Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

28a65019d2...d7.exe

windows7-x64

10

28a65019d2...d7.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    24/01/2025, 04:14

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    28a65019d2736dd82fdb229c9e6f5ff053c25e095d118ae03359238f44ba22d7.exe

  • Size

    694KB

  • MD5

    3eb2ceb99c3ef6893ace27ea06be4cfa

  • SHA1

    c0d1da3207d947f99c1809cf94055adbdde7c3d7

  • SHA256

    28a65019d2736dd82fdb229c9e6f5ff053c25e095d118ae03359238f44ba22d7

  • SHA512

    6e9d570a4e5e20a2d0acd3fd4beebc872238e99aec72a747b3aec809c46f4a26dd651d39be69026f4d061a66d515e131ae830e663104d688fb0841f2b4fe4158

  • SSDEEP

    12288:eQFtq5Aai1/mnTesWGrzVXxBEgqO/kCerVYuVH3Uv2Hd9:eMq5Aai10mMzJkjxD2sd9

Score
10/10
formbooka02ddiscoveryexecutionratspywarestealertrojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

a02d

Decoy

coplus.market

oofing-jobs-74429.bond

healchemists.xyz

oofcarpenternearme-jp.xyz

enewebsolutions.online

harepoint.legal

88977.club

omptables.xyz

eat-pumps-31610.bond

endown.graphics

amsexgirls.website

ovevibes.xyz

u-thiensu.online

yblinds.xyz

rumpchiefofstaff.store

erzog.fun

rrm.lat

agiclime.pro

agaviet59.shop

lbdoanhnhan.net

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • Formbook family
    formbook
  • Formbook payload 2 IoCs
    rat
  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Suspicious use of SetThreadContext 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Gathers network information 2 TTPs 1 IoCs

    Uses commandline utility to view network configuration.

  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 62 IoCs
  • Suspicious behavior: MapViewOfSection 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 9 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3452
    • C:\Users\Admin\AppData\Local\Temp\28a65019d2736dd82fdb229c9e6f5ff053c25e095d118ae03359238f44ba22d7.exe
      "C:\Users\Admin\AppData\Local\Temp\28a65019d2736dd82fdb229c9e6f5ff053c25e095d118ae03359238f44ba22d7.exe"
      2⤵
      • Checks computer location settings
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4944
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\28a65019d2736dd82fdb229c9e6f5ff053c25e095d118ae03359238f44ba22d7.exe"
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3540
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\dVNcpHUEH.exe"
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1220
      • C:\Windows\SysWOW64\schtasks.exe
        "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\dVNcpHUEH" /XML "C:\Users\Admin\AppData\Local\Temp\tmpD830.tmp"
        3⤵
        • System Location Discovery: System Language Discovery
        • Scheduled Task/Job: Scheduled Task
        PID:4516
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
        3⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        PID:2516
    • C:\Windows\SysWOW64\ipconfig.exe
      "C:\Windows\SysWOW64\ipconfig.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Gathers network information
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1004
      • C:\Windows\SysWOW64\cmd.exe
        /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2752

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
    Filesize

    2KB

    MD5

    3d086a433708053f9bf9523e1d87a4e8

    SHA1

    b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28

    SHA256

    6f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69

    SHA512

    931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    18KB

    MD5

    563ff3d146941095664dfa77630dac10

    SHA1

    22a943847f5c5913be7dc35ba2cf08ecb00ecd4a

    SHA256

    536bd2d048605271ccc0ba1ecea38ec4d8d72b137d94e87ddc2856741d6bbd6b

    SHA512

    52d4b9df55749b67cd271c6d9381a4c7ca78b9e3e03f83a38f83a593526cf0d1e19f0b27888632a106279b7e1dcda9e89d323149b3dee7a6ea1d98f5911bd529

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ffll2tfv.ifk.ps1
    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\tmpD830.tmp
    Filesize

    1KB

    MD5

    75f5d629da3910797b3a04a632d26210

    SHA1

    85206e2f183816ff870caf37858dc66a8c64332a

    SHA256

    037fbb821c273c3b6643f2def72b1924ea2409e900b81a348e2f8f35e88fb139

    SHA512

    b54956294d72c7b79a6819dc0963924c4da4b0a8ced6ff73e3657cbf400d3a5aa79a1633e2784c64624953eb9ef09c9becc002ebfa646b56e6b40a7ac3482196

    Download Submit

  • memory/1004-88-0x0000000000CC0000-0x0000000000CEF000-memory.dmp

    Filesize

    188KB

    Download

  • memory/1004-87-0x00000000009E0000-0x00000000009EB000-memory.dmp

    Filesize

    44KB

    Download

  • memory/1220-66-0x0000000007800000-0x00000000078A3000-memory.dmp

    Filesize

    652KB

    Download

  • memory/1220-65-0x00000000077D0000-0x00000000077EE000-memory.dmp

    Filesize

    120KB

    Download

  • memory/1220-78-0x0000000007C70000-0x0000000007C8A000-memory.dmp

    Filesize

    104KB

    Download

  • memory/1220-76-0x0000000007B60000-0x0000000007B6E000-memory.dmp

    Filesize

    56KB

    Download

  • memory/1220-75-0x0000000007B30000-0x0000000007B41000-memory.dmp

    Filesize

    68KB

    Download

  • memory/1220-74-0x0000000007BB0000-0x0000000007C46000-memory.dmp

    Filesize

    600KB

    Download

  • memory/1220-85-0x00007FF8DC9F0000-0x00007FF8DCBE5000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/1220-79-0x0000000007C50000-0x0000000007C58000-memory.dmp

    Filesize

    32KB

    Download

  • memory/1220-18-0x00007FF8DC9F0000-0x00007FF8DCBE5000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/1220-46-0x00000000065E0000-0x00000000065FE000-memory.dmp

    Filesize

    120KB

    Download

  • memory/1220-50-0x0000000075790000-0x00000000757DC000-memory.dmp

    Filesize

    304KB

    Download

  • memory/1220-47-0x0000000006680000-0x00000000066CC000-memory.dmp

    Filesize

    304KB

    Download

  • memory/2516-32-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

    Download

  • memory/3452-92-0x0000000008500000-0x0000000008662000-memory.dmp

    Filesize

    1.4MB

    Download

  • memory/3540-14-0x00007FF8DC9F0000-0x00007FF8DCBE5000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/3540-48-0x0000000007010000-0x0000000007042000-memory.dmp

    Filesize

    200KB

    Download

  • memory/3540-86-0x00007FF8DC9F0000-0x00007FF8DCBE5000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/3540-33-0x0000000005B70000-0x0000000005EC4000-memory.dmp

    Filesize

    3.3MB

    Download

  • memory/3540-21-0x00000000058A0000-0x0000000005906000-memory.dmp

    Filesize

    408KB

    Download

  • memory/3540-49-0x0000000075790000-0x00000000757DC000-memory.dmp

    Filesize

    304KB

    Download

  • memory/3540-22-0x00000000059C0000-0x0000000005A26000-memory.dmp

    Filesize

    408KB

    Download

  • memory/3540-77-0x00000000075E0000-0x00000000075F4000-memory.dmp

    Filesize

    80KB

    Download

  • memory/3540-17-0x0000000005200000-0x0000000005828000-memory.dmp

    Filesize

    6.2MB

    Download

  • memory/3540-16-0x00007FF8DC9F0000-0x00007FF8DCBE5000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/3540-71-0x00000000079F0000-0x000000000806A000-memory.dmp

    Filesize

    6.5MB

    Download

  • memory/3540-72-0x00000000073A0000-0x00000000073BA000-memory.dmp

    Filesize

    104KB

    Download

  • memory/3540-73-0x0000000007410000-0x000000000741A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/3540-20-0x00000000050A0000-0x00000000050C2000-memory.dmp

    Filesize

    136KB

    Download

  • memory/3540-13-0x0000000004AB0000-0x0000000004AE6000-memory.dmp

    Filesize

    216KB

    Download

  • memory/3540-15-0x00007FF8DC9F0000-0x00007FF8DCBE5000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/4944-0-0x00007FF8DC9F0000-0x00007FF8DCBE5000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/4944-8-0x0000000002B60000-0x0000000002BDA000-memory.dmp

    Filesize

    488KB

    Download

  • memory/4944-7-0x00000000065F0000-0x000000000660E000-memory.dmp

    Filesize

    120KB

    Download

  • memory/4944-6-0x0000000005590000-0x000000000562C000-memory.dmp

    Filesize

    624KB

    Download

  • memory/4944-5-0x0000000005450000-0x000000000545A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/4944-44-0x00007FF8DC9F0000-0x00007FF8DCBE5000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/4944-4-0x00007FF8DC9F0000-0x00007FF8DCBE5000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/4944-3-0x00000000052C0000-0x0000000005352000-memory.dmp

    Filesize

    584KB

    Download

  • memory/4944-2-0x00000000057D0000-0x0000000005D74000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/4944-1-0x0000000000800000-0x00000000008B4000-memory.dmp

    Filesize

    720KB

    Download