Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
max time kernel: 146s
max time network: 121s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 21/11/2024, 20:25
Static task: static1
Behavioral task: behavioral1
  Sample: d8f888158556fe3971ae3904db9268b95c1d7f3ee1991dbd04002e018b65750f.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: d8f888158556fe3971ae3904db9268b95c1d7f3ee1991dbd04002e018b65750f.exe
  Resource: win10v2004-20241007-en
Behavioral task: behavioral3
  Sample: znompeu.exe
  Resource: win7-20240708-en
Behavioral task: behavioral4
  Sample: znompeu.exe
  Resource: win10v2004-20241007-en
General
Target: d8f888158556fe3971ae3904db9268b95c1d7f3ee1991dbd04002e018b65750f.exe
Size: 332KB
MD5: 9572e695a50ea24517e2414010e10b46
SHA1: ae079d5e44e8b797dd8c29a9f9fd13d9466bc97a
SHA256: d8f888158556fe3971ae3904db9268b95c1d7f3ee1991dbd04002e018b65750f
SHA512: ed98a7c1dcbc2fdc8ec0baf5b79586340b4e6552ab2026ddfa0efff3c526862baf81b873a6cf14e054219f629bf7609a42d88845949bfb54e49bd399543a57f8
SSDEEP: 6144:TxD7+ihfubpqe6ZFBwZlt26euWhXlUCU0Ch5dlGBkV8Vd1vBIZLlGs7:4guA1ZFBilIpuKChNV8Vd1MLo+
Malware Config
Extracted
xloader
2.5
yrcy
Signatures

Xloader family

Xloader payload (3 IoCs)
  resource                                                                      yara_rule
  behavioral1/memory/2388-12-0x0000000000400000-0x0000000000429000-memory.dmp   xloader
  behavioral1/memory/2388-15-0x0000000000400000-0x0000000000429000-memory.dmp   xloader
  behavioral1/memory/1988-22-0x00000000000C0000-0x00000000000E9000-memory.dmp   xloader

Executes dropped EXE (2 IoCs)
  pid   Process
  1556  znompeu.exe
  2388  znompeu.exe

Loads dropped DLL (2 IoCs)
  pid   Process
  1324  d8f888158556fe3971ae3904db9268b95c1d7f3ee1991dbd04002e018b65750f.exe
  1556  znompeu.exe

Suspicious use of SetThreadContext (3 IoCs)
  description                          pid   Process      procid_target
  PID 1556 set thread context of 2388  1556  znompeu.exe  31
  PID 2388 set thread context of 1188  2388  znompeu.exe  21
  PID 1988 set thread context of 1188  1988  svchost.exe  21

Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTPs, 4 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc                                                            Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language    d8f888158556fe3971ae3904db9268b95c1d7f3ee1991dbd04002e018b65750f.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language    znompeu.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language    svchost.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language    cmd.exe

Suspicious behavior: EnumeratesProcesses (31 IoCs)
  pid   Process
  2388  znompeu.exe  (2 entries)
  1988  svchost.exe  (29 entries)

Suspicious behavior: MapViewOfSection (5 IoCs)
  pid   Process
  2388  znompeu.exe  (3 entries)
  1988  svchost.exe  (2 entries)

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description              pid   Process
  Token: SeDebugPrivilege  2388  znompeu.exe
  Token: SeDebugPrivilege  1988  svchost.exe

Suspicious use of WriteProcessMemory (19 IoCs)
  description                        pid   Process                                                                procid_target
  PID 1324 wrote to memory of 1556   1324  d8f888158556fe3971ae3904db9268b95c1d7f3ee1991dbd04002e018b65750f.exe  30  (4 entries)
  PID 1556 wrote to memory of 2388   1556  znompeu.exe                                                            31  (7 entries)
  PID 1188 wrote to memory of 1988   1188  Explorer.EXE                                                           32  (4 entries)
  PID 1988 wrote to memory of 1964   1988  svchost.exe                                                            33  (4 entries)
Processes

C:\Windows\Explorer.EXE
  command line: C:\Windows\Explorer.EXE
  PID: 1188
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\d8f888158556fe3971ae3904db9268b95c1d7f3ee1991dbd04002e018b65750f.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\d8f888158556fe3971ae3904db9268b95c1d7f3ee1991dbd04002e018b65750f.exe"
    PID: 1324
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\znompeu.exe
      command line: C:\Users\Admin\AppData\Local\Temp\znompeu.exe C:\Users\Admin\AppData\Local\Temp\rgavkpxs
      PID: 1556
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of SetThreadContext
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

      C:\Users\Admin\AppData\Local\Temp\znompeu.exe
        command line: C:\Users\Admin\AppData\Local\Temp\znompeu.exe C:\Users\Admin\AppData\Local\Temp\rgavkpxs
        PID: 2388
        - Executes dropped EXE
        - Suspicious use of SetThreadContext
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: MapViewOfSection
        - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\svchost.exe
    command line: "C:\Windows\SysWOW64\svchost.exe"
    PID: 1988
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe
      command line: /c del "C:\Users\Admin\AppData\Local\Temp\znompeu.exe"
      PID: 1964
      - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 210KB
MD5: 21283579ae331b1495ad866408aab9b0
SHA1: b2a9cb3e3b30d17c849713e7193404dc9863959d
SHA256: f3fa6eb6757fca96cdae8958f8446c9e49527e593031bb32dfccc3ff976fa432
SHA512: f8518631b04d00b2c00b45912df2ab8ed44cc31ea2b6afdf075ee1e1b2ff3ef74ec35275a495321dd6746814726b9045e30e8735240d6b9667f7695aff1e73e3

Filesize: 5KB
MD5: 2af81e6c3061790ce149ffc656096753
SHA1: 504ca42eb12a22cf770f9fba3a305ca5cbdd2ab2
SHA256: 584c53db963412e640e1320a4d48fe1904afcc2c735d6ab8e4eb64c74eb0360c
SHA512: f7853f4f09e08426953131cd743b154091d413c45c8c09a1c247f9469937963c54f326bb12141decee14a7b05fc70e835733a339dd908549312cce7c1dd7a46f

Filesize: 222KB
MD5: 09bbca18da135482d44b23c70f9d8568
SHA1: 9edfd59b24069657a2cf6eb35cfe5bed6e3d1fe7
SHA256: 0013c266aef2611a034268e74cf293cf443b9246ef569c9acf6fadab59a45341
SHA512: a743f45e84515ed0965ae25ad1f0ac4a8821899e9292c1b0e6cdea93cb2b7f488a38c2ad8eff668c4170495516145476a232518a4f54ebc1aba557c04b43bf15