Analysis
max time kernel: 148s
max time network: 148s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 04/06/2024, 15:02
Static task: static1
Behavioral task: behavioral1
Sample: bcc5a9772d5c0d2a0db971eff31f5a0e6feccdd6cb8defccbea6f00b5967cf38.exe
Resource: win7-20240221-en
General
Target: bcc5a9772d5c0d2a0db971eff31f5a0e6feccdd6cb8defccbea6f00b5967cf38.exe
Size: 1.0MB
MD5: 6eb32cf2b1d4a3b38ef372e6c1d76b04
SHA1: d72628520b0978a1b1be32f975676858c3d3476c
SHA256: bcc5a9772d5c0d2a0db971eff31f5a0e6feccdd6cb8defccbea6f00b5967cf38
SHA512: 7e655a1ff81c24052a877ebd116e159a0c1bc79bb05e5b6823ba83c6c269a1a970a98babecd226fe8ffcc16d8bce8da1a56f6730153a695eed5e6b785c5eb4d3
SSDEEP: 24576:wAHnh+eWsN3skA4RV1Hom2KXMmHa2XbblkxUHjtcyd5:nh+ZkldoPK8Ya2XbblkCHjtc8
Malware Config
Extracted
Family: formbook
Version: 4.1
Campaign: ss63
(list of extracted domains omitted)
Signatures

Formbook payload (3 IoCs)
resource                                                                  yara_rule
behavioral2/memory/3344-11-0x0000000000400000-0x000000000042F000-memory.dmp  formbook
behavioral2/memory/3344-14-0x0000000000400000-0x000000000042F000-memory.dmp  formbook
behavioral2/memory/1468-19-0x0000000000720000-0x000000000074F000-memory.dmp  formbook

Suspicious use of SetThreadContext (3 IoCs)
description                              pid   Process                                                                  procid_target
PID 1180 set thread context of 3344      1180  bcc5a9772d5c0d2a0db971eff31f5a0e6feccdd6cb8defccbea6f00b5967cf38.exe  83
PID 3344 set thread context of 3556      3344  svchost.exe                                                              56
PID 1468 set thread context of 3556      1468  NETSTAT.EXE                                                              56

Program crash (1 IoC)
pid   pid_target  Process       procid_target
1616  1180        WerFault.exe  82

Gathers network information (2 TTPs, 1 IoC)
Uses commandline utility to view network configuration.
pid   Process
1468  NETSTAT.EXE

Suspicious behavior: EnumeratesProcesses (62 IoCs)
pid   Process
3344  svchost.exe   (4 entries)
1468  NETSTAT.EXE   (58 entries)

Suspicious behavior: MapViewOfSection (6 IoCs)
pid   Process
1180  bcc5a9772d5c0d2a0db971eff31f5a0e6feccdd6cb8defccbea6f00b5967cf38.exe
3344  svchost.exe   (3 entries)
1468  NETSTAT.EXE   (2 entries)

Suspicious use of AdjustPrivilegeToken (6 IoCs)
description                       pid   Process
Token: SeDebugPrivilege           3344  svchost.exe
Token: SeShutdownPrivilege        3556  Explorer.EXE
Token: SeCreatePagefilePrivilege  3556  Explorer.EXE
Token: SeShutdownPrivilege        3556  Explorer.EXE
Token: SeCreatePagefilePrivilege  3556  Explorer.EXE
Token: SeDebugPrivilege           1468  NETSTAT.EXE

Suspicious use of FindShellTrayWindow (2 IoCs)
pid   Process
1180  bcc5a9772d5c0d2a0db971eff31f5a0e6feccdd6cb8defccbea6f00b5967cf38.exe  (2 entries)

Suspicious use of SendNotifyMessage (2 IoCs)
pid   Process
1180  bcc5a9772d5c0d2a0db971eff31f5a0e6feccdd6cb8defccbea6f00b5967cf38.exe  (2 entries)

Suspicious use of UnmapMainImage (1 IoC)
pid   Process
3556  Explorer.EXE

Suspicious use of WriteProcessMemory (10 IoCs)
description                          pid   Process                                                                  procid_target
PID 1180 wrote to memory of 3344     1180  bcc5a9772d5c0d2a0db971eff31f5a0e6feccdd6cb8defccbea6f00b5967cf38.exe  83  (4 entries)
PID 3556 wrote to memory of 1468     3556  Explorer.EXE                                                             88  (3 entries)
PID 1468 wrote to memory of 4680     1468  NETSTAT.EXE                                                              94  (3 entries)
Processes

C:\Windows\Explorer.EXE  (PID 3556)
  command line: C:\Windows\Explorer.EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\bcc5a9772d5c0d2a0db971eff31f5a0e6feccdd6cb8defccbea6f00b5967cf38.exe  (PID 1180)
      command line: "C:\Users\Admin\AppData\Local\Temp\bcc5a9772d5c0d2a0db971eff31f5a0e6feccdd6cb8defccbea6f00b5967cf38.exe"
      - Suspicious use of SetThreadContext
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
      - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\svchost.exe  (PID 3344)
          command line: "C:\Users\Admin\AppData\Local\Temp\bcc5a9772d5c0d2a0db971eff31f5a0e6feccdd6cb8defccbea6f00b5967cf38.exe"
          - Suspicious use of SetThreadContext
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious behavior: MapViewOfSection
          - Suspicious use of AdjustPrivilegeToken

        C:\Windows\SysWOW64\WerFault.exe  (PID 1616)
          command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1180 -s 692
          - Program crash

    C:\Windows\SysWOW64\NETSTAT.EXE  (PID 1468)
      command line: "C:\Windows\SysWOW64\NETSTAT.EXE"
      - Suspicious use of SetThreadContext
      - Gathers network information
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\cmd.exe  (PID 4680)
          command line: /c del "C:\Windows\SysWOW64\svchost.exe"

C:\Windows\SysWOW64\WerFault.exe  (PID 1552)
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1180 -ip 1180