Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    119s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    08/09/2024, 07:34

General

  • Target

    dd674329e193ad3d072e07fe1b442340N.exe

  • Size

    741KB

  • MD5

    dd674329e193ad3d072e07fe1b442340

  • SHA1

    9064b660c5643e0104bb81f9a6a71b340f7d5f1a

  • SHA256

    8a26bda9ab6bcbd3ef5a008db1bc15e46677ab1545bd2aac4e081ea3df5077e9

  • SHA512

    a24311e04ca3604069fc0f9feb736897a8598102abba6cdc600bd502870de689cd3437d97241ad801a388d13b1c1c081e591e119fc4f31aceffa03d1af472584

  • SSDEEP

    12288:Ex5zjLf30WH0TwOqp0eXIBq2VhXpAOnTveaIEC+O22XPtJV6HAfiL8IftFuMy:gjj0ywkpr0q2vjNtC+O9XPn+A4/9

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

b48n

Decoy

anifestmindset.net

ommybahamabigsales.shop

3tcxr.xyz

iano-world.net

rconf23.net

atherpa.shop

trllrpartners.club

5sawit777.pro

ctbhuxcdreioijresol.top

opinatlas.app

pinstar.xyz

mfengwa.top

8games13.xyz

tickpaket.online

iphuodongallbbtbtm.top

ental-bridges-51593.bond

laywithkemon.rest

lkpiou.xyz

a88.land

igfloppafan.club

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

  • Formbook payload 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\dd674329e193ad3d072e07fe1b442340N.exe
    "C:\Users\Admin\AppData\Local\Temp\dd674329e193ad3d072e07fe1b442340N.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1732
    • C:\Users\Admin\AppData\Local\Temp\dd674329e193ad3d072e07fe1b442340N.exe
      "C:\Users\Admin\AppData\Local\Temp\dd674329e193ad3d072e07fe1b442340N.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:3004

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/1732-6-0x0000000002080000-0x00000000020F6000-memory.dmp

    Filesize

    472KB

  • memory/1732-1-0x0000000000BC0000-0x0000000000C7E000-memory.dmp

    Filesize

    760KB

  • memory/1732-2-0x0000000074510000-0x0000000074BFE000-memory.dmp

    Filesize

    6.9MB

  • memory/1732-3-0x00000000009C0000-0x00000000009D8000-memory.dmp

    Filesize

    96KB

  • memory/1732-4-0x000000007451E000-0x000000007451F000-memory.dmp

    Filesize

    4KB

  • memory/1732-5-0x0000000074510000-0x0000000074BFE000-memory.dmp

    Filesize

    6.9MB

  • memory/1732-0-0x000000007451E000-0x000000007451F000-memory.dmp

    Filesize

    4KB

  • memory/1732-13-0x0000000074510000-0x0000000074BFE000-memory.dmp

    Filesize

    6.9MB

  • memory/3004-7-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

  • memory/3004-8-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

  • memory/3004-9-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

    Filesize

    4KB

  • memory/3004-12-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

  • memory/3004-14-0x0000000000820000-0x0000000000B23000-memory.dmp

    Filesize

    3.0MB