Analysis
- max time kernel: 147s
- max time network: 150s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 22/12/2024, 06:22
Tasks
- Static task: static1
- Behavioral task: behavioral1
- Sample: Pipeline operations equipment (Valves_Pipe Fittings).exe
- Resource: win7-20240903-en
General
- Target: Pipeline operations equipment (Valves_Pipe Fittings).exe
- Size: 877KB
- MD5: 3856ef031167c1b3a0e0a40674bd42f0
- SHA1: 728e44609c5a0852dabe23d019b5cf3b3f25f739
- SHA256: b9e6760d4d04760b495e95fcda0eb6c070046617730c7066914563679cce68bd
- SHA512: 1f7e7fbf9c1f7704b9070522f12983736bfffd8fdc17e30059915308cd4568cbd7fc2bce388a79419bb67f83d6f25dcd02959a47c6c96b54867192d8ca919659
- SSDEEP: 12288:hRcaQxt8mvZ0ZbgDPwFVt2NjFFdqoeACbp9nJIx4bZovgff1R5vdP3xEBj2Kn23e:oxcb0wFVMNjlqgCdQYHdJAfGkTCNq
Malware Config (extracted)
- Family: formbook
- Version: 4.1
- Campaign: chad
- Decoy domains:
osiribodhisattva.com
e-ticaretdostu.com
integrocapitalllc.com
pasarbb.com
curavy.com
efcomportamento.com
twittertornado.com
siyhy.com
roamnext.com
hongduen.com
urbaanmarket.com
davidcavanaghreplays.com
comperhouse.com
ne-nerede.net
m365fordevs.com
structuredadvocates.com
withalldads.love
assanamusic.info
oshaberi-machiko.com
mollyellen.net
thickermovie.com
macocome.com
acmekorea.com
qtmkyxs.icu
mobusy.com
heraskiss.com
vibetonight.com
028036.com
transinta.com
alliwell.com
wat2shop.com
digitalcom100.com
grosbeakgardens.com
mariannehoefer-krey.com
kurashisumai.com
backstreetsconsultingllc.com
afcerd.com
y0byblak.com
rtsworthitcoffee.com
gathermix.com
poocheepaws.com
luanalumertz.com
basecampresponse.com
hospitalbox.asia
gregorywise.com
jimhankeylaw.com
arkadelphiachiropractic.com
thingah.com
trickcall.com
xpowercovidshield.com
loginctr.com
lockdownmillionaires.com
opalcreative.design
stockproductionmusic.services
tekscoop.com
oasismig.com
mikecarfizzi.com
bojankezadecu.com
mfibersystems.com
bibliolit.com
88c5f07d9678.info
spcmaroc.com
nightanddayfreightsystems.net
athena-sportech.com
ssgas-ia.com
Signatures

Formbook family
Formbook payload (2 IoCs)
resource -> yara_rule
- behavioral2/memory/3388-13-0x0000000000400000-0x000000000042E000-memory.dmp -> formbook
- behavioral2/memory/3388-18-0x0000000000400000-0x000000000042E000-memory.dmp -> formbook
Suspicious use of SetThreadContext (3 IoCs)
description | pid | Process | procid_target
- PID 3724 set thread context of 3388 | 3724 | Pipeline operations equipment (Valves_Pipe Fittings).exe | 102
- PID 3388 set thread context of 3528 | 3388 | Pipeline operations equipment (Valves_Pipe Fittings).exe | 56
- PID 1724 set thread context of 3528 | 1724 | mstsc.exe | 56
System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | mstsc.exe
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Pipeline operations equipment (Valves_Pipe Fittings).exe
Suspicious behavior: EnumeratesProcesses (42 IoCs)
pid | Process (number of entries)
- 3724 | Pipeline operations equipment (Valves_Pipe Fittings).exe (2 entries)
- 3388 | Pipeline operations equipment (Valves_Pipe Fittings).exe (4 entries)
- 1724 | mstsc.exe (36 entries)
Suspicious behavior: MapViewOfSection (5 IoCs)
pid | Process (number of entries)
- 3388 | Pipeline operations equipment (Valves_Pipe Fittings).exe (3 entries)
- 1724 | mstsc.exe (2 entries)
Suspicious use of AdjustPrivilegeToken (3 IoCs)
description | pid | Process
- Token: SeDebugPrivilege | 3724 | Pipeline operations equipment (Valves_Pipe Fittings).exe
- Token: SeDebugPrivilege | 3388 | Pipeline operations equipment (Valves_Pipe Fittings).exe
- Token: SeDebugPrivilege | 1724 | mstsc.exe
Suspicious use of WriteProcessMemory (15 IoCs)
description | pid | Process | procid_target (number of entries)
- PID 3724 wrote to memory of 4976 | 3724 | Pipeline operations equipment (Valves_Pipe Fittings).exe | 101 (3 entries)
- PID 3724 wrote to memory of 3388 | 3724 | Pipeline operations equipment (Valves_Pipe Fittings).exe | 102 (6 entries)
- PID 3528 wrote to memory of 1724 | 3528 | Explorer.EXE | 103 (3 entries)
- PID 1724 wrote to memory of 4716 | 1724 | mstsc.exe | 104 (3 entries)
Processes (process tree; indentation shows parent/child relationship)

C:\Windows\Explorer.EXE (PID 3528)
  Command line: C:\Windows\Explorer.EXE
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\Pipeline operations equipment (Valves_Pipe Fittings).exe (PID 3724)
    Command line: "C:\Users\Admin\AppData\Local\Temp\Pipeline operations equipment (Valves_Pipe Fittings).exe"
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\Pipeline operations equipment (Valves_Pipe Fittings).exe (PID 4976)
      Command line: "C:\Users\Admin\AppData\Local\Temp\Pipeline operations equipment (Valves_Pipe Fittings).exe"

    C:\Users\Admin\AppData\Local\Temp\Pipeline operations equipment (Valves_Pipe Fittings).exe (PID 3388)
      Command line: "C:\Users\Admin\AppData\Local\Temp\Pipeline operations equipment (Valves_Pipe Fittings).exe"
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\mstsc.exe (PID 1724)
    Command line: "C:\Windows\SysWOW64\mstsc.exe"
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe (PID 4716)
      Command line: /c del "C:\Users\Admin\AppData\Local\Temp\Pipeline operations equipment (Valves_Pipe Fittings).exe"
      - System Location Discovery: System Language Discovery