Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
147s -
max time network
121s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
-
submitted
22/12/2024, 06:38
General
-
Target
Ministry of Health Kingdom of Bahrain.exe
-
Size
358KB
-
MD5
e1a110c51c33c12ee53679c40c954395
-
SHA1
361ca3b8600138c93a6cb8728ddefd7bb1be53ef
-
SHA256
ad4c2025f6a3741ba965e53a40e907b04dd1031c666e80d98afe6fd00c70239d
-
SHA512
8572c6c49eca57c0a89523df94c73eb65617687c4e89045633eeafb05f2844f6c14df7ef0e61fa05a1cae39d5fa664d8e206c6cccadcacc03d749a9b0caefdfb
-
SSDEEP
6144:l2rbJsMkhBseyKyjTzBfRARSBPu6aNpSc68iHGrGSD/7o8aIm2eW8ggs:liSBseyxjT9yRSJaNpriH5SL7BaXO
Malware Config
Extracted
formbook
4.1
ey5a
lygptkl.com
winsentrade.com
bluprintliving.com
yumohealth.com
cherryadulttoys.com
gianttigar.com
maxhutmacher.net
autostokyocorp.com
calvaryload.com
stixxiepix.com
j98152.com
starsky666.xyz
loadkicks.com
designauraspace.com
wwwfmcna.com
mikakonaitopsychologist.com
kristalsuaritma.com
kh180.com
kulturel.net
araveenapark.com
Signatures
-
Formbook
Formbook is a data stealing malware which is capable of stealing data.
-
Formbook family
-
Formbook payload 4 IoCs
-
Deletes itself 1 IoCs
-
Suspicious use of SetThreadContext 4 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious behavior: EnumeratesProcesses 25 IoCs
-
Suspicious behavior: MapViewOfSection 6 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of WriteProcessMemory 18 IoCs
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\Ministry of Health Kingdom of Bahrain.exe"C:\Users\Admin\AppData\Local\Temp\Ministry of Health Kingdom of Bahrain.exe"2⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\Ministry of Health Kingdom of Bahrain.exe"C:\Users\Admin\AppData\Local\Temp\Ministry of Health Kingdom of Bahrain.exe"3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\SysWOW64\autofmt.exe"C:\Windows\SysWOW64\autofmt.exe"2⤵
-
-
C:\Windows\SysWOW64\autofmt.exe"C:\Windows\SysWOW64\autofmt.exe"2⤵
-
-
C:\Windows\SysWOW64\autofmt.exe"C:\Windows\SysWOW64\autofmt.exe"2⤵
-
-
C:\Windows\SysWOW64\autofmt.exe"C:\Windows\SysWOW64\autofmt.exe"2⤵
-
-
C:\Windows\SysWOW64\autochk.exe"C:\Windows\SysWOW64\autochk.exe"2⤵
-
-
C:\Windows\SysWOW64\autochk.exe"C:\Windows\SysWOW64\autochk.exe"2⤵
-
-
C:\Windows\SysWOW64\autochk.exe"C:\Windows\SysWOW64\autochk.exe"2⤵
-
-
C:\Windows\SysWOW64\autochk.exe"C:\Windows\SysWOW64\autochk.exe"2⤵
-
-
C:\Windows\SysWOW64\autochk.exe"C:\Windows\SysWOW64\autochk.exe"2⤵
-
-
C:\Windows\SysWOW64\autochk.exe"C:\Windows\SysWOW64\autochk.exe"2⤵
-
-
C:\Windows\SysWOW64\autochk.exe"C:\Windows\SysWOW64\autochk.exe"2⤵
-
-
C:\Windows\SysWOW64\autochk.exe"C:\Windows\SysWOW64\autochk.exe"2⤵
-
-
C:\Windows\SysWOW64\autochk.exe"C:\Windows\SysWOW64\autochk.exe"2⤵
-
-
C:\Windows\SysWOW64\autochk.exe"C:\Windows\SysWOW64\autochk.exe"2⤵
-
-
C:\Windows\SysWOW64\autochk.exe"C:\Windows\SysWOW64\autochk.exe"2⤵
-
-
C:\Windows\SysWOW64\autochk.exe"C:\Windows\SysWOW64\autochk.exe"2⤵
-
-
C:\Windows\SysWOW64\autochk.exe"C:\Windows\SysWOW64\autochk.exe"2⤵
-
-
C:\Windows\SysWOW64\autochk.exe"C:\Windows\SysWOW64\autochk.exe"2⤵
-
-
C:\Windows\SysWOW64\autochk.exe"C:\Windows\SysWOW64\autochk.exe"2⤵
-
-
C:\Windows\SysWOW64\autochk.exe"C:\Windows\SysWOW64\autochk.exe"2⤵
-
-
C:\Windows\SysWOW64\autochk.exe"C:\Windows\SysWOW64\autochk.exe"2⤵
-
-
C:\Windows\SysWOW64\autochk.exe"C:\Windows\SysWOW64\autochk.exe"2⤵
-
-
C:\Windows\SysWOW64\autochk.exe"C:\Windows\SysWOW64\autochk.exe"2⤵
-
-
C:\Windows\SysWOW64\autochk.exe"C:\Windows\SysWOW64\autochk.exe"2⤵
-
-
C:\Windows\SysWOW64\autochk.exe"C:\Windows\SysWOW64\autochk.exe"2⤵
-
-
C:\Windows\SysWOW64\autochk.exe"C:\Windows\SysWOW64\autochk.exe"2⤵
-
-
C:\Windows\SysWOW64\autochk.exe"C:\Windows\SysWOW64\autochk.exe"2⤵
-
-
C:\Windows\SysWOW64\autochk.exe"C:\Windows\SysWOW64\autochk.exe"2⤵
-
-
C:\Windows\SysWOW64\autochk.exe"C:\Windows\SysWOW64\autochk.exe"2⤵
-
-
C:\Windows\SysWOW64\autochk.exe"C:\Windows\SysWOW64\autochk.exe"2⤵
-
-
C:\Windows\SysWOW64\msiexec.exe"C:\Windows\SysWOW64\msiexec.exe"2⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe/c del "C:\Users\Admin\AppData\Local\Temp\Ministry of Health Kingdom of Bahrain.exe"3⤵
- Deletes itself
- System Location Discovery: System Language Discovery
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
820KB
-
Filesize
1.2MB
-
Filesize
820KB
-
Filesize
1.2MB
-
Filesize
3.0MB
-
Filesize
188KB
-
Filesize
84KB
-
Filesize
188KB
-
Filesize
188KB
-
Filesize
4KB
-
Filesize
188KB
-
Filesize
188KB
-
Filesize
84KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
6.9MB
-
Filesize
6.9MB
-
Filesize
352KB
-
Filesize
40KB
-
Filesize
6.9MB
-
Filesize
384KB
-
Filesize
80KB
-
Filesize
80KB
-
Filesize
80KB
-
Filesize
188KB