Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

5

AC885D6C38...13.exe

windows7-x64

10

AC885D6C38...13.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    158s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    03/01/2025, 07:52

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    AC885D6C380D9945DC8D2A7DA3F9F11C8B4F5CCA0694ABB031D67009F8199213.exe

  • Size

    1.2MB

  • MD5

    2f9f420ce8696e4023df23d7fb12c87d

  • SHA1

    fe38bf7aca5900eafae8fc160d9237ee78fbacc3

  • SHA256

    ac885d6c380d9945dc8d2a7da3f9f11c8b4f5cca0694abb031d67009f8199213

  • SHA512

    8cb054cd64fac8ebfcf2c841e05f884303862901f6eb55b5b9c84adb64d225bc3537b2d6d35be4fdecff34ed025cdb821f17f3d2cbdea5875f027c2999bd351b

  • SSDEEP

    24576:eqDEvCTbMWu7rQYlBQcBiT6rprG8aWSl57vZtF9oRG3rP:eTvC/MTQYxsWR7aW4viGb

Score
10/10
formbookk94gdiscoveryratspywarestealertrojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

k94g

Decoy

nstandgoz.xyz

dhd-treatment-37310.bond

13s-braces-us-ze.fun

umdona.shop

96ph803ql.bond

kka9max.net

corporate-10.xyz

edicalassistance869840.online

lobalresources-bh.xyz

3145978.xyz

ovdaawebsite.online

etting-thailand.net

icloud.xyz

poxk.shop

25ks-ls72510.cyou

women.info

iwyrfbfvhv9.asia

luratu.xyz

ffordable-power-charger.today

edanuryilmaz.xyz

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • Formbook family
    formbook
  • Formbook payload 3 IoCs
    rat
  • Suspicious use of SetThreadContext 3 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious behavior: MapViewOfSection 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SendNotifyMessage 2 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:3500
      • C:\Users\Admin\AppData\Local\Temp\AC885D6C380D9945DC8D2A7DA3F9F11C8B4F5CCA0694ABB031D67009F8199213.exe
        "C:\Users\Admin\AppData\Local\Temp\AC885D6C380D9945DC8D2A7DA3F9F11C8B4F5CCA0694ABB031D67009F8199213.exe"
        2⤵
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        • Suspicious use of WriteProcessMemory
        PID:1516
        • C:\Windows\SysWOW64\svchost.exe
          "C:\Users\Admin\AppData\Local\Temp\AC885D6C380D9945DC8D2A7DA3F9F11C8B4F5CCA0694ABB031D67009F8199213.exe"
          3⤵
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of AdjustPrivilegeToken
          PID:2300
      • C:\Windows\SysWOW64\autofmt.exe
        "C:\Windows\SysWOW64\autofmt.exe"
        2⤵
          PID:1720
        • C:\Windows\SysWOW64\autofmt.exe
          "C:\Windows\SysWOW64\autofmt.exe"
          2⤵
            PID:4172
          • C:\Windows\SysWOW64\autofmt.exe
            "C:\Windows\SysWOW64\autofmt.exe"
            2⤵
              PID:940
            • C:\Windows\SysWOW64\autofmt.exe
              "C:\Windows\SysWOW64\autofmt.exe"
              2⤵
                PID:1812

            Network

            MITRE ATT&CK Enterprise v15

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • memory/1516-5-0x0000000003680000-0x0000000003684000-memory.dmp

              Filesize

              16KB

              Download

            • memory/2300-6-0x0000000000400000-0x000000000042F000-memory.dmp

              Filesize

              188KB

              Download

            • memory/2300-7-0x0000000001B00000-0x0000000001E4A000-memory.dmp

              Filesize

              3.3MB

              Download

            • memory/2300-10-0x0000000001E70000-0x0000000001E84000-memory.dmp

              Filesize

              80KB

              Download

            • memory/2300-9-0x0000000000400000-0x000000000042F000-memory.dmp

              Filesize

              188KB

              Download

            • memory/2300-14-0x0000000001EE0000-0x0000000001EF4000-memory.dmp

              Filesize

              80KB

              Download

            • memory/2300-13-0x0000000000400000-0x000000000042F000-memory.dmp

              Filesize

              188KB

              Download

            • memory/3500-11-0x0000000008680000-0x00000000087DD000-memory.dmp

              Filesize

              1.4MB

              Download

            • memory/3500-15-0x00000000087E0000-0x0000000008987000-memory.dmp

              Filesize

              1.7MB

              Download

            • memory/3500-16-0x0000000008680000-0x00000000087DD000-memory.dmp

              Filesize

              1.4MB

              Download

            • memory/3500-17-0x00000000087E0000-0x0000000008987000-memory.dmp

              Filesize

              1.7MB

              Download