Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

5

f6723f2560...51.exe

windows7-x64

10

f6723f2560...51.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    147s
  • max time network
    142s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240419-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
  • submitted
    30/04/2024, 02:06

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    f6723f25605e46b8bdd2a8a875ee319c40108491934b2f8fbcdd58d649cbc651.exe

  • Size

    1.0MB

  • MD5

    0de4eb1758f5ef209ed50d5728cbb729

  • SHA1

    dc50323b58a5f7a71f9c51c135e09f522aba1d26

  • SHA256

    f6723f25605e46b8bdd2a8a875ee319c40108491934b2f8fbcdd58d649cbc651

  • SHA512

    616bac0fdbf0ae628b8c6fb1cc2608a966703dce4005ea0812b9e7102e7db2e064c2e5512b725a10b052bf0f41d91888b9dcac7d63da22e6d844488dba366286

  • SSDEEP

    24576:FAHnh+eWsN3skA4RV1Hom2KXMmHakjr3rmhkjknnL5:0h+ZkldoPK8YakvqhkjkN

Score
10/10
formbookse63ratspywarestealertrojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

se63

Decoy

socratesandhisclouds.com

versioncolor.com

ytcp011.com

908511.vip

egysrvs.com

ky5682011.cc

kkuu14.icu

wavebsb.com

klikadelivery.com

jnbxbpq.com

5o8oh.us

hemule.net

techinf.xyz

bevage.club

we37h.com

tipsde.shop

48136.vip

bestcampertrailerbrands.com

fairmedics.in

quixonic.tech

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • Formbook payload 4 IoCs
    rat
  • Suspicious use of SetThreadContext 3 IoCs
  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 62 IoCs
  • Suspicious behavior: MapViewOfSection 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of FindShellTrayWindow 5 IoCs
  • Suspicious use of SendNotifyMessage 5 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of UnmapMainImage
    • Suspicious use of WriteProcessMemory
    PID:3428
    • C:\Users\Admin\AppData\Local\Temp\f6723f25605e46b8bdd2a8a875ee319c40108491934b2f8fbcdd58d649cbc651.exe
      "C:\Users\Admin\AppData\Local\Temp\f6723f25605e46b8bdd2a8a875ee319c40108491934b2f8fbcdd58d649cbc651.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:3152
      • C:\Windows\SysWOW64\svchost.exe
        "C:\Users\Admin\AppData\Local\Temp\f6723f25605e46b8bdd2a8a875ee319c40108491934b2f8fbcdd58d649cbc651.exe"
        3⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        PID:2324
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 3152 -s 704
        3⤵
        • Program crash
        PID:408
    • C:\Windows\SysWOW64\mstsc.exe
      "C:\Windows\SysWOW64\mstsc.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3932
      • C:\Windows\SysWOW64\cmd.exe
        /c del "C:\Windows\SysWOW64\svchost.exe"
        3⤵
          PID:1988
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 3152 -ip 3152
      1⤵
        PID:2904

      Network

      MITRE ATT&CK Matrix

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • memory/2324-14-0x0000000000400000-0x000000000042F000-memory.dmp

        Filesize

        188KB

        Download

      • memory/2324-11-0x0000000000400000-0x000000000042F000-memory.dmp

        Filesize

        188KB

        Download

      • memory/2324-12-0x0000000001600000-0x000000000194A000-memory.dmp

        Filesize

        3.3MB

        Download

      • memory/2324-15-0x0000000000D30000-0x0000000000D45000-memory.dmp

        Filesize

        84KB

        Download

      • memory/3152-10-0x00000000036D0000-0x00000000036D4000-memory.dmp

        Filesize

        16KB

        Download

      • memory/3428-25-0x00000000028A0000-0x000000000295A000-memory.dmp

        Filesize

        744KB

        Download

      • memory/3428-16-0x00000000028A0000-0x000000000295A000-memory.dmp

        Filesize

        744KB

        Download

      • memory/3428-28-0x0000000008740000-0x0000000008811000-memory.dmp

        Filesize

        836KB

        Download

      • memory/3428-29-0x0000000008740000-0x0000000008811000-memory.dmp

        Filesize

        836KB

        Download

      • memory/3428-32-0x0000000008740000-0x0000000008811000-memory.dmp

        Filesize

        836KB

        Download

      • memory/3932-17-0x0000000000630000-0x000000000076A000-memory.dmp

        Filesize

        1.2MB

        Download

      • memory/3932-19-0x0000000000630000-0x000000000076A000-memory.dmp

        Filesize

        1.2MB

        Download

      • memory/3932-20-0x0000000001070000-0x000000000109F000-memory.dmp

        Filesize

        188KB

        Download

      • memory/3932-21-0x0000000002F40000-0x000000000328A000-memory.dmp

        Filesize

        3.3MB

        Download

      • memory/3932-22-0x0000000001070000-0x000000000109F000-memory.dmp

        Filesize

        188KB

        Download

      • memory/3932-24-0x0000000002DB0000-0x0000000002E44000-memory.dmp

        Filesize

        592KB

        Download