Analysis

  • max time kernel
    145s
  • max time network
    17s
  • platform
    windows7_x64
  • resource
    win7-20240729-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system
  • submitted
    25/12/2024, 04:40 UTC

General

  • Target

    igfx.exe

  • Size

    411KB

  • MD5

    58af2905bb3afbf26a18d4dbff6af451

  • SHA1

    15b21c2753b658b90ae652d82dd2123daf5af305

  • SHA256

    c23c53452c3180e79ca639a79a2dc1ea8e3d8fbf4833e02e4ac02959dcfce486

  • SHA512

    1f2a73881b9950d2f2ce6ee57c75782fc30335a402c1d555fcd97082f7e43dc6d14fc584f5deb156d99421b036227748adecc9e42671e2baea382b68adcc9e79

  • SSDEEP

    6144:rweEDPVVGng08cErJGSovljhvXoFDkBTeI2+LJdSdMh4:o2tlgGxjhvqD43dSdi4

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

wh23

Decoy

ow9vyvfee.com

alvis.one

mutantgobz.claims

plynofon.com

southofkingst.store

nuvidamedspa.com

coffeeforyou56.com

opaletechevents.com

momobar.life

abcmousu.com

learnicd-11.com

tipokin.xyz

kahvezevki.com

suratdimond.com

oldartists.best

infoepic.info

mattresslabo.com

skarlmotors.com

cl9319x.xyz

med49app.net

Signatures

  • Formbook

    Formbook is a data-stealing malware family.

  • Formbook family
  • Formbook payload 4 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 3 IoCs
  • Suspicious use of SetThreadContext 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 30 IoCs
  • Suspicious behavior: MapViewOfSection 7 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1364
      • C:\Users\Admin\AppData\Local\Temp\igfx.exe
        "C:\Users\Admin\AppData\Local\Temp\igfx.exe"
        2⤵
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:1040
        • C:\Users\Admin\AppData\Local\Temp\iwszswbfva.exe
          "C:\Users\Admin\AppData\Local\Temp\iwszswbfva.exe"
          3⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Suspicious use of SetThreadContext
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of WriteProcessMemory
          PID:2200
          • C:\Users\Admin\AppData\Local\Temp\iwszswbfva.exe
            "C:\Users\Admin\AppData\Local\Temp\iwszswbfva.exe"
            4⤵
            • Executes dropped EXE
            • Suspicious use of SetThreadContext
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious behavior: MapViewOfSection
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:3032
            • C:\Windows\SysWOW64\cmstp.exe
              "C:\Windows\SysWOW64\cmstp.exe"
              5⤵
              • Suspicious use of SetThreadContext
              • System Location Discovery: System Language Discovery
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious behavior: MapViewOfSection
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:2564
              • C:\Windows\SysWOW64\cmd.exe
                /c del "C:\Users\Admin\AppData\Local\Temp\iwszswbfva.exe"
                6⤵
                • System Location Discovery: System Language Discovery
                PID:2808

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\iwszswbfva.exe

      Filesize

      7KB

      MD5

      256173eb182e2853cbfa0590dfb0cb3a

      SHA1

      c8eadb0d069644a491368497e91d737e4dc41754

      SHA256

      15b35b8bd2d2e94f656e77a105e3ef99946b02c41d773d118ab0c64db578eb5d

      SHA512

      22e88b1ed25e5f8391497255a8bdc7ea1aef876f3f3c9547e334436d8f250c8cc5c45c344b79c7009d15c9556235086190bc2a3bfb637cd3eaa67824cea78af2

    • C:\Users\Admin\AppData\Local\Temp\thdyfjwld.ma

      Filesize

      185KB

      MD5

      4cad14a76a186d4cb6eed65b46cdb9a7

      SHA1

      13b14c663730e14ada3f47144399c7f4fc9ae664

      SHA256

      3292eadd21b9a72d96c9d31118c845a543dc7bcdb073f634cbb2f15e9fcc05d8

      SHA512

      87bb6f37570ce816c3519b8fca750b3137a40310f35c20c5ee08682cda6eb69ac85df0ddc9d5e1f0956202caf93990e0846d00ffc78cb97c1f85a1fc006a1f75

    • C:\Users\Admin\AppData\Local\Temp\vprrhkviti.bit

      Filesize

      5KB

      MD5

      3def4847de17afd854cb0a65b9d016a5

      SHA1

      0c62d8f3b6bdf84dc55f410135406fd506c8dee8

      SHA256

      40f78b65d517289aa1960c8a4fcd32381b850e2db4892fcfbbb601754c0b41a8

      SHA512

      f32dcbaa0643c501ec9124e7e1d98ed4644391119495296222a9501080977b622701a155522fefdaa0119bb969356830a7b98e66b2fd84da128f00a7f607bfb0

    • memory/1364-23-0x00000000074B0000-0x0000000007605000-memory.dmp

      Filesize

      1.3MB

    • memory/1364-21-0x00000000074B0000-0x0000000007605000-memory.dmp

      Filesize

      1.3MB

    • memory/1364-30-0x0000000007610000-0x0000000007774000-memory.dmp

      Filesize

      1.4MB

    • memory/1364-26-0x0000000007610000-0x0000000007774000-memory.dmp

      Filesize

      1.4MB

    • memory/2200-14-0x0000000000100000-0x0000000000102000-memory.dmp

      Filesize

      8KB

    • memory/2564-31-0x00000000000F0000-0x000000000011F000-memory.dmp

      Filesize

      188KB

    • memory/2564-27-0x0000000000EB0000-0x0000000000EC8000-memory.dmp

      Filesize

      96KB

    • memory/2564-29-0x0000000000EB0000-0x0000000000EC8000-memory.dmp

      Filesize

      96KB

    • memory/3032-15-0x0000000000400000-0x000000000042F000-memory.dmp

      Filesize

      188KB

    • memory/3032-24-0x0000000000400000-0x000000000042F000-memory.dmp

      Filesize

      188KB

    • memory/3032-25-0x00000000002D0000-0x00000000002E4000-memory.dmp

      Filesize

      80KB

    • memory/3032-17-0x0000000000990000-0x0000000000C93000-memory.dmp

      Filesize

      3.0MB

    • memory/3032-19-0x0000000000400000-0x000000000042F000-memory.dmp

      Filesize

      188KB

    • memory/3032-20-0x0000000000180000-0x0000000000194000-memory.dmp

      Filesize

      80KB
