Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
max time kernel: 300s
max time network: 246s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 25/09/2024, 08:30
Static task: static1
Behavioral task: behavioral1
Sample: DHL-SHIPPING-DOC-PDF.exe
Resource: win7-20240903-en
General
Target: DHL-SHIPPING-DOC-PDF.exe
Size: 620KB
MD5: a43cc03d734b4becbab994c00a2616bc
SHA1: e6bf1562c7c898572c65f47c949466a77da869c5
SHA256: 965a24873fd5b2b10bf655cb07c4fcf6308981caac305b1e0a15d2332ae779b2
SHA512: 9282a26ef04ed2456bed6cd3f5f159ce9e0b1902a36efddcf69ce6bb5a33b71e09284f0d7f5f2f3b40a5d520177075eb1eb9d6dcf7b6cc0a273eff20e68e8fc6
SSDEEP: 12288:KOK/Jtxt1JiTwtOZZBFdctsKdKyBp+dqnHcaI97yNtQ8bQbcEukR:K5/hostOZZrWlFNcaI97MTIcE1
Malware Config
Extracted
Family: formbook
Version: 4.1
Campaign: mu94
Domains (65). Formbook ships a list of decoy domains alongside its real C2 host, so treat this as a candidate set for blocking and hunting rather than as 65 confirmed C2 servers:
thenextamendment.net
automatiza.xyz
psikologhazelgungor.com
90857.net
robertoblondetrealtor.site
rv0awy.rest
74657.ooo
adigidea.com
world-healing.online
health4world.com
shyan.fun
anviltotable.com
vinger.online
juizltd.com
twmk.asia
cakescrushbyruby.com
listxtreme.com
00050026.xyz
finessedesignhouse.com
jsmm-27.xyz
privet128.band
wyhl668.top
crystalcornerdesignn.com
kameltoe2024.xyz
mwquas.xyz
bt365860.com
c2r2h.xyz
bregylzj.xyz
dxlhu.asia
mythandbody.com
7y-sorte.net
gameogem.com
yourhug.xyz
reviewfreak.net
langitwin.lol
jkku2.rest
het789.com
cn00417984.shop
ry5ls1e02ai.top
cathedrals.shop
kaaatooni.com
ctventure.net
50732650.com
699519f.xyz
sailors.solutions
couples-therapy-39471.bond
eco-liga.com
youngtv.net
31hum.com
cocaincoutre.com
kzliw.xyz
online-business-70709.bond
cleliasfamilychildcare.com
commonhype.dev
tufabricadefiestas.com
playstayaussie.com
best-precious.com
kbk99.fun
cprcertificationcoach.com
mysleepfriend.shop
bt365437.com
rajasusu.pics
youtuberjumpstart.com
bfgj46578456454.vip
dmvdrivingpermit.com
Signatures
Formbook payload (4 IoCs)
resource                                                                       yara_rule
behavioral1/memory/2844-15-0x0000000000400000-0x000000000042F000-memory.dmp    formbook
behavioral1/memory/2844-19-0x0000000000400000-0x000000000042F000-memory.dmp    formbook
behavioral1/memory/2844-24-0x0000000000400000-0x000000000042F000-memory.dmp    formbook
behavioral1/memory/1344-30-0x0000000000090000-0x00000000000BF000-memory.dmp    formbook
The three 2844 entries are the same 0x2F000-byte region at the image base 0x400000, dumped at three snapshots; the region in systray.exe (PID 1344) at 0x90000 has the same size, consistent with the same unpacked payload having been copied into that process.
Deletes itself (1 IoC)
pid    Process
1892   cmd.exe
Suspicious use of SetThreadContext (4 IoCs)
pid    target pid   Process                    procid_target
2752   2844         DHL-SHIPPING-DOC-PDF.exe   31
2844   1264         DHL-SHIPPING-DOC-PDF.exe   21
2844   1264         DHL-SHIPPING-DOC-PDF.exe   21
1344   1264         systray.exe                21
System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description   ioc                                                           Process
Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   DHL-SHIPPING-DOC-PDF.exe
Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   systray.exe
Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   cmd.exe
This key is read during ordinary NLS initialisation by many processes (note that cmd.exe triggers it here too), so on its own it is low-signal; it matters only in combination with the injection and self-deletion behaviour below.
System Network Configuration Discovery: Internet Connection Discovery (1 TTP, 4 IoCs)
Adversaries may check for Internet connectivity on compromised systems.
pid    Process
1892   cmd.exe
2752   DHL-SHIPPING-DOC-PDF.exe
2848   DHL-SHIPPING-DOC-PDF.exe
2844   DHL-SHIPPING-DOC-PDF.exe
Suspicious behavior: EnumeratesProcesses (51 IoCs, collapsed to per-process counts)
pid    Process                    count
2752   DHL-SHIPPING-DOC-PDF.exe   2
2844   DHL-SHIPPING-DOC-PDF.exe   3
1344   systray.exe                46
Suspicious behavior: MapViewOfSection (6 IoCs, collapsed to per-process counts)
pid    Process                    count
2844   DHL-SHIPPING-DOC-PDF.exe   4
1344   systray.exe                2
Suspicious use of AdjustPrivilegeToken (4 IoCs)
Token                 pid    Process
SeDebugPrivilege      2752   DHL-SHIPPING-DOC-PDF.exe
SeDebugPrivilege      2844   DHL-SHIPPING-DOC-PDF.exe
SeDebugPrivilege      1344   systray.exe
SeShutdownPrivilege   1264   Explorer.EXE
SeDebugPrivilege in the two sample processes and in systray.exe is the notable entry: it is what lets them open and write to other processes, including Explorer.EXE.
Suspicious use of WriteProcessMemory (19 IoCs, collapsed to per-pair counts)
pid    target pid   Process                    procid_target   count
2752   2848         DHL-SHIPPING-DOC-PDF.exe   30              4
2752   2844         DHL-SHIPPING-DOC-PDF.exe   31              7
1264   1344         Explorer.EXE               32              4
1344   1892         systray.exe                33              4
The 2752 -> 2844 pair has more writes than the other parent-to-child pairs and is the only pair that also appears under SetThreadContext, which is the process-hollowing pattern: the parent starts a copy of itself, overwrites its image and redirects its entry thread. The SetThreadContext entries into Explorer.EXE (from 2844 and from 1344) have no matching WriteProcessMemory rows; the MapViewOfSection entries on those same two PIDs are the likely way the code was placed into Explorer.
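The tables above are what a triage script should correlate rather than read row by row. The following is an added example, not tria.ge's code or output: it parses rows copied from this report's WriteProcessMemory and SetThreadContext tables (one row per distinct source/target pair), labels each pair by the API combination seen on it, derives the size of each Formbook-tagged memory region from the dump file names, and matches the self-deleting cmd.exe command line from the process tree. The PID-to-image map, the classification heuristics and the regular expressions are assumptions of this example, and the self-delete command line is reconstructed by joining the image path and the arguments shown in the tree.

```python
import re

# Constructed input: one row per distinct (source, target) pair from the report's
# WriteProcessMemory and SetThreadContext tables, in tria.ge's flattened row layout
# "PID <src> <verb> <dst> <src> <image> <procid_target>" (duplicate rows collapsed).
WRITE_ROWS = """\
PID 2752 wrote to memory of 2848 2752 DHL-SHIPPING-DOC-PDF.exe 30
PID 2752 wrote to memory of 2844 2752 DHL-SHIPPING-DOC-PDF.exe 31
PID 1264 wrote to memory of 1344 1264 Explorer.EXE 32
PID 1344 wrote to memory of 1892 1344 systray.exe 33
"""
CTX_ROWS = """\
PID 2752 set thread context of 2844 2752 DHL-SHIPPING-DOC-PDF.exe 31
PID 2844 set thread context of 1264 2844 DHL-SHIPPING-DOC-PDF.exe 21
PID 1344 set thread context of 1264 1344 systray.exe 21
"""
# Assumed PID -> image map, taken from the report's process tree.
IMAGES = {
    1264: "Explorer.EXE",
    2752: "DHL-SHIPPING-DOC-PDF.exe",
    2848: "DHL-SHIPPING-DOC-PDF.exe",
    2844: "DHL-SHIPPING-DOC-PDF.exe",
    1344: "systray.exe",
    1892: "cmd.exe",
}
# The two distinct Formbook-tagged memory dumps from the "Formbook payload" signature.
DUMPS = [
    "behavioral1/memory/2844-15-0x0000000000400000-0x000000000042F000-memory.dmp",
    "behavioral1/memory/1344-30-0x0000000000090000-0x00000000000BF000-memory.dmp",
]
# Reconstructed self-deletion command line (image path + arguments from the tree).
SELF_DELETE_CMD = r'C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\Admin\AppData\Local\Temp\DHL-SHIPPING-DOC-PDF.exe"'

ROW_RE = re.compile(r"PID (\d+) (wrote to memory of|set thread context of) (\d+) \d+ \S+ \d+")
DUMP_RE = re.compile(r"/(\d+)-\d+-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")


def parse_rows(text):
    """Return (src_pid, verb, dst_pid) tuples; verb is 'write' or 'ctx'."""
    events = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            src, verb, dst = m.groups()
            events.append((int(src), "write" if verb.startswith("wrote") else "ctx", int(dst)))
    return events


def classify_injections(events, images):
    """Label every (src, dst) pair by the combination of APIs seen on it.

    write + SetThreadContext into a child of the same image is process hollowing;
    SetThreadContext alone into a foreign image is a thread hijack; a write alone is
    what any parent does while starting a child, so it is reported but not flagged.
    """
    pairs = {}
    for src, verb, dst in events:
        pairs.setdefault((src, dst), set()).add(verb)
    findings = []
    for (src, dst), verbs in sorted(pairs.items()):
        if verbs == {"write", "ctx"} and images[src] == images[dst]:
            kind = "hollowing: parent rewrites and redirects its own child image"
        elif "ctx" in verbs and images[src] != images[dst]:
            kind = f"thread hijack into {images[dst]}"
        elif verbs == {"write"}:
            kind = "memory write only (normal for process start-up)"
        else:
            kind = "unclassified"
        findings.append((src, dst, kind))
    return findings


def dump_regions(names):
    """(pid, base, size) per tagged dump; equal sizes suggest one payload copied around."""
    regions = []
    for name in names:
        m = DUMP_RE.search(name)
        if m:
            pid, start, end = int(m.group(1)), int(m.group(2), 16), int(m.group(3), 16)
            regions.append((pid, start, end - start))
    return regions


def is_self_delete(cmdline):
    """Match the 'cmd.exe /c del <something>.exe' pattern, case-insensitively."""
    return re.search(r'cmd(\.exe)?\s+/c\s+del\s+"?[^"]*\.exe"?', cmdline, re.IGNORECASE) is not None


if __name__ == "__main__":
    events = parse_rows(WRITE_ROWS) + parse_rows(CTX_ROWS)
    for finding in classify_injections(events, IMAGES):
        print(finding)
    for pid, base, size in dump_regions(DUMPS):
        print(f"pid {pid}: base 0x{base:X} size 0x{size:X}")
    print("self-delete:", is_self_delete(SELF_DELETE_CMD))
```

Run as-is, the script flags 2752 -> 2844 as hollowing, 2844 -> 1264 and 1344 -> 1264 as thread hijacks into Explorer.EXE, reports the remaining pairs as plain start-up writes, shows both Formbook regions as 0x2F000 bytes, and matches the self-delete command. The hollowing rule deliberately requires both a write and SetThreadContext on the same pair; a write alone (1264 -> 1344 here) is what every parent does when it creates a child, and treating it as injection produces noise.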
Processes

C:\Windows\Explorer.EXE  (PID 1264, level 1)
  command line: C:\Windows\Explorer.EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\DHL-SHIPPING-DOC-PDF.exe  (PID 2752, level 2)
    command line: "C:\Users\Admin\AppData\Local\Temp\DHL-SHIPPING-DOC-PDF.exe"
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\DHL-SHIPPING-DOC-PDF.exe  (PID 2848, level 3)
      command line: "C:\Users\Admin\AppData\Local\Temp\DHL-SHIPPING-DOC-PDF.exe"
      - System Network Configuration Discovery: Internet Connection Discovery

    C:\Users\Admin\AppData\Local\Temp\DHL-SHIPPING-DOC-PDF.exe  (PID 2844, level 3)
      command line: "C:\Users\Admin\AppData\Local\Temp\DHL-SHIPPING-DOC-PDF.exe"
      - Suspicious use of SetThreadContext
      - System Network Configuration Discovery: Internet Connection Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\systray.exe  (PID 1344, level 2)
    command line: "C:\Windows\SysWOW64\systray.exe"
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe  (PID 1892, level 3)
      command line: /c del "C:\Users\Admin\AppData\Local\Temp\DHL-SHIPPING-DOC-PDF.exe"
      - Deletes itself
      - System Location Discovery: System Language Discovery
      - System Network Configuration Discovery: Internet Connection Discovery

Reading the tree: the dropper (PID 2752) starts two copies of itself; the second copy (PID 2844) is the one that is hollowed and holds the Formbook payload at 0x400000. systray.exe (PID 1344) sits under Explorer.EXE rather than under the sample: after 2844 set Explorer's thread context, Explorer started systray.exe and wrote to its memory (the 1264 -> 1344 WriteProcessMemory entries), systray.exe then holds a same-sized Formbook region and launches cmd.exe to delete the original dropper from Temp. For hunting, the parent-child link Explorer.EXE -> SysWOW64\systray.exe followed by a cmd.exe /c del of an executable in the user's Temp directory is the chain to alert on; the dropper name itself (a PDF-themed .exe) is disposable.