Analysis

  • max time kernel
    150s
  • max time network
    148s
  • platform
    windows7_x64
  • resource
    win7-20241023-en
  • resource tags
    arch:x64, arch:x86, image:win7-20241023-en, locale:en-us, os:windows7-x64, system
  • submitted
    03/12/2024, 02:59 UTC

General

  • Target
    c5a0052ac65201d36e99aa9719bb2daaae6d2faf98941a2b4f5c12a5946934ba.exe
  • Size
    1.3MB
  • MD5
    9dba20e8a9b2ba8aaa80da65d85daea4
  • SHA1
    d652d051654c475c11f362104c80fb1a69ecd282
  • SHA256
    c5a0052ac65201d36e99aa9719bb2daaae6d2faf98941a2b4f5c12a5946934ba
  • SHA512
    b78411da91706f35af5d11d149ac0eecc1a7c6637e8c9567512c2cb510c5824e4a6a63b13838f6ad55e87df6a36391295b0f5e9a91982f37c967832ad0721ce4
  • SSDEEP
    24576:vtb20pkaCqT5TBWgNQ7aFokJHs8qKo10IiGgvuP5Kg6A:sVg5tQ7aukJHtqKo10IiJv25

Malware Config

Extracted

  • Family
    formbook
  • Version
    4.1
  • Campaign
    ud04
  • Decoy


Signatures

  • Formbook

    Formbook is a data-stealing malware family (an information stealer).

  • Formbook family
  • Formbook payload 3 IoCs
  • Suspicious use of SetThreadContext 3 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of the victim host in order to infer its geographical location.

  • Suspicious behavior: EnumeratesProcesses 31 IoCs
  • Suspicious behavior: MapViewOfSection 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 6 IoCs
  • Suspicious use of SendNotifyMessage 4 IoCs
  • Suspicious use of WriteProcessMemory 13 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:1100
    • C:\Users\Admin\AppData\Local\Temp\c5a0052ac65201d36e99aa9719bb2daaae6d2faf98941a2b4f5c12a5946934ba.exe
      "C:\Users\Admin\AppData\Local\Temp\c5a0052ac65201d36e99aa9719bb2daaae6d2faf98941a2b4f5c12a5946934ba.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:2160
      • C:\Windows\SysWOW64\svchost.exe
        "C:\Users\Admin\AppData\Local\Temp\c5a0052ac65201d36e99aa9719bb2daaae6d2faf98941a2b4f5c12a5946934ba.exe"
        3⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        PID:2364
    • C:\Windows\SysWOW64\control.exe
      "C:\Windows\SysWOW64\control.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2180
      • C:\Windows\SysWOW64\cmd.exe
        /c del "C:\Windows\SysWOW64\svchost.exe"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2316

Network

  • DNS: www.iuxy.host IN A, from Explorer.EXE to 8.8.8.8:53 (59 B out, 124 B in); Response: (empty)
  • DNS: www.raquewear.shop IN A, from Explorer.EXE to 8.8.8.8:53 (64 B out, 121 B in); Response: (empty)
  • DNS: www.oum7.pro IN A, from Explorer.EXE to 8.8.8.8:53 (58 B out, 140 B in); Response: (empty)
  • DNS: www.2creativedesign.online IN A, from Explorer.EXE to 8.8.8.8:53 (72 B out, 137 B in); Response: (empty)
  • DNS: www.alance-ton-budget.net IN A, from Explorer.EXE to 8.8.8.8:53 (71 B out, 144 B in); Response: (empty)

MITRE ATT&CK Enterprise v15

Downloads

  • memory/1100-18-0x0000000004F70000-0x0000000005050000-memory.dmp (Filesize: 896KB)
  • memory/1100-27-0x00000000050E0000-0x00000000051E7000-memory.dmp (Filesize: 1.0MB)
  • memory/1100-25-0x00000000050E0000-0x00000000051E7000-memory.dmp (Filesize: 1.0MB)
  • memory/1100-11-0x0000000003B70000-0x0000000003C70000-memory.dmp (Filesize: 1024KB)
  • memory/1100-13-0x0000000004F70000-0x0000000005050000-memory.dmp (Filesize: 896KB)
  • memory/1100-24-0x00000000050E0000-0x00000000051E7000-memory.dmp (Filesize: 1.0MB)
  • memory/2160-6-0x00000000006D0000-0x0000000000AD0000-memory.dmp (Filesize: 4.0MB)
  • memory/2180-14-0x0000000000E00000-0x0000000000E1F000-memory.dmp (Filesize: 124KB)
  • memory/2180-16-0x0000000000E00000-0x0000000000E1F000-memory.dmp (Filesize: 124KB)
  • memory/2180-17-0x0000000000080000-0x00000000000AF000-memory.dmp (Filesize: 188KB)
  • memory/2364-12-0x0000000000250000-0x0000000000264000-memory.dmp (Filesize: 80KB)
  • memory/2364-10-0x0000000000400000-0x000000000042F000-memory.dmp (Filesize: 188KB)
  • memory/2364-8-0x0000000000700000-0x0000000000A03000-memory.dmp (Filesize: 3.0MB)
  • memory/2364-7-0x0000000000400000-0x000000000042F000-memory.dmp (Filesize: 188KB)
