Analysis
- max time kernel: 120s
- max time network: 147s
- platform: windows7_x64
- resource: win7-20231215-en
- resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
- submitted: 24/12/2023, 16:26
Behavioral tasks
- behavioral1: Sample DNF-XHA V3.[2].0版(可单刷)/HA.exe, Resource win7-20231215-en
- behavioral2: Sample DNF-XHA V3.[2].0版(可单刷)/HA.exe, Resource win10v2004-20231215-en
- behavioral3: Sample DNF-XHA V3.[2].0版(可单刷)/HAHook.dll, Resource win7-20231215-en
- behavioral4: Sample DNF-XHA V3.[2].0版(可单刷)/HAHook.dll, Resource win10v2004-20231215-en
- behavioral5: Sample xin037.exe, Resource win7-20231215-en
- behavioral6: Sample xin037.exe, Resource win10v2004-20231215-en
General
- Target: xin037.exe
- Size: 22KB
- MD5: 3d820ea021ed22996f873b48e2f8df2d
- SHA1: 373adfa99b3f7bd34e070b547fa370eafe1e93a7
- SHA256: db023f3427fb2ada09b749a726743e4f215653cd2d47e548f8d71b0eca47d199
- SHA512: 89b36567a4dd06b47d890f1ca95c6a4df66e496d8c2f7c506e7f29581e39ea73d9576456e557ccc330385a19f60756091c440e91a0b568831f27f900d140ce2a
- SSDEEP: 384:U9kcqWBCu84UOY08BgfmB7Fyvupe1eY0JwtMwKFTwNcSWVT:SkLWr84pTYgeBByvJ1eRSMwKF0NczVT
Malware Config
Signatures
- ACProtect 1.3x - 1.4x DLL software (1 IoCs)
  Detects file using ACProtect software.
  resource | yara_rule
  behavioral5/files/0x002d000000014c1d-2.dat | acprotect
- Deletes itself (1 IoCs)
  pid | Process
  2828 | cmd.exe
- Loads dropped DLL (2 IoCs)
  pid | Process
  1256 | xin037.exe
  1256 | xin037.exe
  resource | yara_rule
  behavioral5/files/0x002d000000014c1d-2.dat | upx
  behavioral5/memory/1256-6-0x0000000010000000-0x0000000010014000-memory.dmp | upx
- Drops file in System32 directory (3 IoCs)
  description | ioc | Process
  File opened for modification | C:\Windows\SysWOW64\RasEngine.dat | xin037.exe
  File created | C:\Windows\SysWOW64\comres.dll | xin037.exe
  File created | C:\Windows\SysWOW64\RasEngine.dat | xin037.exe
- Drops file in Windows directory (1 IoCs)
  description | ioc | Process
  File created | C:\Windows\fonts\JLFDNF.ttf | xin037.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious use of WriteProcessMemory (4 IoCs)
  description | pid | Process | procid_target
  PID 1256 wrote to memory of 2828 | 1256 | xin037.exe | 29
  PID 1256 wrote to memory of 2828 | 1256 | xin037.exe | 29
  PID 1256 wrote to memory of 2828 | 1256 | xin037.exe | 29
  PID 1256 wrote to memory of 2828 | 1256 | xin037.exe | 29
Processes
- C:\Users\Admin\AppData\Local\Temp\xin037.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\xin037.exe"
  PID: 1256
  - Loads dropped DLL
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe (child process)
    Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\clear.bat" "
    PID: 2828
    - Deletes itself
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 113B
  MD5: ef5b57d029351bb12fa3e75bd99ea711
  SHA1: a9cfa8b49fa8a016abf38edca45b9e369c96158e
  SHA256: 75d0e2bd8d5ce9b015a828802057e009975d444bdcff8d7e8778aa1b68e1e70c
  SHA512: 3353e5a12190824f484c17d316e36d5a00a509de981ca24559bc072f00a38c7981b633f94fdde4b65114a7a6fe88f6ab3f7a04992cf76e2bf089fe6023d96b4d
- Filesize: 15KB
  MD5: 9a54ae64fd84725b3dc852bf6e221def
  SHA1: a0a4f67abda9a61383e6a1253e455c107fd23b91
  SHA256: 9d1630be06b8ea8eaa4407b09b5a64648fcd7e4cc99c0156ef522917c387b919
  SHA512: d50f733efd83367f941d3d5eabb161b2184dd9bbda77baf5d83fa0e43b7b84b096d02f617d4e071f76c20f06eb5129b6f7e8af0e4619adf765e393c12119b6bb
- Filesize: 10KB
  MD5: e6e13b8d8fc47f5545b57c50ddb6438e
  SHA1: 0d9520c050c6e45ffc0c6dedbf31142a2613737b
  SHA256: 019195d80e0fea1a9b576bc17f50735d858537b3fe93442c005d89cbba45ab63
  SHA512: 60209ede8465ad6f109b25fcd41f796ca1c2c05e542b42a4b9c76ce71c8734ac222873ccfd7711e67906faac25e29507965d7958ab8f2e231a50390551c7c5d1