Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
max time kernel: 150s
max time network: 147s
platform: windows10-2004_x64
resource: win10v2004-20250129-en
resource tags: arch:x64, arch:x86, image:win10v2004-20250129-en, locale:en-us, os:windows10-2004-x64, system
submitted: 06/02/2025, 07:34
Static task: static1
Behavioral task behavioral1: sample DHL Takip-pdf.bat.exe, resource win7-20240708-en
Behavioral task behavioral2: sample DHL Takip-pdf.bat.exe, resource win10v2004-20250129-en
Behavioral task behavioral3: sample $PLUGINSDIR/System.dll, resource win7-20240903-en
Behavioral task behavioral4: sample $PLUGINSDIR/System.dll, resource win10v2004-20241007-en
General
Target: DHL Takip-pdf.bat.exe
Size: 1.0MB
MD5: fd533f80090c761f06b499dd63f5cb10
SHA1: 2534671af3824e6b8edcdbdf6e06789050074e0e
SHA256: f7b61d74ed091d52a93af97e15333b59cec299e026647c58830ccf0baf3d9c91
SHA512: 083e8e1e00c39b9e5e708f0f3149313ba46659e7503791aee5ac31deb64413c7890633c4f3e4869abcefd55880e2e2b538b1003de3f4944b6979cbe13e049508
SSDEEP: 24576:+5bgDPHeGskuYMexXYvRCEOYkYRU2fNYwYtYPY:+5qPHeGh5ovRH1bqyuXOg
Malware Config
Extracted: formbook 4.1 (il30)
Domains:
rliyf.info
roclim.tech
dvertising-courses-90538.bond
anheng.lol
olar-systems-panels-34828.bond
ookflix.digital
7552.loan
innb1.online
mrt.world
jimenez.xyz
reativdesign.online
onixts.xyz
igitalethics.online
raktika.group
a-vid.productions
tualizarcadastro.net
pvmz.website
qtnb.bond
hesilverbullet.tech
otwkfik.xyz
oofingwork-met-iri.click
lime-treatment-88123.today
allwalls.info
uppee.shop
ongevitygroup.tech
hwowx.info
mericancrypto.company
bhchmsa.xyz
54cgjy151r.shop
riatoriorf.shop
oegee.net
arehouse-jobs-beta.today
huaixie.cfd
aneofourown.net
idanbet.online
nneralchemyacademy.info
gentive.legal
ianzai.lol
oiihmcd.xyz
rygrip.shop
asakazu-ito.online
huandiu.lol
ffiliate-marketing-33232.bond
edhammer.shop
cr-search.fun
ork-abroad-10203.bond
ncare4u.online
ildblocks.fun
zymmbkd.xyz
vpass.shop
lpl.net
lh1.xyz
oundscape.chat
aythi2.info
abanachannel.shop
nugpup.online
brezpt.xyz
llewijnwebshops.online
pivexa.info
hepottedpine.shop
idcw.net
mplantdentistryexperts989.today
rostgrove.xyz
cwiu.courses
ommaspurpose.net
Signatures

Formbook family

Guloader family

Guloader,Cloudeye
A shellcode based downloader first seen in 2020.

Formbook payload (4 IoCs)
resource | yara_rule
behavioral2/memory/1572-36-0x0000000000400000-0x0000000001654000-memory.dmp | formbook
behavioral2/memory/1572-42-0x0000000000400000-0x0000000001654000-memory.dmp | formbook
behavioral2/memory/1572-45-0x0000000000400000-0x0000000001654000-memory.dmp | formbook
behavioral2/memory/3312-52-0x0000000000900000-0x000000000092F000-memory.dmp | formbook

Loads dropped DLL (2 IoCs)
pid | Process
2228 | DHL Takip-pdf.bat.exe
2228 | DHL Takip-pdf.bat.exe

Suspicious use of NtCreateThreadExHideFromDebugger (1 IoC)
pid | Process
1572 | DHL Takip-pdf.bat.exe

Suspicious use of NtSetInformationThreadHideFromDebugger (2 IoCs)
pid | Process
2228 | DHL Takip-pdf.bat.exe
1572 | DHL Takip-pdf.bat.exe

Suspicious use of SetThreadContext (3 IoCs)
description | pid | Process | procid_target
PID 1572 set thread context of 3500 | 1572 | DHL Takip-pdf.bat.exe | 56
PID 1572 set thread context of 3500 | 1572 | DHL Takip-pdf.bat.exe | 56
PID 3312 set thread context of 3500 | 3312 | cscript.exe | 56

Drops file in Windows directory (1 IoC)
description | ioc | Process
File opened for modification | C:\Windows\resources\Gundelet\gleditsia.ini | DHL Takip-pdf.bat.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | DHL Takip-pdf.bat.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | DHL Takip-pdf.bat.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cscript.exe
Modifies registry class (2 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ | Explorer.EXE
Key created | \REGISTRY\USER\S-1-5-21-2436272344-4274332273-444425594-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ | Explorer.EXE

Suspicious behavior: EnumeratesProcesses (50 IoCs)
pid | Process
1572 | DHL Takip-pdf.bat.exe (6 entries)
3312 | cscript.exe (44 entries)

Suspicious behavior: MapViewOfSection (7 IoCs)
pid | Process
2228 | DHL Takip-pdf.bat.exe
1572 | DHL Takip-pdf.bat.exe
1572 | DHL Takip-pdf.bat.exe
1572 | DHL Takip-pdf.bat.exe
1572 | DHL Takip-pdf.bat.exe
3312 | cscript.exe
3312 | cscript.exe

Suspicious use of AdjustPrivilegeToken (14 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 1572 | DHL Takip-pdf.bat.exe
Token: SeDebugPrivilege | 3312 | cscript.exe
Token: SeShutdownPrivilege | 3500 | Explorer.EXE (6 entries)
Token: SeCreatePagefilePrivilege | 3500 | Explorer.EXE (6 entries)

Suspicious use of UnmapMainImage (1 IoC)
pid | Process
3500 | Explorer.EXE

Suspicious use of WriteProcessMemory (10 IoCs)
description | pid | Process | procid_target
PID 2228 wrote to memory of 1572 | 2228 | DHL Takip-pdf.bat.exe | 96 (4 entries)
PID 1572 wrote to memory of 3312 | 1572 | DHL Takip-pdf.bat.exe | 100 (3 entries)
PID 3312 wrote to memory of 2664 | 3312 | cscript.exe | 101 (3 entries)
Processes

1. C:\Windows\Explorer.EXE (PID 3500)
   command line: C:\Windows\Explorer.EXE
   - Modifies registry class
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of UnmapMainImage

   2. C:\Users\Admin\AppData\Local\Temp\DHL Takip-pdf.bat.exe (PID 2228)
      command line: "C:\Users\Admin\AppData\Local\Temp\DHL Takip-pdf.bat.exe"
      - Loads dropped DLL
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of WriteProcessMemory

      3. C:\Users\Admin\AppData\Local\Temp\DHL Takip-pdf.bat.exe (PID 1572)
         command line: "C:\Users\Admin\AppData\Local\Temp\DHL Takip-pdf.bat.exe"
         - Suspicious use of NtCreateThreadExHideFromDebugger
         - Suspicious use of NtSetInformationThreadHideFromDebugger
         - Suspicious use of SetThreadContext
         - System Location Discovery: System Language Discovery
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious behavior: MapViewOfSection
         - Suspicious use of AdjustPrivilegeToken
         - Suspicious use of WriteProcessMemory

         4. C:\Windows\SysWOW64\cscript.exe (PID 3312)
            command line: "C:\Windows\SysWOW64\cscript.exe"
            - Suspicious use of SetThreadContext
            - System Location Discovery: System Language Discovery
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious behavior: MapViewOfSection
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of WriteProcessMemory

            5. C:\Windows\SysWOW64\cmd.exe (PID 2664)
               command line: /c del "C:\Users\Admin\AppData\Local\Temp\DHL Takip-pdf.bat.exe"
               - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 11KB
MD5: cf85183b87314359488b850f9e97a698
SHA1: 6b6c790037eec7ebea4d05590359cb4473f19aea
SHA256: 3b6a5cb2a3c091814fce297c04fb677f72732fb21615102c62a195fdc2e7dfac
SHA512: fe484b3fc89aeed3a6b71b90b90ea11a787697e56be3077154b6ddc2646850f6c38589ed422ff792e391638a80a778d33f22e891e76b5d65896c6fb4696a2c3b

Filesize: 34KB
MD5: 46d760ff5d80888a54a38d5bd968c3b9
SHA1: 074ffba863941492da6fceb711fc6f6d49884d62
SHA256: 89da4d13eedf0d1128752be5993608a45d8b1d3377ce852cac6938c0514f7952
SHA512: 5c1429bc19c1c154a746ba09376d35293b60a4f95196db3acbbc738d4f3a65c93fc67bdcfc4d15db5485d4bf8cc7bddd8d93c150e2760c88b1bca8aef0cb27c8