Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    119s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    08/09/2024, 07:34 UTC

General

  • Target

    dd674329e193ad3d072e07fe1b442340N.exe

  • Size

    741KB

  • MD5

    dd674329e193ad3d072e07fe1b442340

  • SHA1

    9064b660c5643e0104bb81f9a6a71b340f7d5f1a

  • SHA256

    8a26bda9ab6bcbd3ef5a008db1bc15e46677ab1545bd2aac4e081ea3df5077e9

  • SHA512

    a24311e04ca3604069fc0f9feb736897a8598102abba6cdc600bd502870de689cd3437d97241ad801a388d13b1c1c081e591e119fc4f31aceffa03d1af472584

  • SSDEEP

    12288:Ex5zjLf30WH0TwOqp0eXIBq2VhXpAOnTveaIEC+O22XPtJV6HAfiL8IftFuMy:gjj0ywkpr0q2vjNtC+O9XPn+A4/9

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

b48n

Decoy

anifestmindset.net

ommybahamabigsales.shop

3tcxr.xyz

iano-world.net

rconf23.net

atherpa.shop

trllrpartners.club

5sawit777.pro

ctbhuxcdreioijresol.top

opinatlas.app

pinstar.xyz

mfengwa.top

8games13.xyz

tickpaket.online

iphuodongallbbtbtm.top

ental-bridges-51593.bond

laywithkemon.rest

lkpiou.xyz

a88.land

igfloppafan.club

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

  • Formbook payload 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\dd674329e193ad3d072e07fe1b442340N.exe
    "C:\Users\Admin\AppData\Local\Temp\dd674329e193ad3d072e07fe1b442340N.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1732
    • C:\Users\Admin\AppData\Local\Temp\dd674329e193ad3d072e07fe1b442340N.exe
      "C:\Users\Admin\AppData\Local\Temp\dd674329e193ad3d072e07fe1b442340N.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:3004

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/1732-6-0x0000000002080000-0x00000000020F6000-memory.dmp

    Filesize

    472KB

  • memory/1732-1-0x0000000000BC0000-0x0000000000C7E000-memory.dmp

    Filesize

    760KB

  • memory/1732-2-0x0000000074510000-0x0000000074BFE000-memory.dmp

    Filesize

    6.9MB

  • memory/1732-3-0x00000000009C0000-0x00000000009D8000-memory.dmp

    Filesize

    96KB

  • memory/1732-4-0x000000007451E000-0x000000007451F000-memory.dmp

    Filesize

    4KB

  • memory/1732-5-0x0000000074510000-0x0000000074BFE000-memory.dmp

    Filesize

    6.9MB

  • memory/1732-0-0x000000007451E000-0x000000007451F000-memory.dmp

    Filesize

    4KB

  • memory/1732-13-0x0000000074510000-0x0000000074BFE000-memory.dmp

    Filesize

    6.9MB

  • memory/3004-7-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

  • memory/3004-8-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

  • memory/3004-9-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

    Filesize

    4KB

  • memory/3004-12-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

  • memory/3004-14-0x0000000000820000-0x0000000000B23000-memory.dmp

    Filesize

    3.0MB

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.