Analysis

  • max time kernel
    148s
  • max time network
    143s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    25/11/2024, 00:33 UTC

General

  • Target

    inquiry.exe

  • Size

    1.1MB

  • MD5

    bdcaea5a90a95e1ac6e710c7eb59d6e5

  • SHA1

    41ad452e6ab3a2d3ff745b4936623e426a9a882e

  • SHA256

    4bf978ec447793b5945d346db1d2c4f9585cd9314071f13a79bb070577419696

  • SHA512

    48dd28be3df0d5c8c9fd1e8f091c1827d8b3686406550d3f25ef32a9b5bc1da50a5a812c4daa9744adfd6655d8165b0d2ce8dc42b4819cfdb6c1f792bcdfa3aa

  • SSDEEP

    24576:ztb20pkaCqT5TBWgNQ7aKN00yvWi8JXIREMs6A:wVg5tQ7aK6DSlV5

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

cl21

Decoy

0001.shop

earch-parttimejobs.today

are888.top

akanhaunthipped.shop

othing-heyu.xyz

cadvirsor.net

nclanalae.shop

lectric-cars-mexico.today

oxj-question.xyz

ersonalloanoffers.today

ersonalloans-fo54-fo37.click

verybody-ewfx.xyz

ercuremontauban.media

azilimdunyam.net

airs-clinicato.today

wiftsscend.click

ertainly-jbws.xyz

8xeng.app

damekadmitageable.cfd

ollapsedec.shop

Signatures

  • Formbook

    Formbook is an information stealer: it grabs credentials and form data from browsers and other clients, logs keystrokes, takes screenshots and exfiltrates the results over HTTP to a C2 server that it hides among the decoy domains carried in its config.

  • Formbook family
  • Formbook payload 3 IoCs
  • AutoIT Executable 1 IoCs

    AutoIT scripts compiled to PE executables.

  • Suspicious use of SetThreadContext 3 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of the victim host in order to infer its geographical location.

  • Suspicious behavior: EnumeratesProcesses 62 IoCs
  • Suspicious behavior: MapViewOfSection 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3452
    • C:\Users\Admin\AppData\Local\Temp\inquiry.exe
      "C:\Users\Admin\AppData\Local\Temp\inquiry.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of WriteProcessMemory
      PID:1560
      • C:\Windows\SysWOW64\svchost.exe
        "C:\Users\Admin\AppData\Local\Temp\inquiry.exe"
        3⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        PID:4880
    • C:\Windows\SysWOW64\rundll32.exe
      "C:\Windows\SysWOW64\rundll32.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:5088
      • C:\Windows\SysWOW64\cmd.exe
        /c del "C:\Windows\SysWOW64\svchost.exe"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:4208
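
The process tree above shows the indicators a detection engineer would key on: a system binary (svchost.exe) whose command line names a different executable (the hollowed inquiry.exe copy), that system binary being spawned by a process living in %TEMP%, rundll32.exe launched with no DLL argument, and cmd.exe deleting an executable. The following is an added example (not part of the Triage report) that encodes those four checks and runs them over constructed process-creation records copied from the tree; the record layout is an assumption loosely modelled on Sysmon process-creation events.

```python
"""
Detection checks for the injection chain in the Formbook process tree:
  1. image/command-line mismatch (process-hollowing indicator)
  2. system binary spawned by a process in a user-writable directory
  3. rundll32.exe started with no DLL argument
  4. cmd.exe used to delete an executable (clean-up)
Added example; the event format is an assumption, not Triage's own.
"""
import ntpath
import re

# Constructed records mirroring the process tree in the report. PIDs, image
# paths and command lines are copied from the page; the dict layout is ours.
SAMPLE_EVENTS = [
    {"pid": 3452, "ppid": 0, "image": r"C:\Windows\Explorer.EXE",
     "cmdline": r"C:\Windows\Explorer.EXE"},
    {"pid": 1560, "ppid": 3452,
     "image": r"C:\Users\Admin\AppData\Local\Temp\inquiry.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\inquiry.exe"'},
    {"pid": 4880, "ppid": 1560, "image": r"C:\Windows\SysWOW64\svchost.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\inquiry.exe"'},
    {"pid": 5088, "ppid": 3452, "image": r"C:\Windows\SysWOW64\rundll32.exe",
     "cmdline": r'"C:\Windows\SysWOW64\rundll32.exe"'},
    {"pid": 4208, "ppid": 5088, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r'/c del "C:\Windows\SysWOW64\svchost.exe"'},
]

SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")


def split_cmdline(cmdline):
    """Return (argv0, rest); argv0 may be a quoted path containing spaces."""
    s = cmdline.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        if end < 0:
            return s[1:], ""
        return s[1:end], s[end + 1:].strip()
    parts = s.split(None, 1)
    if not parts:
        return "", ""
    return parts[0], (parts[1].strip() if len(parts) > 1 else "")


def looks_like_exe(token):
    return "\\" in token or token.lower().endswith(".exe")


def is_user_writable(path):
    return any(marker in path.lower() for marker in USER_WRITABLE)


def detect(events):
    """Return a list of (pid, finding) tuples, in event order."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        img = e["image"].lower()
        base = ntpath.basename(img)
        argv0, rest = split_cmdline(e["cmdline"])
        parent = by_pid.get(e["ppid"])

        # 1. The executable named in argv[0] is not the one actually mapped:
        #    how the hollowed svchost.exe shows up in the tree.
        if looks_like_exe(argv0) and ntpath.basename(argv0.lower()) != base:
            findings.append((e["pid"], "image/cmdline mismatch"))

        # 2. A System32/SysWOW64 binary whose parent runs from %TEMP% or similar.
        if img.startswith(SYSTEM_DIRS) and parent and is_user_writable(parent["image"]):
            findings.append((e["pid"], "system binary spawned from user-writable path"))

        # 3. rundll32.exe normally needs "<dll>,<export>"; no argument is abnormal.
        if base == "rundll32.exe" and not rest:
            findings.append((e["pid"], "rundll32 without arguments"))

        # 4. cmd.exe deleting an .exe: the clean-up step at the end of the tree.
        if base == "cmd.exe" and re.search(r"\bdel\b.*\.exe", e["cmdline"], re.I):
            findings.append((e["pid"], "cmd del of executable"))
    return findings


if __name__ == "__main__":
    for pid, finding in detect(SAMPLE_EVENTS):
        print(f"PID {pid}: {finding}")
```

Run over the constructed tree this reports PID 4880 twice (mismatch and suspicious parent), PID 5088 for the argument-less rundll32 and PID 4208 for the delete; Explorer and the original inquiry.exe produce nothing, which is the point: the dropper itself looks ordinary, the injected hosts do not.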

Network

  All lookups were sent to 8.8.8.8:53. Response is the record returned, or (none) where the report shows no answer. Sent/Recv are bytes on the wire; Req/Resp are the number of DNS request and response packets.

  Query                          | Type   | Response                                           | Sent  | Recv  | Req | Resp
  -------------------------------|--------|----------------------------------------------------|-------|-------|-----|-----
  8.8.8.8.in-addr.arpa           | PTR    | dns.google                                         |  66 B |  90 B |  1  |  1
  133.211.185.52.in-addr.arpa    | PTR    | (none)                                             |  73 B | 147 B |  1  |  1
  71.159.190.20.in-addr.arpa     | PTR    | (none)                                             |  72 B | 158 B |  1  |  1
  96.36.72.23.in-addr.arpa       | PTR    | a23-72-36-96.deploy.static.akamaitechnologies.com  |  70 B | 133 B |  1  |  1
  28.118.140.52.in-addr.arpa     | PTR    | (none)                                             |  72 B | 158 B |  1  |  1
  212.20.149.52.in-addr.arpa     | PTR    | (none)                                             |  72 B | 146 B |  1  |  1
  198.187.3.20.in-addr.arpa      | PTR    | (none)                                             |  71 B | 157 B |  1  |  1
  172.210.232.199.in-addr.arpa   | PTR    | (none)                                             |  74 B | 128 B |  1  |  1
  www.ollapsedec.shop            | A (x2) | (none)                                             | 130 B | 244 B |  2  |  2
  www.xrjgq-prepare.xyz          | A      | (none)                                             |  67 B | 132 B |  1  |  1
  81.144.22.2.in-addr.arpa       | PTR    | a2-22-144-81.deploy.static.akamaitechnologies.com  |  70 B | 133 B |  1  |  1
  19.229.111.52.in-addr.arpa     | PTR    | (none)                                             |  72 B | 158 B |  1  |  1
  www.ingledatings46.xyz         | A      | (none)                                             |  68 B | 133 B |  1  |  1
  172.214.232.199.in-addr.arpa   | PTR    | (none)                                             |  74 B | 128 B |  1  |  1
  www.qbdl-base.xyz              | A      | (none)                                             |  63 B | 128 B |  1  |  1
  www.rsenalatamanaxweed.shop    | A      | (none)                                             |  73 B | 130 B |  1  |  1
  www.ultplanlz.click            | A      | (none)                                             |  65 B | 130 B |  1  |  1

  The www.* A lookups are the sample's own beaconing (www.ollapsedec.shop matches the decoy ollapsedec.shop in the extracted config); none of them received an address in this run. The PTR lookups are reverse lookups of infrastructure addresses and, where they resolve at all, point at Google DNS and Akamai CDN hosts.

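Formbook beacons to the decoy domains in its config interleaved with its real C2, so a useful triage step is to correlate the DNS activity with the extracted config: which listed decoys were actually contacted, which queried names are not in the list at all, and which reverse lookups are just environment noise. The following is an added example (not part of the Triage report) that does this over a constructed log built from the Network section; the one-query-per-line format is an assumption of the example, and the decoy list is copied from the Malware Config above.

```python
"""
Correlate sandbox DNS activity with the extracted Formbook decoy list.
Added example; the log format is constructed, not Triage's export format.
"""
import re
from collections import Counter

# Decoy domains from the extracted config on the page.
DECOYS = {
    "0001.shop", "earch-parttimejobs.today", "are888.top",
    "akanhaunthipped.shop", "othing-heyu.xyz", "cadvirsor.net",
    "nclanalae.shop", "lectric-cars-mexico.today", "oxj-question.xyz",
    "ersonalloanoffers.today", "ersonalloans-fo54-fo37.click",
    "verybody-ewfx.xyz", "ercuremontauban.media", "azilimdunyam.net",
    "airs-clinicato.today", "wiftsscend.click", "ertainly-jbws.xyz",
    "8xeng.app", "damekadmitageable.cfd", "ollapsedec.shop",
}

# Constructed log, one query per line: "<name> <rrtype> <answer or ->".
# Names and answers are those in the Network section; the layout is ours.
DNS_LOG = """\
8.8.8.8.in-addr.arpa PTR dns.google
133.211.185.52.in-addr.arpa PTR -
71.159.190.20.in-addr.arpa PTR -
96.36.72.23.in-addr.arpa PTR a23-72-36-96.deploy.static.akamaitechnologies.com
28.118.140.52.in-addr.arpa PTR -
212.20.149.52.in-addr.arpa PTR -
198.187.3.20.in-addr.arpa PTR -
172.210.232.199.in-addr.arpa PTR -
www.ollapsedec.shop A -
www.ollapsedec.shop A -
www.xrjgq-prepare.xyz A -
81.144.22.2.in-addr.arpa PTR a2-22-144-81.deploy.static.akamaitechnologies.com
19.229.111.52.in-addr.arpa PTR -
www.ingledatings46.xyz A -
172.214.232.199.in-addr.arpa PTR -
www.qbdl-base.xyz A -
www.rsenalatamanaxweed.shop A -
www.ultplanlz.click A -
"""

PTR_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)\.(\d+)\.in-addr\.arpa$", re.I)


def ptr_to_ip(name):
    """'133.211.185.52.in-addr.arpa' -> '52.185.211.133'; None if not a PTR name."""
    m = PTR_RE.match(name)
    return ".".join(reversed(m.groups())) if m else None


def parse_dns_log(text):
    queries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        name, rrtype, answer = line.split(maxsplit=2)
        queries.append({"name": name.lower().rstrip("."),
                        "type": rrtype.upper(),
                        "answer": None if answer == "-" else answer})
    return queries


def strip_www(name):
    return name[4:] if name.startswith("www.") else name


def correlate(queries, decoys):
    """Split queries into reverse lookups (IP -> answer) and forward lookups,
    then match the forward names against the config's decoy list."""
    decoys = {d.lower() for d in decoys}
    reverse = {}
    forward = Counter()
    for q in queries:
        ip = ptr_to_ip(q["name"])
        if q["type"] == "PTR" and ip:
            reverse[ip] = q["answer"]          # infrastructure noise, kept for context
        else:
            forward[strip_www(q["name"])] += 1
    return {
        "reverse": reverse,
        "matched": {d: n for d, n in forward.items() if d in decoys},
        "unmatched": {d: n for d, n in forward.items() if d not in decoys},
        "not_contacted": sorted(decoys - set(forward)),
        # everything worth sinkholing: config domains plus anything actually queried
        "blocklist": sorted(decoys | set(forward)),
    }


if __name__ == "__main__":
    result = correlate(parse_dns_log(DNS_LOG), DECOYS)
    for key in ("matched", "unmatched", "not_contacted"):
        print(key, result[key])
```

On this report only one of the twenty listed decoys (ollapsedec.shop) was queried in the 143 s network window, while five queried names are absent from the extracted list; those five are the ones to pivot on when hunting for the live C2, and the combined blocklist is the set a DNS sinkhole or RPZ should carry.
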
MITRE ATT&CK Enterprise v15

  • Discovery: T1614.001 System Location Discovery: System Language Discovery (the one TTP tagged in Signatures above)


Downloads

  • memory/1560-6-0x00000000013B0000-0x00000000017B0000-memory.dmp

    Filesize

    4.0MB

  • memory/3452-17-0x0000000002B60000-0x0000000002CD9000-memory.dmp

    Filesize

    1.5MB

  • memory/3452-24-0x0000000008C60000-0x0000000008DED000-memory.dmp

    Filesize

    1.6MB

  • memory/3452-22-0x0000000008C60000-0x0000000008DED000-memory.dmp

    Filesize

    1.6MB

  • memory/3452-21-0x0000000008C60000-0x0000000008DED000-memory.dmp

    Filesize

    1.6MB

  • memory/3452-12-0x0000000002B60000-0x0000000002CD9000-memory.dmp

    Filesize

    1.5MB

  • memory/4880-11-0x0000000001740000-0x0000000001754000-memory.dmp

    Filesize

    80KB

  • memory/4880-10-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

  • memory/4880-8-0x0000000001200000-0x000000000154A000-memory.dmp

    Filesize

    3.3MB

  • memory/4880-7-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

  • memory/5088-15-0x00000000001D0000-0x00000000001E4000-memory.dmp

    Filesize

    80KB

  • memory/5088-16-0x0000000000E00000-0x0000000000E2F000-memory.dmp

    Filesize

    188KB

  • memory/5088-13-0x00000000001D0000-0x00000000001E4000-memory.dmp

    Filesize

    80KB
