Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

7

3834eba23e...44.exe

windows7-x64

10

3834eba23e...44.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    158s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    19/11/2024, 14:56

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    3834eba23e5c155db7d8ce3743b34644.exe

  • Size

    3.1MB

  • MD5

    3834eba23e5c155db7d8ce3743b34644

  • SHA1

    3858fd6a8101b2b2368c2daecdce40fd023c48ab

  • SHA256

    3e2b2c3013037c3e4dc0e398cd913d8c0abc6be1ea00049b550c207aeee38ca1

  • SHA512

    75b77971a3b21c536366c51f169e9e47b4e2bd184e87d7e3269868448d1bbe0344cf838cefc27520d374c4a81c334624e979f94943713864d98de7dae8db7ad0

  • SSDEEP

    49152:xbwCbZ7VgixIqt4PAl0N2d5vfKqFLkc2f+qLYTmCAySNR3qCGmdwaeO:xbwEhp4PAl/5KULkvf2SRaCGOwaH

Score
10/10
xenoratdiscoveryevasionratthemidatrojan

Malware Config

Extracted

Family

xenorat

C2

96.126.118.61

Mutex

lokai_je_bruh_1337

Attributes
  • delay

    5000

  • install_path

    appdata

  • port

    4444

  • startup_name

    Usermode Disk Driver Host

Signatures

  • XenorRat

    XenorRat is a remote access trojan written in C#.

    trojanratxenorat
  • Xenorat family
    xenorat
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
    evasion
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Themida packer 2 IoCs

    Detects Themida, an advanced Windows software protection system.

    themida
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\3834eba23e5c155db7d8ce3743b34644.exe
    "C:\Users\Admin\AppData\Local\Temp\3834eba23e5c155db7d8ce3743b34644.exe"
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Checks whether UAC is enabled
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2856
    • C:\Windows\SysWOW64\schtasks.exe
      "schtasks.exe" /Create /TN "Usermode Disk Driver Host" /XML "C:\Users\Admin\AppData\Local\Temp\tmpA24B.tmp" /F
      2⤵
      • System Location Discovery: System Language Discovery
      • Scheduled Task/Job: Scheduled Task
      PID:1700

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\tmpA24B.tmp
    Filesize

    1KB

    MD5

    4d04b21a0739f3e5546432a982896305

    SHA1

    697b0c340a9ba514e5ce27212b72803ad4fbda66

    SHA256

    d3895546d16426b490f719d2fffe9d3ec15a00c14e5f591c16019f82da1feb01

    SHA512

    9b9dd10e7e5fbf7503f946b9a7c00b905ddc7178e99021596695f68466670832373f056cb094dbdb6ec5111a29ec511f226fa85530d5d7b4122409973ea7bc28

    Download Submit

  • memory/2856-14-0x00000000000D0000-0x000000000091C000-memory.dmp

    Filesize

    8.3MB

    Download

  • memory/2856-9-0x00000000000D0000-0x000000000091C000-memory.dmp

    Filesize

    8.3MB

    Download

  • memory/2856-3-0x0000000075EF0000-0x0000000075FE0000-memory.dmp

    Filesize

    960KB

    Download

  • memory/2856-4-0x0000000075EF0000-0x0000000075FE0000-memory.dmp

    Filesize

    960KB

    Download

  • memory/2856-5-0x0000000075EF0000-0x0000000075FE0000-memory.dmp

    Filesize

    960KB

    Download

  • memory/2856-6-0x0000000075EF0000-0x0000000075FE0000-memory.dmp

    Filesize

    960KB

    Download

  • memory/2856-7-0x0000000075EF0000-0x0000000075FE0000-memory.dmp

    Filesize

    960KB

    Download

  • memory/2856-15-0x0000000075F10000-0x0000000075F11000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2856-0-0x00000000000D0000-0x000000000091C000-memory.dmp

    Filesize

    8.3MB

    Download

  • memory/2856-10-0x0000000075EF0000-0x0000000075FE0000-memory.dmp

    Filesize

    960KB

    Download

  • memory/2856-2-0x0000000075EF0000-0x0000000075FE0000-memory.dmp

    Filesize

    960KB

    Download

  • memory/2856-13-0x00000000000D0000-0x000000000091C000-memory.dmp

    Filesize

    8.3MB

    Download

  • memory/2856-8-0x0000000075EF0000-0x0000000075FE0000-memory.dmp

    Filesize

    960KB

    Download

  • memory/2856-16-0x0000000075EF0000-0x0000000075FE0000-memory.dmp

    Filesize

    960KB

    Download

  • memory/2856-17-0x0000000075EF0000-0x0000000075FE0000-memory.dmp

    Filesize

    960KB

    Download

  • memory/2856-18-0x0000000075EF0000-0x0000000075FE0000-memory.dmp

    Filesize

    960KB

    Download

  • memory/2856-1-0x0000000075F10000-0x0000000075F11000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2856-21-0x0000000075EF0000-0x0000000075FE0000-memory.dmp

    Filesize

    960KB

    Download

  • memory/2856-23-0x0000000075EF0000-0x0000000075FE0000-memory.dmp

    Filesize

    960KB

    Download

  • memory/2856-24-0x0000000075EF0000-0x0000000075FE0000-memory.dmp

    Filesize

    960KB

    Download

  • memory/2856-25-0x0000000075EF0000-0x0000000075FE0000-memory.dmp

    Filesize

    960KB

    Download

  • memory/2856-26-0x0000000005E00000-0x0000000005E66000-memory.dmp

    Filesize

    408KB

    Download

  • memory/2856-27-0x0000000075EF0000-0x0000000075FE0000-memory.dmp

    Filesize

    960KB

    Download