Site notice (not specific to this sample): Windows 7 will be removed from tria.ge on 2025-03-31.
Analysis
max time kernel: 122s
max time network: 127s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
submitted: 25/12/2023, 16:28
Static task: static1
Behavioral task: behavioral1
  Sample: 2d1fe64c314f6b90c003dec415e38bae.exe
  Resource: win7-20231215-en
Behavioral task: behavioral2
  Sample: 2d1fe64c314f6b90c003dec415e38bae.exe
  Resource: win10v2004-20231215-en
General
Target: 2d1fe64c314f6b90c003dec415e38bae.exe
Size: 387KB
MD5: 2d1fe64c314f6b90c003dec415e38bae
SHA1: 80c946d29034713715e6d4a763691f693bf28cb1
SHA256: 4f869d72a2b869b7dc8d5d39924b8b714c9d3776a37f67d56f8f93728e645957
SHA512: 854fa749d09e128629aa3f60986be24a93523ee3ee4357222ac7d014f81906d9cd1f0c6a4f529022a1eab665b4a0b2e2f87b23ae1a5b5632899a6e3768d60941
SSDEEP: 12288:UfSNDGoVZvUiJc4ymIlm2mgChpHRNe1rl8o9SgE:31xJc41IU2mfhpxNSlNUN
Malware Config
Extracted
Family: formbook
Version: 4.1
Campaign: lt0h
Decoy domains (Formbook beacons to the whole list but only one entry is the live C2; the rest are decoys, many of them legitimate sites, so do not block or attribute on this list wholesale without corroboration):
originalindigofurniture.co.uk
fl6588.com
acecademy.com
yaerofinerindalnalising.com
mendilovic.online
rishenght.com
famlees.com
myhomeofficemarket.com
bouquetarabia.com
chrisbani.com
freebandslegally.com
hernandezinsurancegroup.net
slicedandfresh.com
apnathikanas.com
chadhatesyou.com
ansilsas.com
in3development.com
nitiren.net
peespn.com
valengz.com
theseakelpcompany.com
tlcrentny.com
sancakcraft.com
kamenb.com
samanthajobenson.com
alphagearz.com
sprins.net
adestramentos.com
civoconstruction.com
masrmasr.com
jagrit.codes
zusammenurlaub.com
mssjqs.com
ic695niu001.com
anelimplus.com
mutlob.com
beyondmickey.net
sliever.club
perfumefashion.icu
massimilianogiannocco.com
dentoncountyattorneys.media
filigreefilly.com
mooremgmtandcompany.com
smpdj.com
stainlesspropmgmt.com
creativecollectivecommunity.com
dmdrogist.com
spokenandheardpodcast.com
garenbid.com
bestcomandcalls.space
tairunshihua.com
nemski-projekt.com
6mum.com
portlandhemorrhoidcenter.com
platinumforsale.net
driven.plus
ontheedgeoutdoorshunting.com
manatapmasalalu.com
idscustomprinting.com
safepassagereform.com
fairop.xyz
natetacticz.com
etoys-sucks.com
rhinolabs.net
bulverderoofing.com
Signatures
Formbook payload (1 IoC)
  resource: behavioral1
  yara_rule: formbook
  hit: memory/1932-3-0x0000000000400000-0x000000000042E000-memory.dmp
Suspicious use of SetThreadContext (1 IoC)
  PID 2356 (2d1fe64c314f6b90c003dec415e38bae.exe) set thread context of PID 1932 (procid_target 28)
Suspicious behavior: EnumeratesProcesses (1 IoC)
  PID 1932 (2d1fe64c314f6b90c003dec415e38bae.exe)
Suspicious behavior: MapViewOfSection (1 IoC)
  PID 2356 (2d1fe64c314f6b90c003dec415e38bae.exe)
Suspicious use of WriteProcessMemory (5 IoCs)
  PID 2356 (2d1fe64c314f6b90c003dec415e38bae.exe) wrote to memory of PID 1932 (procid_target 28), 5 identical entries
Read together: the parent (2356) writes into a child started from the same image (1932), then replaces that child's thread context, and the formbook YARA rule fires on the child's memory at 0x400000, the default image base. That is the process-hollowing sequence; the EnumeratesProcesses hit in the child is consistent with the injected payload, not the dropper, doing the work.
Processes
1. C:\Users\Admin\AppData\Local\Temp\2d1fe64c314f6b90c003dec415e38bae.exe (PID 2356)
   command line: "C:\Users\Admin\AppData\Local\Temp\2d1fe64c314f6b90c003dec415e38bae.exe"
   - Suspicious use of SetThreadContext
   - Suspicious behavior: MapViewOfSection
   - Suspicious use of WriteProcessMemory
   2. (child of PID 2356) C:\Users\Admin\AppData\Local\Temp\2d1fe64c314f6b90c003dec415e38bae.exe (PID 1932)
      command line: "C:\Users\Admin\AppData\Local\Temp\2d1fe64c314f6b90c003dec415e38bae.exe"
      - Suspicious behavior: EnumeratesProcesses
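As an added example (not part of the report and not tria.ge tooling), the following Python script turns the signature rows and process list above into a verdict. The input strings are constructed by pasting the report's own rows; every function name in it is mine. It flags a source/target PID pair only when the source both wrote into the target and replaced a thread context, then enriches the finding with whether both ends share an image path and whether a payload YARA hit landed in the target at the default image base 0x400000.

```python
import re
from collections import defaultdict

# Constructed input: the signature rows from the report above, pasted verbatim.
# Column order per row: description, pid, Process, procid_target.
SIGNATURE_ROWS = """\
PID 2356 set thread context of 1932 2356 2d1fe64c314f6b90c003dec415e38bae.exe 28
PID 2356 wrote to memory of 1932 2356 2d1fe64c314f6b90c003dec415e38bae.exe 28
PID 2356 wrote to memory of 1932 2356 2d1fe64c314f6b90c003dec415e38bae.exe 28
PID 2356 wrote to memory of 1932 2356 2d1fe64c314f6b90c003dec415e38bae.exe 28
PID 2356 wrote to memory of 1932 2356 2d1fe64c314f6b90c003dec415e38bae.exe 28
PID 2356 wrote to memory of 1932 2356 2d1fe64c314f6b90c003dec415e38bae.exe 28
"""

# Constructed from the Processes section: pid -> image path.
PROCESSES = {
    2356: r"C:\Users\Admin\AppData\Local\Temp\2d1fe64c314f6b90c003dec415e38bae.exe",
    1932: r"C:\Users\Admin\AppData\Local\Temp\2d1fe64c314f6b90c003dec415e38bae.exe",
}

# Constructed from the "Formbook payload" signature: memory dumps that matched.
YARA_HITS = ["behavioral1/memory/1932-3-0x0000000000400000-0x000000000042E000-memory.dmp"]

# "PID <src> <action> <dst> ..." ; only the two injection-relevant actions matter here.
ROW_RE = re.compile(r"^PID (\d+) (set thread context of|wrote to memory of) (\d+)\b")
# "memory/<pid>-<n>-0x<base>-0x<end>-memory.dmp" as the report names dumped regions.
DUMP_RE = re.compile(r"memory/(\d+)-\d+-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")

DEFAULT_IMAGE_BASE = 0x400000  # typical 32-bit PE image base


def parse_rows(text):
    """Return {(src_pid, dst_pid): {"write": n, "ctx": n}} from raw signature rows."""
    edges = defaultdict(lambda: {"write": 0, "ctx": 0})
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue  # rows for other signatures are ignored
        src, action, dst = int(m.group(1)), m.group(2), int(m.group(3))
        key = "ctx" if action.startswith("set thread") else "write"
        edges[(src, dst)][key] += 1
    return edges


def parse_yara_hits(hits):
    """Return {pid: [(base, end), ...]} for every dumped region that matched."""
    regions = defaultdict(list)
    for h in hits:
        m = DUMP_RE.search(h)
        if m:
            regions[int(m.group(1))].append((int(m.group(2), 16), int(m.group(3), 16)))
    return regions


def find_hollowing(rows, processes, yara_hits):
    """Flag src->dst pairs where src both wrote into dst and replaced a thread context.

    That pairing is the tail of classic process hollowing: spawn a child,
    overwrite its image, point its main thread at the new entry point. A
    shared image path and a payload hit at the default image base in the
    child turn a suspicion into a confident call.
    """
    edges = parse_rows(rows)
    regions = parse_yara_hits(yara_hits)
    findings = []
    for (src, dst), counts in edges.items():
        if counts["write"] == 0 or counts["ctx"] == 0:
            continue  # writes alone (or context changes alone) are not enough
        hit_regions = regions.get(dst, [])
        findings.append({
            "source": src,
            "target": dst,
            "write_count": counts["write"],
            "same_image": processes.get(src) == processes.get(dst),
            "yara_region": hit_regions[0] if hit_regions else None,
            "at_default_image_base": any(b == DEFAULT_IMAGE_BASE for b, _ in hit_regions),
        })
    return findings


if __name__ == "__main__":
    for finding in find_hollowing(SIGNATURE_ROWS, PROCESSES, YARA_HITS):
        base, end = finding["yara_region"]
        print(finding, "payload region size: 0x%X bytes" % (end - base))
```

The region the YARA rule matched spans 0x400000 to 0x42E000, that is 0x2E000 (188416) bytes, smaller than the 387KB file on disk, which is what you expect when a packed dropper writes its unpacked payload into the hollowed child. The same parser works on any report that uses these row shapes; the point of requiring both a write and a context change from the same source is to keep ordinary parent/child memory writes (debuggers, installers) from tripping it.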