Analysis
max time kernel: 149s
max time network: 151s
platform: windows7_x64
resource: win7-20220414-en
submitted: 25/05/2022, 22:24
Static task: static1
Behavioral task: behavioral1
Sample: see7.exe
Resource: win7-20220414-en
General
Target: see7.exe
Size: 574KB
MD5: 1ccf28645e2d52556487a9710de54d8e
SHA1: e83b5b14a3d08d8838e23c08070ebec713f859ef
SHA256: 513624286483a4e172511b412b82445a06eefc904d54de75da656ec1a6f8ae99
SHA512: 5a5f4c5fb992bac2119234563a8a7d3418baab3e3519f936f13a598aa9026dbeba571b7981a5a6afa519e18b124d8cf4c6642b30b88a4a091a051e2b41c5f321
Malware Config
Extracted
Family: xloader
Version: 2.6
Campaign: eido
Signatures

suricata: ET MALWARE FormBook CnC Checkin (GET)

Xloader Payload (4 IoCs)
resource                                                                    yara_rule
behavioral1/memory/2036-62-0x0000000000400000-0x000000000042B000-memory.dmp  xloader
behavioral1/memory/2036-63-0x000000000041F230-mapping.dmp                    xloader
behavioral1/memory/2036-65-0x0000000000400000-0x000000000042B000-memory.dmp  xloader
behavioral1/memory/1868-72-0x0000000000090000-0x00000000000BB000-memory.dmp  xloader

Deletes itself (1 IoC)
pid  Process
524  cmd.exe

Suspicious use of SetThreadContext (3 IoCs)
description                           pid   Process    procid_target
PID 1756 set thread context of 2036   1756  see7.exe   28
PID 2036 set thread context of 1268   2036  see7.exe   12
PID 1868 set thread context of 1268   1868  cmstp.exe  12

Suspicious behavior: EnumeratesProcesses (19 IoCs)
pid   Process    occurrences
2036  see7.exe   2
1868  cmstp.exe  17

Suspicious behavior: MapViewOfSection (5 IoCs)
pid   Process    occurrences
2036  see7.exe   3
1868  cmstp.exe  2

Suspicious use of AdjustPrivilegeToken (3 IoCs)
description              pid   Process
Token: SeDebugPrivilege  1756  see7.exe
Token: SeDebugPrivilege  2036  see7.exe
Token: SeDebugPrivilege  1868  cmstp.exe

Suspicious use of FindShellTrayWindow (2 IoCs)
pid   Process       occurrences
1268  Explorer.EXE  2

Suspicious use of SendNotifyMessage (2 IoCs)
pid   Process       occurrences
1268  Explorer.EXE  2

Suspicious use of WriteProcessMemory (18 IoCs)
description                        pid   Process       procid_target  occurrences
PID 1756 wrote to memory of 2036   1756  see7.exe      28             7
PID 1268 wrote to memory of 1868   1268  Explorer.EXE  30             7
PID 1868 wrote to memory of 524    1868  cmstp.exe     31             4
Processes

C:\Windows\Explorer.EXE (PID 1268)
  command line: C:\Windows\Explorer.EXE
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\see7.exe (PID 1756)
    command line: "C:\Users\Admin\AppData\Local\Temp\see7.exe"
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\see7.exe (PID 2036)
      command line: "C:\Users\Admin\AppData\Local\Temp\see7.exe"
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\autofmt.exe (PID 1932)
    command line: "C:\Windows\SysWOW64\autofmt.exe"

  C:\Windows\SysWOW64\cmstp.exe (PID 1868)
    command line: "C:\Windows\SysWOW64\cmstp.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe (PID 524)
      command line: /c del "C:\Users\Admin\AppData\Local\Temp\see7.exe"
      - Deletes itself