Analysis
max time kernel: 149s
max time network: 142s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 22/12/2024, 04:04
Static task: static1
Behavioral task: behavioral1
  Sample: Project 88399287990.exe
  Resource: win7-20241010-en
Note: the signatures and process tree below come from the Windows 10 run (platform windows10-2004_x64; the memory-dump names carry the behavioral2 prefix), not from the behavioral1 task on win7-20241010-en listed here.
General
Target: Project 88399287990.exe
Size: 622KB
MD5: 3837485b707ee00ae594d8b339c56ece
SHA1: df8dab1ca8581cdf2c8de899d0d4a8df8ca8d24c
SHA256: 71ef3a1c1b5deecad87d419dff14667503ffbfb7f5a16f5b53eda57ae33bde7b
SHA512: 6a243b10b4e556d4cf6c95f5f7d534f0ec8bd32f6cb5c153abfbdf2dcaa04c6adcb122a42cccb882cee90c98b6d50fc04bb9355f0de7a82a27e615ae10c39ba6
SSDEEP: 6144:UJ4uZ9l5FllawMqFj/02XzSlGDQNo/vSx2oJrZKhCuKEB96MFZN+4RSOKQm0umL:UJ4up5UwMqFjjU3QMVtuKEn6qq4I
Malware Config
Extracted
Family: formbook
Version: 4.1
Campaign: ksb
Decoy domains (Formbook's configuration lists decoy domains with the real C2 host mixed in among them; treat every entry as candidate C2 infrastructure, not as a confirmed C2):
rbscotl.net
mimascota10.com
ncylis.com
mariemdonacosmetics.com
elitecleaningnow.com
stockvisioner.com
whatsmodish.com
paghaze.com
weargoodsport.com
alesspace.com
rajputboarding.com
ctezna.site
athetheist.com
neurologistaandreialamberti.com
pindaz.com
ericsklavos.com
icare4me.com
xn--pypl-qoac.com
52swith.com
chetansenterprises.com
partenit.online
palmssport.com
thelostyouthes.com
highfathers.com
gailrichardson.com
grupofrancogomez.com
ahoramuevetuvida.com
mauridep.com
nexthevoice.com
galerie-vivante.com
itkibfuarcilik.com
gabbierais.com
yogasueyoga.com
ohtunida.com
naturesfrequency.com
sexuallegends.com
chesstipster.com
princeofpalermo.com
quicklymarked.com
ormusgem.com
casnop.com
evonnemccrayjackson.com
chilangoentertainment.com
chuteboxema.com
soonrx.com
hisnhersbeautysupplyllc.com
wajuejij.com
mysupremepurpose.com
ensaniat.info
njlicaiwl.com
leadersforconsciouschange.net
thebusinessmanagementclub.com
findmeabus.com
finlab101.com
passionatelycuratedevents.com
colorblindwork.com
growth.run
doriswhite.com
raudlatulmuhibbin.com
lasenesesrl.online
lemstat.com
investoir.com
sawtoothseasonings.com
setuphunter.com
expensiveindia.com
Signatures

Formbook family

Formbook payload (3 IoCs)
resource | yara_rule
behavioral2/memory/372-31-0x0000000000400000-0x000000000042E000-memory.dmp | formbook
behavioral2/memory/372-42-0x0000000000400000-0x000000000042E000-memory.dmp | formbook
behavioral2/memory/372-93-0x0000000000400000-0x000000000042E000-memory.dmp | formbook
All three dumps cover the 0x400000-0x42E000 image region of PID 372, the second copy of Project 88399287990.exe into which PID 3836 set a thread context (see below); the Formbook payload lives there, not in the launcher process.

Command and Scripting Interpreter: PowerShell (1 TTP, 2 IoCs)
Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths or processes.
pid | Process
3676 | powershell.exe
3232 | powershell.exe

Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation | Project 88399287990.exe

Suspicious use of SetThreadContext (4 IoCs)
description | pid | Process | procid_target
PID 3836 set thread context of 372 | 3836 | Project 88399287990.exe | 96
PID 372 set thread context of 3436 | 372 | Project 88399287990.exe | 56
PID 372 set thread context of 3436 | 372 | Project 88399287990.exe | 56
PID 3692 set thread context of 3436 | 3692 | wlanext.exe | 56
procid_target is the report's internal identifier for the target process, not a Windows PID: 96 corresponds to PID 372 and 56 to PID 3436 (Explorer.EXE), consistently with the WriteProcessMemory table below.

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTP, 6 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | powershell.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | wlanext.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Project 88399287990.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | powershell.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | schtasks.exe

Scheduled Task/Job: Scheduled Task (1 TTP, 1 IoC)
schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
3348 | schtasks.exe

Suspicious behavior: EnumeratesProcesses (23 IoCs)
pid | Process | occurrences
3676 | powershell.exe | 2
3836 | Project 88399287990.exe | 1
372 | Project 88399287990.exe | 6
3232 | powershell.exe | 2
3692 | wlanext.exe | 12

Suspicious behavior: MapViewOfSection (6 IoCs)
pid | Process | occurrences
372 | Project 88399287990.exe | 4
3692 | wlanext.exe | 2

Suspicious use of AdjustPrivilegeToken (9 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 3676 | powershell.exe
Token: SeDebugPrivilege | 3836 | Project 88399287990.exe
Token: SeDebugPrivilege | 372 | Project 88399287990.exe
Token: SeDebugPrivilege | 3232 | powershell.exe
Token: SeShutdownPrivilege | 3436 | Explorer.EXE
Token: SeCreatePagefilePrivilege | 3436 | Explorer.EXE
Token: SeShutdownPrivilege | 3436 | Explorer.EXE
Token: SeCreatePagefilePrivilege | 3436 | Explorer.EXE
Token: SeDebugPrivilege | 3692 | wlanext.exe

Suspicious use of WriteProcessMemory (21 IoCs)
description | pid | Process | procid_target | occurrences
PID 3836 wrote to memory of 3676 | 3836 | Project 88399287990.exe | 91 | 3
PID 3836 wrote to memory of 3348 | 3836 | Project 88399287990.exe | 93 | 3
PID 3836 wrote to memory of 3232 | 3836 | Project 88399287990.exe | 95 | 3
PID 3836 wrote to memory of 372 | 3836 | Project 88399287990.exe | 96 | 6
PID 3436 wrote to memory of 3692 | 3436 | Explorer.EXE | 99 | 3
PID 3692 wrote to memory of 1988 | 3692 | wlanext.exe | 100 | 3
Processes

[1] C:\Windows\Explorer.EXE
    Command line: C:\Windows\Explorer.EXE
    PID: 3436
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

  [2] C:\Users\Admin\AppData\Local\Temp\Project 88399287990.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\Project 88399287990.exe"
      PID: 3836
      - Checks computer location settings
      - Suspicious use of SetThreadContext
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

    [3] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\Project 88399287990.exe"
        PID: 3676
        - Command and Scripting Interpreter: PowerShell
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken

    [3] C:\Windows\SysWOW64\schtasks.exe
        Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\gIujDCSIo" /XML "C:\Users\Admin\AppData\Local\Temp\tmp1301.tmp"
        PID: 3348
        - System Location Discovery: System Language Discovery
        - Scheduled Task/Job: Scheduled Task

    [3] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\gIujDCSIo.exe"
        PID: 3232
        - Command and Scripting Interpreter: PowerShell
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken

    [3] C:\Users\Admin\AppData\Local\Temp\Project 88399287990.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\Project 88399287990.exe"
        PID: 372
        - Suspicious use of SetThreadContext
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: MapViewOfSection
        - Suspicious use of AdjustPrivilegeToken

  [2] C:\Windows\SysWOW64\autofmt.exe
      Command line: "C:\Windows\SysWOW64\autofmt.exe"
      PID: 3872

  [2] C:\Windows\SysWOW64\wlanext.exe
      Command line: "C:\Windows\SysWOW64\wlanext.exe"
      PID: 3692
      - Suspicious use of SetThreadContext
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

    [3] C:\Windows\SysWOW64\cmd.exe
        Command line: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\Admin\AppData\Local\Temp\Project 88399287990.exe"
        PID: 1988
        - System Location Discovery: System Language Discovery

Reading the tree: the children of PID 3836 are launched with System32 paths on their command lines but load from SysWOW64, which is the WoW64 file system redirector at work and tells you the launcher is a 32-bit process. The launcher adds two Defender path exclusions (its own file and the future persistence copy C:\Users\Admin\AppData\Roaming\gIujDCSIo.exe), registers a task from an XML dropped in Temp, then starts a second copy of itself (PID 372) and sets its thread context; the Formbook YARA hits are in that child's image region. PID 372 in turn sets a thread context in Explorer.EXE, after which Explorer spawns the SysWOW64 system binary wlanext.exe, which also writes to Explorer and finally runs cmd.exe to delete the original dropper. The autofmt.exe child of Explorer carries no signature hits on this page.
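An added example, not code from the tria.ge report or from Formbook: Python detection logic run over Sysmon-style process-creation events constructed from the tree above (PIDs, image paths and command lines are copied from the report; the parent links come from the WriteProcessMemory table and the injection pairs from the SetThreadContext table). It flags the behaviours a responder would alert on in this run, Add-MpPreference exclusions, a scheduled task imported from an XML in Temp, cmd /c del self-deletion, and thread-context writes into a child copy of the sample and into explorer.exe, and it separately reports the SysWOW64/System32 path mismatch that marks the spawning parent as 32-bit. The ProcEvent shape, the rule names and the triage() output format are my own assumptions, not a tria.ge schema.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    """One process-creation record (Sysmon event 1 style). Assumed shape, not a tria.ge schema."""
    pid: int
    ppid: int
    image: str      # image path actually loaded from disk
    cmdline: str    # command line as logged


# Constructed events reproducing the process tree and command lines in this report.
EVENTS = [
    ProcEvent(3436, 0, r"C:\Windows\Explorer.EXE", r"C:\Windows\Explorer.EXE"),
    ProcEvent(3836, 3436, r"C:\Users\Admin\AppData\Local\Temp\Project 88399287990.exe",
              r'"C:\Users\Admin\AppData\Local\Temp\Project 88399287990.exe"'),
    ProcEvent(3676, 3836, r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
              r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference '
              r'-ExclusionPath "C:\Users\Admin\AppData\Local\Temp\Project 88399287990.exe"'),
    ProcEvent(3348, 3836, r"C:\Windows\SysWOW64\schtasks.exe",
              r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\gIujDCSIo" '
              r'/XML "C:\Users\Admin\AppData\Local\Temp\tmp1301.tmp"'),
    ProcEvent(3232, 3836, r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
              r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference '
              r'-ExclusionPath "C:\Users\Admin\AppData\Roaming\gIujDCSIo.exe"'),
    ProcEvent(372, 3836, r"C:\Users\Admin\AppData\Local\Temp\Project 88399287990.exe",
              r'"C:\Users\Admin\AppData\Local\Temp\Project 88399287990.exe"'),
    ProcEvent(3692, 3436, r"C:\Windows\SysWOW64\wlanext.exe", r'"C:\Windows\SysWOW64\wlanext.exe"'),
    ProcEvent(1988, 3692, r"C:\Windows\SysWOW64\cmd.exe",
              r'C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\Admin\AppData\Local\Temp\Project 88399287990.exe"'),
]

# (source pid, target pid) pairs from the "Suspicious use of SetThreadContext" table.
INJECTIONS = [(3836, 372), (372, 3436), (3692, 3436)]

# Command-line rules. Names are my own; patterns match the exact forms seen in this report.
RULES = {
    "defender_exclusion": re.compile(r"Add-MpPreference\s+-Exclusion(Path|Process|Extension)\b", re.I),
    "schtasks_xml_temp": re.compile(r'schtasks(\.exe)?"?\s.*/Create\b.*/XML\s+"?[^"]*\\Temp\\', re.I),
    "self_delete": re.compile(r"cmd(\.exe)?\s*/c\s+del\s", re.I),
}


def match_rules(ev: ProcEvent) -> list[str]:
    """Names of every rule whose pattern occurs in the event's command line."""
    return [name for name, rx in RULES.items() if rx.search(ev.cmdline)]


def wow64_redirected(ev: ProcEvent) -> bool:
    """True when the command line names System32 but the loaded image is under SysWOW64:
    the WoW64 file system redirector rewrote the path, so the parent that launched it is 32-bit."""
    return "\\syswow64\\" in ev.image.lower() and "\\system32\\" in ev.cmdline.lower()


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def injection_findings(events, injections) -> list[str]:
    """Classify thread-context writes: into a freshly spawned copy of the writer (hollowing a child)
    or into explorer.exe (the shell is not a legitimate injection target for anything here)."""
    by_pid = {e.pid: e for e in events}
    out = []
    for src, dst in injections:
        s, d = by_pid.get(src), by_pid.get(dst)
        if s is None or d is None:
            continue
        if basename(s.image) == basename(d.image) and d.ppid == s.pid:
            out.append(f"{src}->{dst}: thread context set in a child copy of {basename(s.image)} (hollowing)")
        elif basename(d.image) == "explorer.exe":
            out.append(f"{src}->{dst}: thread context set in explorer.exe by {basename(s.image)}")
    return out


def triage(events, injections) -> dict:
    """Run every check and also list processes that an injected process spawned from SysWOW64:
    after explorer.exe is written to, it starting a 32-bit system binary is the next stage."""
    hits = {ev.pid: m for ev in events if (m := match_rules(ev))}
    redirected = [ev.pid for ev in events if wow64_redirected(ev)]
    injected = {dst for _, dst in injections}
    stage2 = [ev.pid for ev in events
              if ev.ppid in injected and ev.image.lower().startswith("c:\\windows\\syswow64\\")]
    return {"rule_hits": hits, "wow64_redirected": redirected,
            "injections": injection_findings(events, injections),
            "spawned_from_injected": stage2}


if __name__ == "__main__":
    for key, val in triage(EVENTS, INJECTIONS).items():
        print(f"{key}: {val}")
```

The rules are deliberately narrow (exact Add-MpPreference exclusion switches, /XML pointing into Temp, cmd /c del) so they can be lifted into a SIEM query without tuning; the structural checks (a process hollowing a copy of itself, writes into explorer.exe, explorer.exe then spawning a SysWOW64 binary) are what distinguish this chain from an administrator genuinely adding a Defender exclusion.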
Network
MITRE ATT&CK Enterprise v15
Downloads

File 1
  Filesize: 2KB
  MD5: 968cb9309758126772781b83adb8a28f
  SHA1: 8da30e71accf186b2ba11da1797cf67f8f78b47c
  SHA256: 92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a
  SHA512: 4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

File 2
  Filesize: 18KB
  MD5: ecc9be98ce67f9854333bfc9b1122a98
  SHA1: 3c24d0d8b54f3872ef0f3e4be9433c3313d87431
  SHA256: 6111dd7efd438620f646fe0b58f95007daed05dbefe811d2bc504cc19123cd56
  SHA512: 4a886e7a094f17d49bf4e416625aee3c272feebde5656711b50af1755299d03dae74d16154408f71fb6dbb7befe0845e9503a27ade284dc66fcfc46aaf94fb3f

File 3
  Filesize: 60B
  MD5: d17fe0a3f47be24a6453e9ef58c94641
  SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
  SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
  SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

File 4
  Filesize: 1KB
  MD5: b572672d695ff383df8a270a449b6ff4
  SHA1: 59bd49755765a96dcc66d0dd67f1fd69debfb1bf
  SHA256: 8501ca411e1da73451e4773ed664701bda554ce85b53c853b16161932040f06a
  SHA512: 50e1bd11070adc0bf2662618489313f1a80213b34867e0f941b6c0cc50ac8979dc5b0f7623077cb4d7713215f5b2cf869677ce3e7b0c226f6773b86faee68c5c