Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    149s
  • max time network
    141s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    16/09/2024, 10:16

General

  • Target

    RFQ REF-JTCAJC-QINHP5-TIS-L0009- (AL DHAFRA) AL JABER - SUPPLY.exe

  • Size

    959KB

  • MD5

    a4be50bb39110e49c1d2fc87ccc12f56

  • SHA1

    ffc4874f95b0c774ad54988350128eadfaeebc23

  • SHA256

    b967a8b7765a762514d4b8d172fabb655af83d7279fd15cd513e217675ce96a9

  • SHA512

    241476b5ab26dc7a8673daca8cb6b76b46b9e87092e09e7db643368b8514d439e1bf502a42b9f6b082ce2fc92c3ca2141bd34e8068bc77820c06d4892242f575

  • SSDEEP

    24576:hiUmSB/o5d1ubcvLiUlytyo/bfUbycmjNlscnVDO8TR+KDV:h/mU/ohubcvhMXQb6kcROgIKD

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

bs26

Decoy

bhkflatforsale.today

89486.cyou

asstortlawsuit-26.today

935fkg.top

lanetaryadventure.website

5-77.xyz

yankosensei.top

esasi.boats

ortasmundial.online

gfo.net

mhgriu.xyz

440.top

52zh366hq.bond

arage-door-tab.fun

heriffburns.info

ndogamingslot.club

lrinstlusa.today

ssdefdhet.fun

dbg.net

ome-remodeling-82737.bond

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

  • Formbook payload 3 IoCs
  • Drops startup file 1 IoCs
  • Executes dropped EXE 1 IoCs
  • UPX packed file 5 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • AutoIT Executable 2 IoCs

    AutoIT scripts compiled to PE executables.

  • Suspicious use of SetThreadContext 3 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 62 IoCs
  • Suspicious behavior: MapViewOfSection 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of FindShellTrayWindow 6 IoCs
  • Suspicious use of SendNotifyMessage 4 IoCs
  • Suspicious use of WriteProcessMemory 13 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of WriteProcessMemory
    PID:3412
    • C:\Users\Admin\AppData\Local\Temp\RFQ REF-JTCAJC-QINHP5-TIS-L0009- (AL DHAFRA) AL JABER - SUPPLY.exe
      "C:\Users\Admin\AppData\Local\Temp\RFQ REF-JTCAJC-QINHP5-TIS-L0009- (AL DHAFRA) AL JABER - SUPPLY.exe"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:4560
      • C:\Users\Admin\AppData\Local\directory\name.exe
        "C:\Users\Admin\AppData\Local\Temp\RFQ REF-JTCAJC-QINHP5-TIS-L0009- (AL DHAFRA) AL JABER - SUPPLY.exe"
        3⤵
        • Drops startup file
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        • Suspicious use of WriteProcessMemory
        PID:4160
        • C:\Windows\SysWOW64\svchost.exe
          "C:\Users\Admin\AppData\Local\Temp\RFQ REF-JTCAJC-QINHP5-TIS-L0009- (AL DHAFRA) AL JABER - SUPPLY.exe"
          4⤵
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of AdjustPrivilegeToken
          PID:4368
    • C:\Windows\SysWOW64\cscript.exe
      "C:\Windows\SysWOW64\cscript.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3916
      • C:\Windows\SysWOW64\cmd.exe
        /c del "C:\Windows\SysWOW64\svchost.exe"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:1636
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4344,i,11391966286255097843,10588851088187498028,262144 --variations-seed-version --mojo-platform-channel-handle=3904 /prefetch:8
    1⤵
      PID:2620

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\orographically

      Filesize

      185KB

      MD5

      24384a38aea837fb10ebf501e11c6915

      SHA1

      bb5f74351cdcfb9bd9f6090b75cc090747367a07

      SHA256

      86e3b42ec3f81012f9165050301302986483ebb94769ff9f9ec4cf71372278c4

      SHA512

      02351a1302b8c6b2ff977d69fcfdf1b490c6e7e6fd13375b3d658a305f1419ee713bdccb1b539f76b5126d45994d19b00926d2fc71cbbe824d487ac57a81f7a8

    • C:\Users\Admin\AppData\Local\directory\name.exe

      Filesize

      959KB

      MD5

      a4be50bb39110e49c1d2fc87ccc12f56

      SHA1

      ffc4874f95b0c774ad54988350128eadfaeebc23

      SHA256

      b967a8b7765a762514d4b8d172fabb655af83d7279fd15cd513e217675ce96a9

      SHA512

      241476b5ab26dc7a8673daca8cb6b76b46b9e87092e09e7db643368b8514d439e1bf502a42b9f6b082ce2fc92c3ca2141bd34e8068bc77820c06d4892242f575

    • memory/3412-23-0x0000000002C90000-0x0000000002D65000-memory.dmp

      Filesize

      852KB

    • memory/3412-34-0x0000000002B30000-0x0000000002C20000-memory.dmp

      Filesize

      960KB

    • memory/3412-32-0x0000000002B30000-0x0000000002C20000-memory.dmp

      Filesize

      960KB

    • memory/3412-31-0x0000000002B30000-0x0000000002C20000-memory.dmp

      Filesize

      960KB

    • memory/3412-27-0x0000000002C90000-0x0000000002D65000-memory.dmp

      Filesize

      852KB

    • memory/3916-26-0x0000000001200000-0x000000000122F000-memory.dmp

      Filesize

      188KB

    • memory/3916-25-0x00000000001D0000-0x00000000001F7000-memory.dmp

      Filesize

      156KB

    • memory/3916-24-0x00000000001D0000-0x00000000001F7000-memory.dmp

      Filesize

      156KB

    • memory/4160-18-0x0000000000C50000-0x0000000000E5B000-memory.dmp

      Filesize

      2.0MB

    • memory/4160-14-0x0000000003790000-0x0000000003990000-memory.dmp

      Filesize

      2.0MB

    • memory/4160-7-0x0000000000C50000-0x0000000000E5B000-memory.dmp

      Filesize

      2.0MB

    • memory/4368-19-0x0000000000E00000-0x000000000114A000-memory.dmp

      Filesize

      3.3MB

    • memory/4368-22-0x0000000000D70000-0x0000000000D84000-memory.dmp

      Filesize

      80KB

    • memory/4368-21-0x0000000000400000-0x000000000042F000-memory.dmp

      Filesize

      188KB

    • memory/4368-16-0x0000000000400000-0x000000000042F000-memory.dmp

      Filesize

      188KB

    • memory/4560-0-0x00000000000B0000-0x00000000002BB000-memory.dmp

      Filesize

      2.0MB

    • memory/4560-10-0x00000000000B0000-0x00000000002BB000-memory.dmp

      Filesize

      2.0MB

    • memory/4560-3-0x00000000044E0000-0x00000000046E0000-memory.dmp

      Filesize

      2.0MB