Analysis
- max time kernel: 147s
- max time network: 120s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 15/01/2025, 09:04
Static task: static1
Behavioral task: behavioral1
- Sample: SHIPPING DOCS.exe
- Resource: win7-20240903-en
General
- Target: SHIPPING DOCS.exe
- Size: 722KB
- MD5: 8a53a0551259a54c9503f4cf29a67821
- SHA1: edcb94850e63d424604029edf6c720b9d1d6e8df
- SHA256: 8bd60c5add862eb634b15fad4020a9afcf8ed6f523485665c80044f90bc8b305
- SHA512: 3518a786a8947051a55914d12b564c5fdaebe3167b4b34b72ae7dc855cba781fe72743e505367c1e0e566d0dc26822b020bec9b8fa4d4426749da9b059d2ff1f
- SSDEEP: 12288:/b1PloJNhQ/cWS7stv2EJ7yYqMSKlaU7/IYV51GMER0eTRpqbMLWuRsQsAAHO/:ZiJN+UVsDhyYWKlh0So0IpqwLWueQspu
Malware Config
Extracted
- Family: formbook
- Version: 4.1
- Campaign: a03d
Signatures
- Formbook family
- Formbook payload (3 IoCs)
  resource | yara_rule
  - behavioral1/memory/1940-24-0x0000000000400000-0x000000000042F000-memory.dmp | formbook
  - behavioral1/memory/1940-27-0x0000000000400000-0x000000000042F000-memory.dmp | formbook
  - behavioral1/memory/1804-29-0x0000000000080000-0x00000000000AF000-memory.dmp | formbook
- Command and Scripting Interpreter: PowerShell (1 TTPs, 2 IoCs)
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  pid | Process
  - 1792 | powershell.exe
  - 2764 | powershell.exe
- Suspicious use of SetThreadContext (4 IoCs)
  description | pid | Process | procid_target
  - PID 2248 set thread context of 1940 | 2248 | SHIPPING DOCS.exe | 37
  - PID 1940 set thread context of 1216 | 1940 | RegSvcs.exe | 21
  - PID 1940 set thread context of 1216 | 1940 | RegSvcs.exe | 21
  - PID 1804 set thread context of 1216 | 1804 | chkdsk.exe | 21
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTPs, 6 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  - Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
  - Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | SHIPPING DOCS.exe
  - Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | powershell.exe
  - Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | powershell.exe
  - Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | schtasks.exe
  - Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | chkdsk.exe
- System Network Configuration Discovery: Internet Connection Discovery (1 TTPs, 1 IoCs)
  Adversaries may check for Internet connectivity on compromised systems.
  pid | Process
  - 2248 | SHIPPING DOCS.exe
- Enumerates system info in registry (2 TTPs, 1 IoCs)
  description | ioc | Process
  - Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier | chkdsk.exe
- Scheduled Task/Job: Scheduled Task (1 TTPs, 1 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid | Process
  - 2836 | schtasks.exe
- Suspicious behavior: EnumeratesProcesses (32 IoCs)
  pid | Process
  - 2248 | SHIPPING DOCS.exe (2 entries)
  - 2764 | powershell.exe (1 entry)
  - 1792 | powershell.exe (1 entry)
  - 1940 | RegSvcs.exe (3 entries)
  - 1804 | chkdsk.exe (remaining 25 entries)
- Suspicious behavior: MapViewOfSection (6 IoCs)
  pid | Process
  - 1940 | RegSvcs.exe (4 entries)
  - 1804 | chkdsk.exe (2 entries)
- Suspicious use of AdjustPrivilegeToken (5 IoCs)
  description | pid | Process
  - Token: SeDebugPrivilege | 2248 | SHIPPING DOCS.exe
  - Token: SeDebugPrivilege | 2764 | powershell.exe
  - Token: SeDebugPrivilege | 1792 | powershell.exe
  - Token: SeDebugPrivilege | 1940 | RegSvcs.exe
  - Token: SeDebugPrivilege | 1804 | chkdsk.exe
- Suspicious use of WriteProcessMemory (30 IoCs)
  description | pid | Process | procid_target (duplicate rows collapsed with counts)
  - PID 2248 wrote to memory of 1792 | 2248 | SHIPPING DOCS.exe | 31 (4 entries)
  - PID 2248 wrote to memory of 2764 | 2248 | SHIPPING DOCS.exe | 33 (4 entries)
  - PID 2248 wrote to memory of 2836 | 2248 | SHIPPING DOCS.exe | 35 (4 entries)
  - PID 2248 wrote to memory of 1940 | 2248 | SHIPPING DOCS.exe | 37 (10 entries)
  - PID 1216 wrote to memory of 1804 | 1216 | Explorer.EXE | 38 (4 entries)
  - PID 1804 wrote to memory of 2792 | 1804 | chkdsk.exe | 39 (4 entries)
Processes (process tree; each entry gives the image path, the command line, the PID and the signatures triggered)
- C:\Windows\Explorer.EXE (PID 1216)
  Command line: C:\Windows\Explorer.EXE
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\SHIPPING DOCS.exe (PID 2248)
    Command line: "C:\Users\Admin\AppData\Local\Temp\SHIPPING DOCS.exe"
    Signatures: Suspicious use of SetThreadContext; System Location Discovery: System Language Discovery; System Network Configuration Discovery: Internet Connection Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 1792)
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\SHIPPING DOCS.exe"
      Signatures: Command and Scripting Interpreter: PowerShell; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
    - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 2764)
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\HcXqyZTglEDQeU.exe"
      Signatures: Command and Scripting Interpreter: PowerShell; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
    - C:\Windows\SysWOW64\schtasks.exe (PID 2836)
      Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\HcXqyZTglEDQeU" /XML "C:\Users\Admin\AppData\Local\Temp\tmp1A16.tmp"
      Signatures: System Location Discovery: System Language Discovery; Scheduled Task/Job: Scheduled Task
    - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe (PID 1940)
      Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
      Signatures: Suspicious use of SetThreadContext; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: MapViewOfSection; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\chkdsk.exe (PID 1804)
    Command line: "C:\Windows\SysWOW64\chkdsk.exe"
    Signatures: Suspicious use of SetThreadContext; System Location Discovery: System Language Discovery; Enumerates system info in registry; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: MapViewOfSection; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe (PID 2792)
      Command line: /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
      Signatures: System Location Discovery: System Language Discovery
Network
(no entries recorded in this section)
MITRE ATT&CK Enterprise v15
Execution
- Command and Scripting Interpreter (1)
  - PowerShell (1)
- Scheduled Task/Job (1)
  - Scheduled Task (1)
Downloads
- (file path not shown)
  - Filesize: 1KB
  - MD5: ed45e7b39a149b39187b674380777bbc
  - SHA1: c4a4217bec1ba7b43fe4545c1441b65a7d43f03d
  - SHA256: a7c88824d3d4cf7c3782b0897efced3a678dbc16a193d8245914d7875572e303
  - SHA512: b2d529de5dbe6d084809aa90b3b2991f09c322e7690da26200a60804929afc8c4ce8ab61b0bbd5e16c59eed0148b3bd3b25cb5987ac07b357af6a2ee61074640
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
  - Filesize: 7KB
  - MD5: 7c6ca53d2bbdfeb0ceef4d13256b385b
  - SHA1: b6e89627133f07069c998b4527868be5555c6f2d
  - SHA256: 2cd084f97abb8c75e36a863cc828457cf4a76982cb51562cac9cc112ccedd1cb
  - SHA512: 0219f05ae74864ca0b72af3473c20e3ad88ab6fae132ab1d2735991b464ed424c2286faeccaa72083c517dbacf3cb66805052996f97aa65f71a997c94ed02f49