Analysis
Max time kernel: 146s
Max time network: 153s
Platform: windows10-2004_x64
Resource: win10v2004-20241007-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 21/11/2024, 19:58

Tasks
Static task: static1
Behavioral task: behavioral1
  Sample: 6480c27577ec4b5412f5869be7688753.exe
  Resource: win7-20240903-en

Note: the task list above names the Windows 7 resource (win7-20240903-en) for behavioral1, but the analysis header gives a Windows 10 platform and the memory-dump paths in the Xloader payload signature below are under behavioral2. The signatures and process tree on this page therefore belong to the Windows 10 run, not to the behavioral1 task listed here.
General
Target: 6480c27577ec4b5412f5869be7688753.exe
Size: 919KB
MD5: 6480c27577ec4b5412f5869be7688753
SHA1: d47df66a173cdbf3d0edb12811fbbe3279c434aa
SHA256: f418beabbb3cb228180b1dbfa41904564d8936f77d01f6529c42d64f31b2d490
SHA512: cd5998cd94f8eca2ba9228fe9965f9a88d276af44adcab61f4974e72d6aa8f36f33ba67cd228a2f5dea14875024e170de5317860ad4a21589506de9901b29d33
SSDEEP: 12288:RjHuWFHmpuSMPQipP5LqGd27mklDUZPh90ey56JCSXLhgVolis9R:RxHIRipBq02LDs+eycnbhZxL
Malware Config
Extracted
Family: xloader
Version: 2.3
Campaign: uqf5
Domains (Xloader embeds a list of domains in which only one is the live C2 and the rest are decoys; the extractor does not say which one is live, so treat every entry below as a decoy candidate rather than a confirmed C2):
paolograssino.com
hammockcoastproperty.net
blinbins.com
financierapoorvenirsas.com
mattruddle.com
wighumanhair.com
tvdajiang14.com
theblackharvest.com
tylerrucarean.com
a-prime-india-demataccount.zone
amboselisafarigallery.info
toolbnbapp.com
scientificindustrial.com
trainup-wall.com
pocosmo.com
thebluepottingtable.com
leavelogs.com
verbalfreedom.com
qa4i.com
kiiikoo.com
glossedbythebrat.com
gorditasdemaiz.com
healthystartswithin.com
homeanddesignstudio.com
skalewide.com
bestdispatchtowitnesstoday.info
cineconhisense.com
mahibhardwaj.com
imperatrizacam.com
bezoekburen.com
qbakan.com
ansalapishagunrealestate.com
crow94723.com
kosova.one
chhhju.com
cominghomestead.com
ingenious.care
unclesamsoftware.com
xn--cfe12fhb.com
tradinglantern.com
wwwthedrudgereport.com
researchinnovations.net
to-cs.com
sandia.info
tachibana-fukushima.com
pzzfw.com
flockuplabs.com
stays.travel
itertempora.net
murrietayoga.com
plus5tocrafting.com
ovidrelprefilledsyringe.com
prltoday.com
l24consultants.net
mexicobeachselfstorage.com
bnvjufj.icu
schulze.media
thewinebarrel.info
blesst.tech
newtec.life
acmarketinghacks.com
elitevillaholidays.com
pr-daily.com
cgjanvier.com
culturalinterface.net
Signatures

Xloader family

Xloader payload (3 IoCs)
resource | yara_rule
behavioral2/memory/404-13-0x0000000000400000-0x0000000000429000-memory.dmp | xloader
behavioral2/memory/404-18-0x0000000000400000-0x0000000000429000-memory.dmp | xloader
behavioral2/memory/3892-23-0x0000000000920000-0x0000000000949000-memory.dmp | xloader
Both dumped regions are 0x29000 bytes long (0x400000-0x429000 in RegSvcs.exe, PID 404, and 0x920000-0x949000 in cscript.exe, PID 3892), consistent with the same unpacked Xloader image being mapped into each injection host.

Suspicious use of SetThreadContext (3 IoCs)
description | pid | Process | procid_target
PID 3988 set thread context of 404 | 3988 | 6480c27577ec4b5412f5869be7688753.exe | 91
PID 404 set thread context of 3548 | 404 | RegSvcs.exe | 56
PID 3892 set thread context of 3548 | 3892 | cscript.exe | 56

System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 6480c27577ec4b5412f5869be7688753.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cscript.exe

Suspicious behavior: EnumeratesProcesses (39 IoCs)
pid | Process
3988 | 6480c27577ec4b5412f5869be7688753.exe (1 entry)
404 | RegSvcs.exe (4 entries)
3892 | cscript.exe (the remaining 34 of the 39 entries)

Suspicious behavior: MapViewOfSection (5 IoCs)
pid | Process
404 | RegSvcs.exe (3 entries)
3892 | cscript.exe (2 entries)

Suspicious use of AdjustPrivilegeToken (3 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 3988 | 6480c27577ec4b5412f5869be7688753.exe
Token: SeDebugPrivilege | 404 | RegSvcs.exe
Token: SeDebugPrivilege | 3892 | cscript.exe

Suspicious use of WriteProcessMemory (12 IoCs)
description | pid | Process | procid_target
PID 3988 wrote to memory of 404 | 3988 | 6480c27577ec4b5412f5869be7688753.exe | 91 (6 entries)
PID 3548 wrote to memory of 3892 | 3548 | Explorer.EXE | 92 (3 entries)
PID 3892 wrote to memory of 2332 | 3892 | cscript.exe | 93 (3 entries)
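The SetThreadContext and WriteProcessMemory rows above, read together with the process tree, describe the injection chain. The following Python is an added example and not part of the tria.ge report: it reconstructs that chain from rows transcribed from this page (the tuples and the parent map are constructed inline from the signature tables and the process tree), labels each cross-process edge by API combination and lineage, and parses the yara memory-dump names to recover the dumped region size. The edge labels and the dump-name pattern are this example's own assumptions, not tria.ge's.

```python
"""Reconstruct a process-injection chain from sandbox signature rows.

Added example; not code from the tria.ge report. The input below is
transcribed from the report's WriteProcessMemory / SetThreadContext
tables and its Processes tree.
"""
import re
from collections import defaultdict

# Constructed input: (acting pid, process image, target pid), one tuple per
# row in the report. The report lists one row per observed call.
WRITE_PROCESS_MEMORY = (
    [(3988, "6480c27577ec4b5412f5869be7688753.exe", 404)] * 6
    + [(3548, "Explorer.EXE", 3892)] * 3
    + [(3892, "cscript.exe", 2332)] * 3
)
SET_THREAD_CONTEXT = [
    (3988, "6480c27577ec4b5412f5869be7688753.exe", 404),
    (404, "RegSvcs.exe", 3548),
    (3892, "cscript.exe", 3548),
]
# Parent -> child lineage taken from the report's Processes tree.
PARENTS = {3988: 3548, 404: 3988, 3892: 3548, 2332: 3892}
IMAGES = {
    3548: "Explorer.EXE",
    3988: "6480c27577ec4b5412f5869be7688753.exe",
    404: "RegSvcs.exe",
    3892: "cscript.exe",
    2332: "cmd.exe",
}

# Assumed shape of tria.ge dump names: <task>/memory/<pid>-<n>-0x<start>-0x<end>-memory.dmp
DUMP_RE = re.compile(
    r"^behavioral\d+/memory/(?P<pid>\d+)-\d+-0x(?P<start>[0-9a-fA-F]+)"
    r"-0x(?P<end>[0-9a-fA-F]+)-memory\.dmp$"
)


def collect_edges(wpm, stc):
    """Map (src pid, dst pid) -> {api name: call count}."""
    edges = defaultdict(lambda: defaultdict(int))
    for src, _img, dst in wpm:
        edges[(src, dst)]["WriteProcessMemory"] += 1
    for src, _img, dst in stc:
        edges[(src, dst)]["SetThreadContext"] += 1
    return edges


def classify_edge(src, dst, apis, parents):
    """Label one cross-process edge (labels are this example's own).

    Write + context change into a process the actor itself spawned is the
    process-hollowing shape; a context change into a process the actor did
    not create is a thread hijack of an existing process.
    """
    is_child = parents.get(dst) == src
    has_wpm = "WriteProcessMemory" in apis
    has_stc = "SetThreadContext" in apis
    if has_wpm and has_stc and is_child:
        return "hollowing of own child"
    if has_stc and not is_child:
        return "thread hijack of existing process"
    if has_wpm and is_child:
        return "memory write into own child (no context change observed)"
    return "other cross-process write"


def injection_chain(wpm, stc, parents, images):
    """Return one labelled record per (src, dst) edge, sorted by pid pair."""
    rows = []
    for (src, dst), apis in sorted(collect_edges(wpm, stc).items()):
        rows.append({
            "src": src, "src_image": images.get(src, "?"),
            "dst": dst, "dst_image": images.get(dst, "?"),
            "apis": dict(apis),
            "label": classify_edge(src, dst, apis, parents),
        })
    return rows


def dump_region(name):
    """Parse a dump file name into pid, start, end and region size in bytes."""
    m = DUMP_RE.match(name)
    if not m:
        raise ValueError(f"unrecognised dump name: {name}")
    start, end = int(m["start"], 16), int(m["end"], 16)
    return {"pid": int(m["pid"]), "start": start, "end": end, "size": end - start}


if __name__ == "__main__":
    for r in injection_chain(WRITE_PROCESS_MEMORY, SET_THREAD_CONTEXT, PARENTS, IMAGES):
        print(f"{r['src']} {r['src_image']} -> {r['dst']} {r['dst_image']}: "
              f"{r['apis']} => {r['label']}")
    for d in ("behavioral2/memory/404-13-0x0000000000400000-0x0000000000429000-memory.dmp",
              "behavioral2/memory/3892-23-0x0000000000920000-0x0000000000949000-memory.dmp"):
        print(dump_region(d))
```

Run on the page's rows, the sample's write-plus-context-change into the RegSvcs.exe it spawned (3988 to 404) comes out as the hollowing shape, the two SetThreadContext calls into Explorer.EXE (404 to 3548 and 3892 to 3548), which neither caller created, come out as thread hijacks of an existing process, and both dump regions resolve to 0x29000 bytes.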
Processes

C:\Windows\Explorer.EXE (PID 3548)
  Command line: "C:\Windows\Explorer.EXE"
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\6480c27577ec4b5412f5869be7688753.exe (PID 3988)
    Command line: "C:\Users\Admin\AppData\Local\Temp\6480c27577ec4b5412f5869be7688753.exe"
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe (PID 404)
      Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\cscript.exe (PID 3892)
    Command line: "C:\Windows\SysWOW64\cscript.exe"
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe (PID 2332)
      Command line: /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
      - System Location Discovery: System Language Discovery