Analysis

  • max time kernel
    148s
  • max time network
    131s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
  • submitted
    20/09/2024, 08:46 UTC

General

  • Target

    Payment_Advice pdf.exe

  • Size

    1.2MB

  • MD5

    6cf9d0cd325beeb461dbe39c74483686

  • SHA1

    71792078df265b5aef884d7f3710a24d11088262

  • SHA256

    cea476506bdbb5781b4fc674b15a0d15c1be4e7459a0b0bdd7132e1d406a226e

  • SHA512

    4ec448183d6c49c82e4086b8a1a3a7d0118ee10e420615cf58a3eaa5097a15c5903d3614616634cc692172a75f6982448263b159e252a84a2a4e426cc2e72f8e

  • SSDEEP

    24576:PCdxte/80jYLT3U1jfsWa32BvSTGU7hHtQ:Ow80cTsjkWa3e69c

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

k94g

Decoy

Signatures

  • Formbook

    Formbook is a data-stealing malware family.

  • Formbook payload 3 IoCs
  • Drops startup file 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • AutoIT Executable 1 IoCs

    AutoIT scripts compiled to PE executables.

  • Suspicious use of SetThreadContext 3 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempts to gather information about the system language of a victim host in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 31 IoCs
  • Suspicious behavior: MapViewOfSection 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 6 IoCs
  • Suspicious use of SendNotifyMessage 4 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of WriteProcessMemory
    PID:1196
    • C:\Users\Admin\AppData\Local\Temp\Payment_Advice pdf.exe
      "C:\Users\Admin\AppData\Local\Temp\Payment_Advice pdf.exe"
      2⤵
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:2604
      • C:\Users\Admin\AppData\Local\lustring\reindulgence.exe
        "C:\Users\Admin\AppData\Local\Temp\Payment_Advice pdf.exe"
        3⤵
        • Drops startup file
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        • Suspicious use of WriteProcessMemory
        PID:2568
        • C:\Windows\SysWOW64\svchost.exe
          "C:\Users\Admin\AppData\Local\Temp\Payment_Advice pdf.exe"
          4⤵
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of AdjustPrivilegeToken
          PID:2820
    • C:\Windows\SysWOW64\wuapp.exe
      "C:\Windows\SysWOW64\wuapp.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2744
      • C:\Windows\SysWOW64\cmd.exe
        /c del "C:\Windows\SysWOW64\svchost.exe"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2556

Network

  DNS requests (all issued by Explorer.EXE to remote address 8.8.8.8:53, flagged US):

  Domain                   Request                        Response
  www.icloud.xyz           www.icloud.xyz IN A            (empty)
  www.ovdaawebsite.online  www.ovdaawebsite.online IN A   (empty)
  www.ugold-ss2.net        www.ugold-ss2.net IN A         (empty)
  www.uvs-in-au.today      www.uvs-in-au.today IN A       (empty)
  www.tockportflat.earth   www.tockportflat.earth IN A    (empty)
  Connections:

  Remote address  Domain                   Protocol  Process       Sent  Received  Packets out  Packets in  DNS request
  8.8.8.8:53      www.icloud.xyz           dns       Explorer.EXE  60 B  124 B     1            1           www.icloud.xyz
  8.8.8.8:53      www.ovdaawebsite.online  dns       Explorer.EXE  69 B  134 B     1            1           www.ovdaawebsite.online
  8.8.8.8:53      www.ugold-ss2.net        dns       Explorer.EXE  63 B  136 B     1            1           www.ugold-ss2.net
  8.8.8.8:53      www.uvs-in-au.today      dns       Explorer.EXE  65 B  133 B     1            1           www.uvs-in-au.today
  8.8.8.8:53      www.tockportflat.earth   dns       Explorer.EXE  68 B  135 B     1            1           www.tockportflat.earth


MITRE ATT&CK Enterprise v15

Downloads

  • \Users\Admin\AppData\Local\lustring\reindulgence.exe

    Filesize

    1.2MB

    MD5

    6cf9d0cd325beeb461dbe39c74483686

    SHA1

    71792078df265b5aef884d7f3710a24d11088262

    SHA256

    cea476506bdbb5781b4fc674b15a0d15c1be4e7459a0b0bdd7132e1d406a226e

    SHA512

    4ec448183d6c49c82e4086b8a1a3a7d0118ee10e420615cf58a3eaa5097a15c5903d3614616634cc692172a75f6982448263b159e252a84a2a4e426cc2e72f8e

  Memory dumps:

  Dump                                                              Filesize
  memory/1196-42-0x00000000066E0000-0x00000000067E5000-memory.dmp   1.0MB
  memory/1196-40-0x00000000066E0000-0x00000000067E5000-memory.dmp   1.0MB
  memory/1196-39-0x00000000066E0000-0x00000000067E5000-memory.dmp   1.0MB
  memory/1196-33-0x0000000004C40000-0x0000000004CFE000-memory.dmp   760KB
  memory/1196-27-0x0000000003E40000-0x0000000004040000-memory.dmp   2.0MB
  memory/1196-28-0x0000000004C40000-0x0000000004CFE000-memory.dmp   760KB
  memory/2568-20-0x00000000008D0000-0x0000000000CD0000-memory.dmp   4.0MB
  memory/2604-6-0x00000000009B0000-0x0000000000DB0000-memory.dmp    4.0MB
  memory/2744-32-0x00000000000D0000-0x00000000000FF000-memory.dmp   188KB
  memory/2744-29-0x0000000001110000-0x000000000111B000-memory.dmp   44KB
  memory/2744-31-0x0000000001110000-0x000000000111B000-memory.dmp   44KB
  memory/2820-25-0x0000000000400000-0x000000000042F000-memory.dmp   188KB
  memory/2820-26-0x00000000001E0000-0x00000000001F4000-memory.dmp   80KB
  memory/2820-23-0x0000000000910000-0x0000000000C13000-memory.dmp   3.0MB
  memory/2820-22-0x0000000000400000-0x000000000042F000-memory.dmp   188KB
