Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
18s -
max time network
121s -
platform
windows7_x64 -
resource
win7-20231129-en -
resource tags
arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system -
submitted
31/12/2023, 01:00
Static task
static1
Behavioral task
behavioral1
Sample
37597a431d5cc8ef90c319b77d356ff6be15ba32df42b69b36561f226236d3ee.exe
Resource
win7-20231129-en
Behavioral task
behavioral2
Sample
37597a431d5cc8ef90c319b77d356ff6be15ba32df42b69b36561f226236d3ee.exe
Resource
win10v2004-20231222-en
General
-
Target
37597a431d5cc8ef90c319b77d356ff6be15ba32df42b69b36561f226236d3ee.exe
-
Size
795KB
-
MD5
0221dcfd786601ea3e97128ba5e23278
-
SHA1
6d768e1299b5903ead6030b32e1e6a2aed881e1a
-
SHA256
37597a431d5cc8ef90c319b77d356ff6be15ba32df42b69b36561f226236d3ee
-
SHA512
99fe04e8fb1fe1738b17bf0a149b891376dc760f613318892682da65bc5576fe6c6d2315833515f53851de2dc216bd32a7dd5c09e39e61faee28c1f647ea1cef
-
SSDEEP
12288:PNk0/uOQAWuzQ5e119/mGZ7dgWwwNBLl0xA3:Fk0/xQhSKe11HiWFNBqxA3
Malware Config
Extracted
formbook
4.1
gy14
mavbam.com
theanhedonia.com
budgetnurseries.com
buflitr.com
alqamarhotel.com
2660348.top
123bu6.shop
v72999.com
yzyz841.xyz
247fracing.com
naples.beauty
twinklethrive.com
loscaseros.com
creditspisatylegko.site
sgyy3ej2dgwesb5.com
ufocafe.net
techn9nehollywoodundead.com
truedatalab.com
alterdpxlmarketing.com
harborspringsfire.com
soulheroes.online
tryscriptify.com
collline.com
tulisanemas.com
thelectricandsolar.com
jokergiftcard.buzz
sciencemediainstitute.com
loading-231412.info
ampsportss.com
dianetion.com
169cc.xyz
zezfhys.com
smnyg.com
elenorbet327.com
whatsapp1.autos
0854n5.shop
jxscols.top
camelpmkrf.com
myxtremecleanshq.services
beautyloungebydede.online
artbydianayorktownva.com
functional-yarns.com
accepted6.com
ug19bklo.com
roelofsen.online
batuoe.com
amiciperlacoda.com
883831.com
qieqyt.xyz
vendorato.online
6733633.com
stadtliche-arbeit.info
survivordental.com
mrbmed.com
elbt-ag.com
mtdiyx.xyz
mediayoki.site
zom11.com
biosif.com
aicashu.com
inovarevending.com
8x101n.xyz
ioherstrulybeauty.com
mosaica.online
venitro.com
Signatures
-
Formbook payload 5 IoCs
resource yara_rule behavioral1/memory/2660-24-0x0000000000400000-0x000000000042F000-memory.dmp formbook behavioral1/memory/2660-18-0x0000000000400000-0x000000000042F000-memory.dmp formbook behavioral1/memory/2660-34-0x0000000000400000-0x000000000042F000-memory.dmp formbook behavioral1/memory/2476-39-0x0000000000080000-0x00000000000AF000-memory.dmp formbook behavioral1/memory/2476-41-0x0000000000080000-0x00000000000AF000-memory.dmp formbook -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 3064 schtasks.exe -
Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.
pid Process 2476 ipconfig.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\37597a431d5cc8ef90c319b77d356ff6be15ba32df42b69b36561f226236d3ee.exe"C:\Users\Admin\AppData\Local\Temp\37597a431d5cc8ef90c319b77d356ff6be15ba32df42b69b36561f226236d3ee.exe"1⤵PID:2856
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\NjQlGC" /XML "C:\Users\Admin\AppData\Local\Temp\tmp5ADC.tmp"2⤵
- Creates scheduled task(s)
PID:3064
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"2⤵PID:2660
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\NjQlGC.exe"2⤵PID:2888
-
-
C:\Windows\SysWOW64\ipconfig.exe"C:\Windows\SysWOW64\ipconfig.exe"1⤵
- Gathers network information
PID:2476 -
C:\Windows\SysWOW64\cmd.exe/c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"2⤵PID:2836
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD56b77fe8fbb085fd4c2f0149ba69f1c4f
SHA1b2b30ad2d50716cfbd32fc0a6aaa2f418cea1545
SHA256f8929e9b030ced5080706440495f40657f995d28a2951cca27f32603289c16e7
SHA512b3181b7cc59fd475ec433a3122deb3448e50b8cb76eea485b69bbe33ac80106edbaf9ba9a6908d01b4bc7cbc85dbca0dc3b5efee2ec89b058ba7edaf8baba07d