Analysis
max time kernel: 149s
max time network: 158s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 03/01/2025, 07:52
Static task: static1
Behavioral task: behavioral1
Sample: AC885D6C380D9945DC8D2A7DA3F9F11C8B4F5CCA0694ABB031D67009F8199213.exe
Resource: win7-20241010-en
General
Target: AC885D6C380D9945DC8D2A7DA3F9F11C8B4F5CCA0694ABB031D67009F8199213.exe
Size: 1.2MB
MD5: 2f9f420ce8696e4023df23d7fb12c87d
SHA1: fe38bf7aca5900eafae8fc160d9237ee78fbacc3
SHA256: ac885d6c380d9945dc8d2a7da3f9f11c8b4f5cca0694abb031d67009f8199213
SHA512: 8cb054cd64fac8ebfcf2c841e05f884303862901f6eb55b5b9c84adb64d225bc3537b2d6d35be4fdecff34ed025cdb821f17f3d2cbdea5875f027c2999bd351b
SSDEEP: 24576:eqDEvCTbMWu7rQYlBQcBiT6rprG8aWSl57vZtF9oRG3rP:eTvC/MTQYxsWR7aW4viGb
Malware Config
Extracted
Family: formbook
Version: 4.1
Campaign: k94g
Domains (C2 and decoys, as extracted):
nstandgoz.xyz
dhd-treatment-37310.bond
13s-braces-us-ze.fun
umdona.shop
96ph803ql.bond
kka9max.net
corporate-10.xyz
edicalassistance869840.online
lobalresources-bh.xyz
3145978.xyz
ovdaawebsite.online
etting-thailand.net
icloud.xyz
poxk.shop
25ks-ls72510.cyou
women.info
iwyrfbfvhv9.asia
luratu.xyz
ffordable-power-charger.today
edanuryilmaz.xyz
spsbcu.info
kidaman12.click
uringx.top
tockportflat.earth
efafi.fun
alamfestival.online
3mg.pro
epression-treatment-61078.bond
uvs-in-au.today
adeinindonesia.shop
antarcim.xyz
taffguest.net
ystoresc.top
andtools-ml-us.xyz
uoldid.shop
yougouafive.sbs
bitdadenetim.xyz
osmetologysschool7.today
appyeveryday.shop
oof-replacement-38157.bond
ominic-paaaa.buzz
olar-panel-jobs-81246.bond
emlockgolfcourse.shop
tdljo.shop
heoryinteractive.net
lasscraftdesigns.lol
j2i.xyz
itchen-deals-94653.bond
amuel-saaad.buzz
ennettsassociates.net
lectriciansnearme.ltd
yler-paaae.buzz
ruises-67637.bond
lickshopper.shop
louddriver.xyz
ental-bridges-86496.bond
uturemedia.live
48312354.top
ome-loans-16952.bond
anteng777.info
ugold-ss2.net
hmyphoto.click
70872.club
lossqdetailing.net
octurnalaurora.buzz
Note: many of the extracted entries appear to be missing their leading character (for example edicalassistance869840.online, lectriciansnearme.ltd, ome-loans-16952.bond), so treat them as partial indicators and match on the suffix rather than the exact string when hunting. Formbook's configuration mixes the live C2 with decoy domains; the extractor output does not say which one is the real C2.
Signatures

Formbook family

Formbook payload (3 IoCs)
  resource                                                                      yara_rule
  behavioral2/memory/2300-6-0x0000000000400000-0x000000000042F000-memory.dmp    formbook
  behavioral2/memory/2300-9-0x0000000000400000-0x000000000042F000-memory.dmp    formbook
  behavioral2/memory/2300-13-0x0000000000400000-0x000000000042F000-memory.dmp   formbook

Suspicious use of SetThreadContext (3 IoCs)
  description                           pid   process                                                                  procid_target
  PID 1516 set thread context of 2300   1516  AC885D6C380D9945DC8D2A7DA3F9F11C8B4F5CCA0694ABB031D67009F8199213.exe  82
  PID 2300 set thread context of 3500   2300  svchost.exe                                                              56
  PID 2300 set thread context of 3500   2300  svchost.exe                                                              56

System Location Discovery: System Language Discovery (1 TTP, 1 IoC)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description   ioc                                                           process
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   AC885D6C380D9945DC8D2A7DA3F9F11C8B4F5CCA0694ABB031D67009F8199213.exe

Suspicious behavior: EnumeratesProcesses (6 IoCs)
  pid   process
  2300  svchost.exe   (6 occurrences)

Suspicious behavior: MapViewOfSection (3 IoCs)
  pid   process
  1516  AC885D6C380D9945DC8D2A7DA3F9F11C8B4F5CCA0694ABB031D67009F8199213.exe
  2300  svchost.exe
  2300  svchost.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
  description               pid   process
  Token: SeDebugPrivilege   2300  svchost.exe

Suspicious use of FindShellTrayWindow (2 IoCs)
  pid   process
  1516  AC885D6C380D9945DC8D2A7DA3F9F11C8B4F5CCA0694ABB031D67009F8199213.exe   (2 occurrences)

Suspicious use of SendNotifyMessage (2 IoCs)
  pid   process
  1516  AC885D6C380D9945DC8D2A7DA3F9F11C8B4F5CCA0694ABB031D67009F8199213.exe   (2 occurrences)

Suspicious use of WriteProcessMemory (4 IoCs)
  description                      pid   process                                                                  procid_target
  PID 1516 wrote to memory of 2300  1516  AC885D6C380D9945DC8D2A7DA3F9F11C8B4F5CCA0694ABB031D67009F8199213.exe  82   (4 occurrences)
Processes

C:\Windows\Explorer.EXE (PID 3500)
  command line: C:\Windows\Explorer.EXE
  |
  +-- C:\Users\Admin\AppData\Local\Temp\AC885D6C380D9945DC8D2A7DA3F9F11C8B4F5CCA0694ABB031D67009F8199213.exe (PID 1516)
  |     command line: "C:\Users\Admin\AppData\Local\Temp\AC885D6C380D9945DC8D2A7DA3F9F11C8B4F5CCA0694ABB031D67009F8199213.exe"
  |     signatures:
  |       - Suspicious use of SetThreadContext
  |       - System Location Discovery: System Language Discovery
  |       - Suspicious behavior: MapViewOfSection
  |       - Suspicious use of FindShellTrayWindow
  |       - Suspicious use of SendNotifyMessage
  |       - Suspicious use of WriteProcessMemory
  |     |
  |     +-- C:\Windows\SysWOW64\svchost.exe (PID 2300)
  |           command line: "C:\Users\Admin\AppData\Local\Temp\AC885D6C380D9945DC8D2A7DA3F9F11C8B4F5CCA0694ABB031D67009F8199213.exe"
  |           signatures:
  |             - Suspicious use of SetThreadContext
  |             - Suspicious behavior: EnumeratesProcesses
  |             - Suspicious behavior: MapViewOfSection
  |             - Suspicious use of AdjustPrivilegeToken
  |
  +-- C:\Windows\SysWOW64\autofmt.exe (PID 1720)
  |     command line: "C:\Windows\SysWOW64\autofmt.exe"
  |
  +-- C:\Windows\SysWOW64\autofmt.exe (PID 4172)
  |     command line: "C:\Windows\SysWOW64\autofmt.exe"
  |
  +-- C:\Windows\SysWOW64\autofmt.exe (PID 940)
  |     command line: "C:\Windows\SysWOW64\autofmt.exe"
  |
  +-- C:\Windows\SysWOW64\autofmt.exe (PID 1812)
        command line: "C:\Windows\SysWOW64\autofmt.exe"
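The SetThreadContext and WriteProcessMemory rows in the Signatures section, read together with the process listing, describe a two-hop injection that is consistent with process hollowing: the sample (PID 1516) writes into and sets the thread context of a SysWOW64\svchost.exe (PID 2300) that was started with the sample's own command line, and that svchost.exe then sets the thread context of Explorer.EXE (PID 3500). The script below is an added example, not code from tria.ge or from this report. It transcribes those rows inline as a constructed event log in an assumed "api src_pid dst_pid" line format, rebuilds the injection chain from them, and flags the image-path versus command-line mismatch that identifies the hollowed process. The line format and all function names are assumptions made for the example.

```python
"""Rebuild the injection chain and spot the hollowed process from sandbox rows.

Added example; not code from tria.ge or from this report. The event-line
format, the function names and the inline transcription of the report rows
are assumptions made for the example.
"""
import ntpath
import re
from collections import defaultdict

SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\AC885D6C380D9945DC8D2A7DA3F9F11C8B4F5CCA0694ABB031D67009F8199213.exe")

# Constructed input: the SetThreadContext and WriteProcessMemory rows from the
# Signatures section, one per line as "api src_pid dst_pid" (assumed format).
EVENT_LOG = """\
SetThreadContext 1516 2300
WriteProcessMemory 1516 2300
WriteProcessMemory 1516 2300
WriteProcessMemory 1516 2300
WriteProcessMemory 1516 2300
SetThreadContext 2300 3500
SetThreadContext 2300 3500
"""

# Process listing transcribed from the Processes section: pid -> (image path, command line).
PROCESSES = {
    3500: (r"C:\Windows\Explorer.EXE", r"C:\Windows\Explorer.EXE"),
    1516: (SAMPLE, f'"{SAMPLE}"'),
    2300: (r"C:\Windows\SysWOW64\svchost.exe", f'"{SAMPLE}"'),
    1720: (r"C:\Windows\SysWOW64\autofmt.exe", r'"C:\Windows\SysWOW64\autofmt.exe"'),
    4172: (r"C:\Windows\SysWOW64\autofmt.exe", r'"C:\Windows\SysWOW64\autofmt.exe"'),
    940: (r"C:\Windows\SysWOW64\autofmt.exe", r'"C:\Windows\SysWOW64\autofmt.exe"'),
    1812: (r"C:\Windows\SysWOW64\autofmt.exe", r'"C:\Windows\SysWOW64\autofmt.exe"'),
}

EVENT_RE = re.compile(r"^(\w+)\s+(\d+)\s+(\d+)$")


def parse_events(text):
    """Parse 'api src dst' lines into (api, src_pid, dst_pid) tuples; reject anything else."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = EVENT_RE.match(line)
        if not m:
            raise ValueError(f"unparseable event line: {line!r}")
        events.append((m.group(1), int(m.group(2)), int(m.group(3))))
    return events


def claimed_image(cmdline):
    """The binary a command line claims to run: its first (possibly quoted) token."""
    cmdline = cmdline.strip()
    if cmdline.startswith('"'):
        return cmdline[1:cmdline.index('"', 1)]
    return cmdline.split(" ", 1)[0]


def image_mismatches(procs):
    """PIDs whose command line names a different binary than the loaded image.

    A hollowed process keeps the image of the suspended target (svchost.exe)
    but carries whatever command line the injector passed to CreateProcess.
    """
    return {pid: (image, claimed_image(cmdline))
            for pid, (image, cmdline) in procs.items()
            if claimed_image(cmdline).lower() != image.lower()}


def injection_edges(events):
    """(src, dst) -> set of cross-process APIs, kept only where src set dst's thread context."""
    apis = defaultdict(set)
    for api, src, dst in events:
        if src != dst:
            apis[(src, dst)].add(api)
    return {edge: seen for edge, seen in apis.items() if "SetThreadContext" in seen}


def classify_edge(apis):
    """Label an injection edge by the APIs observed on it."""
    if "WriteProcessMemory" in apis:
        return "hollowing (WriteProcessMemory + SetThreadContext)"
    return "thread-context hijack (no WriteProcessMemory seen; payload likely delivered via a mapped section)"


def injection_chains(edges):
    """Follow injector -> victim -> next victim from every process that is never itself a victim."""
    children = defaultdict(list)
    for src, dst in edges:
        children[src].append(dst)
    victims = {dst for _, dst in edges}
    roots = sorted({src for src, _ in edges if src not in victims})
    chains = []

    def walk(pid, path):
        nxt = [c for c in children.get(pid, []) if c not in path]  # cycle guard
        if not nxt:
            chains.append(path)
        for c in nxt:
            walk(c, path + [c])

    for root in roots:
        walk(root, [root])
    return chains


def report(event_text=EVENT_LOG, procs=PROCESSES):
    """Summarise chains, per-edge technique and hollowed processes as a list of lines."""
    edges = injection_edges(parse_events(event_text))

    def name(pid):
        return f"{pid}:{ntpath.basename(procs[pid][0])}"

    lines = [" -> ".join(name(p) for p in chain) for chain in injection_chains(edges)]
    lines += [f"{name(s)} -> {name(d)}: {classify_edge(seen)}" for (s, d), seen in sorted(edges.items())]
    lines += [f"{name(pid)} claims to be {ntpath.basename(claimed)}"
              for pid, (_, claimed) in sorted(image_mismatches(procs).items())]
    return lines


if __name__ == "__main__":
    print("\n".join(report()))
```

On this report's rows the script yields the single chain 1516 -> 2300 -> 3500, labels the first hop as hollowing and the second as a thread-context hijack without a recorded WriteProcessMemory (the MapViewOfSection hits on PID 2300 are the likely delivery path, but the rows alone do not prove it), and flags PID 2300 as the only process whose command line names a different binary than its image. The four autofmt.exe children of Explorer.EXE have consistent image and command line and no cross-process events in the rows, so they are not flagged; correlating them with the chain requires parent-PID data the report's rows do not carry.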