Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
  max time kernel: 149s
  max time network: 120s
  platform: windows7_x64
  resource: win7-20241023-en
  resource tags: arch:x64, arch:x86, image:win7-20241023-en, locale:en-us, os:windows7-x64, system
  submitted: 30/12/2024, 02:46
Static task: static1
Behavioral task: behavioral1
Sample: Items for new project-6109.exe
Resource: win7-20241023-en
General
  Target: Items for new project-6109.exe
  Size: 519KB
  MD5: 7b2b82719683d8edaf37ec6bd895976f
  SHA1: bda795d0e7993179ab7606142ea445d9d73872e9
  SHA256: f500da8f49bd849bb4f6aa7644458bc0473a47e8ce91a09df137906b429e2ee8
  SHA512: 79b9eea7f65ff9a0410842d1b09a5dd550c8573044d016adb1539f646b86c7212b436133f0b991f0e72c7b14a0f8b08f7df64dd938359953270979955e6625ba
  SSDEEP: 12288:LCZhz3tD005nQeOEPEbEiX4FuQWout8FVNLpA:LCZhjC0I2DJUQjFVN
Malware Config
Extracted
  Family: formbook
  Version: 4.1
  Campaign: wk31
  Domains:
soroban.xyz
irfirstaid.com
irsaycollection.com
thebardownstairsasheville.com
facebookmeta.business
paypalsupportclient.com
metaversusfacebook.com
litakparuikamazon.com
rivianmotorcompany.com
metaversepro.us
ikramfamilypractice.com
bitcoinfuturesetfs.online
5donline.com
rosemount.us
nicole-steinfort.com
performanceautorepairsj.com
scrabblecheats.us
kjg67amazon.com
formerlyknownasfacebook.com
youtubeandgooglepay.online
alexaequipos.com
iboxmeta.com
metaverse-google.com
shadowinformedtherapist.com
com-ibb.co
blueapplesindia.com
globalsxports.com
myfirstxboxgame.com
irsaymuseum.net
alexanderbransoncommercial.com
akive.kr
facebooktometa.com
ko-bae.com
sunnyleoneporn.xyz
harborverse.com
metaversum.us
microsoftsingles.com
arcam.us
cannatomorrow.net
teslacarbattery.info
wellsfarrgorewards.com
rescuemefirstaid.com
blackdiamondwellingtonfl.com
solusvenator.com
managemylif.com
metafirstcoin.com
alexanderferency.com
mutfilms.com
fedex-express-parcels.com
wellnessfirst-pembroke.ca
authsecurre02.bid
meta-spacex.com
meta-nascar.com
stelladot.us
yaruky.xyz
bitfarms.xyz
airsoftmeta.com
firststepcenter.net
scottdunn.voyage
zenubium.us
healthplans2023.com
metamorphosisfacebook.com
facebooksecurity.cloud
sebaspfc.com
firstho.com
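The domain list above is the sample's extracted Formbook configuration. Formbook configs are known to mix the live C2 host with decoy domains that the bot also contacts, and several decoys are real third-party sites, so a single resolution of one of them is a lead to correlate with the process chain below rather than proof of infection on its own. The following is an added example, not part of the tria.ge report, showing how to turn the flattened config block into an indicator set and run it over resolver logs; CONFIG_TEXT is a constructed excerpt in the report's shape, and DNS_LOG is a constructed log with an assumed "timestamp client qtype qname" layout.

```python
"""Match resolver logs against the Formbook domain list shown above.

Added example, not part of the tria.ge report. CONFIG_TEXT is a constructed
excerpt in the same shape as the report's "Malware Config" block (family,
version, campaign, then one domain per line); DNS_LOG is a constructed
resolver log with an assumed "<timestamp> <client> <qtype> <qname>" layout.
"""
import re

CONFIG_TEXT = """\
formbook
4.1
wk31
soroban.xyz
irfirstaid.com
paypalsupportclient.com
com-ibb.co
fedex-express-parcels.com
"""

DNS_LOG = """\
2024-12-30T02:47:01Z 10.0.0.15 A www.soroban.xyz.
2024-12-30T02:47:02Z 10.0.0.15 A notsoroban.xyz.
2024-12-30T02:47:03Z 10.0.0.22 AAAA PayPalSupportClient.COM
2024-12-30T02:47:04Z 10.0.0.15 A update.microsoft.com.
2024-12-30T02:47:05Z 10.0.0.15 A cdn.fedex-express-parcels.com.
"""

# A domain: one or more labels, then a top-level label that starts with a
# letter. The letter requirement drops the version line ("4.1"); the dot
# requirement drops the family and campaign lines ("formbook", "wk31").
_DOMAIN_RE = re.compile(r"^(?:[a-z0-9-]+\.)+[a-z][a-z0-9-]*$")


def normalize(name: str) -> str:
    """Lower-case and strip the trailing dot resolvers print on FQDNs."""
    return name.strip().lower().rstrip(".")


def parse_config_domains(text: str) -> set:
    """Return the domain entries of a flattened Formbook config block."""
    return {normalize(line) for line in text.splitlines()
            if _DOMAIN_RE.match(normalize(line))}


def matching_domain(qname: str, domains: set):
    """Return the config domain that qname equals or sits under, else None.

    Suffixes are compared on label boundaries, so 'www.soroban.xyz' hits
    'soroban.xyz' while 'notsoroban.xyz' does not.
    """
    labels = normalize(qname).split(".")
    for i in range(len(labels) - 1):          # never test the bare TLD
        candidate = ".".join(labels[i:])
        if candidate in domains:
            return candidate
    return None


def match_dns_log(lines, domains: set) -> list:
    """Return one dict per log line whose query name matches an indicator."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 4:
            continue
        ts, client, qtype, qname = parts[:4]
        ioc = matching_domain(qname, domains)
        if ioc is not None:
            hits.append({"time": ts, "client": client, "qtype": qtype,
                         "qname": normalize(qname), "ioc": ioc})
    return hits


if __name__ == "__main__":
    iocs = parse_config_domains(CONFIG_TEXT)
    for hit in match_dns_log(DNS_LOG.splitlines(), iocs):
        print(f"{hit['time']} {hit['client']} asked for {hit['qname']} -> indicator {hit['ioc']}")
```

Suffix matching on label boundaries matters in both directions: subdomains of a listed host (www., cdn.) are caught, while unrelated names that merely end in the same characters are not. Paste the full domain block from the report into CONFIG_TEXT to run it against the whole list.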
Signatures

Formbook family

Formbook payload (4 IoCs)
  resource                                                                      yara_rule
  behavioral1/memory/2884-11-0x0000000000400000-0x000000000042F000-memory.dmp   formbook
  behavioral1/memory/2884-15-0x0000000000400000-0x000000000042F000-memory.dmp   formbook
  behavioral1/memory/2884-20-0x0000000000400000-0x000000000042F000-memory.dmp   formbook
  behavioral1/memory/2688-28-0x0000000000080000-0x00000000000AF000-memory.dmp   formbook

Deletes itself (1 IoC)
  pid   Process
  2772  cmd.exe

Suspicious use of SetThreadContext (4 IoCs)
  description                           pid   Process                          procid_target
  PID 3008 set thread context of 2884   3008  Items for new project-6109.exe   34
  PID 2884 set thread context of 1176   2884  Items for new project-6109.exe   21
  PID 2884 set thread context of 1176   2884  Items for new project-6109.exe   21
  PID 2688 set thread context of 1176   2688  svchost.exe                      21
System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description   ioc                                                          Process
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  svchost.exe
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cmd.exe
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Items for new project-6109.exe
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Items for new project-6109.exe
Suspicious behavior: EnumeratesProcesses (30 IoCs)
  pid   Process                          events
  3008  Items for new project-6109.exe   6
  2884  Items for new project-6109.exe   3
  2688  svchost.exe                      21

Suspicious behavior: MapViewOfSection (6 IoCs)
  pid   Process                          events
  2884  Items for new project-6109.exe   4
  2688  svchost.exe                      2

Suspicious use of AdjustPrivilegeToken (3 IoCs)
  description               pid   Process
  Token: SeDebugPrivilege   3008  Items for new project-6109.exe
  Token: SeDebugPrivilege   2884  Items for new project-6109.exe
  Token: SeDebugPrivilege   2688  svchost.exe

Suspicious use of WriteProcessMemory (27 IoCs)
  description                          pid   Process                          procid_target   events
  PID 3008 wrote to memory of 2808     3008  Items for new project-6109.exe   31              4
  PID 3008 wrote to memory of 2864     3008  Items for new project-6109.exe   32              4
  PID 3008 wrote to memory of 2868     3008  Items for new project-6109.exe   33              4
  PID 3008 wrote to memory of 2884     3008  Items for new project-6109.exe   34              7
  PID 2884 wrote to memory of 2688     2884  Items for new project-6109.exe   35              4
  PID 2688 wrote to memory of 2772     2688  svchost.exe                      36              4
Processes

C:\Windows\Explorer.EXE  (PID 1176)
    command line: C:\Windows\Explorer.EXE
    └─ C:\Users\Admin\AppData\Local\Temp\Items for new project-6109.exe  (PID 3008)
           command line: "C:\Users\Admin\AppData\Local\Temp\Items for new project-6109.exe"
           signatures: Suspicious use of SetThreadContext; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
           ├─ C:\Users\Admin\AppData\Local\Temp\Items for new project-6109.exe  (PID 2808)
           │      command line: "C:\Users\Admin\AppData\Local\Temp\Items for new project-6109.exe"
           ├─ C:\Users\Admin\AppData\Local\Temp\Items for new project-6109.exe  (PID 2864)
           │      command line: "C:\Users\Admin\AppData\Local\Temp\Items for new project-6109.exe"
           ├─ C:\Users\Admin\AppData\Local\Temp\Items for new project-6109.exe  (PID 2868)
           │      command line: "C:\Users\Admin\AppData\Local\Temp\Items for new project-6109.exe"
           └─ C:\Users\Admin\AppData\Local\Temp\Items for new project-6109.exe  (PID 2884)
                  command line: "C:\Users\Admin\AppData\Local\Temp\Items for new project-6109.exe"
                  signatures: Suspicious use of SetThreadContext; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: MapViewOfSection; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
                  └─ C:\Windows\SysWOW64\svchost.exe  (PID 2688)
                         command line: "C:\Windows\SysWOW64\svchost.exe"
                         signatures: Suspicious use of SetThreadContext; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: MapViewOfSection; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
                         └─ C:\Windows\SysWOW64\cmd.exe  (PID 2772)
                                command line: /c del "C:\Users\Admin\AppData\Local\Temp\Items for new project-6109.exe"
                                signatures: Deletes itself; System Location Discovery: System Language Discovery