Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

SHIPPING D...BL.exe

windows7-x64

10

SHIPPING D...BL.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    147s
  • max time network
    18s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
  • submitted
    21/11/2024, 20:03 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    SHIPPING DOC CICOOPLBL.exe

  • Size

    471KB

  • MD5

    73eb22341ce8fcc60593432d2d37c872

  • SHA1

    9aad11376e92a7b87ae2296e1c146ef88e2b3e15

  • SHA256

    985c930f9f983d8ec93977335ebff73b477d7aaa678c163be58714525fb9f273

  • SHA512

    d8735d3a85a992a5e14fcfc4fa6df9b2eed7039c118cfb6536e1242b9b995b1924b97d1ad16b7f90dd692d0d06f1f262fb0828e45558d8d4ce73bc89ff72911e

  • SSDEEP

    6144:g34P86jIlgv5aK9rj5vVFfAb04v+M4/Vf9fkhqx4YYAdCSjtDU/5hL5WwHPc+nfe:eYd9rjB14v4//f13RcatDAL5Wwv9f6u

Score
10/10
xloaderxftsdiscoveryloaderrat

Malware Config

Extracted

Family

xloader

Version

2.3

Campaign

xfts

Decoy

dailiesplatform.com

krlanka.com

koms.info

chesslearner.com

softwarefully.com

yogiplayground.com

learhee.com

faithbook.info

pepperrefo.com

kratochvil-elektro.com

artbyg2.com

123-e.com

levelupyourbody.info

ecommercebusinessowner.com

floraseriestrilogy.com

sdyykt.com

swchof.com

huaxinhui.tech

sems-iress2016.com

vasudhalibrary.com

Signatures

  • Xloader

    Xloader is a rebranded version of Formbook malware.

    loaderxloader
  • Xloader family
    xloader
  • Xloader payload 4 IoCs
    rat
  • Deletes itself 1 IoCs
  • Suspicious use of SetThreadContext 4 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 4 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

    discovery
  • Suspicious behavior: EnumeratesProcesses 27 IoCs
  • Suspicious behavior: MapViewOfSection 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 19 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1364
    • C:\Users\Admin\AppData\Local\Temp\SHIPPING DOC CICOOPLBL.exe
      "C:\Users\Admin\AppData\Local\Temp\SHIPPING DOC CICOOPLBL.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • System Network Configuration Discovery: Internet Connection Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:432
      • C:\Users\Admin\AppData\Local\Temp\SHIPPING DOC CICOOPLBL.exe
        "{path}"
        3⤵
        • System Network Configuration Discovery: Internet Connection Discovery
        PID:2888
      • C:\Users\Admin\AppData\Local\Temp\SHIPPING DOC CICOOPLBL.exe
        "{path}"
        3⤵
        • Suspicious use of SetThreadContext
        • System Network Configuration Discovery: Internet Connection Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        PID:2892
    • C:\Windows\SysWOW64\colorcpl.exe
      "C:\Windows\SysWOW64\colorcpl.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2804
      • C:\Windows\SysWOW64\cmd.exe
        /c del "C:\Users\Admin\AppData\Local\Temp\SHIPPING DOC CICOOPLBL.exe"
        3⤵
        • Deletes itself
        • System Location Discovery: System Language Discovery
        • System Network Configuration Discovery: Internet Connection Discovery
        PID:2752

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/432-13-0x00000000749A0000-0x000000007508E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/432-7-0x0000000000690000-0x00000000006C0000-memory.dmp

    Filesize

    192KB

    Download

  • memory/432-2-0x00000000749A0000-0x000000007508E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/432-3-0x0000000000410000-0x0000000000418000-memory.dmp

    Filesize

    32KB

    Download

  • memory/432-4-0x00000000749AE000-0x00000000749AF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/432-5-0x00000000749A0000-0x000000007508E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/432-6-0x0000000005C50000-0x0000000005CD2000-memory.dmp

    Filesize

    520KB

    Download

  • memory/432-0-0x00000000749AE000-0x00000000749AF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/432-1-0x0000000000B30000-0x0000000000BAC000-memory.dmp

    Filesize

    496KB

    Download

  • memory/1364-24-0x00000000068C0000-0x0000000006A06000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/1364-23-0x0000000007330000-0x000000000747E000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/1364-19-0x00000000068C0000-0x0000000006A06000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/1364-28-0x0000000007330000-0x000000000747E000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/1364-18-0x0000000004C40000-0x0000000004D40000-memory.dmp

    Filesize

    1024KB

    Download

  • memory/2804-26-0x00000000002D0000-0x00000000002E8000-memory.dmp

    Filesize

    96KB

    Download

  • memory/2804-25-0x00000000002D0000-0x00000000002E8000-memory.dmp

    Filesize

    96KB

    Download

  • memory/2804-27-0x00000000000D0000-0x00000000000F9000-memory.dmp

    Filesize

    164KB

    Download

  • memory/2892-16-0x0000000000400000-0x0000000000429000-memory.dmp

    Filesize

    164KB

    Download

  • memory/2892-21-0x0000000000400000-0x0000000000429000-memory.dmp

    Filesize

    164KB

    Download

  • memory/2892-8-0x0000000000400000-0x0000000000429000-memory.dmp

    Filesize

    164KB

    Download

  • memory/2892-17-0x0000000000190000-0x00000000001A1000-memory.dmp

    Filesize

    68KB

    Download

  • memory/2892-22-0x00000000002E0000-0x00000000002F1000-memory.dmp

    Filesize

    68KB

    Download

  • memory/2892-9-0x0000000000400000-0x0000000000429000-memory.dmp

    Filesize

    164KB

    Download

  • memory/2892-10-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2892-14-0x0000000000BB0000-0x0000000000EB3000-memory.dmp

    Filesize

    3.0MB

    Download

  • memory/2892-12-0x0000000000400000-0x0000000000429000-memory.dmp

    Filesize

    164KB

    Download

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.