Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    150s
  • max time network
    147s
  • platform
    windows7_x64
  • resource
    win7-20240729-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system
  • submitted
    24/09/2024, 01:29 UTC

General

  • Target

    140c2a66e6feca66598f349391e11813c91e918bad57de7422e0531ab42a6117.exe

  • Size

    192KB

  • MD5

    a43025a136bcc6af701054ed51ad8adb

  • SHA1

    547032f4afb1cb3b6970ba5a64234d20e815a3a4

  • SHA256

    140c2a66e6feca66598f349391e11813c91e918bad57de7422e0531ab42a6117

  • SHA512

    e6c9bd2cf29cffb3d318664a9525d6d56767d4ec482b6f38861b1f01d222a73228f4e70bc12b45f700eb37513a32d64616edf09e8b4df349e9a0aa36c7fe3f81

  • SSDEEP

    3072:l1NjcVVnLpPuqbJzk9y/Nsso8vTUa6wySNSCV1sPvhDbQh2k4hPwn0gSimGZ6P5u:HNeZFhbEaeSN91sP9baS+npwIn2nyR7

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

3e9r

Decoy


Signatures

  • Xloader

    Xloader is a rebranded version of Formbook malware.

  • Xloader payload 4 IoCs
  • Blocklisted process makes network request 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Suspicious use of SetThreadContext 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 50 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious behavior: MapViewOfSection 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of FindShellTrayWindow 34 IoCs
  • Suspicious use of SendNotifyMessage 30 IoCs
  • Suspicious use of WriteProcessMemory 25 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of WriteProcessMemory
    PID:1252
    • C:\Users\Admin\AppData\Local\Temp\140c2a66e6feca66598f349391e11813c91e918bad57de7422e0531ab42a6117.exe
      "C:\Users\Admin\AppData\Local\Temp\140c2a66e6feca66598f349391e11813c91e918bad57de7422e0531ab42a6117.exe"
      2⤵
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2372
      • C:\Users\Admin\AppData\Local\Temp\rxyzg.exe
        C:\Users\Admin\AppData\Local\Temp\rxyzg.exe C:\Users\Admin\AppData\Local\Temp\mfqbqbhcqx
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2380
        • C:\Users\Admin\AppData\Local\Temp\rxyzg.exe
          C:\Users\Admin\AppData\Local\Temp\rxyzg.exe C:\Users\Admin\AppData\Local\Temp\mfqbqbhcqx
          4⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of AdjustPrivilegeToken
          PID:1440
    • C:\Windows\SysWOW64\rundll32.exe
      "C:\Windows\SysWOW64\rundll32.exe"
      2⤵
      • Blocklisted process makes network request
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2796
      • C:\Windows\SysWOW64\cmd.exe
        /c del "C:\Users\Admin\AppData\Local\Temp\rxyzg.exe"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2824
    • C:\Windows\system32\taskmgr.exe
      "C:\Windows\system32\taskmgr.exe" /4
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2316

Network

  • flag-us
    DNS
    www.empiredigitalcbdstore.com
    rundll32.exe
    Remote address:
    8.8.8.8:53
    Request
    www.empiredigitalcbdstore.com
    IN A
    Response
    www.empiredigitalcbdstore.com
    IN CNAME
    empiredigitalcbdstore.com
    empiredigitalcbdstore.com
    IN A
    208.109.50.40
  • flag-us
    DNS
    www.empiredigitalcbdstore.com
    rundll32.exe
    Remote address:
    8.8.8.8:53
    Request
    www.empiredigitalcbdstore.com
    IN A
    Response
    www.empiredigitalcbdstore.com
    IN CNAME
    empiredigitalcbdstore.com
    empiredigitalcbdstore.com
    IN A
    208.109.50.40
  • flag-us
    DNS
    www.securityfirstlt.com
    Explorer.EXE
    Remote address:
    8.8.8.8:53
    Request
    www.securityfirstlt.com
    IN A
    Response
  • flag-us
    DNS
    www.fococomunicacaovisuales.com
    Explorer.EXE
    Remote address:
    8.8.8.8:53
    Request
    www.fococomunicacaovisuales.com
    IN A
    Response
  • flag-us
    DNS
    www.hello-orchid.com
    Explorer.EXE
    Remote address:
    8.8.8.8:53
    Request
    www.hello-orchid.com
    IN A
    Response
    www.hello-orchid.com
    IN CNAME
    hello-orchid.com
    hello-orchid.com
    IN A
    141.193.213.11
    hello-orchid.com
    IN A
    141.193.213.10
  • flag-us
    GET
    http://www.hello-orchid.com/3e9r/?z6A0I=/zMRSRc1QusoZhMyL5seYh8vUR/sZneXpkNDah76+U2aAU+moq3N7wS+aQamrI9O&_L30=ht80axMpghz
    Explorer.EXE
    Remote address:
    141.193.213.11:80
    Request
    GET /3e9r/?z6A0I=/zMRSRc1QusoZhMyL5seYh8vUR/sZneXpkNDah76+U2aAU+moq3N7wS+aQamrI9O&_L30=ht80axMpghz HTTP/1.1
    Host: www.hello-orchid.com
    Connection: close
    Response
    HTTP/1.1 409 Conflict
    Date: Tue, 24 Sep 2024 01:30:59 GMT
    Content-Type: text/plain; charset=UTF-8
    Content-Length: 16
    Connection: close
    X-Frame-Options: SAMEORIGIN
    Referrer-Policy: same-origin
    Cache-Control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0
    Expires: Thu, 01 Jan 1970 00:00:01 GMT
    Server: cloudflare
    CF-RAY: 8c7f032b3db206b2-LHR
  • flag-us
    DNS
    www.divinehuntbegins.net
    Explorer.EXE
    Remote address:
    8.8.8.8:53
    Request
    www.divinehuntbegins.net
    IN A
    Response
  • flag-us
    DNS
    www.okbruv.com
    Explorer.EXE
    Remote address:
    8.8.8.8:53
    Request
    www.okbruv.com
    IN A
    Response
  • flag-us
    DNS
    www.drone-rullime.com
    Explorer.EXE
    Remote address:
    8.8.8.8:53
    Request
    www.drone-rullime.com
    IN A
    Response
  • flag-us
    DNS
    www.app-ads-network.com
    Explorer.EXE
    Remote address:
    8.8.8.8:53
    Request
    www.app-ads-network.com
    IN A
    Response
  • flag-us
    DNS
    www.bhadrakalisandhya.com
    Explorer.EXE
    Remote address:
    8.8.8.8:53
    Request
    www.bhadrakalisandhya.com
    IN A
    Response
  • flag-us
    DNS
    www.anda568.com
    Explorer.EXE
    Remote address:
    8.8.8.8:53
    Request
    www.anda568.com
    IN A
    Response
  • flag-us
    DNS
    www.unicorm.digital
    Explorer.EXE
    Remote address:
    8.8.8.8:53
    Request
    www.unicorm.digital
    IN A
    Response
  • flag-us
    DNS
    www.parodistluxuryroll.com
    Explorer.EXE
    Remote address:
    8.8.8.8:53
    Request
    www.parodistluxuryroll.com
    IN A
    Response
  • flag-us
    DNS
    www.upgown.com
    Explorer.EXE
    Remote address:
    8.8.8.8:53
    Request
    www.upgown.com
    IN A
    Response
  • flag-us
    DNS
    www.weaveapp.xyz
    Explorer.EXE
    Remote address:
    8.8.8.8:53
    Request
    www.weaveapp.xyz
    IN A
    Response
    www.weaveapp.xyz
    IN A
    72.52.179.175
  • flag-us
    GET
    http://www.weaveapp.xyz/3e9r/?z6A0I=OMb0Swc0jQLwT0G4jVz7nBRf9ZlnZTLoMUOnbAWMovKsVkrrW3BwWv05jkzcu3M9&_L30=ht80axMpghz
    Explorer.EXE
    Remote address:
    72.52.179.175:80
    Request
    GET /3e9r/?z6A0I=OMb0Swc0jQLwT0G4jVz7nBRf9ZlnZTLoMUOnbAWMovKsVkrrW3BwWv05jkzcu3M9&_L30=ht80axMpghz HTTP/1.1
    Host: www.weaveapp.xyz
    Connection: close
  • flag-us
    DNS
    www.iuckychance.com
    Explorer.EXE
    Remote address:
    8.8.8.8:53
    Request
    www.iuckychance.com
    IN A
    Response
    www.iuckychance.com
    IN A
    103.224.182.242
  • flag-us
    GET
    http://www.iuckychance.com/3e9r/?z6A0I=2FhtQKAI4snHdNxhC1Q9u08AiwdyFbIKXXtoO9dLoHGvRzOm+bkCNxIHsK9Ouw70&_L30=ht80axMpghz
    Explorer.EXE
    Remote address:
    103.224.182.242:80
    Request
    GET /3e9r/?z6A0I=2FhtQKAI4snHdNxhC1Q9u08AiwdyFbIKXXtoO9dLoHGvRzOm+bkCNxIHsK9Ouw70&_L30=ht80axMpghz HTTP/1.1
    Host: www.iuckychance.com
    Connection: close
    Response
    HTTP/1.1 200 OK
    date: Tue, 24 Sep 2024 01:32:08 GMT
    server: Apache
    set-cookie: __tad=1727141528.7427806; expires=Fri, 22-Sep-2034 01:32:08 GMT; Max-Age=315360000
    vary: Accept-Encoding
    content-length: 1336
    content-type: text/html; charset=UTF-8
    connection: close
  • flag-us
    DNS
    www.fandenacqua.quest
    Explorer.EXE
    Remote address:
    8.8.8.8:53
    Request
    www.fandenacqua.quest
    IN A
    Response
  • flag-us
    DNS
    www.exodijuis.com
    Explorer.EXE
    Remote address:
    8.8.8.8:53
    Request
    www.exodijuis.com
    IN A
    Response
  • flag-us
    DNS
    www.doitlive.online
    Explorer.EXE
    Remote address:
    8.8.8.8:53
    Request
    www.doitlive.online
    IN A
    Response
    www.doitlive.online
    IN A
    66.96.162.136
  • flag-us
    GET
    http://www.doitlive.online/3e9r/?z6A0I=/3CUQAOJ7nRk6Zjj3vDq87dHxg3480VoA983q7E8rD7XD/SEfGe/4YvcCLfPkQ/H&TD=8pm4wzpx7RKt_2Mp
    Explorer.EXE
    Remote address:
    66.96.162.136:80
    Request
    GET /3e9r/?z6A0I=/3CUQAOJ7nRk6Zjj3vDq87dHxg3480VoA983q7E8rD7XD/SEfGe/4YvcCLfPkQ/H&TD=8pm4wzpx7RKt_2Mp HTTP/1.1
    Host: www.doitlive.online
    Connection: close
    Response
    HTTP/1.1 404 Not Found
    Date: Tue, 24 Sep 2024 01:32:26 GMT
    Content-Type: text/html
    Content-Length: 867
    Connection: close
    Server: Apache
    Last-Modified: Fri, 10 Jan 2020 16:05:10 GMT
    Accept-Ranges: bytes
    Age: 1
  • flag-us
    DNS
    www.amarbakers.online
    Explorer.EXE
    Remote address:
    8.8.8.8:53
    Request
    www.amarbakers.online
    IN A
    Response
  • 208.109.50.40:80
    www.empiredigitalcbdstore.com
    Explorer.EXE
    152 B
    3
  • 208.109.50.40:80
    www.empiredigitalcbdstore.com
    rundll32.exe
    152 B
    3
  • 141.193.213.11:80
    http://www.hello-orchid.com/3e9r/?z6A0I=/zMRSRc1QusoZhMyL5seYh8vUR/sZneXpkNDah76+U2aAU+moq3N7wS+aQamrI9O&_L30=ht80axMpghz
    http
    Explorer.EXE
    395 B
    618 B
    5
    5

    HTTP Request

    GET http://www.hello-orchid.com/3e9r/?z6A0I=/zMRSRc1QusoZhMyL5seYh8vUR/sZneXpkNDah76+U2aAU+moq3N7wS+aQamrI9O&_L30=ht80axMpghz

    HTTP Response

    409
  • 72.52.179.175:80
    http://www.weaveapp.xyz/3e9r/?z6A0I=OMb0Swc0jQLwT0G4jVz7nBRf9ZlnZTLoMUOnbAWMovKsVkrrW3BwWv05jkzcu3M9&_L30=ht80axMpghz
    http
    Explorer.EXE
    391 B
    172 B
    5
    4

    HTTP Request

    GET http://www.weaveapp.xyz/3e9r/?z6A0I=OMb0Swc0jQLwT0G4jVz7nBRf9ZlnZTLoMUOnbAWMovKsVkrrW3BwWv05jkzcu3M9&_L30=ht80axMpghz
  • 103.224.182.242:80
    http://www.iuckychance.com/3e9r/?z6A0I=2FhtQKAI4snHdNxhC1Q9u08AiwdyFbIKXXtoO9dLoHGvRzOm+bkCNxIHsK9Ouw70&_L30=ht80axMpghz
    http
    Explorer.EXE
    440 B
    1.8kB
    6
    5

    HTTP Request

    GET http://www.iuckychance.com/3e9r/?z6A0I=2FhtQKAI4snHdNxhC1Q9u08AiwdyFbIKXXtoO9dLoHGvRzOm+bkCNxIHsK9Ouw70&_L30=ht80axMpghz

    HTTP Response

    200
  • 66.96.162.136:80
    http://www.doitlive.online/3e9r/?z6A0I=/3CUQAOJ7nRk6Zjj3vDq87dHxg3480VoA983q7E8rD7XD/SEfGe/4YvcCLfPkQ/H&TD=8pm4wzpx7RKt_2Mp
    http
    Explorer.EXE
    397 B
    1.3kB
    5
    5

    HTTP Request

    GET http://www.doitlive.online/3e9r/?z6A0I=/3CUQAOJ7nRk6Zjj3vDq87dHxg3480VoA983q7E8rD7XD/SEfGe/4YvcCLfPkQ/H&TD=8pm4wzpx7RKt_2Mp

    HTTP Response

    404
  • 8.8.8.8:53
    www.empiredigitalcbdstore.com
    dns
    rundll32.exe
    75 B
    105 B
    1
    1

    DNS Request

    www.empiredigitalcbdstore.com

    DNS Response

    208.109.50.40

  • 8.8.8.8:53
    www.empiredigitalcbdstore.com
    dns
    rundll32.exe
    75 B
    105 B
    1
    1

    DNS Request

    www.empiredigitalcbdstore.com

    DNS Response

    208.109.50.40

  • 8.8.8.8:53
    www.securityfirstlt.com
    dns
    Explorer.EXE
    69 B
    142 B
    1
    1

    DNS Request

    www.securityfirstlt.com

  • 8.8.8.8:53
    www.fococomunicacaovisuales.com
    dns
    Explorer.EXE
    77 B
    150 B
    1
    1

    DNS Request

    www.fococomunicacaovisuales.com

  • 8.8.8.8:53
    www.hello-orchid.com
    dns
    Explorer.EXE
    66 B
    112 B
    1
    1

    DNS Request

    www.hello-orchid.com

    DNS Response

    141.193.213.11
    141.193.213.10

  • 8.8.8.8:53
    www.divinehuntbegins.net
    dns
    Explorer.EXE
    70 B
    143 B
    1
    1

    DNS Request

    www.divinehuntbegins.net

  • 8.8.8.8:53
    www.okbruv.com
    dns
    Explorer.EXE
    60 B
    133 B
    1
    1

    DNS Request

    www.okbruv.com

  • 8.8.8.8:53
    www.drone-rullime.com
    dns
    Explorer.EXE
    67 B
    140 B
    1
    1

    DNS Request

    www.drone-rullime.com

  • 8.8.8.8:53
    www.app-ads-network.com
    dns
    Explorer.EXE
    69 B
    142 B
    1
    1

    DNS Request

    www.app-ads-network.com

  • 8.8.8.8:53
    www.bhadrakalisandhya.com
    dns
    Explorer.EXE
    71 B
    144 B
    1
    1

    DNS Request

    www.bhadrakalisandhya.com

  • 8.8.8.8:53
    www.anda568.com
    dns
    Explorer.EXE
    61 B
    134 B
    1
    1

    DNS Request

    www.anda568.com

  • 8.8.8.8:53
    www.unicorm.digital
    dns
    Explorer.EXE
    65 B
    133 B
    1
    1

    DNS Request

    www.unicorm.digital

  • 8.8.8.8:53
    www.parodistluxuryroll.com
    dns
    Explorer.EXE
    72 B
    145 B
    1
    1

    DNS Request

    www.parodistluxuryroll.com

  • 8.8.8.8:53
    www.upgown.com
    dns
    Explorer.EXE
    60 B
    133 B
    1
    1

    DNS Request

    www.upgown.com

  • 8.8.8.8:53
    www.weaveapp.xyz
    dns
    Explorer.EXE
    62 B
    78 B
    1
    1

    DNS Request

    www.weaveapp.xyz

    DNS Response

    72.52.179.175

  • 8.8.8.8:53
    www.iuckychance.com
    dns
    Explorer.EXE
    65 B
    81 B
    1
    1

    DNS Request

    www.iuckychance.com

    DNS Response

    103.224.182.242

  • 8.8.8.8:53
    www.fandenacqua.quest
    dns
    Explorer.EXE
    67 B
    132 B
    1
    1

    DNS Request

    www.fandenacqua.quest

  • 8.8.8.8:53
    www.exodijuis.com
    dns
    Explorer.EXE
    63 B
    136 B
    1
    1

    DNS Request

    www.exodijuis.com

  • 8.8.8.8:53
    www.doitlive.online
    dns
    Explorer.EXE
    65 B
    81 B
    1
    1

    DNS Request

    www.doitlive.online

    DNS Response

    66.96.162.136

  • 8.8.8.8:53
    www.amarbakers.online
    dns
    Explorer.EXE
    67 B
    132 B
    1
    1

    DNS Request

    www.amarbakers.online

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\8u7tt4ey32b

    Filesize

    163KB

    MD5

    4b647b9910011c7dcb6efcdf177f4c4a

    SHA1

    cf59b74c1bec81062866e3327bf057fdbadd8eab

    SHA256

    09bdf441425a65d105404065b4feaa4c231a7d5ea21bf9b3b832c30ed6ee053e

    SHA512

    5fece077b9fb7b1fe1646e0a31a6cc5ec246dcb13229caac5838c1ef277eef4cee5ba2b2d013c37eeab7d55ba8d38c92c9684a05b63456b93104a37302c4c234

  • C:\Users\Admin\AppData\Local\Temp\mfqbqbhcqx

    Filesize

    4KB

    MD5

    2ce8643c23d1bc7f420bdde0683c28ee

    SHA1

    c84271354bceeededc251467eae7cab0f2c3636c

    SHA256

    c4c7b8ac8e31d6d252b19de0bebaf27e31e0c5c2200c9be94eaecfed81db601c

    SHA512

    6319803d938cd42e7f434cfdcf71f547db70d77493d3c5010cb82371d12a156704bf0e554e5d88d7bbe591cb0dd03c7812b0e159ec3e29d2117e560802eb3b63

  • \Users\Admin\AppData\Local\Temp\rxyzg.exe

    Filesize

    3KB

    MD5

    64d3f2b2a7c95bc7051051fe34620dc3

    SHA1

    1a089f830583bca8aae69330a9e4946bbe03fb4f

    SHA256

    d1595a226a32172f214ff69b964281ef663079b6467cffa98edc6064a9f69ab6

    SHA512

    af6b303b98765034f886e8bc9889f829a0265bde7559b9e738ff310be6747be083c377fecc76a007d2f464907bff80c6acfc90abf7f46a1408438554a01bff7e

  • memory/1252-25-0x0000000005710000-0x00000000057D2000-memory.dmp

    Filesize

    776KB

  • memory/1252-28-0x0000000006FF0000-0x00000000070FD000-memory.dmp

    Filesize

    1.1MB

  • memory/1252-27-0x0000000004070000-0x0000000004170000-memory.dmp

    Filesize

    1024KB

  • memory/1252-17-0x0000000005710000-0x00000000057D2000-memory.dmp

    Filesize

    776KB

  • memory/1440-12-0x0000000000400000-0x0000000000429000-memory.dmp

    Filesize

    164KB

  • memory/1440-15-0x0000000000400000-0x0000000000429000-memory.dmp

    Filesize

    164KB

  • memory/2316-41-0x0000000140000000-0x00000001405E8000-memory.dmp

    Filesize

    5.9MB

  • memory/2316-42-0x0000000140000000-0x00000001405E8000-memory.dmp

    Filesize

    5.9MB

  • memory/2316-44-0x0000000140000000-0x00000001405E8000-memory.dmp

    Filesize

    5.9MB

  • memory/2380-11-0x00000000001C0000-0x00000000001C2000-memory.dmp

    Filesize

    8KB

  • memory/2796-21-0x0000000000120000-0x000000000012E000-memory.dmp

    Filesize

    56KB

  • memory/2796-23-0x0000000000120000-0x000000000012E000-memory.dmp

    Filesize

    56KB

  • memory/2796-24-0x00000000000D0000-0x00000000000F9000-memory.dmp

    Filesize

    164KB

  • memory/2796-20-0x0000000000120000-0x000000000012E000-memory.dmp

    Filesize

    56KB
