Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

payment.exe

windows7-x64

10

payment.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    137s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    16/01/2025, 19:49 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    payment.exe

  • Size

    707KB

  • MD5

    23abe3c84b5db078cf92723357670b30

  • SHA1

    ed9dd2816ee1f01252f0221e1bf717a531440475

  • SHA256

    7a4b80b6d3ea4ca73224197f7d85d763dd953826978cdc30c6e75fb298cfb5ab

  • SHA512

    cab42f389efe9faee486d58d31684d79fd7a3f42c0cee5125f4e6b0dd4d72aa94f97cca167eeb42612363cad9679f21a2986cb97a7673d2266cdf05b7b4c3eb6

  • SSDEEP

    12288:TF0dkI8Xp4gnV2v8gWfRhkMpCof0xrQ53Ms8a+U/gSaE55BO3Uug1o474q7:TudexQ8PfLJRf0FQ53S1NSHjzuU+

Score
10/10
formbooka01ddiscoveryexecutionratspywarestealertrojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

a01d

Decoy

eniorshousing05.shop

rywisevas.biz

4726.pizza

itchen-design-42093.bond

3456.tech

4825.plus

nlinecraps.xyz

itamins-52836.bond

nfluencer-marketing-40442.bond

nline-advertising-58573.bond

rautogroups.net

limbtrip.net

oftware-download-14501.bond

nline-advertising-66733.bond

erity.xyz

xknrksi.icu

x-ist.club

yber-security-26409.bond

oincatch.xyz

onitoring-devices-34077.bond

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • Formbook family
    formbook
  • Formbook payload 2 IoCs
    rat
  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Suspicious use of SetThreadContext 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 60 IoCs
  • Suspicious behavior: MapViewOfSection 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 9 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3424
    • C:\Users\Admin\AppData\Local\Temp\payment.exe
      "C:\Users\Admin\AppData\Local\Temp\payment.exe"
      2⤵
      • Checks computer location settings
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2560
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\payment.exe"
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4604
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\cieYBQwi.exe"
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1488
      • C:\Windows\SysWOW64\schtasks.exe
        "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\cieYBQwi" /XML "C:\Users\Admin\AppData\Local\Temp\tmpBEEB.tmp"
        3⤵
        • System Location Discovery: System Language Discovery
        • Scheduled Task/Job: Scheduled Task
        PID:3732
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
        3⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        PID:4320
    • C:\Windows\SysWOW64\wscript.exe
      "C:\Windows\SysWOW64\wscript.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1200
      • C:\Windows\SysWOW64\cmd.exe
        /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2884

Network

  • flag-us
    DNS
    209.205.72.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    209.205.72.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    140.32.126.40.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    140.32.126.40.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    7.98.22.2.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    7.98.22.2.in-addr.arpa
    IN PTR
    Response
    7.98.22.2.in-addr.arpa
    IN PTR
    a2-22-98-7deploystaticakamaitechnologiescom
  • flag-us
    DNS
    97.17.167.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    97.17.167.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    50.23.12.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    50.23.12.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    241.42.69.40.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    241.42.69.40.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    166.190.18.2.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    166.190.18.2.in-addr.arpa
    IN PTR
    Response
    166.190.18.2.in-addr.arpa
    IN PTR
    a2-18-190-166deploystaticakamaitechnologiescom
  • flag-us
    DNS
    www.4825.plus
    Remote address:
    8.8.8.8:53
    Request
    www.4825.plus
    IN A
    Response
  • flag-us
    DNS
    88.210.23.2.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    88.210.23.2.in-addr.arpa
    IN PTR
    Response
    88.210.23.2.in-addr.arpa
    IN PTR
    a2-23-210-88deploystaticakamaitechnologiescom
  • flag-us
    DNS
    www.ukce.fun
    Remote address:
    8.8.8.8:53
    Request
    www.ukce.fun
    IN A
    Response
  • flag-us
    DNS
    21.236.111.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    21.236.111.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    www.duway.pro
    Remote address:
    8.8.8.8:53
    Request
    www.duway.pro
    IN A
    Response
  • flag-us
    DNS
    www.xknrksi.icu
    Remote address:
    8.8.8.8:53
    Request
    www.xknrksi.icu
    IN A
    Response
  • flag-us
    DNS
    www.leaning-services-53131.bond
    Remote address:
    8.8.8.8:53
    Request
    www.leaning-services-53131.bond
    IN A
    Response
No results found
  • 8.8.8.8:53
    209.205.72.20.in-addr.arpa
    dns
    72 B
     158 B
     1
    1

    DNS Request

    209.205.72.20.in-addr.arpa

  • 8.8.8.8:53
    140.32.126.40.in-addr.arpa
    dns
    72 B
     158 B
     1
    1

    DNS Request

    140.32.126.40.in-addr.arpa

  • 8.8.8.8:53
    7.98.22.2.in-addr.arpa
    dns
    68 B
     129 B
     1
    1

    DNS Request

    7.98.22.2.in-addr.arpa

  • 8.8.8.8:53
    97.17.167.52.in-addr.arpa
    dns
    71 B
     145 B
     1
    1

    DNS Request

    97.17.167.52.in-addr.arpa

  • 8.8.8.8:53
    50.23.12.20.in-addr.arpa
    dns
    70 B
     156 B
     1
    1

    DNS Request

    50.23.12.20.in-addr.arpa

  • 8.8.8.8:53
    241.42.69.40.in-addr.arpa
    dns
    71 B
     145 B
     1
    1

    DNS Request

    241.42.69.40.in-addr.arpa

  • 8.8.8.8:53
    166.190.18.2.in-addr.arpa
    dns
    71 B
     135 B
     1
    1

    DNS Request

    166.190.18.2.in-addr.arpa

  • 8.8.8.8:53
    www.4825.plus
    dns
    59 B
     127 B
     1
    1

    DNS Request

    www.4825.plus

  • 8.8.8.8:53
    88.210.23.2.in-addr.arpa
    dns
    70 B
     133 B
     1
    1

    DNS Request

    88.210.23.2.in-addr.arpa

  • 8.8.8.8:53
    www.ukce.fun
    dns
    58 B
     123 B
     1
    1

    DNS Request

    www.ukce.fun

  • 8.8.8.8:53
    21.236.111.52.in-addr.arpa
    dns
    72 B
     158 B
     1
    1

    DNS Request

    21.236.111.52.in-addr.arpa

  • 8.8.8.8:53
    www.duway.pro
    dns
    59 B
     141 B
     1
    1

    DNS Request

    www.duway.pro

  • 8.8.8.8:53
    www.xknrksi.icu
    dns
    61 B
     126 B
     1
    1

    DNS Request

    www.xknrksi.icu

  • 8.8.8.8:53
    www.leaning-services-53131.bond
    dns
    77 B
     142 B
     1
    1

    DNS Request

    www.leaning-services-53131.bond

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
    Filesize

    2KB

    MD5

    3d086a433708053f9bf9523e1d87a4e8

    SHA1

    b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28

    SHA256

    6f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69

    SHA512

    931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    18KB

    MD5

    8ca68eab0810672c6a73d3294fcb7905

    SHA1

    937b406d8f14b04548f894fbe36778df06a0670a

    SHA256

    099a90123831f358c118c544e2c91b8fd03fe6a9bc6220d91fca41a2ddb0e14d

    SHA512

    6189fa3206ea551a6dcd4a083b4bc79e18f3634ca5d795f4c491ed244cd19643b5ef83165f62fa98b7d1713d8f9961148cd9e1a6fb5110819e24d17fc6605676

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_fr3rrp1n.di3.ps1
    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\tmpBEEB.tmp
    Filesize

    1KB

    MD5

    11a2739f58890c33f9eaebde2aaa924c

    SHA1

    2a1783a27624b73ca57903f916c98bb7478eae02

    SHA256

    2a6a25e518658ef2cca998df1a2149394a53632f0915b4fc62e5299ed85dcc12

    SHA512

    6a300fed2358e48ea551d5c2f6b5b68d1d87a8b64606790c13797cc84ca187eae3443b5adc38926292f3349860a783e41e7c193aa528b9d2da4b763f81e503a0

    Download Submit

  • memory/1200-81-0x00000000007C0000-0x00000000007E7000-memory.dmp

    Filesize

    156KB

    Download

  • memory/1200-93-0x0000000000990000-0x00000000009BF000-memory.dmp

    Filesize

    188KB

    Download

  • memory/1488-88-0x0000000074EC0000-0x0000000075670000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/1488-83-0x0000000007A90000-0x0000000007AA4000-memory.dmp

    Filesize

    80KB

    Download

  • memory/1488-84-0x0000000007B90000-0x0000000007BAA000-memory.dmp

    Filesize

    104KB

    Download

  • memory/1488-80-0x0000000007A50000-0x0000000007A61000-memory.dmp

    Filesize

    68KB

    Download

  • memory/1488-79-0x0000000007AD0000-0x0000000007B66000-memory.dmp

    Filesize

    600KB

    Download

  • memory/1488-75-0x0000000007510000-0x00000000075B3000-memory.dmp

    Filesize

    652KB

    Download

  • memory/1488-64-0x00000000074E0000-0x00000000074FE000-memory.dmp

    Filesize

    120KB

    Download

  • memory/1488-53-0x00000000074A0000-0x00000000074D2000-memory.dmp

    Filesize

    200KB

    Download

  • memory/1488-54-0x000000006FE10000-0x000000006FE5C000-memory.dmp

    Filesize

    304KB

    Download

  • memory/1488-37-0x0000000074EC0000-0x0000000075670000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/1488-85-0x0000000007B70000-0x0000000007B78000-memory.dmp

    Filesize

    32KB

    Download

  • memory/1488-25-0x0000000074EC0000-0x0000000075670000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/1488-31-0x0000000074EC0000-0x0000000075670000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/2560-12-0x00000000033D0000-0x0000000003448000-memory.dmp

    Filesize

    480KB

    Download

  • memory/2560-52-0x0000000074EC0000-0x0000000075670000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/2560-11-0x0000000074EC0000-0x0000000075670000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/2560-1-0x0000000000F10000-0x0000000000FC8000-memory.dmp

    Filesize

    736KB

    Download

  • memory/2560-2-0x0000000005F60000-0x0000000006504000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/2560-3-0x0000000005A50000-0x0000000005AE2000-memory.dmp

    Filesize

    584KB

    Download

  • memory/2560-4-0x0000000005AF0000-0x0000000005E44000-memory.dmp

    Filesize

    3.3MB

    Download

  • memory/2560-9-0x00000000088C0000-0x00000000088E6000-memory.dmp

    Filesize

    152KB

    Download

  • memory/2560-5-0x0000000005A30000-0x0000000005A3A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/2560-6-0x0000000074EC0000-0x0000000075670000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/2560-10-0x0000000074ECE000-0x0000000074ECF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2560-7-0x00000000065B0000-0x000000000664C000-memory.dmp

    Filesize

    624KB

    Download

  • memory/2560-8-0x00000000087E0000-0x000000000888E000-memory.dmp

    Filesize

    696KB

    Download

  • memory/2560-0-0x0000000074ECE000-0x0000000074ECF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3424-97-0x0000000008470000-0x00000000085CA000-memory.dmp

    Filesize

    1.4MB

    Download

  • memory/4320-47-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

    Download

  • memory/4604-50-0x0000000006ED0000-0x0000000006F1C000-memory.dmp

    Filesize

    304KB

    Download

  • memory/4604-18-0x0000000074EC0000-0x0000000075670000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4604-78-0x0000000007CD0000-0x0000000007CDA000-memory.dmp

    Filesize

    40KB

    Download

  • memory/4604-76-0x00000000082B0000-0x000000000892A000-memory.dmp

    Filesize

    6.5MB

    Download

  • memory/4604-65-0x000000006FE10000-0x000000006FE5C000-memory.dmp

    Filesize

    304KB

    Download

  • memory/4604-17-0x0000000003030000-0x0000000003066000-memory.dmp

    Filesize

    216KB

    Download

  • memory/4604-82-0x0000000007E80000-0x0000000007E8E000-memory.dmp

    Filesize

    56KB

    Download

  • memory/4604-77-0x0000000007C50000-0x0000000007C6A000-memory.dmp

    Filesize

    104KB

    Download

  • memory/4604-48-0x0000000006930000-0x000000000694E000-memory.dmp

    Filesize

    120KB

    Download

  • memory/4604-23-0x0000000005A00000-0x0000000005A66000-memory.dmp

    Filesize

    408KB

    Download

  • memory/4604-19-0x0000000074EC0000-0x0000000075670000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4604-20-0x0000000005AE0000-0x0000000006108000-memory.dmp

    Filesize

    6.2MB

    Download

  • memory/4604-21-0x0000000074EC0000-0x0000000075670000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4604-92-0x0000000074EC0000-0x0000000075670000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4604-22-0x0000000005960000-0x0000000005982000-memory.dmp

    Filesize

    136KB

    Download

  • memory/4604-24-0x0000000006210000-0x0000000006276000-memory.dmp

    Filesize

    408KB

    Download

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.