Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    147s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    15/01/2025, 09:04

General

  • Target

    SHIPPING DOCS.exe

  • Size

    722KB

  • MD5

    8a53a0551259a54c9503f4cf29a67821

  • SHA1

    edcb94850e63d424604029edf6c720b9d1d6e8df

  • SHA256

    8bd60c5add862eb634b15fad4020a9afcf8ed6f523485665c80044f90bc8b305

  • SHA512

    3518a786a8947051a55914d12b564c5fdaebe3167b4b34b72ae7dc855cba781fe72743e505367c1e0e566d0dc26822b020bec9b8fa4d4426749da9b059d2ff1f

  • SSDEEP

    12288:/b1PloJNhQ/cWS7stv2EJ7yYqMSKlaU7/IYV51GMER0eTRpqbMLWuRsQsAAHO/:ZiJN+UVsDhyYWKlh0So0IpqwLWueQspu

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

a03d

Decoy

nfluencer-marketing-13524.bond

cebepu.info

lphatechblog.xyz

haoyun.website

itiz.xyz

orld-visa-center.online

si.art

alata.xyz

mmarketing.xyz

elnqdjc.shop

ensentoto.cloud

voyagu.info

onvert.today

1fuli9902.shop

otelhafnia.info

rumpchiefofstaff.store

urvivalflashlights.shop

0090.pizza

ings-hu-13.today

oliticalpatriot.net

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

  • Formbook family
  • Formbook payload 3 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

  • Suspicious use of SetThreadContext 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

  • Enumerates system info in registry 2 TTPs 1 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 32 IoCs
  • Suspicious behavior: MapViewOfSection 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of WriteProcessMemory 30 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1216
    • C:\Users\Admin\AppData\Local\Temp\SHIPPING DOCS.exe
      "C:\Users\Admin\AppData\Local\Temp\SHIPPING DOCS.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • System Network Configuration Discovery: Internet Connection Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2248
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\SHIPPING DOCS.exe"
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1792
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\HcXqyZTglEDQeU.exe"
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2764
      • C:\Windows\SysWOW64\schtasks.exe
        "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\HcXqyZTglEDQeU" /XML "C:\Users\Admin\AppData\Local\Temp\tmp1A16.tmp"
        3⤵
        • System Location Discovery: System Language Discovery
        • Scheduled Task/Job: Scheduled Task
        PID:2836
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
        3⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        PID:1940
    • C:\Windows\SysWOW64\chkdsk.exe
      "C:\Windows\SysWOW64\chkdsk.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Enumerates system info in registry
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1804
      • C:\Windows\SysWOW64\cmd.exe
        /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2792

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\tmp1A16.tmp

    Filesize

    1KB

    MD5

    ed45e7b39a149b39187b674380777bbc

    SHA1

    c4a4217bec1ba7b43fe4545c1441b65a7d43f03d

    SHA256

    a7c88824d3d4cf7c3782b0897efced3a678dbc16a193d8245914d7875572e303

    SHA512

    b2d529de5dbe6d084809aa90b3b2991f09c322e7690da26200a60804929afc8c4ce8ab61b0bbd5e16c59eed0148b3bd3b25cb5987ac07b357af6a2ee61074640

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

    Filesize

    7KB

    MD5

    7c6ca53d2bbdfeb0ceef4d13256b385b

    SHA1

    b6e89627133f07069c998b4527868be5555c6f2d

    SHA256

    2cd084f97abb8c75e36a863cc828457cf4a76982cb51562cac9cc112ccedd1cb

    SHA512

    0219f05ae74864ca0b72af3473c20e3ad88ab6fae132ab1d2735991b464ed424c2286faeccaa72083c517dbacf3cb66805052996f97aa65f71a997c94ed02f49

  • memory/1804-29-0x0000000000080000-0x00000000000AF000-memory.dmp

    Filesize

    188KB

  • memory/1804-28-0x0000000000250000-0x0000000000257000-memory.dmp

    Filesize

    28KB

  • memory/1940-21-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

  • memory/1940-19-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

  • memory/1940-24-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

  • memory/1940-23-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

    Filesize

    4KB

  • memory/1940-27-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

  • memory/2248-5-0x0000000074910000-0x0000000074FFE000-memory.dmp

    Filesize

    6.9MB

  • memory/2248-6-0x0000000000240000-0x00000000002B8000-memory.dmp

    Filesize

    480KB

  • memory/2248-4-0x000000007491E000-0x000000007491F000-memory.dmp

    Filesize

    4KB

  • memory/2248-3-0x00000000006D0000-0x00000000006F6000-memory.dmp

    Filesize

    152KB

  • memory/2248-0-0x000000007491E000-0x000000007491F000-memory.dmp

    Filesize

    4KB

  • memory/2248-26-0x0000000074910000-0x0000000074FFE000-memory.dmp

    Filesize

    6.9MB

  • memory/2248-2-0x0000000074910000-0x0000000074FFE000-memory.dmp

    Filesize

    6.9MB

  • memory/2248-1-0x00000000002E0000-0x000000000039A000-memory.dmp

    Filesize

    744KB