Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

8649b814fa...00.exe

windows7-x64

10

8649b814fa...00.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    146s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
  • submitted
    28/12/2024, 22:43 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    8649b814fa724e40e4dae7cc2d9d727da957b760e7d28d3af04a7c1011311a00.exe

  • Size

    599KB

  • MD5

    92592b4ed9b80ddab77d8e19d2ea120e

  • SHA1

    aae8fdb85bbf71c66d6001be2302018f97ea3375

  • SHA256

    8649b814fa724e40e4dae7cc2d9d727da957b760e7d28d3af04a7c1011311a00

  • SHA512

    3e6a4ec71c2ce0d2989325f09db6c9189c8eca95af9ea1bb749436f79826afe5a12df2fe6aa2bc2cc6b02fe91fcb230b9cdb73ff0ac8ecff4c92e910bfcb3352

  • SSDEEP

    12288:07Io/7u4UlyVVKhl3tpBuivKhwtfgfRFmFeytYY2j3ga0gvV:07T7cWm9pBqQfScFeUYY2jwa0

Score
10/10
formbookdfcdiscoveryratspywarestealertrojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

dfc

Decoy

photographytune.com

oleandrinbotanical.com

hibcapital.com

katgermosen.com

careerwomensgol.com

oliverezechi.net

hrbhrt.com

codeopulence.com

merrilllynchph.com

globallionsco.com

cutass.com

sarahalhashemi.com

izzyandi.com

snacklabbet.com

manufaktura-uyuta.online

powayvotes.net

helpspine.com

arlto.info

sofakingwet.com

cretanhandcarving.com

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • Formbook family
    formbook
  • Formbook payload 2 IoCs
    rat
  • Suspicious use of SetThreadContext 3 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 31 IoCs
  • Suspicious behavior: MapViewOfSection 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1232
    • C:\Users\Admin\AppData\Local\Temp\8649b814fa724e40e4dae7cc2d9d727da957b760e7d28d3af04a7c1011311a00.exe
      "C:\Users\Admin\AppData\Local\Temp\8649b814fa724e40e4dae7cc2d9d727da957b760e7d28d3af04a7c1011311a00.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of WriteProcessMemory
      PID:1900
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        3⤵
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        PID:2680
    • C:\Windows\SysWOW64\mstsc.exe
      "C:\Windows\SysWOW64\mstsc.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2676
      • C:\Windows\SysWOW64\cmd.exe
        /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2772

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/1232-11-0x0000000002FF0000-0x00000000030F0000-memory.dmp

    Filesize

    1024KB

    Download

  • memory/1232-15-0x0000000004A60000-0x0000000004B27000-memory.dmp

    Filesize

    796KB

    Download

  • memory/1232-12-0x0000000004A60000-0x0000000004B27000-memory.dmp

    Filesize

    796KB

    Download

  • memory/1900-6-0x0000000074750000-0x0000000074E3E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/1900-4-0x0000000074750000-0x0000000074E3E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/1900-0-0x000000007475E000-0x000000007475F000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1900-3-0x0000000000BB0000-0x0000000000BEA000-memory.dmp

    Filesize

    232KB

    Download

  • memory/1900-2-0x0000000074750000-0x0000000074E3E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/1900-1-0x0000000000FD0000-0x000000000106C000-memory.dmp

    Filesize

    624KB

    Download

  • memory/2676-13-0x0000000000C40000-0x0000000000D44000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/2676-14-0x0000000000C40000-0x0000000000D44000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/2680-5-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

    Download

  • memory/2680-7-0x00000000025C0000-0x00000000028C3000-memory.dmp

    Filesize

    3.0MB

    Download

  • memory/2680-10-0x00000000007F0000-0x0000000000804000-memory.dmp

    Filesize

    80KB

    Download

  • memory/2680-9-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

    Download

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.