Analysis
Max time kernel: 149s
Max time network: 141s
Platform: windows10-2004_x64
Resource: win10v2004-20240802-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 16/09/2024, 10:16
Behavioral task: behavioral1
Sample: RFQ REF-JTCAJC-QINHP5-TIS-L0009- (AL DHAFRA) AL JABER - SUPPLY.exe
Resource: win7-20240903-en
General
Target: RFQ REF-JTCAJC-QINHP5-TIS-L0009- (AL DHAFRA) AL JABER - SUPPLY.exe
Size: 959KB
MD5: a4be50bb39110e49c1d2fc87ccc12f56
SHA1: ffc4874f95b0c774ad54988350128eadfaeebc23
SHA256: b967a8b7765a762514d4b8d172fabb655af83d7279fd15cd513e217675ce96a9
SHA512: 241476b5ab26dc7a8673daca8cb6b76b46b9e87092e09e7db643368b8514d439e1bf502a42b9f6b082ce2fc92c3ca2141bd34e8068bc77820c06d4892242f575
SSDEEP: 24576:hiUmSB/o5d1ubcvLiUlytyo/bfUbycmjNlscnVDO8TR+KDV:h/mU/ohubcvhMXQb6kcROgIKD
Malware Config
Extracted
Family: formbook
Version: 4.1
Campaign: bs26
C2 (domains as extracted from the config):
bhkflatforsale.today
89486.cyou
asstortlawsuit-26.today
935fkg.top
lanetaryadventure.website
5-77.xyz
yankosensei.top
esasi.boats
ortasmundial.online
gfo.net
mhgriu.xyz
440.top
52zh366hq.bond
arage-door-tab.fun
heriffburns.info
ndogamingslot.club
lrinstlusa.today
ssdefdhet.fun
dbg.net
ome-remodeling-82737.bond
sychology-degree-49198.bond
eon-zerkalo-obd1.buzz
46sj488ux.bond
138hoki.yachts
ircuit-board-assembler-us.bond
raphic-design-degree-98455.bond
erherseershjrre.buzz
ekabit.online
impemos.cyou
otgoingback24.net
ust.digital
lsheikh.click
mail-marketing-57276.bond
hampion-casino-fhy.buzz
irtyf-ingrancher.info
ustomaglow.xyz
efloristika.online
djinni.buzz
egaplex.dev
oundroutdoors.club
aco.lol
reme.delivery
oursocialclub.xyz
ffertop.online
dinfotech.info
ydzndy.biz
og-walker-jobs-62009.bond
verybodyeats.services
earchgpt.homes
njoei.click
yler-paaac.buzz
mni-streak.net
aaldemo.click
rectionpower.online
sian.lol
belivedi.cfd
d516249.online
nfluencer-marketing-89430.bond
ransportationmqmptpro.top
ymortgagebusinesssucks.shop
931.bet
ruise-jobs-39837.bond
nglessemneura.shop
sed-cars-81272.bond
34679.sbs
Signatures

Formbook payload (3 IoCs)
resource | yara_rule
behavioral2/memory/4368-16-0x0000000000400000-0x000000000042F000-memory.dmp | formbook
behavioral2/memory/4368-21-0x0000000000400000-0x000000000042F000-memory.dmp | formbook
behavioral2/memory/3916-26-0x0000000001200000-0x000000000122F000-memory.dmp | formbook

Drops startup file (1 IoC)
description | ioc | Process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\name.vbs | name.exe

Executes dropped EXE (1 IoC)
pid | Process
4160 | name.exe

YARA rule matches: upx (5 IoCs)
resource | yara_rule
behavioral2/memory/4560-0-0x00000000000B0000-0x00000000002BB000-memory.dmp | upx
behavioral2/files/0x0007000000023625-6.dat | upx
behavioral2/memory/4160-7-0x0000000000C50000-0x0000000000E5B000-memory.dmp | upx
behavioral2/memory/4560-10-0x00000000000B0000-0x00000000002BB000-memory.dmp | upx
behavioral2/memory/4160-18-0x0000000000C50000-0x0000000000E5B000-memory.dmp | upx

AutoIT Executable (2 IoCs)
AutoIT scripts compiled to PE executables.
resource | yara_rule
behavioral2/memory/4560-10-0x00000000000B0000-0x00000000002BB000-memory.dmp | autoit_exe
behavioral2/memory/4160-18-0x0000000000C50000-0x0000000000E5B000-memory.dmp | autoit_exe

Suspicious use of SetThreadContext (3 IoCs)
description | pid | Process | procid_target
PID 4160 set thread context of 4368 | 4160 | name.exe | 90
PID 4368 set thread context of 3412 | 4368 | svchost.exe | 55
PID 3916 set thread context of 3412 | 3916 | cscript.exe | 55
System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | RFQ REF-JTCAJC-QINHP5-TIS-L0009- (AL DHAFRA) AL JABER - SUPPLY.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | name.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cscript.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Suspicious behavior: EnumeratesProcesses (62 IoCs)
pid | Process | entries
4368 | svchost.exe | 4
3916 | cscript.exe | 58

Suspicious behavior: MapViewOfSection (6 IoCs)
pid | Process | entries
4160 | name.exe | 1
4368 | svchost.exe | 3
3916 | cscript.exe | 2

Suspicious use of AdjustPrivilegeToken (4 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 4368 | svchost.exe
Token: SeDebugPrivilege | 3916 | cscript.exe
Token: SeShutdownPrivilege | 3412 | Explorer.EXE
Token: SeCreatePagefilePrivilege | 3412 | Explorer.EXE

Suspicious use of FindShellTrayWindow (6 IoCs)
pid | Process | entries
4560 | RFQ REF-JTCAJC-QINHP5-TIS-L0009- (AL DHAFRA) AL JABER - SUPPLY.exe | 2
4160 | name.exe | 2
3412 | Explorer.EXE | 2

Suspicious use of SendNotifyMessage (4 IoCs)
pid | Process | entries
4560 | RFQ REF-JTCAJC-QINHP5-TIS-L0009- (AL DHAFRA) AL JABER - SUPPLY.exe | 2
4160 | name.exe | 2

Suspicious use of WriteProcessMemory (13 IoCs)
description | pid | Process | procid_target | entries
PID 4560 wrote to memory of 4160 | 4560 | RFQ REF-JTCAJC-QINHP5-TIS-L0009- (AL DHAFRA) AL JABER - SUPPLY.exe | 89 | 3
PID 4160 wrote to memory of 4368 | 4160 | name.exe | 90 | 4
PID 3412 wrote to memory of 3916 | 3412 | Explorer.EXE | 91 | 3
PID 3916 wrote to memory of 1636 | 3916 | cscript.exe | 96 | 3
Processes

- C:\Windows\Explorer.EXE (depth 1, PID 3412)
  Command line: C:\Windows\Explorer.EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\RFQ REF-JTCAJC-QINHP5-TIS-L0009- (AL DHAFRA) AL JABER - SUPPLY.exe (depth 2, PID 4560)
    Command line: "C:\Users\Admin\AppData\Local\Temp\RFQ REF-JTCAJC-QINHP5-TIS-L0009- (AL DHAFRA) AL JABER - SUPPLY.exe"
    - System Location Discovery: System Language Discovery
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\directory\name.exe (depth 3, PID 4160)
      Command line: "C:\Users\Admin\AppData\Local\Temp\RFQ REF-JTCAJC-QINHP5-TIS-L0009- (AL DHAFRA) AL JABER - SUPPLY.exe"
      - Drops startup file
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\svchost.exe (depth 4, PID 4368)
        Command line: "C:\Users\Admin\AppData\Local\Temp\RFQ REF-JTCAJC-QINHP5-TIS-L0009- (AL DHAFRA) AL JABER - SUPPLY.exe"
        - Suspicious use of SetThreadContext
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: MapViewOfSection
        - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\cscript.exe (depth 2, PID 3916)
    Command line: "C:\Windows\SysWOW64\cscript.exe"
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe (depth 3, PID 1636)
      Command line: /c del "C:\Windows\SysWOW64\svchost.exe"
      - System Location Discovery: System Language Discovery

- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 1, PID 2620)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4344,i,11391966286255097843,10588851088187498028,262144 --variations-seed-version --mojo-platform-channel-handle=3904 /prefetch:8
Downloads

- Filesize: 185KB
  MD5: 24384a38aea837fb10ebf501e11c6915
  SHA1: bb5f74351cdcfb9bd9f6090b75cc090747367a07
  SHA256: 86e3b42ec3f81012f9165050301302986483ebb94769ff9f9ec4cf71372278c4
  SHA512: 02351a1302b8c6b2ff977d69fcfdf1b490c6e7e6fd13375b3d658a305f1419ee713bdccb1b539f76b5126d45994d19b00926d2fc71cbbe824d487ac57a81f7a8

- Filesize: 959KB
  MD5: a4be50bb39110e49c1d2fc87ccc12f56
  SHA1: ffc4874f95b0c774ad54988350128eadfaeebc23
  SHA256: b967a8b7765a762514d4b8d172fabb655af83d7279fd15cd513e217675ce96a9
  SHA512: 241476b5ab26dc7a8673daca8cb6b76b46b9e87092e09e7db643368b8514d439e1bf502a42b9f6b082ce2fc92c3ca2141bd34e8068bc77820c06d4892242f575