Analysis
max time kernel: 120s
max time network: 124s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 03/10/2024, 18:00
Static task static1
Behavioral task behavioral1: sample 916715cdd3cb9f6670424bd4f72682cdc4343d79fd36b19de992ee2c3095ecdeN.exe, resource win7-20240903-en
Behavioral task behavioral2: sample 916715cdd3cb9f6670424bd4f72682cdc4343d79fd36b19de992ee2c3095ecdeN.exe, resource win10v2004-20240802-en
Behavioral task behavioral3: sample xuhsbsshb.exe, resource win7-20240903-en
Behavioral task behavioral4: sample xuhsbsshb.exe, resource win10v2004-20240802-en
General
Target: 916715cdd3cb9f6670424bd4f72682cdc4343d79fd36b19de992ee2c3095ecdeN.exe
Size: 307KB
MD5: 28f2c3e63f1fd1357d2cfe72869b53c0
SHA1: 173d8ff1943f864ea06ef27921ed0e5e2216666f
SHA256: 916715cdd3cb9f6670424bd4f72682cdc4343d79fd36b19de992ee2c3095ecde
SHA512: c1fe8d6e948521b9d30e4275031b1ff2a2ffb4ff5bd1b0214e631cc4efe3e2613d3edd27c437329edce64f09c35721cc132604c9c2631f2c0269c7ad7a9d9994
SSDEEP: 6144:RNeZbN827N5wptBh8EF6+ofNxn1g50EG8Y0lWNe7I+4auF9PX:RNONvJ+ptBCU6++gr86I+69PX
Malware Config
Extracted
Family: xloader
Version: 2.5
Campaign: op53
Signatures

Xloader payload (3 IoCs)
resource / yara_rule
behavioral1/memory/3012-12-0x0000000000400000-0x0000000000429000-memory.dmp xloader
behavioral1/memory/3012-16-0x0000000000400000-0x0000000000429000-memory.dmp xloader
behavioral1/memory/2740-21-0x0000000000080000-0x00000000000A9000-memory.dmp xloader

Executes dropped EXE (2 IoCs)
pid / Process
2808 xuhsbsshb.exe
3012 xuhsbsshb.exe

Loads dropped DLL (2 IoCs)
pid / Process
2692 916715cdd3cb9f6670424bd4f72682cdc4343d79fd36b19de992ee2c3095ecdeN.exe
2808 xuhsbsshb.exe

Suspicious use of SetThreadContext (3 IoCs)
description / pid / Process / procid_target
PID 2808 set thread context of 3012 / 2808 / xuhsbsshb.exe / 31
PID 3012 set thread context of 1192 / 3012 / xuhsbsshb.exe / 21
PID 2740 set thread context of 1192 / 2740 / control.exe / 21

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTPs, 4 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description / ioc / Process
Key opened / \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language / control.exe
Key opened / \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language / cmd.exe
Key opened / \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language / 916715cdd3cb9f6670424bd4f72682cdc4343d79fd36b19de992ee2c3095ecdeN.exe
Key opened / \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language / xuhsbsshb.exe

Suspicious behavior: EnumeratesProcesses (25 IoCs)
pid / Process / occurrences
3012 / xuhsbsshb.exe / 2
2740 / control.exe / 23

Suspicious behavior: MapViewOfSection (5 IoCs)
pid / Process / occurrences
3012 / xuhsbsshb.exe / 3
2740 / control.exe / 2

Suspicious use of AdjustPrivilegeToken (2 IoCs)
description / pid / Process
Token: SeDebugPrivilege / 3012 / xuhsbsshb.exe
Token: SeDebugPrivilege / 2740 / control.exe

Suspicious use of WriteProcessMemory (19 IoCs)
description / pid / Process / procid_target / occurrences
PID 2692 wrote to memory of 2808 / 2692 / 916715cdd3cb9f6670424bd4f72682cdc4343d79fd36b19de992ee2c3095ecdeN.exe / 30 / 4
PID 2808 wrote to memory of 3012 / 2808 / xuhsbsshb.exe / 31 / 7
PID 1192 wrote to memory of 2740 / 1192 / Explorer.EXE / 32 / 4
PID 2740 wrote to memory of 2584 / 2740 / control.exe / 33 / 4
Processes

C:\Windows\Explorer.EXE (depth 1, PID 1192)
  command line: C:\Windows\Explorer.EXE
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\916715cdd3cb9f6670424bd4f72682cdc4343d79fd36b19de992ee2c3095ecdeN.exe (depth 2, PID 2692)
    command line: "C:\Users\Admin\AppData\Local\Temp\916715cdd3cb9f6670424bd4f72682cdc4343d79fd36b19de992ee2c3095ecdeN.exe"
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\xuhsbsshb.exe (depth 3, PID 2808)
      command line: C:\Users\Admin\AppData\Local\Temp\xuhsbsshb.exe C:\Users\Admin\AppData\Local\Temp\ukilojtrz
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of SetThreadContext
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

      C:\Users\Admin\AppData\Local\Temp\xuhsbsshb.exe (depth 4, PID 3012)
        command line: C:\Users\Admin\AppData\Local\Temp\xuhsbsshb.exe C:\Users\Admin\AppData\Local\Temp\ukilojtrz
        - Executes dropped EXE
        - Suspicious use of SetThreadContext
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: MapViewOfSection
        - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\control.exe (depth 2, PID 2740)
    command line: "C:\Windows\SysWOW64\control.exe"
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe (depth 3, PID 2584)
      command line: /c del "C:\Users\Admin\AppData\Local\Temp\xuhsbsshb.exe"
      - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 213KB
MD5: 46ff5a0f2ac2424921fd161e8497dd6a
SHA1: 0086ed96bc8f03dd77eba02e5669fe1c54f90d79
SHA256: e8ccd88569cf6f25118135c988a15b8deab2bb3789537182219c41a33b08654b
SHA512: dad931f448fa198e666ea3d39d7941b0a385f64c67a2a1a5533ae6f3a0b199b3cd47dd622d3029b7e338a1f2ede917db58b3d9eb481474e5e47566775c3756b1

Filesize: 4KB
MD5: 94cdc5fa8c30e1c1d361a4d7deb9b3ca
SHA1: c1c7316895f5aa5cd5b51ef876056dbcb0814632
SHA256: e6f2622adb08b89a002a501a6c6615291eec326f6233a57152545fa3afa2a856
SHA512: dc7edda3e1f9e4947c9da0f6f63ffe46865d2f9225e2cca36c2292b8710610da2417e1067fde99fffd110012965fe7eda75fc7f8e662edb3e4c0a8c387ef8d7c

Filesize: 4KB
MD5: daa39e25fb5b25bd1e42408efdac928f
SHA1: 665426ddf94268322d180128a92ddb2f45b1d3b8
SHA256: 7e5a0ec65f4c96a6b8de07c341282da8777fc45f4976e415f1738fa165d0a272
SHA512: 42cae6cc93a923965a65b70c68a46e63246d5af0175cbf7e4fc33ecf8d5bd2ffc1395c4237411292136daf36ebf132567cfa2f6dc2a7ec7d33d482cee2cb4903