Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

STATEMENT ...xs.exe

windows7-x64

10

STATEMENT ...xs.exe

windows10-2004-x64

10

$PLUGINSDI...em.dll

windows7-x64

3

$PLUGINSDI...em.dll

windows10-2004-x64

3

Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231222-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
  • submitted
    25/01/2024, 14:15

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    STATEMENT OF ACCOUNT_xlxs.exe

  • Size

    888KB

  • MD5

    2a63c7d093ec7a63a4fabf61452e2206

  • SHA1

    501c0f22803da5b0ce77f915efac3567644c47ca

  • SHA256

    a51862c42a347c96969bb5e511b81d1beb31d50f850acf4fbf041087911c92f0

  • SHA512

    2bbfda19a986bec80b79beb33412fec220ab864ef15d3897a6e3e023e214a0fa7e0c4376d241476911ac5813571db1c07aa65aa8c00d62aaabdd668c5fe25a0f

  • SSDEEP

    12288:lRrzL0BkOhDPswBw4nP/CBx21t+TZY44s2WvbcWqOOav/qjqPaK:lJzpOLi4m0fCZsNWpOaHqDK

Score
10/10
formbookoa21persistenceratspywarestealertrojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

oa21

Decoy

towinglyons.top

dunia-togel.xyz

alabnm.com

1stsole.com

uio3222d.store

little9.site

educationexperienced.com

tjautoline.com

twinzcreationzllc.com

sinsegoldenwolf.com

seeks6.studio

monetatowing.top

hqgroupiq.com

e8f4.com

mayasaccessoriesofficial.com

cribllc.us

homeremodelee.today

etl8ryc.site

danielbrennerreality.com

telcotechmelboure.store

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • Formbook payload 4 IoCs
    rat
  • Loads dropped DLL 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Suspicious use of SetThreadContext 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 54 IoCs
  • Suspicious behavior: MapViewOfSection 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious use of UnmapMainImage
    • Suspicious use of WriteProcessMemory
    PID:3548
    • C:\Users\Admin\AppData\Local\Temp\STATEMENT OF ACCOUNT_xlxs.exe
      "C:\Users\Admin\AppData\Local\Temp\STATEMENT OF ACCOUNT_xlxs.exe"
      2⤵
      • Loads dropped DLL
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious use of SetThreadContext
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of WriteProcessMemory
      PID:4068
      • C:\Users\Admin\AppData\Local\Temp\STATEMENT OF ACCOUNT_xlxs.exe
        "C:\Users\Admin\AppData\Local\Temp\STATEMENT OF ACCOUNT_xlxs.exe"
        3⤵
        • Adds Run key to start application
        • Suspicious use of NtCreateThreadExHideFromDebugger
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        PID:448
    • C:\Windows\SysWOW64\wscript.exe
      "C:\Windows\SysWOW64\wscript.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4556
      • C:\Windows\SysWOW64\cmd.exe
        /c del "C:\Users\Admin\AppData\Local\Temp\STATEMENT OF ACCOUNT_xlxs.exe"
        3⤵
          PID:4364

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\fouette.ini
      Filesize

      44B

      MD5

      eb4da25d6c0d919bbe9ebc480cee0d05

      SHA1

      dfaeae9c23e9b282a82b1abb971599a5bcd51b27

      SHA256

      70a4ee88b132159f110d96ad83001187c6a272f52d5c766f563b50ac1e072fe3

      SHA512

      1e9972196d4bdbbc7366c1fc980014b3048d036f56afdeb39303263cc7af24217490dd9b9ca85ac11a0bf83a1c31eead3320e158e8b9ac819468023d1548cb5c

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\nss4E60.tmp\System.dll
      Filesize

      12KB

      MD5

      0d7ad4f45dc6f5aa87f606d0331c6901

      SHA1

      48df0911f0484cbe2a8cdd5362140b63c41ee457

      SHA256

      3eb38ae99653a7dbc724132ee240f6e5c4af4bfe7c01d31d23faf373f9f2eaca

      SHA512

      c07de7308cb54205e8bd703001a7fe4fd7796c9ac1b4bb330c77c872bf712b093645f40b80ce7127531fe6746a5b66e18ea073ab6a644934abed9bb64126fea9

      Download Submit

    • memory/448-617-0x0000000035150000-0x0000000035165000-memory.dmp

      Filesize

      84KB

      Download

    • memory/448-616-0x0000000000400000-0x0000000001654000-memory.dmp

      Filesize

      18.3MB

      Download

    • memory/448-597-0x0000000000400000-0x0000000001654000-memory.dmp

      Filesize

      18.3MB

      Download

    • memory/448-598-0x00000000774A8000-0x00000000774A9000-memory.dmp

      Filesize

      4KB

      Download

    • memory/448-599-0x0000000077421000-0x0000000077541000-memory.dmp

      Filesize

      1.1MB

      Download

    • memory/448-613-0x0000000000400000-0x0000000001654000-memory.dmp

      Filesize

      18.3MB

      Download

    • memory/448-615-0x0000000035390000-0x00000000356DA000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/3548-618-0x0000000008810000-0x000000000890F000-memory.dmp

      Filesize

      1020KB

      Download

    • memory/3548-627-0x0000000008810000-0x000000000890F000-memory.dmp

      Filesize

      1020KB

      Download

    • memory/3548-629-0x000000000A3E0000-0x000000000A54F000-memory.dmp

      Filesize

      1.4MB

      Download

    • memory/3548-631-0x000000000A3E0000-0x000000000A54F000-memory.dmp

      Filesize

      1.4MB

      Download

    • memory/3548-634-0x000000000A3E0000-0x000000000A54F000-memory.dmp

      Filesize

      1.4MB

      Download

    • memory/4068-595-0x0000000077421000-0x0000000077541000-memory.dmp

      Filesize

      1.1MB

      Download

    • memory/4068-596-0x0000000074280000-0x0000000074287000-memory.dmp

      Filesize

      28KB

      Download

    • memory/4556-620-0x0000000000470000-0x0000000000497000-memory.dmp

      Filesize

      156KB

      Download

    • memory/4556-621-0x0000000000470000-0x0000000000497000-memory.dmp

      Filesize

      156KB

      Download

    • memory/4556-622-0x00000000005F0000-0x000000000061F000-memory.dmp

      Filesize

      188KB

      Download

    • memory/4556-623-0x00000000025E0000-0x000000000292A000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/4556-624-0x00000000005F0000-0x000000000061F000-memory.dmp

      Filesize

      188KB

      Download

    • memory/4556-626-0x0000000002930000-0x00000000029C4000-memory.dmp

      Filesize

      592KB

      Download