Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

a3d145e3c7...f2.exe

windows7-x64

10

a3d145e3c7...f2.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    93s
  • max time network
    140s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    21/12/2024, 21:44

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    a3d145e3c72db7ea3e18a306410a0445222a8ce83235794dc404dd470843caf2.exe

  • Size

    771KB

  • MD5

    061af339cbf1835f53f9b84ff1c49c21

  • SHA1

    7da36c353e199e2c097233653d48b26ae3de0c43

  • SHA256

    a3d145e3c72db7ea3e18a306410a0445222a8ce83235794dc404dd470843caf2

  • SHA512

    ba657afd8c62539d93f696fcc0a2c0ea4315f5172592cdddbf9aae9f686d8193bad5a6419fd50d08df5fdb537f9ebaf3a5f61261f822b67f76695d0bf2dd9f42

  • SSDEEP

    12288:4X3bbJTSjkURroDEor+HXtqbL2cikjfCYV:k3RInyysbL2cr

Score
10/10
formbooko27jdiscoveryevasionexecutionratspywarestealertrojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

o27j

Decoy

jimchim.club

aerovistasllc.com

gpdy5-zxs4j-8-ee.xyz

ilzro.tech

tesringnyc.com

dubulk.com

humiservice.com

torrentpa.com

kiralikbahisayfalari.com

tokoporn.xyz

pihgos.xyz

ultimateguirtar.com

awanpetir.com

mywafflehelps.com

synergy.cfd

spatialdraftingsolutions.com

psmf.xyz

jazzontime.com

blns-law.com

more2moors.com

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • Formbook family
    formbook
  • Formbook payload 1 IoCs
    rat
  • Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs
    evasion
  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Looks for VMWare Tools registry key 2 TTPs 1 IoCs
    evasion
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Maps connected drives based on registry 3 TTPs 2 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a3d145e3c72db7ea3e18a306410a0445222a8ce83235794dc404dd470843caf2.exe
    "C:\Users\Admin\AppData\Local\Temp\a3d145e3c72db7ea3e18a306410a0445222a8ce83235794dc404dd470843caf2.exe"
    1⤵
    • Looks for VirtualBox Guest Additions in registry
    • Looks for VMWare Tools registry key
    • Checks BIOS information in registry
    • Checks computer location settings
    • Maps connected drives based on registry
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4952
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\a3d145e3c72db7ea3e18a306410a0445222a8ce83235794dc404dd470843caf2.exe"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3236
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\gtHrTmufpkwAg.exe"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3472
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\gtHrTmufpkwAg" /XML "C:\Users\Admin\AppData\Local\Temp\tmp6FEB.tmp"
      2⤵
      • System Location Discovery: System Language Discovery
      • Scheduled Task/Job: Scheduled Task
      PID:4692
    • C:\Users\Admin\AppData\Local\Temp\a3d145e3c72db7ea3e18a306410a0445222a8ce83235794dc404dd470843caf2.exe
      "C:\Users\Admin\AppData\Local\Temp\a3d145e3c72db7ea3e18a306410a0445222a8ce83235794dc404dd470843caf2.exe"
      2⤵
        PID:1872
      • C:\Users\Admin\AppData\Local\Temp\a3d145e3c72db7ea3e18a306410a0445222a8ce83235794dc404dd470843caf2.exe
        "C:\Users\Admin\AppData\Local\Temp\a3d145e3c72db7ea3e18a306410a0445222a8ce83235794dc404dd470843caf2.exe"
        2⤵
        • Suspicious behavior: EnumeratesProcesses
        PID:4156

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
      Filesize

      2KB

      MD5

      3d086a433708053f9bf9523e1d87a4e8

      SHA1

      b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28

      SHA256

      6f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69

      SHA512

      931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
      Filesize

      18KB

      MD5

      723bad859f3e9aad01a3ae7bd8be8c4c

      SHA1

      eb2d782ca34b871dfb8f4cd778c91539e8e91195

      SHA256

      a0aedc654851469b23b02f3bd3b7fcc9004b8e939dafe9b95865e7cb2fcd41e7

      SHA512

      88a2c0d53606b6c7c8dddac5f0d5ba60b4efc175575da7adf1b45994bf41a6e84ac36b92bad82413ba734e3ff9c1943ccaf06600829cac3785e40e825f0d69d0

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_4wnrfoqh.vth.ps1
      Filesize

      60B

      MD5

      d17fe0a3f47be24a6453e9ef58c94641

      SHA1

      6ab83620379fc69f80c0242105ddffd7d98d5d9d

      SHA256

      96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

      SHA512

      5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\tmp6FEB.tmp
      Filesize

      1KB

      MD5

      48460c1a96d3ca01d3dcaaba634966f4

      SHA1

      646ed2c595f8bc99a55a825e09a072a0d9505cec

      SHA256

      00d0e7cc775c3b6cf3a0289b422e9cbf314cd126e273c428ca782676ab3507c2

      SHA512

      e565893d306ac5709fb867f6516de3c0df3cb4fc418f09e6a999d5ab81b2e087ff0df2a9d37db8853192f5b410d3edb6389482733f35c5d4ab6cd9b9e580d1f6

      Download Submit

    • memory/3236-74-0x0000000006FF0000-0x000000000700A000-memory.dmp

      Filesize

      104KB

      Download

    • memory/3236-75-0x0000000007060000-0x000000000706A000-memory.dmp

      Filesize

      40KB

      Download

    • memory/3236-48-0x0000000005CA0000-0x0000000005CBE000-memory.dmp

      Filesize

      120KB

      Download

    • memory/3236-88-0x0000000075350000-0x0000000075B00000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/3236-81-0x0000000007310000-0x0000000007318000-memory.dmp

      Filesize

      32KB

      Download

    • memory/3236-80-0x0000000007330000-0x000000000734A000-memory.dmp

      Filesize

      104KB

      Download

    • memory/3236-79-0x0000000007230000-0x0000000007244000-memory.dmp

      Filesize

      80KB

      Download

    • memory/3236-78-0x0000000007220000-0x000000000722E000-memory.dmp

      Filesize

      56KB

      Download

    • memory/3236-13-0x0000000075350000-0x0000000075B00000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/3236-14-0x0000000004D90000-0x00000000053B8000-memory.dmp

      Filesize

      6.2MB

      Download

    • memory/3236-12-0x0000000004720000-0x0000000004756000-memory.dmp

      Filesize

      216KB

      Download

    • memory/3236-15-0x0000000004BE0000-0x0000000004C02000-memory.dmp

      Filesize

      136KB

      Download

    • memory/3236-16-0x00000000053C0000-0x0000000005426000-memory.dmp

      Filesize

      408KB

      Download

    • memory/3236-77-0x00000000071F0000-0x0000000007201000-memory.dmp

      Filesize

      68KB

      Download

    • memory/3236-26-0x0000000005690000-0x00000000059E4000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/3236-31-0x0000000075350000-0x0000000075B00000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/3236-76-0x0000000007270000-0x0000000007306000-memory.dmp

      Filesize

      600KB

      Download

    • memory/3236-73-0x0000000007630000-0x0000000007CAA000-memory.dmp

      Filesize

      6.5MB

      Download

    • memory/3236-52-0x0000000075C00000-0x0000000075C4C000-memory.dmp

      Filesize

      304KB

      Download

    • memory/3236-49-0x0000000005D30000-0x0000000005D7C000-memory.dmp

      Filesize

      304KB

      Download

    • memory/3472-72-0x0000000007360000-0x0000000007403000-memory.dmp

      Filesize

      652KB

      Download

    • memory/3472-87-0x0000000075350000-0x0000000075B00000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/3472-32-0x0000000075350000-0x0000000075B00000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/3472-51-0x0000000075C00000-0x0000000075C4C000-memory.dmp

      Filesize

      304KB

      Download

    • memory/3472-50-0x0000000007120000-0x0000000007152000-memory.dmp

      Filesize

      200KB

      Download

    • memory/3472-71-0x00000000070E0000-0x00000000070FE000-memory.dmp

      Filesize

      120KB

      Download

    • memory/3472-34-0x0000000075350000-0x0000000075B00000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/4156-45-0x0000000000400000-0x000000000042F000-memory.dmp

      Filesize

      188KB

      Download

    • memory/4952-3-0x00000000054B0000-0x0000000005542000-memory.dmp

      Filesize

      584KB

      Download

    • memory/4952-10-0x0000000008520000-0x0000000008598000-memory.dmp

      Filesize

      480KB

      Download

    • memory/4952-0-0x000000007535E000-0x000000007535F000-memory.dmp

      Filesize

      4KB

      Download

    • memory/4952-44-0x00000000068E0000-0x0000000006914000-memory.dmp

      Filesize

      208KB

      Download

    • memory/4952-6-0x00000000057E0000-0x00000000057F6000-memory.dmp

      Filesize

      88KB

      Download

    • memory/4952-4-0x0000000075350000-0x0000000075B00000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/4952-11-0x0000000008630000-0x0000000008696000-memory.dmp

      Filesize

      408KB

      Download

    • memory/4952-5-0x00000000053E0000-0x00000000053EA000-memory.dmp

      Filesize

      40KB

      Download

    • memory/4952-9-0x0000000075350000-0x0000000075B00000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/4952-8-0x000000007535E000-0x000000007535F000-memory.dmp

      Filesize

      4KB

      Download

    • memory/4952-7-0x00000000080F0000-0x000000000818C000-memory.dmp

      Filesize

      624KB

      Download

    • memory/4952-47-0x0000000075350000-0x0000000075B00000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/4952-2-0x0000000005A60000-0x0000000006004000-memory.dmp

      Filesize

      5.6MB

      Download

    • memory/4952-1-0x0000000000930000-0x00000000009F8000-memory.dmp

      Filesize

      800KB

      Download