Analysis
- max time kernel: 145s
- max time network: 120s
- platform: windows7_x64
- resource: win7-20240708-en
- resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
- submitted: 15/07/2024, 03:27
Static task: static1
Behavioral task behavioral1: sample Q210203W.exe, resource win7-20240708-en
Behavioral task behavioral2: sample Q210203W.exe, resource win10v2004-20240709-en
Behavioral task behavioral3: sample $PLUGINSDIR/System.dll, resource win7-20240704-en
Behavioral task behavioral4: sample $PLUGINSDIR/System.dll, resource win10v2004-20240709-en
Behavioral task behavioral5: sample Isdjek.dll, resource win7-20240708-en
Behavioral task behavioral6: sample Isdjek.dll, resource win10v2004-20240709-en
General
- Target: Q210203W.exe
- Size: 220KB
- MD5: fa56b6d31bcdbe7a969c432099c28611
- SHA1: 7ff0f279a8ed6759ea3344f484cd82d174896c20
- SHA256: 2b9cc84b89000fae34b2808cfbc40c76a0f9f40f02aad848c3789b2fc347ccf0
- SHA512: 25eeb37a943edd0cb193673644e1f60bebbf26d85951a4802c82bc56dc85dc524ec82c8d725edaf1285edf998fc193613ba8522cb649bf0ba1cc9c8edbf366eb
- SSDEEP: 6144:4qjIp2Tdl/KdPGf8EMTXZ8YVDcjCCKopU+mQfVYKt:1u2dYRXZ8QHIC+mQr
Malware Config
Extracted
- Family: xloader
- Version: 2.3
- Campaign: gh6n
- Domains (xloader configs list the live C2 alongside decoy domains; the report does not mark which is which):
cpschoolsschoology.com
thestocksforum.com
pixiewish.com
sopressd.com
muktokontha.com
tiejiabang.net
fdo.technology
kuringnl.com
barbarapastor.com
21stcenturytrading.com
digiwarung.com
canvafynyc.com
forfaitinghouse.com
3704368.com
mymonwero.com
ponpow.com
fringe.golf
heartfeltindonesia.com
defensivedrivercpc.com
allaboutgt.com
truerootsgroups.com
thatsfreakinridiculous.net
soulmohal.com
socalyardspotter.com
pmpts.com
ypb.xyz
tecs777.com
coimpexp-fab.com
romulusphotographer.com
spaceoffsexs.space
eatingdisordersnutrition.com
crackedappel.net
fore-all-llc.com
satishkasetty.com
itallcomesdown.com
ireneverda.com
mylenenadon.com
xn--zrz537c.com
treemuebles.com
iseyararbilgiler.com
mypinnacledesign.com
opvine.com
fenixcartagena.com
schiffrealty.net
lumbuy.com
seanwidmier.com
bondarizati.com
a1bulkemail.com
beuatifulbigwomen.website
nadyadheshop.com
clasificadosvallarta.com
magestosopneus.online
klub65.com
sexrobocabs.com
titanshop.info
valuecaptain.com
bostonm.info
standonir.com
acrellp.xyz
miyumiyuchancosplay.com
victorcarvalhooficial.com
bidaitosou.com
timership.com
cathbilson.com
aslionlinestore.com
Signatures
- Xloader payload (3 IoCs)
  resource / yara_rule:
  - behavioral1/memory/2148-13-0x0000000000400000-0x0000000000428000-memory.dmp: xloader
  - behavioral1/memory/2148-17-0x0000000000400000-0x0000000000428000-memory.dmp: xloader
  - behavioral1/memory/2352-23-0x0000000000080000-0x00000000000A8000-memory.dmp: xloader
- Deletes itself (1 IoC)
  pid / Process: 2824 cmd.exe
- Loads dropped DLL (2 IoCs)
  pid / Process: 2092 Q210203W.exe (2 events)
- Suspicious use of SetThreadContext (3 IoCs)
  description / pid / Process / procid_target:
  - PID 2092 set thread context of 2148; 2092 Q210203W.exe; target 30
  - PID 2148 set thread context of 1216; 2148 Q210203W.exe; target 21
  - PID 2352 set thread context of 1216; 2352 help.exe; target 21
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious behavior: EnumeratesProcesses (35 IoCs)
  pid / Process: 2092 Q210203W.exe (4 events); 2148 Q210203W.exe (2 events); 2352 help.exe (29 events)
- Suspicious behavior: MapViewOfSection (6 IoCs)
  pid / Process: 2092 Q210203W.exe (1 event); 2148 Q210203W.exe (3 events); 2352 help.exe (2 events)
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description / pid / Process:
  - Token: SeDebugPrivilege; 2148 Q210203W.exe
  - Token: SeDebugPrivilege; 2352 help.exe
- Suspicious use of WriteProcessMemory (13 IoCs)
  description / pid / Process / procid_target:
  - PID 2092 wrote to memory of 2148; 2092 Q210203W.exe; target 30 (5 events)
  - PID 1216 wrote to memory of 2352; 1216 Explorer.EXE; target 31 (4 events)
  - PID 2352 wrote to memory of 2824; 2352 help.exe; target 32 (4 events)
Processes
1. C:\Windows\Explorer.EXE (PID 1216)
   Command line: C:\Windows\Explorer.EXE
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\Q210203W.exe (PID 2092)
      Command line: "C:\Users\Admin\AppData\Local\Temp\Q210203W.exe"
      - Loads dropped DLL
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of WriteProcessMemory
      3. C:\Users\Admin\AppData\Local\Temp\Q210203W.exe (PID 2148)
         Command line: "C:\Users\Admin\AppData\Local\Temp\Q210203W.exe"
         - Suspicious use of SetThreadContext
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious behavior: MapViewOfSection
         - Suspicious use of AdjustPrivilegeToken
   2. C:\Windows\SysWOW64\help.exe (PID 2352)
      Command line: "C:\Windows\SysWOW64\help.exe"
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\cmd.exe (PID 2824)
         Command line: /c del "C:\Users\Admin\AppData\Local\Temp\Q210203W.exe"
         - Deletes itself
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 10KB
  MD5: 736d1bc5cb5ad0af70d6a94b768f2803
  SHA1: 5cd2f1e890d3f493dc61c05130c8ca2979ee0bb4
  SHA256: 1bba6e6e13f028e67d529d52e3614b607536f718b5d8e0aa6cd98f1aa15101b7
  SHA512: 909e33ffdbbe3c6f797e3eea14d5722addbbe3e5c9cb085dc2edbd8d69942de3d6dd58a57f5476a5e255b80b50869a516814b1b9791c388a2fb7749ca246cbff
- Filesize: 11KB
  MD5: fccff8cb7a1067e23fd2e2b63971a8e1
  SHA1: 30e2a9e137c1223a78a0f7b0bf96a1c361976d91
  SHA256: 6fcea34c8666b06368379c6c402b5321202c11b00889401c743fb96c516c679e
  SHA512: f4335e84e6f8d70e462a22f1c93d2998673a7616c868177cac3e8784a3be1d7d0bb96f2583fa0ed82f4f2b6b8f5d9b33521c279a42e055d80a94b4f3f1791e0c