Analysis
- max time kernel: 118s
- max time network: 119s
- platform: windows7_x64
- resource: win7-20240708-en
- resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
- submitted: 22/12/2024, 05:11
Static task: static1
Behavioral task: behavioral1
Sample: de475f6f80edfef837511633dc86a0115456c42a8c8469a0a8e304dc7dc17379.exe
Resource: win7-20240708-en
General
- Target: de475f6f80edfef837511633dc86a0115456c42a8c8469a0a8e304dc7dc17379.exe
- Size: 764KB
- MD5: ec3b64c231f48d3ea93f9879085b8f6f
- SHA1: 8c1c69f9c751ba62781d2a79b708fb6f90b2ca6a
- SHA256: de475f6f80edfef837511633dc86a0115456c42a8c8469a0a8e304dc7dc17379
- SHA512: d7b2283a9a0740e51ccfb281fe81308973754720b4a5f8d13e085029499e18b6ccd342c81737968260a347894457dad873fc5e1d2493e74550f87bf34f96bb00
- SSDEEP: 12288:Pox9A7nAvUFEHUNme8k9vf9d0Z7OXW/cC4Ff75wyk9h5BhvnYjp5wylG:o9SAvUq6m5mqZWWP4hdwyWh5BhvnYjpI
Malware Config
Extracted
- Family: formbook
- Version: 4.1
- Campaign: cr35
- Domains:
tahirsoemantrigroup.com
hashtagstartup.net
guron.biz
donwalin.com
aslanrefinedhomes.com
quitrobo.com
transcriptionservicesindia.com
mooremedications.com
mahounoniwa.com
lowpricepath.com
xinmanxin.com
maliya-interiors.com
rkprops.com
functionsandfoundations.com
thelenditudenews.com
streetlogic.biz
itaste.xyz
protokolavukatlik.com
reformasmende.com
noahsicecream.com
medtize.com
transportmetspoed.com
nnaa807.com
sorialab12.online
fuckingmyself.com
sagapolimer.com
e5-construction.com
bitracks56.com
noonautica.info
ijournaltnpasumo5.xyz
anyoneh.com
officesetupofficesetup.com
biurowe.online
hackensackbarber.com
changeproduct.store
drayeshaafzal.com
niasara.com
magstyletravelingllc.com
ottowagnergruende.wien
quinube.online
bestprodutos.com
qualitybilisim.com
fornecedoresbr.online
hugsforbubbs.com
studiosagesalon.com
jonathanandlola.info
potcreekfarms.com
digitalpravin.online
zerogamesober.com
hghbj.com
vnpmhs.com
publicdefenderprivacy.com
520kouzi.com
atomicpropertiescarrboro.com
schemesoliddrug.xyz
dermocosmethicbio.com
aokmangearbox.com
subconsciousgod.com
storiedpklnfo.xyz
qabooscapitalgroups.com
frjrbfkfncifnsnqwnxbcbckfi.com
mey.agency
wsfilmes.website
ankaraotelescort.xyz
tllyou.com
Signatures
- Formbook family
- Formbook payload (1 IoC)
  resource | yara_rule
  behavioral1/memory/2752-14-0x0000000000400000-0x000000000042F000-memory.dmp | formbook
- Suspicious use of SetThreadContext (1 IoC)
  description | pid | Process | procid_target
  PID 2096 set thread context of 2752 | 2096 | de475f6f80edfef837511633dc86a0115456c42a8c8469a0a8e304dc7dc17379.exe | 31
- System Location Discovery: System Language Discovery (1 TTP, 1 IoC)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | de475f6f80edfef837511633dc86a0115456c42a8c8469a0a8e304dc7dc17379.exe
- Suspicious behavior: EnumeratesProcesses (3 IoCs)
  pid | Process
  2096 | de475f6f80edfef837511633dc86a0115456c42a8c8469a0a8e304dc7dc17379.exe
  2096 | de475f6f80edfef837511633dc86a0115456c42a8c8469a0a8e304dc7dc17379.exe
  2752 | de475f6f80edfef837511633dc86a0115456c42a8c8469a0a8e304dc7dc17379.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  description | pid | Process
  Token: SeDebugPrivilege | 2096 | de475f6f80edfef837511633dc86a0115456c42a8c8469a0a8e304dc7dc17379.exe
- Suspicious use of WriteProcessMemory (7 IoCs)
  description | pid | Process | procid_target
  PID 2096 wrote to memory of 2752 | 2096 | de475f6f80edfef837511633dc86a0115456c42a8c8469a0a8e304dc7dc17379.exe | 31
  (the same row is recorded 7 times)
Processes
- C:\Users\Admin\AppData\Local\Temp\de475f6f80edfef837511633dc86a0115456c42a8c8469a0a8e304dc7dc17379.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\de475f6f80edfef837511633dc86a0115456c42a8c8469a0a8e304dc7dc17379.exe"
  PID: 2096 (depth 1)
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\de475f6f80edfef837511633dc86a0115456c42a8c8469a0a8e304dc7dc17379.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\de475f6f80edfef837511633dc86a0115456c42a8c8469a0a8e304dc7dc17379.exe"
    PID: 2752 (depth 2, child of 2096)
    - Suspicious behavior: EnumeratesProcesses