Analysis

  • max time kernel
    16s
  • max time network
    16s
  • platform
    windows7_x64
  • resource
    win7-20240729-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system
  • submitted
    26/08/2024, 16:02

General

  • Target

    0343f7d9824f51e45c9cc6ffbe4a1c20N.exe

  • Size

    212KB

  • MD5

    0343f7d9824f51e45c9cc6ffbe4a1c20

  • SHA1

    81ea1a3648e3b9d4903398502cc5ac8fbd0a843a

  • SHA256

    915e637e9e56872ab8f1318ea2aa2434c5161cd6bf289076ebecac66db6bd25b

  • SHA512

    83c21afce52224b8b70be568e7bc6d90a4539984c627979bf7a1d172396e054496dd981ac95b0e8b0332467e9214188929974ec49fd5068f2f3b91e9f5e6b2e3

  • SSDEEP

    3072:jLk395hYXJLM/6tdrHF3AHEAHVxd/Y/6fV4xRrB9sTQt4Ge9tBBTWw0vlT4H7n+B:jQqqWQkAHJX4XYkY9Pow0vlT4+B

Malware Config

Extracted

Family

xloader

Version

2.3

Campaign

ntfs

Decoy

Signatures

  • Xloader

    Xloader is a rebranded version of Formbook malware.

  • Xloader payload 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of WriteProcessMemory 5 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0343f7d9824f51e45c9cc6ffbe4a1c20N.exe
    "C:\Users\Admin\AppData\Local\Temp\0343f7d9824f51e45c9cc6ffbe4a1c20N.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of WriteProcessMemory
    PID:1316
    • C:\Users\Admin\AppData\Local\Temp\0343f7d9824f51e45c9cc6ffbe4a1c20N.exe
      "C:\Users\Admin\AppData\Local\Temp\0343f7d9824f51e45c9cc6ffbe4a1c20N.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:1292

Network

MITRE ATT&CK Enterprise v15

Downloads

  • \Users\Admin\AppData\Local\Temp\nse6079.tmp\System.dll

    Filesize

    11KB

    MD5

    c17103ae9072a06da581dec998343fc1

    SHA1

    b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d

    SHA256

    dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f

    SHA512

    d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

  • memory/1292-13-0x0000000000400000-0x0000000000429000-memory.dmp

    Filesize

    164KB

  • memory/1316-12-0x00000000004D0000-0x00000000004D2000-memory.dmp

    Filesize

    8KB