Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
- max time kernel: 32s
- max time network: 16s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 05/05/2024, 15:42
Behavioral tasks
- behavioral1: Sample Xylex-Executor.exe, Resource win7-20240215-en
- behavioral2: Sample Xylex-Executor.exe, Resource win10v2004-20240419-en
- behavioral3: Sample Stub.pyc, Resource win7-20240221-en
- behavioral4: Sample Stub.pyc, Resource win10v2004-20240426-en
General
- Target: Stub.pyc
- Size: 875KB
- MD5: f9831a9a3ff275207efa27868672503d
- SHA1: a85c50e5a9dae11ac402daaba0e4c2762e839af0
- SHA256: f683502becd15ec94f2d3175add74a6c8759178a617e15d3801d11bb2d4c92eb
- SHA512: 8a671e751443fe48fa156cb1de646782db8fd1a2a59b8fa0e8247bc0a91b1aacab3a058bb5d9c617dc40970b47d96a84ad34a4d55216bdcac6f3e378610f03dc
- SSDEEP: 24576:OONIZ/KW//MzIrMbYw3UgD1+J3BadmuPP:OV/MkrMblUgU7Y
Malware Config
Signatures
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies registry class 9 IoCs
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\pyc_auto_file\shell | rundll32.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\pyc_auto_file\ | rundll32.exe
Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\.pyc | rundll32.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\.pyc\ = "pyc_auto_file" | rundll32.exe
Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\pyc_auto_file\shell\Read | rundll32.exe
Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\pyc_auto_file\shell\Read\command | rundll32.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\pyc_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" | rundll32.exe
Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_Classes\Local Settings | rundll32.exe
Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\pyc_auto_file | rundll32.exe
-
Suspicious use of SetWindowsHookEx 2 IoCs
pid | Process
2716 | AcroRd32.exe
2716 | AcroRd32.exe
-
Suspicious use of WriteProcessMemory 7 IoCs
description | pid | Process | procid_target
PID 1296 wrote to memory of 2540 | 1296 | cmd.exe | 29
PID 1296 wrote to memory of 2540 | 1296 | cmd.exe | 29
PID 1296 wrote to memory of 2540 | 1296 | cmd.exe | 29
PID 2540 wrote to memory of 2716 | 2540 | rundll32.exe | 30
PID 2540 wrote to memory of 2716 | 2540 | rundll32.exe | 30
PID 2540 wrote to memory of 2716 | 2540 | rundll32.exe | 30
PID 2540 wrote to memory of 2716 | 2540 | rundll32.exe | 30
Processes
- C:\Windows\system32\cmd.exe (PID 1296)
  Command line: cmd /c C:\Users\Admin\AppData\Local\Temp\Stub.pyc
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\system32\rundll32.exe (PID 2540)
    Command line: "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\Stub.pyc
    Signatures: Modifies registry class; Suspicious use of WriteProcessMemory
    - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe (PID 2716)
      Command line: "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Stub.pyc"
      Signatures: Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 3KB
- MD5: 25218e036fdd09aff190e53615e637ca
- SHA1: 13a2089c2144d1e933e78cb8c3f4ba31e3be1b81
- SHA256: 0efba073cd779919ec81a95c80b2ec0d9366610d83bbc6ef725e8ceee4499323
- SHA512: 6fd1a54bcc044445f81a14549c07b5ddb9907e2d5f2615c4904f87bf3451da40bef0734306a1df2146bce1ffa0faadba2ab7b26adcba21c72cb16dcf7625d261