Analysis
max time kernel: 150s
max time network: 148s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 21/11/2024, 22:31
Static task: static1
Behavioral task: behavioral1
  Sample: Final Drawing.exe
  Resource: win7-20240729-en
General
Target: Final Drawing.exe
Size: 1.0MB
MD5: bd8bbf1a258bc5708d360f819847b4f0
SHA1: 0176aa8eac594513683dcbf3d691db721d13191b
SHA256: c15d8e554b95d2cca4c40e230109410825ca0547a6ce1ab153840f74206ac54b
SHA512: 3bd8c706e5dd66d7ef5b514b4318d1c0de29d20a93405c40e572ba33be8b906ef4252b37aa127d103c9f447ed9cbec764a4332018d1f3406afec512e8c727ae3
SSDEEP: 24576:gFAqJ/9KBndd5VcUt2y2uy2ZSYMCulEAVzvbu4i2m:OAiQBbc492fUcmwzvbu4G
Malware Config
Extracted
Family: xloader
Version: 2.5
Campaign ID: c46r
Domains (65 entries):
Xloader (the Formbook successor) ships its real C2 hidden in a list of decoy domains and contacts several of them per beacon cycle, so this list cannot be read as 65 live C2 servers. Use it as a whole for retro-hunting in proxy/DNS logs, but do not treat any single entry as confirmed attacker infrastructure without further evidence.
petsfranchising.com
wpemdad.com
psikologtenaysude.com
bamdesserts1.com
sanjin.icu
mtdbooksnow.com
ycyxztjd.com
ref4drive.art
asik-qq.asia
myrecase.com
motherhenretta.com
duoduo163.com
bettercrackers.com
liveluxurylove.com
whitcese.com
pasang-iklan.online
new-transport.com
iumsf.com
svpcraft.com
shortbusfriends.com
playandwin-with-o-tentic.com
arabatas.com
grizzholster.com
uthsch.com
idoocam.com
thakurtohgayo.com
mikiemade.com
khoshmarampack.com
zj-fabric.com
acceptdifferencesco.com
birthcare.online
thejourneyrealtygroup.com
cavallitowerco.com
quinaqua.com
hyggeligservices.com
greaterrevelationministry.com
emberandfawn.com
vikingxlmaleenhancement.com
haslavage.com
mammutsingapore.com
servicedoguseries.com
ncgf01.xyz
gwim.digital
patppizzeria.com
locatortravels.com
vinayagafinefoods.com
webflowusa.com
myhelpstationorlando.com
luckycoolshotz.space
lemindsetwvc.com
hakone-inariya.com
lakeshorereviews.com
citujetrn.quest
goodcallhvac.com
sl-ks.com
truthwatch.club
pega-blog.com
arteasesg.com
w-geoview.com
intentionallydelishdelights.com
once-only.info
calipurenutrition.net
cablewireharnesses.com
brndnxt.com
ashleasellshomes.com
Signatures

Xloader family

Xloader payload (5 IoCs)
The memory-dump paths are prefixed behavioral2, so these signatures and the process tree below come from the Windows 10 run described under Analysis, not from the Windows 7 task listed above. Both dumped regions are exactly 0x29000 bytes (0x400000-0x429000 in PID 4324, 0x1D0000-0x1F9000 in PID 4524), consistent with the same unpacked payload first running inside the hollowed copy of the sample and later inside msiexec.exe.
resource                                                                      yara_rule
behavioral2/memory/4324-12-0x0000000000400000-0x0000000000429000-memory.dmp   xloader
behavioral2/memory/4324-17-0x0000000000400000-0x0000000000429000-memory.dmp   xloader
behavioral2/memory/4324-21-0x0000000000400000-0x0000000000429000-memory.dmp   xloader
behavioral2/memory/4524-30-0x00000000001D0000-0x00000000001F9000-memory.dmp   xloader
behavioral2/memory/4524-32-0x00000000001D0000-0x00000000001F9000-memory.dmp   xloader

Suspicious use of SetThreadContext (4 IoCs)
source pid   source process       target pid            procid_target
4008         Final Drawing.exe    4324 (Final Drawing.exe)   99
4324         Final Drawing.exe    3424 (Explorer.EXE)        56
4324         Final Drawing.exe    3424 (Explorer.EXE)        56
4524         msiexec.exe          3424 (Explorer.EXE)        56

System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
ioc                                                                    Process
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Final Drawing.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  msiexec.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cmd.exe
This key is also read by benign processes during locale initialisation (the cleanup cmd.exe is flagged here as well), so treat it as context, not as a detection on its own.

Suspicious behavior: EnumeratesProcesses (46 IoCs)
pid    Process              hits
4324   Final Drawing.exe    6
4524   msiexec.exe          40

Suspicious behavior: MapViewOfSection (6 IoCs)
pid    Process              hits
4324   Final Drawing.exe    4
4524   msiexec.exe          2

Suspicious use of AdjustPrivilegeToken (2 IoCs)
description              pid    Process
Token: SeDebugPrivilege  4324   Final Drawing.exe
Token: SeDebugPrivilege  4524   msiexec.exe

Suspicious use of FindShellTrayWindow (1 IoC)
pid    Process
4008   Final Drawing.exe

Suspicious use of SendNotifyMessage (1 IoC)
pid    Process
4008   Final Drawing.exe

Suspicious use of WriteProcessMemory (12 IoCs)
source pid   source process       target pid                  procid_target   hits
4008         Final Drawing.exe    4324 (Final Drawing.exe)    99              6
3424         Explorer.EXE         4524 (msiexec.exe)          100             3
4524         msiexec.exe          1904 (cmd.exe)              101             3
Processes

C:\Windows\Explorer.EXE  (PID 3424)
  - Suspicious use of WriteProcessMemory
  |
  +-- C:\Users\Admin\AppData\Local\Temp\Final Drawing.exe  "C:\Users\Admin\AppData\Local\Temp\Final Drawing.exe"  (PID 4008)
  |     - Suspicious use of SetThreadContext
  |     - System Location Discovery: System Language Discovery
  |     - Suspicious use of FindShellTrayWindow
  |     - Suspicious use of SendNotifyMessage
  |     - Suspicious use of WriteProcessMemory
  |     |
  |     +-- C:\Users\Admin\AppData\Local\Temp\Final Drawing.exe  "C:\Users\Admin\AppData\Local\Temp\Final Drawing.exe"  (PID 4324)
  |           - Suspicious use of SetThreadContext
  |           - Suspicious behavior: EnumeratesProcesses
  |           - Suspicious behavior: MapViewOfSection
  |           - Suspicious use of AdjustPrivilegeToken
  |
  +-- C:\Windows\SysWOW64\msiexec.exe  "C:\Windows\SysWOW64\msiexec.exe"  (PID 4524)
        - Suspicious use of SetThreadContext
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: MapViewOfSection
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        |
        +-- C:\Windows\SysWOW64\cmd.exe  /c del "C:\Users\Admin\AppData\Local\Temp\Final Drawing.exe"  (PID 1904)
              - System Location Discovery: System Language Discovery

Read together with the signature tables, the tree is the usual Xloader execution chain. The first instance of the sample (PID 4008) starts a second copy of itself (PID 4324) and hollows it (WriteProcessMemory followed by SetThreadContext). The hollowed copy then sets the thread context of Explorer.EXE (PID 3424); Explorer, now running attacker code, launches C:\Windows\SysWOW64\msiexec.exe (PID 4524) with no arguments and writes into it, and that msiexec.exe runs cmd.exe /c del to remove the dropper from disk. The hunting signal is the proxy stage: a 32-bit (SysWOW64) msiexec.exe whose parent is Explorer.EXE, started with no command line, holding SeDebugPrivilege and spawning cmd.exe.
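The chain described above can be recovered mechanically from the report's own rows. The following is an added example (not tria.ge code and not part of the original report): it parses the SetThreadContext and WriteProcessMemory rows exactly as they appear in the signature tables, takes the parent/child and command-line data from the Processes tree, and walks the resulting graph to identify the self-hollow, Explorer injection, proxy-spawn and cleanup stages. The row format and the process map are assumed from this page; the stage names and the `find_injection_chain` helper are this example's own.

```python
"""Reconstruct the injection chain recorded in this report's signature tables.

Added example, not part of the tria.ge report or of any tria.ge tooling. The rows
below are copied from the page's "Suspicious use of SetThreadContext" and
"Suspicious use of WriteProcessMemory" tables, and the process map from its
"Processes" tree; the row format is assumed to be as shown on the page.
"""
import re
from collections import Counter

# Source PID, action, target PID, source PID again, source image, tria.ge process index.
SIGNATURE_ROWS = """\
PID 4008 set thread context of 4324 4008 Final Drawing.exe 99
PID 4324 set thread context of 3424 4324 Final Drawing.exe 56
PID 4324 set thread context of 3424 4324 Final Drawing.exe 56
PID 4524 set thread context of 3424 4524 msiexec.exe 56
PID 4008 wrote to memory of 4324 4008 Final Drawing.exe 99
PID 4008 wrote to memory of 4324 4008 Final Drawing.exe 99
PID 4008 wrote to memory of 4324 4008 Final Drawing.exe 99
PID 4008 wrote to memory of 4324 4008 Final Drawing.exe 99
PID 4008 wrote to memory of 4324 4008 Final Drawing.exe 99
PID 4008 wrote to memory of 4324 4008 Final Drawing.exe 99
PID 3424 wrote to memory of 4524 3424 Explorer.EXE 100
PID 3424 wrote to memory of 4524 3424 Explorer.EXE 100
PID 3424 wrote to memory of 4524 3424 Explorer.EXE 100
PID 4524 wrote to memory of 1904 4524 msiexec.exe 101
PID 4524 wrote to memory of 1904 4524 msiexec.exe 101
PID 4524 wrote to memory of 1904 4524 msiexec.exe 101
"""

SAMPLE_PATH = r"C:\Users\Admin\AppData\Local\Temp\Final Drawing.exe"

# pid -> (image name, parent pid, command line), taken from the Processes tree.
PROCESSES = {
    3424: ("Explorer.EXE", None, r"C:\Windows\Explorer.EXE"),
    4008: ("Final Drawing.exe", 3424, f'"{SAMPLE_PATH}"'),
    4324: ("Final Drawing.exe", 4008, f'"{SAMPLE_PATH}"'),
    4524: ("msiexec.exe", 3424, r'"C:\Windows\SysWOW64\msiexec.exe"'),
    1904: ("cmd.exe", 4524, f'/c del "{SAMPLE_PATH}"'),
}

ROW_RE = re.compile(r"^PID (\d+) (set thread context of|wrote to memory of) (\d+) ")


def parse_rows(text):
    """Collapse the repeated rows into a Counter keyed by (src_pid, action, dst_pid)."""
    edges = Counter()
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            action = "ctx" if m.group(2).startswith("set") else "write"
            edges[(int(m.group(1)), action, int(m.group(3)))] += 1
    return edges


def find_injection_chain(edges, procs):
    """Walk the edges and return the chain stages as human-readable findings."""
    findings = []
    image = lambda pid: procs[pid][0].lower()
    parent = lambda pid: procs[pid][1]
    ctx = {(s, d) for (s, a, d) in edges if a == "ctx" and s != d}
    writes = {(s, d) for (s, a, d) in edges if a == "write" and s != d}

    # Stage 1: a process writes into, then re-points the thread of, a child running its own image.
    for s, d in sorted(ctx & writes):
        if image(s) == image(d) and parent(d) == s:
            findings.append(f"hollowed own child: {s} -> {d} ({procs[d][0]})")

    # Stage 2: thread context of the shell (Explorer.EXE) changed from another process.
    injected_explorer = set()
    for s, d in sorted(ctx):
        if image(d) == "explorer.exe":
            injected_explorer.add(d)
            findings.append(f"thread context of Explorer.EXE ({d}) set by {s} ({procs[s][0]})")

    # Stage 3: the injected shell launches a system binary and writes into it (proxy process).
    proxies = set()
    for s, d in sorted(writes):
        if s in injected_explorer and parent(d) == s:
            proxies.add(d)
            findings.append(f"injected Explorer.EXE ({s}) spawned and wrote into {procs[d][0]} ({d})")

    # Stage 4: a descendant of the proxy deletes the original dropper.
    for pid, (img, ppid, cmdline) in sorted(procs.items()):
        low = cmdline.lower()
        if img.lower() == "cmd.exe" and " del " in f" {low} " and SAMPLE_PATH.lower() in low:
            anc = ppid
            while anc is not None and anc not in proxies:
                anc = parent(anc)
            if anc is not None:
                findings.append(f"{procs[anc][0]} ({anc}) deleted the dropper via cmd.exe ({pid})")
    return findings


if __name__ == "__main__":
    for finding in find_injection_chain(parse_rows(SIGNATURE_ROWS), PROCESSES):
        print(finding)
```

Running the script prints five findings, one per stage plus two for the double Explorer injection (from the hollowed sample and again from msiexec.exe). The same four checks map directly onto Sysmon data: event 10 (ProcessAccess) with thread-context rights for stages 1 and 2, event 1 (ProcessCreate) with ParentImage explorer.exe and an empty command line for stage 3, and a cmd.exe /c del child for stage 4.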