Analysis

  • max time kernel
    94s
  • max time network
    139s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    03/12/2024, 14:25 UTC

General

  • Target

    03369b54bd959d9f0f02b5ce734d502ddcddfee109fed5345c84ae0f365bebf6.exe

  • Size

    658KB

  • MD5

    c969389f57b8748516c408694e11189e

  • SHA1

    7ec5fbfe88a6a8d54c647bcc73ac315b513fca92

  • SHA256

    03369b54bd959d9f0f02b5ce734d502ddcddfee109fed5345c84ae0f365bebf6

  • SHA512

    7826cf7c6dc9f556b885fcee682c70cfca2da36f4596838bee85427447d6b129e84d9d43e3a31935525bd21a3b1a5b16c17da0155b96ef7e4774099bfbef06db

  • SSDEEP

    12288:Ucir1S2IoOAc6/5rZGmy4unKZno/iDDjPPqmgucrl4M5iYXybz8xaMhLdrn8qdMW:1nK9o67ZguinMbIxaMhJD8yMEE0

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

fh84

Decoy

Signatures

  • Formbook

    Formbook is an information-stealing malware family.

  • Formbook family
  • Formbook payload 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\03369b54bd959d9f0f02b5ce734d502ddcddfee109fed5345c84ae0f365bebf6.exe
    "C:\Users\Admin\AppData\Local\Temp\03369b54bd959d9f0f02b5ce734d502ddcddfee109fed5345c84ae0f365bebf6.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:5096
    • C:\Users\Admin\AppData\Local\Temp\03369b54bd959d9f0f02b5ce734d502ddcddfee109fed5345c84ae0f365bebf6.exe
      "C:\Users\Admin\AppData\Local\Temp\03369b54bd959d9f0f02b5ce734d502ddcddfee109fed5345c84ae0f365bebf6.exe"
      2⤵
        PID:2124
      • C:\Users\Admin\AppData\Local\Temp\03369b54bd959d9f0f02b5ce734d502ddcddfee109fed5345c84ae0f365bebf6.exe
        "C:\Users\Admin\AppData\Local\Temp\03369b54bd959d9f0f02b5ce734d502ddcddfee109fed5345c84ae0f365bebf6.exe"
        2⤵
        • Suspicious behavior: EnumeratesProcesses
        PID:4252

    Network

    • flag-us
      DNS
      97.17.167.52.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      97.17.167.52.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      172.210.232.199.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      172.210.232.199.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      138.32.126.40.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      138.32.126.40.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      95.221.229.192.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      95.221.229.192.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      58.55.71.13.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      58.55.71.13.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      50.23.12.20.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      50.23.12.20.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      18.31.95.13.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      18.31.95.13.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      217.135.221.88.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      217.135.221.88.in-addr.arpa
      IN PTR
      Response
      217.135.221.88.in-addr.arpa
      IN PTR
      a88-221-135-217.deploy.static.akamaitechnologies.com
    • flag-us
      DNS
      172.214.232.199.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      172.214.232.199.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      23.236.111.52.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      23.236.111.52.in-addr.arpa
      IN PTR
      Response
    • 8.8.8.8:53
      97.17.167.52.in-addr.arpa
      dns
      71 B
      145 B
      1
      1

      DNS Request

      97.17.167.52.in-addr.arpa

    • 8.8.8.8:53
      172.210.232.199.in-addr.arpa
      dns
      74 B
      128 B
      1
      1

      DNS Request

      172.210.232.199.in-addr.arpa

    • 8.8.8.8:53
      138.32.126.40.in-addr.arpa
      dns
      72 B
      158 B
      1
      1

      DNS Request

      138.32.126.40.in-addr.arpa

    • 8.8.8.8:53
      95.221.229.192.in-addr.arpa
      dns
      73 B
      144 B
      1
      1

      DNS Request

      95.221.229.192.in-addr.arpa

    • 8.8.8.8:53
      58.55.71.13.in-addr.arpa
      dns
      70 B
      144 B
      1
      1

      DNS Request

      58.55.71.13.in-addr.arpa

    • 8.8.8.8:53
      50.23.12.20.in-addr.arpa
      dns
      70 B
      156 B
      1
      1

      DNS Request

      50.23.12.20.in-addr.arpa

    • 8.8.8.8:53
      18.31.95.13.in-addr.arpa
      dns
      70 B
      144 B
      1
      1

      DNS Request

      18.31.95.13.in-addr.arpa

    • 8.8.8.8:53
      217.135.221.88.in-addr.arpa
      dns
      73 B
      139 B
      1
      1

      DNS Request

      217.135.221.88.in-addr.arpa

    • 8.8.8.8:53
      172.214.232.199.in-addr.arpa
      dns
      74 B
      128 B
      1
      1

      DNS Request

      172.214.232.199.in-addr.arpa

    • 8.8.8.8:53
      23.236.111.52.in-addr.arpa
      dns
      72 B
      158 B
      1
      1

      DNS Request

      23.236.111.52.in-addr.arpa

    MITRE ATT&CK Enterprise v15

    Downloads

    • memory/4252-11-0x0000000000400000-0x000000000042F000-memory.dmp

      Filesize

      188KB

    • memory/4252-14-0x00000000016A0000-0x00000000019EA000-memory.dmp

      Filesize

      3.3MB

    • memory/5096-6-0x0000000074F7E000-0x0000000074F7F000-memory.dmp

      Filesize

      4KB

    • memory/5096-3-0x0000000004CB0000-0x0000000004D42000-memory.dmp

      Filesize

      584KB

    • memory/5096-4-0x0000000074F70000-0x0000000075720000-memory.dmp

      Filesize

      7.7MB

    • memory/5096-5-0x0000000004D80000-0x0000000004D8A000-memory.dmp

      Filesize

      40KB

    • memory/5096-0-0x0000000074F7E000-0x0000000074F7F000-memory.dmp

      Filesize

      4KB

    • memory/5096-7-0x0000000074F70000-0x0000000075720000-memory.dmp

      Filesize

      7.7MB

    • memory/5096-8-0x00000000050B0000-0x00000000050C2000-memory.dmp

      Filesize

      72KB

    • memory/5096-9-0x0000000007880000-0x00000000078F6000-memory.dmp

      Filesize

      472KB

    • memory/5096-10-0x000000000A010000-0x000000000A0AC000-memory.dmp

      Filesize

      624KB

    • memory/5096-2-0x0000000005260000-0x0000000005804000-memory.dmp

      Filesize

      5.6MB

    • memory/5096-13-0x0000000074F70000-0x0000000075720000-memory.dmp

      Filesize

      7.7MB

    • memory/5096-1-0x0000000000280000-0x000000000032A000-memory.dmp

      Filesize

      680KB