Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
149s -
max time network
144s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
29/12/2024, 08:38
Static task
static1
Behavioral task
behavioral1
Sample
doc06520720220131121555,pdf.exe
Resource
win7-20240903-en
General
-
Target
doc06520720220131121555,pdf.exe
-
Size
1.1MB
-
MD5
b274a8db1f2759a5633feda3ebb76e99
-
SHA1
bb145758eee0923a3b5fef02c300fe631855bbb6
-
SHA256
cbf712334783e060e67ba77d675a7402efa44b879aeed5b56fdbe9f2b01ee99c
-
SHA512
8b070b4686d60f7cb26e77451975bc1cade564def98b92077db90b6202a2439857e9df95fadf39064e717acad6fb64dc0065b1f0e4ea9d126f223fb7ac0b3471
-
SSDEEP
24576:eYhos91WO8ZCh9/9D/bLWLcygotSl2G6PrOTg0cm+pS8Yx:7hos91N7h9/9bbLWrdSl2G6PrOTg0cmh
Malware Config
Extracted
formbook
4.1
ch24
tmicp.com
lauriceiker.quest
neighbor-works.com
santiemprenderich.wiki
thecraftytxdogmom.com
abramolfactory.com
prettylittlesoles.com
thistimeandilove.space
imperialshaving.com
aflorideallgarden.com
thbfjs.com
marketmove.info
echocoins.com
ztkzw.com
sandyhookfishandribhouse.com
gamesxfr.com
frontline500.com
cbburrnet.com
boliviaoferta.com
jdzmklc.com
talishvestnik.store
nwnnv.com
knuckleheadreviews.com
fashionfanfic.com
hammersquad.site
rccad.cloud
industry4.fans
megawatchesplace.com
mkihm.com
ibets.xyz
cursosviirtuales.com
megaprohousess.club
nuevavidafh.com
eliteconfidence.sbs
stsywang.com
uw-kaartdienst.icu
siamnotes.com
justanitaliangirl.com
emaxpy.xyz
brdightstar.com
smartnftbuy.com
theyardwarehouse.com
theecocup.com
maxhomecares.com
60minutestocash.com
pitbullwallet.com
burgerkinghous.com
selfrepayingmortgage.com
forumsfactoryworker.com
jjtv.xyz
lapmangfpt5g.com
ypeakwellness.online
cialispill.quest
cocoonlasvegas.com
troppklaus.quest
yusratouma.xyz
olegknig.quest
6l928r-upps.club
trangphucdoanhnhan.com
dermacares74.com
tintarellawine.com
taammu.com
changhaiquan.com
jakobtanenhaus.com
opticonlms.com
Signatures
-
Formbook family
-
Formbook payload 4 IoCs
resource yara_rule behavioral2/memory/4888-8-0x0000000000400000-0x0000000000459000-memory.dmp formbook behavioral2/memory/4888-11-0x0000000000400000-0x0000000000459000-memory.dmp formbook behavioral2/memory/4888-18-0x0000000000400000-0x0000000000459000-memory.dmp formbook behavioral2/memory/4384-25-0x0000000000D90000-0x0000000000DBF000-memory.dmp formbook -
Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Oracle\VirtualBox Guest Additions doc06520720220131121555,pdf.exe -
Looks for VMWare Tools registry key 2 TTPs 1 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\VMware, Inc.\VMware Tools doc06520720220131121555,pdf.exe -
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion doc06520720220131121555,pdf.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion doc06520720220131121555,pdf.exe -
Maps connected drives based on registry 3 TTPs 2 IoCs
Disk information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum doc06520720220131121555,pdf.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 doc06520720220131121555,pdf.exe -
Suspicious use of SetThreadContext 4 IoCs
description pid Process procid_target PID 2916 set thread context of 4888 2916 doc06520720220131121555,pdf.exe 87 PID 4888 set thread context of 3452 4888 TpmTool.exe 56 PID 4888 set thread context of 3452 4888 TpmTool.exe 56 PID 4384 set thread context of 3452 4384 msdt.exe 56 -
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language doc06520720220131121555,pdf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language TpmTool.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language msdt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 2916 doc06520720220131121555,pdf.exe 2916 doc06520720220131121555,pdf.exe 2916 doc06520720220131121555,pdf.exe 2916 doc06520720220131121555,pdf.exe 2916 doc06520720220131121555,pdf.exe 2916 doc06520720220131121555,pdf.exe 2916 doc06520720220131121555,pdf.exe 2916 doc06520720220131121555,pdf.exe 2916 doc06520720220131121555,pdf.exe 2916 doc06520720220131121555,pdf.exe 4888 TpmTool.exe 4888 TpmTool.exe 4888 TpmTool.exe 4888 TpmTool.exe 2916 doc06520720220131121555,pdf.exe 2916 doc06520720220131121555,pdf.exe 4888 TpmTool.exe 4888 TpmTool.exe 4384 msdt.exe 4384 msdt.exe 4384 msdt.exe 4384 msdt.exe 4384 msdt.exe 4384 msdt.exe 4384 msdt.exe 4384 msdt.exe 4384 msdt.exe 4384 msdt.exe 4384 msdt.exe 4384 msdt.exe 4384 msdt.exe 4384 msdt.exe 4384 msdt.exe 4384 msdt.exe 4384 msdt.exe 4384 msdt.exe 4384 msdt.exe 4384 msdt.exe 4384 msdt.exe 4384 msdt.exe 4384 msdt.exe 4384 msdt.exe 4384 msdt.exe 4384 msdt.exe 4384 msdt.exe 4384 msdt.exe 4384 msdt.exe 4384 msdt.exe 4384 msdt.exe 4384 msdt.exe 4384 msdt.exe 4384 msdt.exe 4384 msdt.exe 4384 msdt.exe 4384 msdt.exe 4384 msdt.exe 4384 msdt.exe 4384 msdt.exe 4384 msdt.exe 4384 msdt.exe 4384 msdt.exe 4384 msdt.exe 4384 msdt.exe 4384 msdt.exe -
Suspicious behavior: MapViewOfSection 6 IoCs
pid Process 4888 TpmTool.exe 4888 TpmTool.exe 4888 TpmTool.exe 4888 TpmTool.exe 4384 msdt.exe 4384 msdt.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
description pid Process Token: SeDebugPrivilege 2916 doc06520720220131121555,pdf.exe Token: SeDebugPrivilege 4888 TpmTool.exe Token: SeDebugPrivilege 4384 msdt.exe -
Suspicious use of WriteProcessMemory 16 IoCs
description pid Process procid_target PID 2916 wrote to memory of 4280 2916 doc06520720220131121555,pdf.exe 86 PID 2916 wrote to memory of 4280 2916 doc06520720220131121555,pdf.exe 86 PID 2916 wrote to memory of 4280 2916 doc06520720220131121555,pdf.exe 86 PID 2916 wrote to memory of 4888 2916 doc06520720220131121555,pdf.exe 87 PID 2916 wrote to memory of 4888 2916 doc06520720220131121555,pdf.exe 87 PID 2916 wrote to memory of 4888 2916 doc06520720220131121555,pdf.exe 87 PID 2916 wrote to memory of 4888 2916 doc06520720220131121555,pdf.exe 87 PID 2916 wrote to memory of 4888 2916 doc06520720220131121555,pdf.exe 87 PID 2916 wrote to memory of 4888 2916 doc06520720220131121555,pdf.exe 87 PID 2916 wrote to memory of 4888 2916 doc06520720220131121555,pdf.exe 87 PID 3452 wrote to memory of 4384 3452 Explorer.EXE 89 PID 3452 wrote to memory of 4384 3452 Explorer.EXE 89 PID 3452 wrote to memory of 4384 3452 Explorer.EXE 89 PID 4384 wrote to memory of 2912 4384 msdt.exe 90 PID 4384 wrote to memory of 2912 4384 msdt.exe 90 PID 4384 wrote to memory of 2912 4384 msdt.exe 90
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Suspicious use of WriteProcessMemory
PID:3452 -
C:\Users\Admin\AppData\Local\Temp\doc06520720220131121555,pdf.exe"C:\Users\Admin\AppData\Local\Temp\doc06520720220131121555,pdf.exe"2⤵
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Maps connected drives based on registry
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2916 -
C:\Windows\SysWOW64\iexpress.exe"C:\Windows\SysWOW64\iexpress.exe"3⤵PID:4280
-
-
C:\Windows\SysWOW64\TpmTool.exe"C:\Windows\SysWOW64\TpmTool.exe"3⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:4888
-
-
-
C:\Windows\SysWOW64\msdt.exe"C:\Windows\SysWOW64\msdt.exe"2⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4384 -
C:\Windows\SysWOW64\cmd.exe/c del "C:\Windows\SysWOW64\TpmTool.exe"3⤵
- System Location Discovery: System Language Discovery
PID:2912
-
-