Analysis
  max time kernel:   147s
  max time network:  147s
  platform:          windows10-2004_x64
  resource:          win10v2004-20241007-en
  resource tags:     arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  submitted:         03/01/2025, 07:49
Static task
  static1

Behavioral task
  behavioral1
  Sample:   4C29ECF0655519C8700F3392A1C2C962B523E9DE0D34190B7D85E6C35D731BF2.exe
  Resource: win7-20240903-en
General
  Target:  4C29ECF0655519C8700F3392A1C2C962B523E9DE0D34190B7D85E6C35D731BF2.exe
  Size:    1.0MB
  MD5:     7219e991b1a4822c91639c242baed0fe
  SHA1:    b30d7f1a38efe698d5a94fa9c70b6e3f21f8439c
  SHA256:  4c29ecf0655519c8700f3392a1c2c962b523e9de0d34190b7d85e6c35d731bf2
  SHA512:  330a786b1a7ecaf849761ff9f1b9959e0b572bf7efc7328dc048b9b5cb8b7342f0f1d7fad2a97fe4f25204cb21a218271f7128202f44189bae18865d32f02e87
  SSDEEP:  24576:YAHnh+eWsN3skA4RV1Hom2KXMmHaMid+s8N5:fh+ZkldoPK8YaM3H
Malware Config
Extracted
  Family:   formbook
  Version:  4.1
  Campaign: as02
  Domains:
qwin777.com
robinhoods.live
h3jh-dal.pics
braindeadcopywriting.com
kktcbet1000.com
mpo0463.cfd
raboteshoes.com
ab1718.com
lowcrusiers.com
gregcopelandmusic.com
dkfndch.store
firstclassuni.com
00ewu1ub.com
shunweichemical.com
sugarits.com
marqify.com
mistmajik.com
trezip.online
tinytables.xyz
suestergocoaching.com
dominoad.com
specials.website
thatpilatesgirl.com
vrexpressok.com
sdegtho.com
svhomesinspections.com
rumbol88.com
dzplricfpf.com
fastcoolify.com
bloominginwholeness.com
12ser3.com
curtsreno.com
defx.ventures
dev-patel.xyz
ltyidc.com
wheiunudweowuqiwuebfyewui3.com
039c5m2ciwt99.top
pmpm.xyz
akabuka.net
parkerslandscapingllc.com
hamcast.com
jiangcapable.site
sassysensoryclips.com
arsalan.shop
thecryptocaviar.com
ofbsconsulting.com
j8j3e.cfd
cinexgltd.com
justcallnadia.com
qcyiran.com
uniseekglobal.com
milieunightclub.com
sisasimoslot.com
svizzblem.net
20644.asia
shroomberparty.com
contractcrafters.net
selectstylehome.shop
blackhillspr.com
topsolutionquality.online
diywithbje.com
simplywellcoach.com
popothebear.site
entendiendomedicare.com
sopaindam.com
Signatures

Formbook family

Formbook payload (3 IoCs)
  resource                                                                      yara_rule
  behavioral2/memory/3052-11-0x0000000000400000-0x000000000042F000-memory.dmp   formbook
  behavioral2/memory/3052-14-0x0000000000400000-0x000000000042F000-memory.dmp   formbook
  behavioral2/memory/4716-20-0x0000000000620000-0x000000000064F000-memory.dmp   formbook

Suspicious use of SetThreadContext (3 IoCs)
  description                          pid    Process                                                                 procid_target
  PID 3192 set thread context of 3052  3192   4C29ECF0655519C8700F3392A1C2C962B523E9DE0D34190B7D85E6C35D731BF2.exe   83
  PID 3052 set thread context of 3540  3052   svchost.exe                                                             56
  PID 4716 set thread context of 3540  4716   rundll32.exe                                                            56

System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description   ioc                                                          Process
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   4C29ECF0655519C8700F3392A1C2C962B523E9DE0D34190B7D85E6C35D731BF2.exe
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   rundll32.exe
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   cmd.exe
Suspicious behavior: EnumeratesProcesses (62 IoCs)
  pid    Process
  3052   svchost.exe    (4 entries)
  4716   rundll32.exe   (58 entries)

Suspicious behavior: MapViewOfSection (6 IoCs)
  pid    Process
  3192   4C29ECF0655519C8700F3392A1C2C962B523E9DE0D34190B7D85E6C35D731BF2.exe
  3052   svchost.exe    (3 entries)
  4716   rundll32.exe   (2 entries)

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description               pid    Process
  Token: SeDebugPrivilege   3052   svchost.exe
  Token: SeDebugPrivilege   4716   rundll32.exe

Suspicious use of FindShellTrayWindow (2 IoCs)
  pid    Process
  3192   4C29ECF0655519C8700F3392A1C2C962B523E9DE0D34190B7D85E6C35D731BF2.exe   (2 entries)

Suspicious use of SendNotifyMessage (2 IoCs)
  pid    Process
  3192   4C29ECF0655519C8700F3392A1C2C962B523E9DE0D34190B7D85E6C35D731BF2.exe   (2 entries)

Suspicious use of WriteProcessMemory (10 IoCs)
  description                        pid    Process                                                                 procid_target
  PID 3192 wrote to memory of 3052   3192   4C29ECF0655519C8700F3392A1C2C962B523E9DE0D34190B7D85E6C35D731BF2.exe   83   (4 entries)
  PID 3540 wrote to memory of 4716   3540   Explorer.EXE                                                            84   (3 entries)
  PID 4716 wrote to memory of 3120   4716   rundll32.exe                                                            86   (3 entries)
Processes

Depth 1: C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE
  PID: 3540
  - Suspicious use of WriteProcessMemory

  Depth 2: C:\Users\Admin\AppData\Local\Temp\4C29ECF0655519C8700F3392A1C2C962B523E9DE0D34190B7D85E6C35D731BF2.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\4C29ECF0655519C8700F3392A1C2C962B523E9DE0D34190B7D85E6C35D731BF2.exe"
    PID: 3192
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory

    Depth 3: C:\Windows\SysWOW64\svchost.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\4C29ECF0655519C8700F3392A1C2C962B523E9DE0D34190B7D85E6C35D731BF2.exe"
      PID: 3052
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken

  Depth 2: C:\Windows\SysWOW64\rundll32.exe
    Command line: "C:\Windows\SysWOW64\rundll32.exe"
    PID: 4716
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    Depth 3: C:\Windows\SysWOW64\cmd.exe
      Command line: /c del "C:\Windows\SysWOW64\svchost.exe"
      PID: 3120
      - System Location Discovery: System Language Discovery