Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel: 148s
  • max time network: 150s
  • platform: windows7_x64
  • resource: win7-20240903-en
  • resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted: 24/09/2024, 06:53 UTC

General

  • Target: 1dab7f07bfa344e601226bc0657decbabd3b421fd207e031ae99ccfbc5637414.exe
  • Size: 772KB
  • MD5: 96df83409286c456fa56c37a0d5098be
  • SHA1: 9140c707f2e625caa4f300ccbc2c1f7136048b64
  • SHA256: 1dab7f07bfa344e601226bc0657decbabd3b421fd207e031ae99ccfbc5637414
  • SHA512: 3ea8150f356a1ba5ab75f6d49db8fa7e0cc86aa850575f605df308de4ba9248739745f5ade53135ac5be167abeb5246b0452141091a3665f0ff19f09e806557f
  • SSDEEP: 12288:v6Wq4aaE6KwyF5L0Y2D1PqLv/ZbzqgYP1Q7aem6GKxA4ElbxKEfbOeuOU5Km3awZ:tthEVaPqLv/Eb2nm8VEHffb/U5Km3ZkG

Malware Config

Extracted

Family: formbook

Version: 4.1

Campaign: c89p

Decoy:


Signatures

  • Formbook

    Formbook is a data-stealing malware family.

  • Formbook payload 3 IoCs
  • AutoIT Executable 1 IoCs

    AutoIT scripts compiled to PE executables.

  • Suspicious use of SetThreadContext 3 IoCs
  • UPX packed file 2 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 31 IoCs
  • Suspicious behavior: MapViewOfSection 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 6 IoCs
  • Suspicious use of SendNotifyMessage 4 IoCs
  • Suspicious use of WriteProcessMemory 13 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:1192
    • C:\Users\Admin\AppData\Local\Temp\1dab7f07bfa344e601226bc0657decbabd3b421fd207e031ae99ccfbc5637414.exe
      "C:\Users\Admin\AppData\Local\Temp\1dab7f07bfa344e601226bc0657decbabd3b421fd207e031ae99ccfbc5637414.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:3040
      • C:\Windows\SysWOW64\svchost.exe
        "C:\Users\Admin\AppData\Local\Temp\1dab7f07bfa344e601226bc0657decbabd3b421fd207e031ae99ccfbc5637414.exe"
        3⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        PID:2388
    • C:\Windows\SysWOW64\cmmon32.exe
      "C:\Windows\SysWOW64\cmmon32.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2156
      • C:\Windows\SysWOW64\cmd.exe
        /c del "C:\Windows\SysWOW64\svchost.exe"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:1336

Network

  • flag-us  DNS  www.un-sea.fun  (Explorer.EXE; remote address 8.8.8.8:53)
    Request: www.un-sea.fun IN A
    Response: (empty)
  • flag-us  DNS  www.aycare-service-99683.bond  (Explorer.EXE; remote address 8.8.8.8:53)
    Request: www.aycare-service-99683.bond IN A
    Response: (empty)
  • flag-us  DNS  www.iam-saaab.buzz  (Explorer.EXE; remote address 8.8.8.8:53)
    Request: www.iam-saaab.buzz IN A
    Response: (empty)
  • flag-us  DNS  www.oursmile.vip  (Explorer.EXE; remote address 8.8.8.8:53)
    Request: www.oursmile.vip IN A
    Response: (empty)
  • flag-us  DNS  www.okenexchange.art  (Explorer.EXE; remote address 8.8.8.8:53)
    Request: www.okenexchange.art IN A
    Response: (empty)
  • flag-us  DNS  www.ldkp.net  (Explorer.EXE; remote address 8.8.8.8:53)
    Request: www.ldkp.net IN A
    Response: (empty)
  • 8.8.8.8:53  www.un-sea.fun  dns  Explorer.EXE  60 B sent / 125 B received  1 / 1
    DNS Request: www.un-sea.fun
  • 8.8.8.8:53  www.aycare-service-99683.bond  dns  Explorer.EXE  75 B sent / 140 B received  1 / 1
    DNS Request: www.aycare-service-99683.bond
  • 8.8.8.8:53  www.iam-saaab.buzz  dns  Explorer.EXE  64 B sent / 131 B received  1 / 1
    DNS Request: www.iam-saaab.buzz
  • 8.8.8.8:53  www.oursmile.vip  dns  Explorer.EXE  62 B sent / 123 B received  1 / 1
    DNS Request: www.oursmile.vip
  • 8.8.8.8:53  www.okenexchange.art  dns  Explorer.EXE  66 B sent / 131 B received  1 / 1
    DNS Request: www.okenexchange.art
  • 8.8.8.8:53  www.ldkp.net  dns  Explorer.EXE  58 B sent / 131 B received  1 / 1
    DNS Request: www.ldkp.net

MITRE ATT&CK Enterprise v15


Downloads

  • memory/1192-12-0x0000000004DF0000-0x0000000004EB4000-memory.dmp (Filesize: 784KB)
  • memory/1192-25-0x0000000005410000-0x000000000550D000-memory.dmp (Filesize: 1012KB)
  • memory/1192-23-0x0000000005410000-0x000000000550D000-memory.dmp (Filesize: 1012KB)
  • memory/1192-22-0x0000000005410000-0x000000000550D000-memory.dmp (Filesize: 1012KB)
  • memory/1192-16-0x0000000004DF0000-0x0000000004EB4000-memory.dmp (Filesize: 784KB)
  • memory/2156-15-0x0000000000090000-0x00000000000BF000-memory.dmp (Filesize: 188KB)
  • memory/2156-13-0x0000000000060000-0x000000000006D000-memory.dmp (Filesize: 52KB)
  • memory/2156-14-0x0000000000060000-0x000000000006D000-memory.dmp (Filesize: 52KB)
  • memory/2388-10-0x0000000000400000-0x000000000042F000-memory.dmp (Filesize: 188KB)
  • memory/2388-11-0x0000000000180000-0x0000000000194000-memory.dmp (Filesize: 80KB)
  • memory/2388-8-0x0000000000A20000-0x0000000000D23000-memory.dmp (Filesize: 3.0MB)
  • memory/2388-4-0x0000000000400000-0x000000000042F000-memory.dmp (Filesize: 188KB)
  • memory/3040-0-0x0000000000400000-0x00000000004C2000-memory.dmp (Filesize: 776KB)
  • memory/3040-7-0x0000000003720000-0x0000000003920000-memory.dmp (Filesize: 2.0MB)
  • memory/3040-6-0x0000000000400000-0x00000000004C2000-memory.dmp (Filesize: 776KB)
  • memory/3040-3-0x0000000003720000-0x0000000003920000-memory.dmp (Filesize: 2.0MB)
  • memory/3040-2-0x0000000003720000-0x0000000003920000-memory.dmp (Filesize: 2.0MB)
