Analysis
  max time kernel:   121s
  max time network:  122s
  platform:          windows7_x64
  resource:          win7-20240903-en
  resource tags:     arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  submitted:         19/09/2024, 13:30
Static task: static1

Behavioral task: behavioral1
  Sample:   2024-09-19_cde6687a708a8d67684eef8fc661227e_hacktools_xiaoba.exe
  Resource: win7-20240903-en

Behavioral task: behavioral2
  Sample:   2024-09-19_cde6687a708a8d67684eef8fc661227e_hacktools_xiaoba.exe
  Resource: win10v2004-20240802-en
General
  Target:  2024-09-19_cde6687a708a8d67684eef8fc661227e_hacktools_xiaoba.exe
  Size:    3.2MB
  MD5:     cde6687a708a8d67684eef8fc661227e
  SHA1:    501a9dff8eb0bfc75c77b6fa8de2d11c328af0f3
  SHA256:  a57903249aa1fce3d9c9b07467e8b3bcbf83b9a3020a8694b46f377745d7373f
  SHA512:  cdb602572f31c650672d846b37b4ad281d9267ba1cc32e8fd4e0779160c06b125f90951dd407470353df443b246054bdd62224caff25291f47d08f882e9083d8
  SSDEEP:  49152:6zG1BqCBGJdodXAGRe5CFHRoHgmAZf1Na:DBIKRAGRe5K2UZe
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
    pid   Process
    2404  f76c207.exe
- Loads dropped DLL (9 IoCs)
    pid   Process
    2148  2024-09-19_cde6687a708a8d67684eef8fc661227e_hacktools_xiaoba.exe
    2148  2024-09-19_cde6687a708a8d67684eef8fc661227e_hacktools_xiaoba.exe
    2780  WerFault.exe
    2780  WerFault.exe
    2780  WerFault.exe
    2780  WerFault.exe
    2780  WerFault.exe
    2780  WerFault.exe
    2780  WerFault.exe
- Program crash (1 IoC)
    pid   pid_target  Process       procid_target
    2780  2404        WerFault.exe  30
- System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
    description  ioc                                                          Process
    Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  2024-09-19_cde6687a708a8d67684eef8fc661227e_hacktools_xiaoba.exe
    Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  f76c207.exe
- Suspicious use of SetWindowsHookEx (4 IoCs)
    pid   Process
    2148  2024-09-19_cde6687a708a8d67684eef8fc661227e_hacktools_xiaoba.exe
    2148  2024-09-19_cde6687a708a8d67684eef8fc661227e_hacktools_xiaoba.exe
    2404  f76c207.exe
    2404  f76c207.exe
- Suspicious use of WriteProcessMemory (8 IoCs)
    description                       pid   Process                                                             procid_target
    PID 2148 wrote to memory of 2404  2148  2024-09-19_cde6687a708a8d67684eef8fc661227e_hacktools_xiaoba.exe  30
    PID 2148 wrote to memory of 2404  2148  2024-09-19_cde6687a708a8d67684eef8fc661227e_hacktools_xiaoba.exe  30
    PID 2148 wrote to memory of 2404  2148  2024-09-19_cde6687a708a8d67684eef8fc661227e_hacktools_xiaoba.exe  30
    PID 2148 wrote to memory of 2404  2148  2024-09-19_cde6687a708a8d67684eef8fc661227e_hacktools_xiaoba.exe  30
    PID 2404 wrote to memory of 2780  2404  f76c207.exe                                                         33
    PID 2404 wrote to memory of 2780  2404  f76c207.exe                                                         33
    PID 2404 wrote to memory of 2780  2404  f76c207.exe                                                         33
    PID 2404 wrote to memory of 2780  2404  f76c207.exe                                                         33
Processes
- C:\Users\Admin\AppData\Local\Temp\2024-09-19_cde6687a708a8d67684eef8fc661227e_hacktools_xiaoba.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\2024-09-19_cde6687a708a8d67684eef8fc661227e_hacktools_xiaoba.exe"
  PID: 2148 (depth 1)
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\ÅäÖÃ\f76c207.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\ÅäÖÃ\f76c207.exe 259441159
    PID: 2404 (depth 2, child of 2148)
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2404 -s 1460
      PID: 2780 (depth 3, child of 2404)
      - Loads dropped DLL
      - Program crash
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 3.2MB
  MD5:     c3708a13bc12d7bf0abc7055a7047b05
  SHA1:    658be20ac1003a782681a147aea5c19eba2cd361
  SHA256:  c28b8de395db23931245672984ac6259fa9eed54e48d2d5f4a50b87be8430672
  SHA512:  82602969271e2d354aa009a67f92fc5498a0c760563bac8bec48ec1423ca5ec8cfc5e5e1b4fd324dea302590194b12301a639a8984af6a42a90a3f0d83d0cb58