Analysis

  • max time kernel
    11s
  • max time network
    155s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
  • submitted
    01/11/2024, 18:11 UTC

General

  • Target

    xdwd.exe

  • Size

    25KB

  • MD5

    aae04417cc07c39988d4fbe0e85fc9bd

  • SHA1

    2d51b49f8f1faeba674dd0993911e8f65b4d2258

  • SHA256

    f81bc717944ec8a599c8276d9d3b1de4b995d5570139590d263b39e47e87ba3d

  • SHA512

    53cc6468da9be1f4a3cc3089b1ed6a7544eb5cc5f91ae8dc1390688ffe10ad9aff1df224a5cd936276440ee95cb4afcaec7cf4f63332297864179c3266560dfb

  • SSDEEP

    384:EB+Sbj6NKIPw6LZhAHt2vTh34EnWb5j4kDhlzCTJEUmNYEYQro3lcOjsjr:CpI46Lnwt4aE+RHtN8oj

Malware Config

Extracted

Family

limerat

Attributes
  • aes_key

    1337

  • antivm

    false

  • c2_url

    https://pastebin.com/raw/rACMKa5f

  • delay

    3

  • download_payload

    false

  • install

    true

  • install_name

    xdwd.exe

  • main_folder

    AppData

  • pin_spread

    false

  • sub_folder

    \xdwd\

  • usb_spread

    true

Signatures

  • LimeRAT

    Simple yet powerful RAT for Windows machines written in .NET.

  • Limerat family
  • Xmrig family
  • xmrig

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

  • XMRig Miner payload 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • UPX packed file 6 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\xdwd.exe
    "C:\Users\Admin\AppData\Local\Temp\xdwd.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2172
    • C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /f /sc ONLOGON /RL HIGHEST /tn LimeRAT-Admin /tr "'C:\Users\Admin\AppData\Roaming\xdwd\xdwd.exe'"
      2⤵
      • System Location Discovery: System Language Discovery
      • Scheduled Task/Job: Scheduled Task
      PID:3020
    • C:\Users\Admin\AppData\Roaming\xdwd\xdwd.exe
      "C:\Users\Admin\AppData\Roaming\xdwd\xdwd.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      PID:3032
      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\Regasm.exe
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\Regasm.exe" -B --donate-level=0 -t 8 -a cryptonight --url= -u -p -R --variant=-1 --max-cpu-usage=90
        3⤵
          PID:2328

Network

    • flag-us
      DNS
      pastebin.com
      Remote address:
      8.8.8.8:53
      Request
      pastebin.com
      IN A
      Response
      pastebin.com
      IN A
      104.20.3.235
      pastebin.com
      IN A
      172.67.19.24
      pastebin.com
      IN A
      104.20.4.235
    • 104.20.3.235:443
      pastebin.com
      tls
      799 B
      5.4kB
      10
      10
    • 89.23.100.155:1337
      19.0kB
      985.3kB
      390
      725
    • 8.8.8.8:53
      pastebin.com
      dns
      58 B
      106 B
      1
      1

      DNS Request

      pastebin.com

      DNS Response

      104.20.3.235
      172.67.19.24
      104.20.4.235

MITRE ATT&CK Enterprise v15

Downloads

    • \Users\Admin\AppData\Roaming\xdwd\xdwd.exe

      Filesize

      25KB

      MD5

      aae04417cc07c39988d4fbe0e85fc9bd

      SHA1

      2d51b49f8f1faeba674dd0993911e8f65b4d2258

      SHA256

      f81bc717944ec8a599c8276d9d3b1de4b995d5570139590d263b39e47e87ba3d

      SHA512

      53cc6468da9be1f4a3cc3089b1ed6a7544eb5cc5f91ae8dc1390688ffe10ad9aff1df224a5cd936276440ee95cb4afcaec7cf4f63332297864179c3266560dfb

    • memory/2172-15-0x0000000074300000-0x00000000749EE000-memory.dmp

      Filesize

      6.9MB

    • memory/2172-1-0x0000000000160000-0x000000000016C000-memory.dmp

      Filesize

      48KB

    • memory/2172-11-0x0000000074300000-0x00000000749EE000-memory.dmp

      Filesize

      6.9MB

    • memory/2172-0-0x000000007430E000-0x000000007430F000-memory.dmp

      Filesize

      4KB

    • memory/2328-28-0x0000000000400000-0x0000000000586000-memory.dmp

      Filesize

      1.5MB

    • memory/2328-29-0x0000000000400000-0x0000000000586000-memory.dmp

      Filesize

      1.5MB

    • memory/2328-21-0x0000000000400000-0x0000000000586000-memory.dmp

      Filesize

      1.5MB

    • memory/2328-25-0x0000000000400000-0x0000000000586000-memory.dmp

      Filesize

      1.5MB

    • memory/2328-23-0x0000000000400000-0x0000000000586000-memory.dmp

      Filesize

      1.5MB

    • memory/2328-31-0x0000000000400000-0x0000000000586000-memory.dmp

      Filesize

      1.5MB

    • memory/2328-30-0x0000000000400000-0x0000000000586000-memory.dmp

      Filesize

      1.5MB

    • memory/2328-27-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

      Filesize

      4KB

    • memory/3032-18-0x0000000074300000-0x00000000749EE000-memory.dmp

      Filesize

      6.9MB

    • memory/3032-20-0x0000000005870000-0x00000000058EE000-memory.dmp

      Filesize

      504KB

    • memory/3032-13-0x0000000074300000-0x00000000749EE000-memory.dmp

      Filesize

      6.9MB

    • memory/3032-19-0x0000000000740000-0x000000000074C000-memory.dmp

      Filesize

      48KB

    • memory/3032-14-0x0000000000EC0000-0x0000000000ECC000-memory.dmp

      Filesize

      48KB

    • memory/3032-17-0x0000000074300000-0x00000000749EE000-memory.dmp

      Filesize

      6.9MB

    • memory/3032-16-0x0000000074300000-0x00000000749EE000-memory.dmp

      Filesize

      6.9MB

    • memory/3032-32-0x0000000000BC0000-0x0000000000BDE000-memory.dmp

      Filesize

      120KB
