Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
  max time kernel: 146s
  max time network: 118s
  platform: windows7_x64
  resource: win7-20240708-en
  resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
  submitted: 28/12/2024, 22:43 UTC
  Static task: static1
  Behavioral task: behavioral1
  Sample: 8649b814fa724e40e4dae7cc2d9d727da957b760e7d28d3af04a7c1011311a00.exe
  Resource: win7-20240708-en
General
  Target: 8649b814fa724e40e4dae7cc2d9d727da957b760e7d28d3af04a7c1011311a00.exe
  Size: 599KB
  MD5: 92592b4ed9b80ddab77d8e19d2ea120e
  SHA1: aae8fdb85bbf71c66d6001be2302018f97ea3375
  SHA256: 8649b814fa724e40e4dae7cc2d9d727da957b760e7d28d3af04a7c1011311a00
  SHA512: 3e6a4ec71c2ce0d2989325f09db6c9189c8eca95af9ea1bb749436f79826afe5a12df2fe6aa2bc2cc6b02fe91fcb230b9cdb73ff0ac8ecff4c92e910bfcb3352
  SSDEEP: 12288:07Io/7u4UlyVVKhl3tpBuivKhwtfgfRFmFeytYY2j3ga0gvV:07T7cWm9pBqQfScFeUYY2jwa0
Malware Config (Extracted)
  Family: formbook
  Version: 4.1
  Campaign: dfc
Signatures

  Formbook family

  Formbook payload (2 IoCs)
    resource                                                                      yara_rule
    behavioral1/memory/2680-5-0x0000000000400000-0x000000000042E000-memory.dmp    formbook
    behavioral1/memory/2680-9-0x0000000000400000-0x000000000042E000-memory.dmp    formbook

  Suspicious use of SetThreadContext (3 IoCs)
    description                           pid   Process                                                                   procid_target
    PID 1900 set thread context of 2680   1900  8649b814fa724e40e4dae7cc2d9d727da957b760e7d28d3af04a7c1011311a00.exe     30
    PID 2680 set thread context of 1232   2680  RegAsm.exe                                                                21
    PID 2676 set thread context of 1232   2676  mstsc.exe                                                                 21

  System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
    description   ioc                                                            Process
    Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language    cmd.exe
    Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language    8649b814fa724e40e4dae7cc2d9d727da957b760e7d28d3af04a7c1011311a00.exe
    Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language    RegAsm.exe
    Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language    mstsc.exe

  Suspicious behavior: EnumeratesProcesses (31 IoCs)
    pid   Process      occurrences
    2680  RegAsm.exe   2
    2676  mstsc.exe    29

  Suspicious behavior: MapViewOfSection (6 IoCs)
    pid   Process                                                                   occurrences
    1900  8649b814fa724e40e4dae7cc2d9d727da957b760e7d28d3af04a7c1011311a00.exe     1
    2680  RegAsm.exe                                                                3
    2676  mstsc.exe                                                                 2

  Suspicious use of AdjustPrivilegeToken (2 IoCs)
    description               pid   Process
    Token: SeDebugPrivilege   2680  RegAsm.exe
    Token: SeDebugPrivilege   2676  mstsc.exe

  Suspicious use of WriteProcessMemory (16 IoCs)
    description                       pid   Process                                                                   procid_target  occurrences
    PID 1900 wrote to memory of 2680  1900  8649b814fa724e40e4dae7cc2d9d727da957b760e7d28d3af04a7c1011311a00.exe     30             8
    PID 1232 wrote to memory of 2676  1232  Explorer.EXE                                                              31             4
    PID 2676 wrote to memory of 2772  2676  mstsc.exe                                                                 32             4
Processes

  1. C:\Windows\Explorer.EXE (PID 1232)
     command line: C:\Windows\Explorer.EXE
       - Suspicious use of WriteProcessMemory

     2. C:\Users\Admin\AppData\Local\Temp\8649b814fa724e40e4dae7cc2d9d727da957b760e7d28d3af04a7c1011311a00.exe (PID 1900)
        command line: "C:\Users\Admin\AppData\Local\Temp\8649b814fa724e40e4dae7cc2d9d727da957b760e7d28d3af04a7c1011311a00.exe"
          - Suspicious use of SetThreadContext
          - System Location Discovery: System Language Discovery
          - Suspicious behavior: MapViewOfSection
          - Suspicious use of WriteProcessMemory

        3. C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe (PID 2680)
           command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
             - Suspicious use of SetThreadContext
             - System Location Discovery: System Language Discovery
             - Suspicious behavior: EnumeratesProcesses
             - Suspicious behavior: MapViewOfSection
             - Suspicious use of AdjustPrivilegeToken

     2. C:\Windows\SysWOW64\mstsc.exe (PID 2676)
        command line: "C:\Windows\SysWOW64\mstsc.exe"
          - Suspicious use of SetThreadContext
          - System Location Discovery: System Language Discovery
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious behavior: MapViewOfSection
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of WriteProcessMemory

        3. C:\Windows\SysWOW64\cmd.exe (PID 2772)
           command line: /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
             - System Location Discovery: System Language Discovery