Analysis
Max time kernel: 145s
Max time network: 137s
Platform: windows7_x64
Resource: win7-20240903-en
Resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
Submitted: 04/02/2025, 04:03
Static task: static1
Behavioral task: behavioral1
Sample: 683e3979cc09db086095cbe840901b82951df941ed461f89a67b98bd0ffe5ff9.exe
Resource: win7-20240903-en
General
Target: 683e3979cc09db086095cbe840901b82951df941ed461f89a67b98bd0ffe5ff9.exe
Size: 825KB
MD5: 1fc0248bfd3e90bf20cbd80c6ef6e55e
SHA1: bedfb92db83d6c83c09e258bf17494cd54e757bc
SHA256: 683e3979cc09db086095cbe840901b82951df941ed461f89a67b98bd0ffe5ff9
SHA512: 76f448ff8978a7af8590247a91a90a86cd5fb9bf90789bb52bae5c5926057cec6b5167f7a9ab2dd55fe624286b6fc519a5a90548ba54f4c49f875d85a49c73df
SSDEEP: 12288:bzSggsi23jtK05tsNfBCwnM5DTXW3k12JbTIj10B93kiR+QQ2G:bzxk05t0ZCS2T+k12a1K0iR+t2
Malware Config (extracted)
Family: formbook
Version: 4.1
Campaign: egs9
Decoy/C2 domains: 65-entry domain list omitted
Signatures

Formbook family

Formbook payload (2 IoCs)
  yara_rule formbook: behavioral1/memory/3060-19-0x0000000000400000-0x000000000042F000-memory.dmp
  yara_rule formbook: behavioral1/memory/804-23-0x0000000000080000-0x00000000000AF000-memory.dmp
Command and Scripting Interpreter: PowerShell (1 TTP, 1 IoC)
Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
  PID 2592  powershell.exe
Suspicious use of SetThreadContext (3 IoCs)
  PID 2192 (683e3979cc09db086095cbe840901b82951df941ed461f89a67b98bd0ffe5ff9.exe) set thread context of PID 3060 (procid_target 34)
  PID 3060 (RegSvcs.exe) set thread context of PID 1232 (procid_target 21)
  PID 804 (explorer.exe) set thread context of PID 1232 (procid_target 21)
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTP, 5 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  powershell.exe
  Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  schtasks.exe
  Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  explorer.exe
  Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cmd.exe
  Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  683e3979cc09db086095cbe840901b82951df941ed461f89a67b98bd0ffe5ff9.exe
Scheduled Task/Job: Scheduled Task (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution.
  PID 2596  schtasks.exe
Suspicious behavior: EnumeratesProcesses (32 IoCs; distinct processes listed, repeated entries collapsed)
  PID 2192  683e3979cc09db086095cbe840901b82951df941ed461f89a67b98bd0ffe5ff9.exe
  PID 2592  powershell.exe
  PID 3060  RegSvcs.exe
  PID 804   explorer.exe (accounts for the bulk of the 32 entries)
Suspicious behavior: MapViewOfSection (5 IoCs)
  PID 3060  RegSvcs.exe (3 entries)
  PID 804   explorer.exe (2 entries)
Suspicious use of AdjustPrivilegeToken (4 IoCs)
  Token: SeDebugPrivilege  PID 2192  683e3979cc09db086095cbe840901b82951df941ed461f89a67b98bd0ffe5ff9.exe
  Token: SeDebugPrivilege  PID 2592  powershell.exe
  Token: SeDebugPrivilege  PID 3060  RegSvcs.exe
  Token: SeDebugPrivilege  PID 804   explorer.exe
Suspicious use of FindShellTrayWindow (2 IoCs)
  PID 1232  Explorer.EXE (2 entries)

Suspicious use of SendNotifyMessage (2 IoCs)
  PID 1232  Explorer.EXE (2 entries)
Suspicious use of WriteProcessMemory (26 IoCs; repeated entries collapsed with counts)
  PID 2192 (683e3979cc09db086095cbe840901b82951df941ed461f89a67b98bd0ffe5ff9.exe) wrote to memory of PID 2592, procid_target 30  (4 entries)
  PID 2192 (683e3979cc09db086095cbe840901b82951df941ed461f89a67b98bd0ffe5ff9.exe) wrote to memory of PID 2596, procid_target 32  (4 entries)
  PID 2192 (683e3979cc09db086095cbe840901b82951df941ed461f89a67b98bd0ffe5ff9.exe) wrote to memory of PID 3060, procid_target 34  (10 entries)
  PID 1232 (Explorer.EXE) wrote to memory of PID 804, procid_target 35  (4 entries)
  PID 804 (explorer.exe) wrote to memory of PID 2104, procid_target 36  (4 entries)
Processes (tree; indentation shows parent/child depth)

[1] C:\Windows\Explorer.EXE  (PID 1232)
    command line: C:\Windows\Explorer.EXE
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory

    [2] C:\Users\Admin\AppData\Local\Temp\683e3979cc09db086095cbe840901b82951df941ed461f89a67b98bd0ffe5ff9.exe  (PID 2192)
        command line: "C:\Users\Admin\AppData\Local\Temp\683e3979cc09db086095cbe840901b82951df941ed461f89a67b98bd0ffe5ff9.exe"
        - Suspicious use of SetThreadContext
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory

        [3] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  (PID 2592)
            command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\BKKCQeaq.exe"
            - Command and Scripting Interpreter: PowerShell
            - System Location Discovery: System Language Discovery
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken

        [3] C:\Windows\SysWOW64\schtasks.exe  (PID 2596)
            command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\BKKCQeaq" /XML "C:\Users\Admin\AppData\Local\Temp\tmp64EB.tmp"
            - System Location Discovery: System Language Discovery
            - Scheduled Task/Job: Scheduled Task

        [3] C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe  (PID 3060)
            command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
            - Suspicious use of SetThreadContext
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious behavior: MapViewOfSection
            - Suspicious use of AdjustPrivilegeToken

    [2] C:\Windows\SysWOW64\explorer.exe  (PID 804)
        command line: "C:\Windows\SysWOW64\explorer.exe"
        - Suspicious use of SetThreadContext
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: MapViewOfSection
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory

        [3] C:\Windows\SysWOW64\cmd.exe  (PID 2104)
            command line: /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
            - System Location Discovery: System Language Discovery
Network

MITRE ATT&CK Enterprise v15

Downloads
Filesize: 1KB
MD5: 0d98cb500060ef8d0e63c6df676025d8
SHA1: cff666545c5996943f5ddcd3444b3af05b72e885
SHA256: f9b9781631cf4b083b300eca3b791a5a6fc4ab59f7d9bf1ccf6f5fc8b77339be
SHA512: f84b2beb3c677aa8a297a9474db3693d1530483aa1788d20bc19109a971c74208223dd5baee77d9aea873b5eaa349a7e1191f5fd5c32c5935f7bbd5d5f78d14b