Analysis
- max time kernel: 146s
- max time network: 122s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 23/12/2024, 22:00
Static task
- static1
Behavioral tasks
- behavioral1: sample faktura,pdf.exe, resource win7-20240903-en
- behavioral2: sample faktura,pdf.exe, resource win10v2004-20241007-en
- behavioral3: sample lejdjsong.exe, resource win7-20241010-en
- behavioral4: sample lejdjsong.exe, resource win10v2004-20241007-en
General
- Target: faktura,pdf.exe
- Size: 484KB
- MD5: 0c2779d8b1c98fee81f0e5f0f47b1076
- SHA1: 5dc8b937c91d42bfb4870970a85d6b415e208aba
- SHA256: 02928b2d3818c82f6b0cd4d1c69a5717b36d56a6ede9e8b6e6dfad55d9165406
- SHA512: 4a60973ec7ea718fb5d562d030876987fb5006c9a1f0a2241dc7aca1800c0c386aed3be4e651f7aa158ccf4d133ee7e8f0de4f608f0f1a7577ed9e4ca9fcbc3b
- SSDEEP: 6144:eNeZkjUUpNggUZvLl6SpvAkfcxMLiEVCN4WQBWkNtU:eNAi5UFLl6SpvAkfcx4iEVRWQrNtU
Malware Config
Extracted
formbook
nob2
futurelightiq.com
Signatures
- Formbook family
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Key value queried: \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Control Panel\International\Geo\Nation (process: lejdjsong.exe)
- Executes dropped EXE (1 IoC)
  PID 2536 lejdjsong.exe
- Loads dropped DLL (3 IoCs)
  PID 2400 faktura,pdf.exe; PID 2536 lejdjsong.exe; PID 2112 lejdjsong.exe
- Suspicious use of SetThreadContext (3 IoCs)
  PID 2536 (lejdjsong.exe) set thread context of 2112, procid_target 31
  PID 2112 (lejdjsong.exe) set thread context of 1156, procid_target 20
  PID 2460 (wscript.exe) set thread context of 1156, procid_target 20
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (processes: lejdjsong.exe, wscript.exe, faktura,pdf.exe)
- Suspicious behavior: EnumeratesProcesses (33 IoCs)
  PID 2112 lejdjsong.exe (4 events); PID 2460 wscript.exe (29 events)
- Suspicious behavior: MapViewOfSection (5 IoCs)
  PID 2112 lejdjsong.exe (3 events); PID 2460 wscript.exe (2 events)
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Token: SeDebugPrivilege, PID 2112 lejdjsong.exe
  Token: SeDebugPrivilege, PID 2460 wscript.exe
- Suspicious use of WriteProcessMemory (13 IoCs)
  PID 2400 (faktura,pdf.exe) wrote to memory of 2536, procid_target 30 (4 events)
  PID 2536 (lejdjsong.exe) wrote to memory of 2112, procid_target 31 (5 events)
  PID 1156 (Explorer.EXE) wrote to memory of 2460, procid_target 32 (4 events)
Processes
- [1] C:\Windows\Explorer.EXE (PID 1156)
  command line: C:\Windows\Explorer.EXE
  - Suspicious use of WriteProcessMemory
  - [2] C:\Users\Admin\AppData\Local\Temp\faktura,pdf.exe (PID 2400)
    command line: "C:\Users\Admin\AppData\Local\Temp\faktura,pdf.exe"
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    - [3] C:\Users\Admin\AppData\Local\Temp\lejdjsong.exe (PID 2536)
      command line: "C:\Users\Admin\AppData\Local\Temp\lejdjsong.exe"
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of SetThreadContext
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      - [4] C:\Users\Admin\AppData\Local\Temp\lejdjsong.exe (PID 2112)
        command line: "C:\Users\Admin\AppData\Local\Temp\lejdjsong.exe"
        - Checks computer location settings
        - Loads dropped DLL
        - Suspicious use of SetThreadContext
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: MapViewOfSection
        - Suspicious use of AdjustPrivilegeToken
  - [2] C:\Windows\SysWOW64\wscript.exe (PID 2460)
    command line: "C:\Windows\SysWOW64\wscript.exe"
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads
- File 1
  Filesize: 185KB
  MD5: 591d6e5750339bb3848fd5abc97311f0
  SHA1: d688280ea879a1a309f72fede33f6695ec5ed105
  SHA256: b778488ba471b2edfc808c5e4d55e4e0221d7ca23100c6cf563177db8f9b5fc8
  SHA512: 81dc6568ea3b278aa320f04b651b2b9b100e891eb8ecca21c6685031865ff6a3a0129c2a28acc5f7ddc2997db4db12ead12bcca89a786f9c402e799a4eea3ae6
- File 2
  Filesize: 4KB
  MD5: d2a837454edcdf54d22d808482386ba7
  SHA1: f8483cba5522ead7d1b557914ff3c411fc4df541
  SHA256: 2ba5c60045c398ebd1e59e2225250b8f09536e4a4ba4eec26186a68fb9574a0a
  SHA512: 4078b008e9a7dce2e4938936bef3bcb3262d29f1ffbc45fed75093cb742b6ed7c2de0c98f83d3db0289d6b9a02a28a115b44aeb28a258d95e18236b230cf17d3
- File 3
  Filesize: 73KB
  MD5: 86a148c54d7a5ee49386393a7bd64e75
  SHA1: 3bcd7adf68d28514c0d362964bf4ac1e067bda6f
  SHA256: 7cc777f463f00d5389c55fe6cc7904b427efd52ab0b2e932ddd1210d6c0eedb6
  SHA512: 214f5530b2adc519243cd0c10af2987275988b45e1050f147391ece49c3ab2ae3ec4dff4f79598a6f9061ae4d70fbc78334d4a1ae2e863ab92628e0b4beb00fb