Analysis

max time kernel: 131s
max time network: 137s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 02/09/2024, 02:48

Static task: static1
Behavioral task: behavioral1
Sample: e9e8c1fc6eb0493ccafa4bd8362662e9dcc1de1191c4e2a348f1283a367f0f41.exe
Resource: win7-20240705-en
General

Target: e9e8c1fc6eb0493ccafa4bd8362662e9dcc1de1191c4e2a348f1283a367f0f41.exe
Size: 461KB
MD5: 5e15f4f0710928ceb2445a10aaa48e9a
SHA1: 6d737a3936b878bbd28020326e39c14c4b120003
SHA256: e9e8c1fc6eb0493ccafa4bd8362662e9dcc1de1191c4e2a348f1283a367f0f41
SHA512: 416d8abdafbcf11d9a42592a853db81eecc14ddca97b5966c4e13cd5130acc25633b7bb95f580790c1063db733bbe61ca2eeed9781fcef960a3853f084a26757
SSDEEP: 6144:O3CDRM9sIkrdnvCgUmCeyCQOEHoXwOK0VEppAcpSK8QGS4mBgESFX0A7:Gf9HmdvCKCepXC50VEpG8NnJgE8X04
Malware Config

Extracted

Family: xloader
Version: 2.3
Campaign: h3qo

C2 domains (as extracted from the sample's configuration):
dhflow.com
jyindex.com
ezcleanhandle.com
trungtamcongdong.online
simsprotectionagency.com
easylivemeet.com
blackvikingfashionhouse.com
52banxue.com
girlsinit.com
drhemo.com
freethefarmers.com
velvetrosephotography.com
geometricbotaniclas.com
skyandspirit.com
deltacomunicacao.com
mucademy.com
jaboilfieldsolutions.net
howtowinatblackjacknow.com
anytimegrowth.com
simranluthra.com
thefinleyshow.com
basalmeals.com
esurpluss.com
hrbjczsfs.com
tourphuquocnguyenhien.com
mxprographics.com
themetaphysicalmaster.net
directorystar.asia
thehomeofdiamonds.com
riqinxin.com
covicio.com
sciineurope.com
womensportclothes.com
celestialchimes.net
lotsmen.com
hi-rescloud.net
lewisnathaniel.com
ageonward.com
eyetownglasses.com
bingent.info
matildealvaradovera.com
otorrinonews.com
cdeg898.com
lexingtoncoorgresort.com
minidachshundpups.com
tools365-shop.com
romancingtheeras.com
residentmining.com
aquaflowsprinklers.com
crackapks.com
caffeinatedeverafter.com
sureyyapasa.net
strawberryhearts.com
ptgo.net
devyshkam.com
thethrottletherapy.com
givelyrics.com
signaturepsinc.com
mersinsudunyasi.com
fivedayskitchen.com
fefebeauty.com
long0001.com
hmm40.com
claracarbon.com
elevatedenterprizes.com
Signatures

Xloader payload (1 IoC)
  resource: behavioral2/memory/3960-2-0x0000000000400000-0x0000000000429000-memory.dmp
  yara_rule: xloader

Suspicious use of SetThreadContext (1 IoC)
  description: PID 1200 set thread context of 3960
  pid: 1200
  Process: e9e8c1fc6eb0493ccafa4bd8362662e9dcc1de1191c4e2a348f1283a367f0f41.exe
  procid_target: 90

Program crash (1 IoC)
  pid: 3528
  pid_target: 1200
  Process: WerFault.exe
  procid_target: 89
System Location Discovery: System Language Discovery (1 TTP, 1 IoC)
  An attempt to gather information about the system language of a victim host in order to infer its geographical location.
  description: Key opened
  ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
  Process: e9e8c1fc6eb0493ccafa4bd8362662e9dcc1de1191c4e2a348f1283a367f0f41.exe
Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid: 3960  Process: e9e8c1fc6eb0493ccafa4bd8362662e9dcc1de1191c4e2a348f1283a367f0f41.exe
  pid: 3960  Process: e9e8c1fc6eb0493ccafa4bd8362662e9dcc1de1191c4e2a348f1283a367f0f41.exe

Suspicious behavior: MapViewOfSection (1 IoC)
  pid: 1200  Process: e9e8c1fc6eb0493ccafa4bd8362662e9dcc1de1191c4e2a348f1283a367f0f41.exe

Suspicious use of WriteProcessMemory (4 IoCs)
  description: PID 1200 wrote to memory of 3960  pid: 1200  Process: e9e8c1fc6eb0493ccafa4bd8362662e9dcc1de1191c4e2a348f1283a367f0f41.exe  procid_target: 90
  description: PID 1200 wrote to memory of 3960  pid: 1200  Process: e9e8c1fc6eb0493ccafa4bd8362662e9dcc1de1191c4e2a348f1283a367f0f41.exe  procid_target: 90
  description: PID 1200 wrote to memory of 3960  pid: 1200  Process: e9e8c1fc6eb0493ccafa4bd8362662e9dcc1de1191c4e2a348f1283a367f0f41.exe  procid_target: 90
  description: PID 1200 wrote to memory of 3960  pid: 1200  Process: e9e8c1fc6eb0493ccafa4bd8362662e9dcc1de1191c4e2a348f1283a367f0f41.exe  procid_target: 90
Processes

C:\Users\Admin\AppData\Local\Temp\e9e8c1fc6eb0493ccafa4bd8362662e9dcc1de1191c4e2a348f1283a367f0f41.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\e9e8c1fc6eb0493ccafa4bd8362662e9dcc1de1191c4e2a348f1283a367f0f41.exe"
  PID: 1200
  Signatures:
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
  Child processes:
    C:\Users\Admin\AppData\Local\Temp\e9e8c1fc6eb0493ccafa4bd8362662e9dcc1de1191c4e2a348f1283a367f0f41.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\e9e8c1fc6eb0493ccafa4bd8362662e9dcc1de1191c4e2a348f1283a367f0f41.exe"
      PID: 3960
      Signatures:
        - Suspicious behavior: EnumeratesProcesses
    C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1200 -s 500
      PID: 3528
      Signatures:
        - Program crash

C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1200 -ip 1200
  PID: 652

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4380,i,2904906934812054273,11716976550456127484,262144 --variations-seed-version --mojo-platform-channel-handle=4128 /prefetch:8
  PID: 3980