  Token: SeDebugPrivilege, pid 1236: powershell.exe
  Token: SeDebugPrivilege, pid 740: 9008654324456.exe
  Token: SeDebugPrivilege, pid 4700: cscript.exe
  Token: SeShutdownPrivilege, pid 3300: Explorer.EXE
  Token: SeCreatePagefilePrivilege, pid 3300: Explorer.EXE

Suspicious use of UnmapMainImage (1 IoC)
  pid 3300: Explorer.EXE

Suspicious use of WriteProcessMemory (18 IoCs)
  PID 3700 wrote to memory of 1236 (process: 9008654324456.exe, target procid: 95), 3 entries
  PID 3700 wrote to memory of 3056 (process: 9008654324456.exe, target procid: 97), 3 entries
  PID 3700 wrote to memory of 740 (process: 9008654324456.exe, target procid: 99), 6 entries
  PID 3300 wrote to memory of 4700 (process: Explorer.EXE, target procid: 101), 3 entries
  PID 4700 wrote to memory of 2128 (process: cscript.exe, target procid: 103), 3 entries
Processes

- C:\Windows\Explorer.EXE (depth 1, PID 3300)
  Command line: C:\Windows\Explorer.EXE
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory

  - C:\Users\Admin\AppData\Local\Temp\9008654324456.exe (depth 2, PID 3700)
    Command line: "C:\Users\Admin\AppData\Local\Temp\9008654324456.exe"
    - Checks computer location settings
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory

    - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (depth 3, PID 1236)
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\JezkAm.exe"
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

    - C:\Windows\SysWOW64\schtasks.exe (depth 3, PID 3056)
      Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\JezkAm" /XML "C:\Users\Admin\AppData\Local\Temp\tmp5157.tmp"
      - Creates scheduled task(s)

    - C:\Users\Admin\AppData\Local\Temp\9008654324456.exe (depth 3, PID 740)
      Command line: "C:\Users\Admin\AppData\Local\Temp\9008654324456.exe"
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken

  - C:\Windows\SysWOW64\autochk.exe (depth 2, PID 2188)
    Command line: "C:\Windows\SysWOW64\autochk.exe"

  - C:\Windows\SysWOW64\cscript.exe (depth 2, PID 4700)
    Command line: "C:\Windows\SysWOW64\cscript.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    - C:\Windows\SysWOW64\cmd.exe (depth 3, PID 2128)
      Command line: /c del "C:\Users\Admin\AppData\Local\Temp\9008654324456.exe"
Network
MITRE ATT&CK Enterprise v15
Downloads

- Filesize: 60B
  MD5: d17fe0a3f47be24a6453e9ef58c94641
  SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
  SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
  SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

- Filesize: 1KB
  MD5: 8dbc47892f9cec3173a2a7c348eda8fd
  SHA1: c9189389a59119106a350600e5dd2131b1246971
  SHA256: 9dcfdf4bd31e10ffd9a5423faf7e98e404090ef562eb62e44afdf64fd7d3dc60
  SHA512: ff10d9d3c2c631239ee52a18b74dd1f7f54059bb663b904efdb2639ed265c9937e48a6ce4110818f80a237396151d84b3257342d5be73a878fad637cf4cc7958