Analysis
  max time kernel: 149s
  max time network: 117s
  platform: windows7_x64
  resource: win7-20240903-en
  resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  submitted: 03/02/2025, 10:00

Static task: static1
Behavioral task: behavioral1
  Sample: PaidInvoicePdf.exe
  Resource: win7-20240903-en
General
  Target: PaidInvoicePdf.exe
  Size: 696KB
  MD5: 800ffdb94a4c823184385509daf24178
  SHA1: 42269e47c7bd0e0e71ebcddeffa9e8f7fd87dc69
  SHA256: 27ffa4783191b2211f9f11043cdfb2df12898202cbef969013082c7634b2f27b
  SHA512: dc11235024197202e9a00059ca5660e09537ac7a6411fc6098ce34f5715b95254a52147231e41e74ae141ee74b8bf9fe3c7b497c8b99ee0697a1f38037fa5c4d
  SSDEEP: 12288:PYGjdswecl94lQ40JfOofko3QSkQREOyMh344m/xDX/ch:2wedlWOofqSkwKcIrPch
Malware Config (extracted)
  Family: formbook
  Version: 4.1
  Campaign: n7ak
Signatures

Formbook family

Formbook payload (2 IoCs)
  resource                                                                        yara_rule
  behavioral1/memory/2992-19-0x0000000000400000-0x000000000042F000-memory.dmp     formbook
  behavioral1/memory/2652-23-0x0000000000080000-0x00000000000AF000-memory.dmp     formbook

Command and Scripting Interpreter: PowerShell (1 TTPs, 1 IoCs)
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  pid    Process
  2212   powershell.exe

Suspicious use of SetThreadContext (3 IoCs)
  description                            pid    Process              procid_target
  PID 1728 set thread context of 2992    1728   PaidInvoicePdf.exe   35
  PID 2992 set thread context of 1224    2992   RegSvcs.exe          21
  PID 2652 set thread context of 1224    2652   cmmon32.exe          21

Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTPs, 4 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description   ioc                                                            Process
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language    PaidInvoicePdf.exe
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language    powershell.exe
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language    schtasks.exe
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language    cmmon32.exe

Modifies Internet Explorer settings (1 IoCs)
  description   ioc                                                                                                                Process
  Key created   \Registry\User\S-1-5-21-4177215427-74451935-3209572229-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2   cmmon32.exe

Scheduled Task/Job: Scheduled Task (1 TTPs, 1 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid    Process
  2976   schtasks.exe

Suspicious behavior: EnumeratesProcesses (31 IoCs; identical entries collapsed, count in last column)
  pid    Process              entries
  1728   PaidInvoicePdf.exe   2
  2992   RegSvcs.exe          2
  2212   powershell.exe       1
  2652   cmmon32.exe          26

Suspicious behavior: MapViewOfSection (7 IoCs; identical entries collapsed, count in last column)
  pid    Process        entries
  2992   RegSvcs.exe    3
  2652   cmmon32.exe    4

Suspicious use of AdjustPrivilegeToken (4 IoCs)
  description               pid    Process
  Token: SeDebugPrivilege   1728   PaidInvoicePdf.exe
  Token: SeDebugPrivilege   2992   RegSvcs.exe
  Token: SeDebugPrivilege   2212   powershell.exe
  Token: SeDebugPrivilege   2652   cmmon32.exe

Suspicious use of WriteProcessMemory (27 IoCs; identical entries collapsed, count in last column)
  description                         pid    Process              procid_target   entries
  PID 1728 wrote to memory of 2212    1728   PaidInvoicePdf.exe   31              4
  PID 1728 wrote to memory of 2976    1728   PaidInvoicePdf.exe   33              4
  PID 1728 wrote to memory of 2992    1728   PaidInvoicePdf.exe   35              10
  PID 1224 wrote to memory of 2652    1224   Explorer.EXE         36              4
  PID 2652 wrote to memory of 2236    2652   cmmon32.exe          37              5
Processes

C:\Windows\Explorer.EXE (PID 1224)
  command line: C:\Windows\Explorer.EXE
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\PaidInvoicePdf.exe (PID 1728)
    command line: "C:\Users\Admin\AppData\Local\Temp\PaidInvoicePdf.exe"
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 2212)
      command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\RGmpQiEFWWTW.exe"
      - Command and Scripting Interpreter: PowerShell
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\SysWOW64\schtasks.exe (PID 2976)
      command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\RGmpQiEFWWTW" /XML "C:\Users\Admin\AppData\Local\Temp\tmpB37.tmp"
      - System Location Discovery: System Language Discovery
      - Scheduled Task/Job: Scheduled Task

    C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe (PID 2992)
      command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\cmmon32.exe (PID 2652)
    command line: "C:\Windows\SysWOW64\cmmon32.exe"
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Program Files\Mozilla Firefox\Firefox.exe (PID 2236)
      command line: "C:\Program Files\Mozilla Firefox\Firefox.exe"
Network
MITRE ATT&CK Enterprise v15
Downloads
  Filesize: 1KB
  MD5: 23779b3f4656ca93a6aa9450b3f5442f
  SHA1: 6ea78bab02fe519f88fe1944ba79d7835e1cfdba
  SHA256: e30335c14b2f65c32d4a676ec3a75c897bc2ab9af6e88e5ead5bd4dea3e4a6c2
  SHA512: b18dfd7402af458fb515178e63cc84c5aa8604ad9f82282127ad8451dc7188a18d6fd44494fb33b6e1ae990600e13205e0978365f10bdf49c8fb1167041429b8