Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

NEW ORDER.exe

windows7-x64

10

NEW ORDER.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    130s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    14/05/2024, 15:08

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    NEW ORDER.exe

  • Size

    763KB

  • MD5

    9df58df76c5826af2a9357287869e0f7

  • SHA1

    c2d804fdeefc82563b51c04870b49cc998588712

  • SHA256

    6a220dfe065da94494e1f5a94311bdba17f6f56d66f40ca39af817798fea09af

  • SHA512

    2f0a90bdf8748d4c616b0568ddbb9043dedbb536a5902cec3e6693ed37ba94fb2aec42c514722f09589d27d5bdb1bbe3c3c4d3338386459348ad695465b9f494

  • SSDEEP

    12288:eQDFTPiULBMzvlKXj3Z+ka1XmrpVMSTUplRYgK+CVINEX9yKBg7vjG:HPh2NKXj8tVmpmGUpXYfia9yKe/

Score
10/10
formbookij84ratspywarestealertrojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

ij84

Decoy

resetter.xyz

simonbelanger.me

kwip.xyz

7dbb9.baby

notion-everyday.com

saftiwall.com

pulse-gaming.com

fafafa1.shop

ihaveahole.com

sxtzzj.com

996688x.xyz

komalili.monster

haberdashere.store

nurselifegng.com

kidtryz.com

ghvx.xyz

1minvideopro.com

hidef.group

stylishbeststyler.space

spx21.com

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • Formbook payload 4 IoCs
    rat
  • Drops startup file 3 IoCs
  • Executes dropped EXE 1 IoCs
  • Suspicious use of SetThreadContext 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Runs ping.exe 1 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 57 IoCs
  • Suspicious behavior: MapViewOfSection 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3556
    • C:\Users\Admin\AppData\Local\Temp\NEW ORDER.exe
      "C:\Users\Admin\AppData\Local\Temp\NEW ORDER.exe"
      2⤵
      • Drops startup file
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4392
      • C:\Windows\SysWOW64\cmd.exe
        "cmd" /c ping 127.0.0.1 -n 15 > nul && copy "C:\Users\Admin\AppData\Local\Temp\NEW ORDER.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jui\GHUI.exe" && ping 127.0.0.1 -n 15 > nul && "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jui\GHUI.exe"
        3⤵
        • Drops startup file
        • Suspicious use of WriteProcessMemory
        PID:3612
        • C:\Windows\SysWOW64\PING.EXE
          ping 127.0.0.1 -n 15
          4⤵
          • Runs ping.exe
          PID:644
        • C:\Windows\SysWOW64\PING.EXE
          ping 127.0.0.1 -n 15
          4⤵
          • Runs ping.exe
          PID:2552
        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jui\GHUI.exe
          "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jui\GHUI.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:4784
          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
            "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
            5⤵
            • Suspicious use of SetThreadContext
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious behavior: MapViewOfSection
            • Suspicious use of AdjustPrivilegeToken
            PID:2752
    • C:\Windows\SysWOW64\autochk.exe
      "C:\Windows\SysWOW64\autochk.exe"
      2⤵
        PID:1216
      • C:\Windows\SysWOW64\autochk.exe
        "C:\Windows\SysWOW64\autochk.exe"
        2⤵
          PID:3236
        • C:\Windows\SysWOW64\autochk.exe
          "C:\Windows\SysWOW64\autochk.exe"
          2⤵
            PID:4588
          • C:\Windows\SysWOW64\autochk.exe
            "C:\Windows\SysWOW64\autochk.exe"
            2⤵
              PID:2604
            • C:\Windows\SysWOW64\autochk.exe
              "C:\Windows\SysWOW64\autochk.exe"
              2⤵
                PID:4852
              • C:\Windows\SysWOW64\help.exe
                "C:\Windows\SysWOW64\help.exe"
                2⤵
                • Suspicious use of SetThreadContext
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious behavior: MapViewOfSection
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:4512
                • C:\Windows\SysWOW64\cmd.exe
                  /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
                  3⤵
                    PID:2896

              Network

              MITRE ATT&CK Enterprise v15

              Replay Monitor

              Loading Replay Monitor...

              Downloads

              • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jui\GHUI.exe
                Filesize

                763KB

                MD5

                9df58df76c5826af2a9357287869e0f7

                SHA1

                c2d804fdeefc82563b51c04870b49cc998588712

                SHA256

                6a220dfe065da94494e1f5a94311bdba17f6f56d66f40ca39af817798fea09af

                SHA512

                2f0a90bdf8748d4c616b0568ddbb9043dedbb536a5902cec3e6693ed37ba94fb2aec42c514722f09589d27d5bdb1bbe3c3c4d3338386459348ad695465b9f494

                Download Submit

              • memory/2752-35-0x0000000000400000-0x000000000042F000-memory.dmp

                Filesize

                188KB

                Download

              • memory/2752-31-0x0000000001310000-0x0000000001324000-memory.dmp

                Filesize

                80KB

                Download

              • memory/2752-30-0x0000000000400000-0x000000000042F000-memory.dmp

                Filesize

                188KB

                Download

              • memory/2752-28-0x0000000000FC0000-0x000000000130A000-memory.dmp

                Filesize

                3.3MB

                Download

              • memory/2752-25-0x0000000000400000-0x000000000042F000-memory.dmp

                Filesize

                188KB

                Download

              • memory/3556-40-0x0000000008A90000-0x0000000008BE4000-memory.dmp

                Filesize

                1.3MB

                Download

              • memory/3556-38-0x00000000088A0000-0x0000000008978000-memory.dmp

                Filesize

                864KB

                Download

              • memory/3556-32-0x00000000088A0000-0x0000000008978000-memory.dmp

                Filesize

                864KB

                Download

              • memory/4392-7-0x0000000005BF0000-0x0000000005BFA000-memory.dmp

                Filesize

                40KB

                Download

              • memory/4392-0-0x000000007440E000-0x000000007440F000-memory.dmp

                Filesize

                4KB

                Download

              • memory/4392-1-0x0000000000200000-0x00000000002C6000-memory.dmp

                Filesize

                792KB

                Download

              • memory/4392-2-0x00000000057A0000-0x000000000583C000-memory.dmp

                Filesize

                624KB

                Download

              • memory/4392-11-0x0000000074400000-0x0000000074BB0000-memory.dmp

                Filesize

                7.7MB

                Download

              • memory/4392-3-0x0000000005E60000-0x0000000006404000-memory.dmp

                Filesize

                5.6MB

                Download

              • memory/4392-4-0x0000000005B30000-0x0000000005B74000-memory.dmp

                Filesize

                272KB

                Download

              • memory/4392-5-0x0000000074400000-0x0000000074BB0000-memory.dmp

                Filesize

                7.7MB

                Download

              • memory/4392-9-0x0000000074400000-0x0000000074BB0000-memory.dmp

                Filesize

                7.7MB

                Download

              • memory/4392-6-0x0000000005C30000-0x0000000005CC2000-memory.dmp

                Filesize

                584KB

                Download

              • memory/4512-36-0x0000000000E30000-0x0000000000E5F000-memory.dmp

                Filesize

                188KB

                Download

              • memory/4512-34-0x0000000000660000-0x0000000000667000-memory.dmp

                Filesize

                28KB

                Download

              • memory/4784-21-0x00000000070F0000-0x000000000710A000-memory.dmp

                Filesize

                104KB

                Download

              • memory/4784-27-0x00000000743D0000-0x0000000074B80000-memory.dmp

                Filesize

                7.7MB

                Download

              • memory/4784-24-0x00000000743D0000-0x0000000074B80000-memory.dmp

                Filesize

                7.7MB

                Download

              • memory/4784-23-0x00000000743D0000-0x0000000074B80000-memory.dmp

                Filesize

                7.7MB

                Download

              • memory/4784-22-0x0000000009AB0000-0x0000000009AB6000-memory.dmp

                Filesize

                24KB

                Download

              • memory/4784-20-0x00000000743D0000-0x0000000074B80000-memory.dmp

                Filesize

                7.7MB

                Download

              • memory/4784-19-0x00000000743D0000-0x0000000074B80000-memory.dmp

                Filesize

                7.7MB

                Download

              • memory/4784-18-0x0000000000AC0000-0x0000000000B86000-memory.dmp

                Filesize

                792KB

                Download

              • memory/4784-17-0x00000000743D0000-0x0000000074B80000-memory.dmp

                Filesize

                7.7MB

                Download