Analysis

  • max time kernel
    147s
  • max time network
    19s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags
    arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
  • submitted
    21/11/2024, 19:55

General

  • Target

    2575df47e8e09da1f99edde3c9533468c1c76e271e354323bb410aab1bd5f02f.exe

  • Size

    244KB

  • MD5

    ab56d27ab05f380a166ee2b9409a759b

  • SHA1

    8fbda847f0969523042a9e9a0e1b2ce36e81d749

  • SHA256

    2575df47e8e09da1f99edde3c9533468c1c76e271e354323bb410aab1bd5f02f

  • SHA512

    6d824d2b1fc82298fe4b6d5bf735f3c88c272ed42134396a398481157812e1cd706ad915da4a7e64c7941e1898bbb0c8cf6c92602dd976618c270602e4a4a334

  • SSDEEP

    6144:rGiK7P9Xjv4UPOth6tT+fzQrEdGUzlAsLRvDkE73Fb5iptZx9s:81XjO76Z+srE0URAkv7Gpt9s

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

rbrt

Decoy


Signatures

  • Xloader

    Xloader is a rebranded version of Formbook malware.

  • Xloader family
  • Xloader payload 3 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Suspicious use of SetThreadContext 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempts to gather information about the system language of the victim host in order to infer its geographical location.

  • Suspicious behavior: EnumeratesProcesses 31 IoCs
  • Suspicious behavior: MapViewOfSection 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 19 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1204
    • C:\Users\Admin\AppData\Local\Temp\2575df47e8e09da1f99edde3c9533468c1c76e271e354323bb410aab1bd5f02f.exe
      "C:\Users\Admin\AppData\Local\Temp\2575df47e8e09da1f99edde3c9533468c1c76e271e354323bb410aab1bd5f02f.exe"
      2⤵
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2376
      • C:\Users\Admin\AppData\Local\Temp\qmhzftyxd.exe
        C:\Users\Admin\AppData\Local\Temp\qmhzftyxd.exe C:\Users\Admin\AppData\Local\Temp\glbqxojq
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2140
        • C:\Users\Admin\AppData\Local\Temp\qmhzftyxd.exe
          C:\Users\Admin\AppData\Local\Temp\qmhzftyxd.exe C:\Users\Admin\AppData\Local\Temp\glbqxojq
          4⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of AdjustPrivilegeToken
          PID:2972
    • C:\Windows\SysWOW64\wininit.exe
      "C:\Windows\SysWOW64\wininit.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2976
      • C:\Windows\SysWOW64\cmd.exe
        /c del "C:\Users\Admin\AppData\Local\Temp\qmhzftyxd.exe"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:3052

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\glbqxojq

    Filesize

    5KB

    MD5

    a05365ae52c2863aa47547876aa4ae23

    SHA1

    f071ee6d06061cdfd28b82ea612bf2b1bd8ecd5d

    SHA256

    b142c2076a679b9791de2c75d60d91bf512d4d9f9c8b0f899d987bcef5e3dafa

    SHA512

    d83ea7645c2d0b83a87d22d4b97347fd6712c09f6e7dcd1d5d51f02180a853b0344a33ae7555c9ebdeaf9d7c33537359cfe7fd914e4b66eaa5e3b8ff15febca5

  • C:\Users\Admin\AppData\Local\Temp\y2c2ak3s9hlubx

    Filesize

    213KB

    MD5

    818c4223b9c6ff05e4a17af7ada350e7

    SHA1

    6cc9c97f1cdf5d7c256aa282bcc5d0b86062f4f6

    SHA256

    33e828e872dce5bafb41e635644ce13b17cba1ed2502412b6ca0a27b9367c44b

    SHA512

    a1e967a070087c423238022ed745b73b09499c46da3d0c6bf4e404c67adbd8e68550a641d08eaff284d1300f86bb49bc7a9c3a6aa6cf68c0ddea2fddeb37584a

  • \Users\Admin\AppData\Local\Temp\qmhzftyxd.exe

    Filesize

    4KB

    MD5

    2281c1ed86f831c1fe3e0e9605f27b67

    SHA1

    492dce2fdc0859857277e4a4ac3b9bd6eb3cf966

    SHA256

    f7396efdcbc39e94a112ca8086d845b52ecbd9195516c9c9eff55491eee9f664

    SHA512

    be68d2f3eaa905172ebfc325320d86143ea84f31791b348a9e3b7004d3b2dc4c499f7d5e0f19419ae2d7be0d9277ea69876784214480dca120240abbe60ddc36

  • memory/1204-17-0x0000000004AA0000-0x0000000004BB2000-memory.dmp

    Filesize

    1.1MB

  • memory/1204-23-0x0000000004AA0000-0x0000000004BB2000-memory.dmp

    Filesize

    1.1MB

  • memory/2140-9-0x0000000000230000-0x0000000000232000-memory.dmp

    Filesize

    8KB

  • memory/2972-12-0x0000000000400000-0x0000000000429000-memory.dmp

    Filesize

    164KB

  • memory/2972-15-0x0000000000400000-0x0000000000429000-memory.dmp

    Filesize

    164KB

  • memory/2976-21-0x00000000007E0000-0x00000000007FA000-memory.dmp

    Filesize

    104KB

  • memory/2976-20-0x00000000007E0000-0x00000000007FA000-memory.dmp

    Filesize

    104KB

  • memory/2976-22-0x00000000000C0000-0x00000000000E9000-memory.dmp

    Filesize

    164KB