Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

5

bcc5a9772d...38.exe

windows7-x64

10

bcc5a9772d...38.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    148s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    04/06/2024, 15:02

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    bcc5a9772d5c0d2a0db971eff31f5a0e6feccdd6cb8defccbea6f00b5967cf38.exe

  • Size

    1.0MB

  • MD5

    6eb32cf2b1d4a3b38ef372e6c1d76b04

  • SHA1

    d72628520b0978a1b1be32f975676858c3d3476c

  • SHA256

    bcc5a9772d5c0d2a0db971eff31f5a0e6feccdd6cb8defccbea6f00b5967cf38

  • SHA512

    7e655a1ff81c24052a877ebd116e159a0c1bc79bb05e5b6823ba83c6c269a1a970a98babecd226fe8ffcc16d8bce8da1a56f6730153a695eed5e6b785c5eb4d3

  • SSDEEP

    24576:wAHnh+eWsN3skA4RV1Hom2KXMmHa2XbblkxUHjtcyd5:nh+ZkldoPK8Ya2XbblkCHjtc8

Score
10/10
formbookss63ratspywarestealertrojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

ss63

Decoy

catpig.xyz

chatladyanzensei7.site

onewayonepaydroptaxi.com

bima188.lol

wealth-km.online

seepao27200.top

6c958u9.lol

fbyu57ytsd.shop

baranetentegre.com

webaichimie.com

h3k38q2.lol

abicomsrl.com

338kp.vip

rescuecube.com

bubatz-t.com

psgluxuryapartments.com

goodfellowlawfirm.com

bais141.com

imingchu.com

ekzeanjfolzaks.top

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • Formbook payload 3 IoCs
    rat
  • Suspicious use of SetThreadContext 3 IoCs
  • Program crash 1 IoCs
  • Gathers network information 2 TTPs 1 IoCs

    Uses commandline utility to view network configuration.

  • Suspicious behavior: EnumeratesProcesses 62 IoCs
  • Suspicious behavior: MapViewOfSection 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SendNotifyMessage 2 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of UnmapMainImage
    • Suspicious use of WriteProcessMemory
    PID:3556
    • C:\Users\Admin\AppData\Local\Temp\bcc5a9772d5c0d2a0db971eff31f5a0e6feccdd6cb8defccbea6f00b5967cf38.exe
      "C:\Users\Admin\AppData\Local\Temp\bcc5a9772d5c0d2a0db971eff31f5a0e6feccdd6cb8defccbea6f00b5967cf38.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:1180
      • C:\Windows\SysWOW64\svchost.exe
        "C:\Users\Admin\AppData\Local\Temp\bcc5a9772d5c0d2a0db971eff31f5a0e6feccdd6cb8defccbea6f00b5967cf38.exe"
        3⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        PID:3344
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 1180 -s 692
        3⤵
        • Program crash
        PID:1616
    • C:\Windows\SysWOW64\NETSTAT.EXE
      "C:\Windows\SysWOW64\NETSTAT.EXE"
      2⤵
      • Suspicious use of SetThreadContext
      • Gathers network information
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1468
      • C:\Windows\SysWOW64\cmd.exe
        /c del "C:\Windows\SysWOW64\svchost.exe"
        3⤵
          PID:4680
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1180 -ip 1180
      1⤵
        PID:1552

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • memory/1180-10-0x0000000000B70000-0x0000000000B74000-memory.dmp

        Filesize

        16KB

        Download

      • memory/1468-17-0x0000000000DA0000-0x0000000000DAB000-memory.dmp

        Filesize

        44KB

        Download

      • memory/1468-19-0x0000000000720000-0x000000000074F000-memory.dmp

        Filesize

        188KB

        Download

      • memory/1468-18-0x0000000000DA0000-0x0000000000DAB000-memory.dmp

        Filesize

        44KB

        Download

      • memory/3344-14-0x0000000000400000-0x000000000042F000-memory.dmp

        Filesize

        188KB

        Download

      • memory/3344-15-0x0000000000DB0000-0x0000000000DC5000-memory.dmp

        Filesize

        84KB

        Download

      • memory/3344-12-0x0000000001800000-0x0000000001B4A000-memory.dmp

        Filesize

        3.3MB

        Download

      • memory/3344-11-0x0000000000400000-0x000000000042F000-memory.dmp

        Filesize

        188KB

        Download

      • memory/3556-16-0x00000000086B0000-0x00000000087EF000-memory.dmp

        Filesize

        1.2MB

        Download

      • memory/3556-21-0x00000000086B0000-0x00000000087EF000-memory.dmp

        Filesize

        1.2MB

        Download

      • memory/3556-24-0x000000000A570000-0x000000000A686000-memory.dmp

        Filesize

        1.1MB

        Download

      • memory/3556-25-0x000000000A570000-0x000000000A686000-memory.dmp

        Filesize

        1.1MB

        Download

      • memory/3556-28-0x000000000A570000-0x000000000A686000-memory.dmp

        Filesize

        1.1MB

        Download