Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
93s -
max time network
140s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
21/12/2024, 21:44
Static task
static1
Behavioral task
behavioral1
Sample
a3d145e3c72db7ea3e18a306410a0445222a8ce83235794dc404dd470843caf2.exe
Resource
win7-20240729-en
General
-
Target
a3d145e3c72db7ea3e18a306410a0445222a8ce83235794dc404dd470843caf2.exe
-
Size
771KB
-
MD5
061af339cbf1835f53f9b84ff1c49c21
-
SHA1
7da36c353e199e2c097233653d48b26ae3de0c43
-
SHA256
a3d145e3c72db7ea3e18a306410a0445222a8ce83235794dc404dd470843caf2
-
SHA512
ba657afd8c62539d93f696fcc0a2c0ea4315f5172592cdddbf9aae9f686d8193bad5a6419fd50d08df5fdb537f9ebaf3a5f61261f822b67f76695d0bf2dd9f42
-
SSDEEP
12288:4X3bbJTSjkURroDEor+HXtqbL2cikjfCYV:k3RInyysbL2cr
Malware Config
Extracted
formbook
4.1
o27j
jimchim.club
aerovistasllc.com
gpdy5-zxs4j-8-ee.xyz
ilzro.tech
tesringnyc.com
dubulk.com
humiservice.com
torrentpa.com
kiralikbahisayfalari.com
tokoporn.xyz
pihgos.xyz
ultimateguirtar.com
awanpetir.com
mywafflehelps.com
synergy.cfd
spatialdraftingsolutions.com
psmf.xyz
jazzontime.com
blns-law.com
more2moors.com
raickle.xyz
youguo001.xyz
fashiondelightful.quest
tshxpw.com
xn--sjqz3uqybb4fc7lu2b7zi.site
zzylmjj.com
rubymine.site
hunnong.top
uz9.bet
fidfaplus.com
halal-thuisbezorgd.site
lifestyleonlineshopping.com
waterbasedcamp.events
ivettezketodietofficial.site
aid-nongyankeji.site
cidgesg.site
stonedogpizza.com
xn--uis76cg5sy3cm9rrsc.site
expert-ceramic.com
50yearson.com
roosandroos.com
trapfreedombeatz.com
welcometoparadise-mc.com
kevinbrightstudio.com
week-lifecircle.com
43499v.com
jpsgb.xyz
eaem.xyz
soprintpcs.com
index-courierservices.xyz
finneybussa.com
respectiveusketo.site
nashvilleweddingshop.com
opptify.com
terra-station-walet.store
salamb.site
tiendalondonparis.com
brightmindsacademypcs.com
forteefy.com
3587office.com
hancydesigngroup.com
integral-erp.tech
lossvalue.com
uzumluvilla.com
decentralised-protection.tech
Signatures
-
Formbook family
-
Formbook payload 1 IoCs
resource yara_rule behavioral2/memory/4156-45-0x0000000000400000-0x000000000042F000-memory.dmp formbook -
Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Oracle\VirtualBox Guest Additions a3d145e3c72db7ea3e18a306410a0445222a8ce83235794dc404dd470843caf2.exe -
Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
pid Process 3236 powershell.exe 3472 powershell.exe -
Looks for VMWare Tools registry key 2 TTPs 1 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\VMware, Inc.\VMware Tools a3d145e3c72db7ea3e18a306410a0445222a8ce83235794dc404dd470843caf2.exe -
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion a3d145e3c72db7ea3e18a306410a0445222a8ce83235794dc404dd470843caf2.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion a3d145e3c72db7ea3e18a306410a0445222a8ce83235794dc404dd470843caf2.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation a3d145e3c72db7ea3e18a306410a0445222a8ce83235794dc404dd470843caf2.exe -
Maps connected drives based on registry 3 TTPs 2 IoCs
Disk information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum a3d145e3c72db7ea3e18a306410a0445222a8ce83235794dc404dd470843caf2.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 a3d145e3c72db7ea3e18a306410a0445222a8ce83235794dc404dd470843caf2.exe -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 4952 set thread context of 4156 4952 a3d145e3c72db7ea3e18a306410a0445222a8ce83235794dc404dd470843caf2.exe 98 -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language a3d145e3c72db7ea3e18a306410a0445222a8ce83235794dc404dd470843caf2.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language powershell.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language powershell.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language schtasks.exe -
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 4692 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 8 IoCs
pid Process 3236 powershell.exe 3472 powershell.exe 3236 powershell.exe 4952 a3d145e3c72db7ea3e18a306410a0445222a8ce83235794dc404dd470843caf2.exe 4952 a3d145e3c72db7ea3e18a306410a0445222a8ce83235794dc404dd470843caf2.exe 4156 a3d145e3c72db7ea3e18a306410a0445222a8ce83235794dc404dd470843caf2.exe 4156 a3d145e3c72db7ea3e18a306410a0445222a8ce83235794dc404dd470843caf2.exe 3472 powershell.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
description pid Process Token: SeDebugPrivilege 3236 powershell.exe Token: SeDebugPrivilege 3472 powershell.exe Token: SeDebugPrivilege 4952 a3d145e3c72db7ea3e18a306410a0445222a8ce83235794dc404dd470843caf2.exe -
Suspicious use of WriteProcessMemory 18 IoCs
description pid Process procid_target PID 4952 wrote to memory of 3236 4952 a3d145e3c72db7ea3e18a306410a0445222a8ce83235794dc404dd470843caf2.exe 91 PID 4952 wrote to memory of 3236 4952 a3d145e3c72db7ea3e18a306410a0445222a8ce83235794dc404dd470843caf2.exe 91 PID 4952 wrote to memory of 3236 4952 a3d145e3c72db7ea3e18a306410a0445222a8ce83235794dc404dd470843caf2.exe 91 PID 4952 wrote to memory of 3472 4952 a3d145e3c72db7ea3e18a306410a0445222a8ce83235794dc404dd470843caf2.exe 93 PID 4952 wrote to memory of 3472 4952 a3d145e3c72db7ea3e18a306410a0445222a8ce83235794dc404dd470843caf2.exe 93 PID 4952 wrote to memory of 3472 4952 a3d145e3c72db7ea3e18a306410a0445222a8ce83235794dc404dd470843caf2.exe 93 PID 4952 wrote to memory of 4692 4952 a3d145e3c72db7ea3e18a306410a0445222a8ce83235794dc404dd470843caf2.exe 95 PID 4952 wrote to memory of 4692 4952 a3d145e3c72db7ea3e18a306410a0445222a8ce83235794dc404dd470843caf2.exe 95 PID 4952 wrote to memory of 4692 4952 a3d145e3c72db7ea3e18a306410a0445222a8ce83235794dc404dd470843caf2.exe 95 PID 4952 wrote to memory of 1872 4952 a3d145e3c72db7ea3e18a306410a0445222a8ce83235794dc404dd470843caf2.exe 97 PID 4952 wrote to memory of 1872 4952 a3d145e3c72db7ea3e18a306410a0445222a8ce83235794dc404dd470843caf2.exe 97 PID 4952 wrote to memory of 1872 4952 a3d145e3c72db7ea3e18a306410a0445222a8ce83235794dc404dd470843caf2.exe 97 PID 4952 wrote to memory of 4156 4952 a3d145e3c72db7ea3e18a306410a0445222a8ce83235794dc404dd470843caf2.exe 98 PID 4952 wrote to memory of 4156 4952 a3d145e3c72db7ea3e18a306410a0445222a8ce83235794dc404dd470843caf2.exe 98 PID 4952 wrote to memory of 4156 4952 a3d145e3c72db7ea3e18a306410a0445222a8ce83235794dc404dd470843caf2.exe 98 PID 4952 wrote to memory of 4156 4952 a3d145e3c72db7ea3e18a306410a0445222a8ce83235794dc404dd470843caf2.exe 98 PID 4952 wrote to memory of 4156 4952 a3d145e3c72db7ea3e18a306410a0445222a8ce83235794dc404dd470843caf2.exe 98 PID 4952 wrote to memory of 4156 4952 a3d145e3c72db7ea3e18a306410a0445222a8ce83235794dc404dd470843caf2.exe 98
Processes
-
C:\Users\Admin\AppData\Local\Temp\a3d145e3c72db7ea3e18a306410a0445222a8ce83235794dc404dd470843caf2.exe"C:\Users\Admin\AppData\Local\Temp\a3d145e3c72db7ea3e18a306410a0445222a8ce83235794dc404dd470843caf2.exe"1⤵
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Checks computer location settings
- Maps connected drives based on registry
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4952 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\a3d145e3c72db7ea3e18a306410a0445222a8ce83235794dc404dd470843caf2.exe"2⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3236
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\gtHrTmufpkwAg.exe"2⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3472
-
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\gtHrTmufpkwAg" /XML "C:\Users\Admin\AppData\Local\Temp\tmp6FEB.tmp"2⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
PID:4692
-
-
C:\Users\Admin\AppData\Local\Temp\a3d145e3c72db7ea3e18a306410a0445222a8ce83235794dc404dd470843caf2.exe"C:\Users\Admin\AppData\Local\Temp\a3d145e3c72db7ea3e18a306410a0445222a8ce83235794dc404dd470843caf2.exe"2⤵PID:1872
-
-
C:\Users\Admin\AppData\Local\Temp\a3d145e3c72db7ea3e18a306410a0445222a8ce83235794dc404dd470843caf2.exe"C:\Users\Admin\AppData\Local\Temp\a3d145e3c72db7ea3e18a306410a0445222a8ce83235794dc404dd470843caf2.exe"2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4156
-
Network
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2KB
MD53d086a433708053f9bf9523e1d87a4e8
SHA1b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28
SHA2566f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69
SHA512931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd
-
Filesize
18KB
MD5723bad859f3e9aad01a3ae7bd8be8c4c
SHA1eb2d782ca34b871dfb8f4cd778c91539e8e91195
SHA256a0aedc654851469b23b02f3bd3b7fcc9004b8e939dafe9b95865e7cb2fcd41e7
SHA51288a2c0d53606b6c7c8dddac5f0d5ba60b4efc175575da7adf1b45994bf41a6e84ac36b92bad82413ba734e3ff9c1943ccaf06600829cac3785e40e825f0d69d0
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
1KB
MD548460c1a96d3ca01d3dcaaba634966f4
SHA1646ed2c595f8bc99a55a825e09a072a0d9505cec
SHA25600d0e7cc775c3b6cf3a0289b422e9cbf314cd126e273c428ca782676ab3507c2
SHA512e565893d306ac5709fb867f6516de3c0df3cb4fc418f09e6a999d5ab81b2e087ff0df2a9d37db8853192f5b410d3edb6389482733f35c5d4ab6cd9b9e580d1f6