Analysis

  • max time kernel
    120s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags
    arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
  • submitted
    21/11/2024, 20:29

General

  • Target
    po.exe
  • Size
    968KB
  • MD5
    7c8206e11a3f0a3832c65ee22ca21819
  • SHA1
    fb255b2ee75cc76180daddb78c7cf912eb248f06
  • SHA256
    f8cdb91e57d80dd935b4490720b39d75db0443fac602c9d4cdab434aa82a6a43
  • SHA512
    b230d0ebeddb1641a2f63286b8d90d7f7d83b03f5cec4d7433e8463dc22796c9bf657bb487ab7f57221173cd42721b27289dc2e7f8f9817fcd3f6a6968c5bca2
  • SSDEEP
    24576:AyCb02+HEYq7j15AD9UvCVPA/012j1DkdZ:px3HZqdcUS2Jkd

Malware Config

Extracted

  • Family
    xloader
  • Version
    2.3
  • Campaign
    i9me
  • Decoy


Signatures

  • Xloader

    Xloader is a rebranded version of Formbook malware.

  • Xloader family
  • Xloader payload 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\po.exe
    "C:\Users\Admin\AppData\Local\Temp\po.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1684
    • C:\Users\Admin\AppData\Local\Temp\po.exe
      "C:\Users\Admin\AppData\Local\Temp\po.exe"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2108
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 2108 -s 36
        3⤵
        • Program crash
        PID:1296

MITRE ATT&CK Enterprise v15

Downloads

  • memory/1684-6-0x0000000005140000-0x00000000051FA000-memory.dmp
    Filesize: 744KB
  • memory/1684-1-0x0000000000DE0000-0x0000000000ED8000-memory.dmp
    Filesize: 992KB
  • memory/1684-2-0x0000000074920000-0x000000007500E000-memory.dmp
    Filesize: 6.9MB
  • memory/1684-3-0x00000000004A0000-0x00000000004B4000-memory.dmp
    Filesize: 80KB
  • memory/1684-4-0x000000007492E000-0x000000007492F000-memory.dmp
    Filesize: 4KB
  • memory/1684-5-0x0000000074920000-0x000000007500E000-memory.dmp
    Filesize: 6.9MB
  • memory/1684-0-0x000000007492E000-0x000000007492F000-memory.dmp
    Filesize: 4KB
  • memory/1684-7-0x00000000053E0000-0x0000000005458000-memory.dmp
    Filesize: 480KB
  • memory/1684-14-0x0000000074920000-0x000000007500E000-memory.dmp
    Filesize: 6.9MB
  • memory/2108-11-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
    Filesize: 4KB
  • memory/2108-13-0x0000000000400000-0x0000000000428000-memory.dmp
    Filesize: 160KB
  • memory/2108-10-0x0000000000400000-0x0000000000428000-memory.dmp
    Filesize: 160KB
  • memory/2108-8-0x0000000000400000-0x0000000000428000-memory.dmp
    Filesize: 160KB