Analysis

  • max time kernel
    122s
  • max time network
    127s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
  • submitted
    25/12/2023, 16:28

General

  • Target

    2d1fe64c314f6b90c003dec415e38bae.exe

  • Size

    387KB

  • MD5

    2d1fe64c314f6b90c003dec415e38bae

  • SHA1

    80c946d29034713715e6d4a763691f693bf28cb1

  • SHA256

    4f869d72a2b869b7dc8d5d39924b8b714c9d3776a37f67d56f8f93728e645957

  • SHA512

    854fa749d09e128629aa3f60986be24a93523ee3ee4357222ac7d014f81906d9cd1f0c6a4f529022a1eab665b4a0b2e2f87b23ae1a5b5632899a6e3768d60941

  • SSDEEP

    12288:UfSNDGoVZvUiJc4ymIlm2mgChpHRNe1rl8o9SgE:31xJc41IU2mfhpxNSlNUN

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

lt0h

Decoy

originalindigofurniture.co.uk

fl6588.com

acecademy.com

yaerofinerindalnalising.com

mendilovic.online

rishenght.com

famlees.com

myhomeofficemarket.com

bouquetarabia.com

chrisbani.com

freebandslegally.com

hernandezinsurancegroup.net

slicedandfresh.com

apnathikanas.com

chadhatesyou.com

ansilsas.com

in3development.com

nitiren.net

peespn.com

valengz.com

Signatures

  • Formbook

    Formbook is an information-stealing malware family sold as a service: it logs keystrokes, grabs form submissions and saved credentials from browsers and mail clients, takes screenshots and injects itself into other processes to hide. The domains listed under Decoy come from the extracted configuration; Formbook hides its real command-and-control host among decoy domains, so the whole list should be treated as indicators rather than any single entry.

  • Formbook payload 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of WriteProcessMemory 5 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2d1fe64c314f6b90c003dec415e38bae.exe
    "C:\Users\Admin\AppData\Local\Temp\2d1fe64c314f6b90c003dec415e38bae.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of WriteProcessMemory
    PID:2356
    • C:\Users\Admin\AppData\Local\Temp\2d1fe64c314f6b90c003dec415e38bae.exe
      "C:\Users\Admin\AppData\Local\Temp\2d1fe64c314f6b90c003dec415e38bae.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:1932

Network

MITRE ATT&CK Matrix

Downloads

  • memory/1932-3-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

  • memory/1932-5-0x00000000008B0000-0x0000000000BB3000-memory.dmp

    Filesize

    3.0MB

  • memory/2356-2-0x0000000000290000-0x0000000000292000-memory.dmp

    Filesize

    8KB

  • memory/2356-1-0x0000000000090000-0x0000000000190000-memory.dmp

    Filesize

    1024KB
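The Processes section shows the sample spawning a second copy of its own image, with the parent hitting SetThreadContext and WriteProcessMemory: the classic self-injection (process-hollowing) pattern, after which the child holds the unpacked payload at the usual 0x400000 image base in the Downloads list. The script below is an added example, not part of the Triage report, that encodes that logic: it flags same-image parent/child pairs where the parent used the hijack-and-write primitives, parses the report's memory-dump file names to recover region sizes, selects the child's dump at the image base, and validates a PE header. The process records are constructed from the Processes section; the dump names are copied from the Downloads section; the sample header bytes and the `looks_like_pe` helper are constructed for illustration.

```python
"""Flag self-injection (process hollowing) and locate the unpacked payload dump.

Added example, not code from the Triage report. The process records below are
constructed to mirror the report's process tree and signature hits; the dump
file names are copied from the report's Downloads section.
"""
import re
from dataclasses import dataclass, field
from typing import Optional

IMAGE = r"C:\Users\Admin\AppData\Local\Temp\2d1fe64c314f6b90c003dec415e38bae.exe"


@dataclass
class Proc:
    pid: int
    ppid: Optional[int]
    image: str
    api_hits: set = field(default_factory=set)


# Constructed from the Processes section: 2356 spawns a copy of itself (1932)
# and shows the injection primitives; the child only enumerates processes.
PROCS = [
    Proc(2356, None, IMAGE, {"SetThreadContext", "WriteProcessMemory", "MapViewOfSection"}),
    Proc(1932, 2356, IMAGE, {"EnumeratesProcesses"}),
]

# Thread hijack plus memory write in the parent is the hollowing signature.
HOLLOWING_APIS = {"SetThreadContext", "WriteProcessMemory"}


def hollowing_candidates(procs):
    """Return (parent_pid, child_pid) pairs where a process spawned a copy of
    its own image and used both hollowing primitives against it."""
    by_pid = {p.pid: p for p in procs}
    hits = []
    for child in procs:
        parent = by_pid.get(child.ppid)
        if parent is None:
            continue
        if parent.image.lower() == child.image.lower() and HOLLOWING_APIS <= parent.api_hits:
            hits.append((parent.pid, child.pid))
    return hits


# Triage dump naming: memory/<pid>-<index>-0x<start>-0x<end>-memory.dmp
DUMP_RE = re.compile(r"memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp")

DUMPS = [
    "memory/1932-3-0x0000000000400000-0x000000000042E000-memory.dmp",
    "memory/1932-5-0x00000000008B0000-0x0000000000BB3000-memory.dmp",
    "memory/2356-2-0x0000000000290000-0x0000000000292000-memory.dmp",
    "memory/2356-1-0x0000000000090000-0x0000000000190000-memory.dmp",
]


def parse_dump(name):
    """Split a dump file name into pid, index, start, end and region size."""
    m = DUMP_RE.fullmatch(name)
    if m is None:
        raise ValueError(f"unexpected dump name: {name}")
    pid, idx, start, end = int(m[1]), int(m[2]), int(m[3], 16), int(m[4], 16)
    return {"name": name, "pid": pid, "index": idx, "start": start, "end": end, "size": end - start}


def payload_dump(dump_names, child_pid, image_base=0x400000):
    """Pick the injected child's region mapped at the default PE image base,
    which is where the unpacked payload lands after hollowing."""
    for d in map(parse_dump, dump_names):
        if d["pid"] == child_pid and d["start"] == image_base:
            return d["name"]
    return None


def looks_like_pe(data):
    """Minimal PE sanity check: 'MZ' at 0, e_lfanew at 0x3C, 'PE\\0\\0' there."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    pe_off = int.from_bytes(data[0x3C:0x40], "little")
    return data[pe_off:pe_off + 4] == b"PE\0\0"


# Constructed header bytes standing in for the first bytes of a dumped payload.
SAMPLE_PE_HEADER = b"MZ" + b"\0" * 0x3A + (0x80).to_bytes(4, "little") + b"\0" * 0x40 + b"PE\0\0"

if __name__ == "__main__":
    for parent, child in hollowing_candidates(PROCS):
        print(f"hollowing candidate: {parent} -> {child}, payload dump: {payload_dump(DUMPS, child)}")
    for d in map(parse_dump, DUMPS):
        print(f"pid {d['pid']} region {d['start']:#x}-{d['end']:#x} ({d['size'] // 1024} KB)")
```

The region sizes recovered from the names match the Filesize fields in the report (0x2E000 bytes is 184 KB, 0x303000 is 3.0 MB). On a live host the same pattern surfaces as a Sysmon Event ID 1 whose ParentImage equals its Image, followed by an Event ID 10 ProcessAccess from parent to child whose GrantedAccess includes PROCESS_VM_WRITE (0x20).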