Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
  max time kernel: 119s
  max time network: 120s
  platform: windows7_x64
  resource: win7-20240729-en
  resource tags: arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system
  submitted: 12/08/2024, 10:27
Static task: static1
Behavioral task: behavioral1
  Sample: 2024-08-12_08ddb95d2c23002fcce95086d445134e_hacktools_xiaoba.exe
  Resource: win7-20240729-en
Behavioral task: behavioral2
  Sample: 2024-08-12_08ddb95d2c23002fcce95086d445134e_hacktools_xiaoba.exe
  Resource: win10v2004-20240802-en
General
  Target: 2024-08-12_08ddb95d2c23002fcce95086d445134e_hacktools_xiaoba.exe
  Size: 3.2MB
  MD5: 08ddb95d2c23002fcce95086d445134e
  SHA1: abb96129701b0071be71fb61aa967b5050ca5f47
  SHA256: 3cd5e2eff3354fda6199c237fc3e4cab81fb4dc958e53b18e27c80691877cf6d
  SHA512: 6df96564fa870095cbc4d1f47de216fd70558e79b604b6aa213437d2278ffc89637201b6eebd5ab008c51145e1d598fe85288bb6f9ee1910e522e78ccfd0083b
  SSDEEP: 49152:6zG1BqCBGJdodXAGRe5CFHRoHgmAZf1N7:DBIKRAGRe5K2UZH
Malware Config
Signatures

Executes dropped EXE (1 IoC)
  pid   Process
  2852  f774579.exe

Loads dropped DLL (9 IoCs)
  pid   Process
  624   2024-08-12_08ddb95d2c23002fcce95086d445134e_hacktools_xiaoba.exe  (2 loads)
  2544  WerFault.exe  (7 loads)

Program crash (1 IoC)
  pid   pid_target  Process       procid_target
  2544  2852        WerFault.exe  31

System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
  Attempts to gather information about the system language of the victim host in order to infer its geographical location. Both the dropper and the dropped binary query the NLS language key.
  description  ioc                                                          Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  2024-08-12_08ddb95d2c23002fcce95086d445134e_hacktools_xiaoba.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  f774579.exe

Suspicious use of SetWindowsHookEx (4 IoCs)
  pid   Process
  624   2024-08-12_08ddb95d2c23002fcce95086d445134e_hacktools_xiaoba.exe  (2 calls)
  2852  f774579.exe  (2 calls)

Suspicious use of WriteProcessMemory (8 IoCs)
  description                  pid   Process                                                             procid_target
  PID 624 wrote to memory of 2852   624   2024-08-12_08ddb95d2c23002fcce95086d445134e_hacktools_xiaoba.exe  31  (4 writes)
  PID 2852 wrote to memory of 2544  2852  f774579.exe                                                         33  (4 writes)
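The rows above are easier to reason about as a process tree plus a short list of findings. The script below is an added example, not part of the Triage report or of the sample: it rebuilds the parent/child tree from the WriteProcessMemory rows (treating "PID A wrote to memory of B" as A spawning B, which matches the Processes section of this report), resolves which process WerFault.exe is reporting a crash for from its -p argument, and flags registry opens under Control\NLS as language discovery. The row values are copied from this report; the WerFault command line is the one shown in the Processes section; matching Nls\Locale and Nls\CodePage in addition to Nls\Language is a generalisation added here.

```python
"""Added example: process tree, crash attribution and language-discovery
check over signature rows copied from a Triage report. Not report code."""
import re
from collections import defaultdict

DROPPER = "2024-08-12_08ddb95d2c23002fcce95086d445134e_hacktools_xiaoba.exe"

# (pid, procid_target, Process) rows from "Suspicious use of WriteProcessMemory".
# The report repeats each row four times; duplicates carry no extra information.
WPM_ROWS = [
    (624, 2852, DROPPER),
    (2852, 2544, "f774579.exe"),
]

# pid -> image name, from the "Processes" section of the report.
PROCESS_NAMES = {624: DROPPER, 2852: "f774579.exe", 2544: "WerFault.exe"}

# (ioc, Process) rows from "System Language Discovery".
REG_ROWS = [
    (r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language", DROPPER),
    (r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language", "f774579.exe"),
]

# WerFault command line as shown in the Processes section.
WERFAULT_CMDLINE = r"C:\Windows\SysWOW64\WerFault.exe -u -p 2852 -s 608"

# Nls\Language is the key seen in this report; Locale and CodePage are the
# sibling NLS keys a locale-aware sample commonly reads (generalisation).
LANG_KEY_RE = re.compile(
    r"\\Control\\NLS\\(Language|Locale|CodePage)(\\|$)", re.IGNORECASE
)


def build_tree(rows):
    """Return {parent_pid: [child_pid, ...]} with duplicate rows collapsed."""
    children = defaultdict(set)
    for pid, target, _ in rows:
        children[pid].add(target)
    return {p: sorted(c) for p, c in children.items()}


def roots(tree):
    """Pids that never appear as somebody's child, i.e. the top of the tree."""
    all_children = {c for cs in tree.values() for c in cs}
    return sorted(p for p in tree if p not in all_children)


def werfault_target(cmdline):
    """Pid that WerFault.exe was launched for (its -p argument), or None."""
    m = re.search(r"\bWerFault\.exe\b.*?\s-p\s+(\d+)", cmdline, re.IGNORECASE)
    return int(m.group(1)) if m else None


def is_language_discovery(key):
    """True for registry paths under ...\\Control\\NLS\\{Language,Locale,CodePage}."""
    return bool(LANG_KEY_RE.search(key))


def language_probes(rows):
    """Process names that opened a language/locale key."""
    return [proc for key, proc in rows if is_language_discovery(key)]


def render(tree, names, root, depth=0):
    """Indented 'pid image' lines for the subtree rooted at `root`."""
    lines = [f"{'  ' * depth}{root} {names.get(root, '?')}"]
    for child in tree.get(root, []):
        lines.extend(render(tree, names, child, depth + 1))
    return lines


if __name__ == "__main__":
    tree = build_tree(WPM_ROWS)
    for r in roots(tree):
        print("\n".join(render(tree, PROCESS_NAMES, r)))
    crashed = werfault_target(WERFAULT_CMDLINE)
    print(f"WerFault reported a crash in pid {crashed} ({PROCESS_NAMES.get(crashed)})")
    print("language discovery by:", language_probes(REG_ROWS))
```

The crash attribution is the detail worth keeping in mind when reading the report: the "Loads dropped DLL" hits on pid 2544 belong to WerFault.exe, which was started by the crashing child f774579.exe, not to the sample itself.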
Processes

C:\Users\Admin\AppData\Local\Temp\2024-08-12_08ddb95d2c23002fcce95086d445134e_hacktools_xiaoba.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\2024-08-12_08ddb95d2c23002fcce95086d445134e_hacktools_xiaoba.exe"
  PID: 624
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\ÅäÖÃ\f774579.exe
    command line: C:\Users\Admin\AppData\Local\Temp\ÅäÖÃ\f774579.exe 259474809
    (the directory name ÅäÖÃ is the GBK-encoded string 配置, "configuration", displayed as Latin-1 mojibake)
    PID: 2852
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\WerFault.exe
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2852 -s 608
      PID: 2544
      - Loads dropped DLL
      - Program crash
Network
MITRE ATT&CK Enterprise v15
Downloads
  Filesize: 3.2MB
  MD5: 3fc705f953067976cebf0ee35b1bfa20
  SHA1: 05564e5aadff99c7ee8e53d989f2a1c9b56683b4
  SHA256: 7d8b43cf33b84c320c19be95d22db61b3708a59cdce2f88a2706e35ad42a166f
  SHA512: 08a311e93785722c4485133db99bce845e0368784912cc6702c75c18e9694b96e02cc447b3bd6cb2fff98a58932d2a86579dcb92ed1b054e072c797aa904b19a