Analysis
- max time kernel: 146s
- max time network: 120s
- platform: windows7_x64
- resource: win7-20241010-en
- resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
- submitted: 21/11/2024, 20:13
Static task
- static1
Behavioral tasks
- behavioral1: Inv.80967568.Scan.pdf.....exe on win7-20241010-en
- behavioral2: Inv.80967568.Scan.pdf.....exe on win10v2004-20241007-en
- behavioral3: $PLUGINSDIR/blgyqihyvgd.dll on win7-20241010-en (the task this report covers)
- behavioral4: $PLUGINSDIR/blgyqihyvgd.dll on win10v2004-20241007-en
General
- Target: $PLUGINSDIR/blgyqihyvgd.dll
  $PLUGINSDIR is the NSIS installer plugin directory, so the submitted Inv.80967568.Scan.pdf.....exe (a double-extension lure) is an NSIS package and this DLL is one of its plugins. In this task the DLL runs on its own, loaded by rundll32.exe through its first export (,#1).
- Size: 17KB
- MD5: aff7a15a068a40996bbec6d2f8fe510a
- SHA1: c05a992dc17306bb507bfa0b5e4d68edd8809c99
- SHA256: 86ec7cf90bd0ca677b897807c5391958e539890822e607a5087035308e527f64
- SHA512: cda72fff7af615df8a5f407ddde60c013ccb0816a30a32673eefa8973101f87039b95e466078b764298c3890cdbfe6b02dc65a7b7bff3ab81514507bccf139bd
- SSDEEP: 192:YS4GE+5mkk5ZEZjRw2V+HU9bicYp5jRpJN6pKqizHGaPTS2+Qqx316UI14:YTGaZ5Zu9V99GpRX6JiLlTSBQN
  These hashes cover the 17KB loader DLL on disk, not the unpacked XLoader payload; the payload only exists in the memory dumps listed under Signatures.
Malware Config
Extracted
- Family: xloader
- Version: 2.4
- Campaign ID: di4c
- Domains: XLoader keeps one live C2 hidden among decoy domains and sends traffic to decoys as well, so a single contact with one of these hosts does not by itself identify the C2. All of them are worth hunting for:
oscd.store
simplyminiatures.com
famouslovebackbaba.com
turkesteronesupplement.com
most-attractive.com
le-thermoplongeur.com
joydeb.xyz
incomepanther.com
infoterkiinii.xyz
indigocard.website
plasthecnolgy.com
canmamap.com
aviationtrainingworldusa.com
successoffplan.com
desert-breeze.com
nilavarna.com
stanthonyswelfare.com
shezefy.com
shcq08.xyz
spencerpauley.com
breakfastatbrittanys.com
workspace-mex.com
litteratorum.com
illstitute.com
framed-speed.com
buyandsellwithalec.com
xwdnawbx.xyz
mickyyoung.com
bandiu.xyz
planft.store
imaginalworks.com
lid-gb.xyz
ahgongs.com
carrirbuilder.com
neuro-ai-web-online.club
booparade.com
sketchfujitah.online
bayboatnation.com
ink2words.com
modernsolarusa.com
camuci.com
dentonlifetimedentistry.com
1ajpwvkk.icu
hangcheng56.com
suvenifa.com
spacetech-sa.com
emotionevents.xyz
momskitchenassam.com
imyandme.com
premiercattledrenches.com
procard.one
quiestcevin.com
blastofftv.xyz
live2leadinfo.com
jaalifetrx.space
weste-store.store
liquidmelon.restaurant
gjz863.icu
prince-info.com
islandsingle.com
shelazofficial.com
awhjguduahjfsd.com
notariuspublicus24.com
navneetsharma.xyz
dropadsmedia.com
Signatures
- Xloader family
- Xloader payload (3 IoCs)
  YARA rule "xloader" matched the following memory dumps from behavioral3:
  - 792-3-0x0000000000400000-0x0000000000429000-memory.dmp (rundll32.exe, PID 792)
  - 792-8-0x0000000000400000-0x0000000000429000-memory.dmp (rundll32.exe, PID 792)
  - 2364-13-0x0000000000080000-0x00000000000A9000-memory.dmp (netsh.exe, PID 2364)
  Both regions are 0x29000 bytes: the unpacked payload sits at the default image base 0x400000 in the hollowed rundll32.exe and is later found at 0x80000 inside netsh.exe. These dumps, not the 17KB DLL, are the right input for static analysis and YARA tuning.
- Suspicious use of SetThreadContext (3 IoCs)
  - PID 396 (rundll32.exe) set thread context of PID 792 (rundll32.exe, its own child; procid_target 32)
  - PID 792 (rundll32.exe) set thread context of PID 1176 (Explorer.EXE; procid_target 21)
  - PID 2364 (netsh.exe) set thread context of PID 1176 (Explorer.EXE; procid_target 21)
  Only the first pairs with a parent/child relationship (process hollowing of a suspended child); the other two redirect a thread inside the already-running Explorer.EXE.
- System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by rundll32.exe (2 IoCs), netsh.exe and cmd.exe.
  Note that cmd.exe, which only runs the del command, triggered this signature too; a read of this key is weak evidence on its own.
- Suspicious behavior: EnumeratesProcesses (31 IoCs)
  - PID 792 rundll32.exe: 2
  - PID 2364 netsh.exe: 29
- Suspicious behavior: MapViewOfSection (5 IoCs)
  - PID 792 rundll32.exe: 3
  - PID 2364 netsh.exe: 2
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  - Token: SeDebugPrivilege, PID 792 rundll32.exe
  - Token: SeDebugPrivilege, PID 2364 netsh.exe
- Suspicious use of WriteProcessMemory (25 IoCs)
  - PID 2520 (rundll32.exe) wrote to memory of PID 396: 7 records (procid_target 31)
  - PID 396 (rundll32.exe) wrote to memory of PID 792: 10 records (procid_target 32)
  - PID 1176 (Explorer.EXE) wrote to memory of PID 2364: 4 records (procid_target 33)
  - PID 2364 (netsh.exe) wrote to memory of PID 2100: 4 records (procid_target 34)
  Every one of these writes goes from a parent into a child it has just created, and the sandbox logs such writes for ordinary process creation as well, so the counts alone do not separate injection from start-up; read them together with the SetThreadContext records above.
Processes
C:\Windows\Explorer.EXE (PID 1176)
  cmdline: C:\Windows\Explorer.EXE
  - Suspicious use of WriteProcessMemory
  C:\Windows\system32\rundll32.exe (PID 2520)
    cmdline: rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\blgyqihyvgd.dll,#1
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\rundll32.exe (PID 396)
      cmdline: rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\blgyqihyvgd.dll,#1
      - Suspicious use of SetThreadContext
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\rundll32.exe (PID 792)
        cmdline: rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\blgyqihyvgd.dll,#1
        - Suspicious use of SetThreadContext
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: MapViewOfSection
        - Suspicious use of AdjustPrivilegeToken
  C:\Windows\SysWOW64\netsh.exe (PID 2364)
    cmdline: "C:\Windows\SysWOW64\netsh.exe"
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\cmd.exe (PID 2100)
      cmdline: /c del "C:\Windows\SysWOW64\rundll32.exe"
      - System Location Discovery: System Language Discovery

The 64-bit rundll32.exe (system32) re-launches the DLL under the 32-bit SysWOW64 rundll32.exe, and from there the chain runs hollowed rundll32.exe (792) -> Explorer.EXE -> netsh.exe -> cmd.exe. The final del targets the 32-bit rundll32.exe that hosted the payload rather than the dropped DLL: it is the family's self-delete of "the executable it ran from", aimed here at a system binary that is in use and protected by Windows Resource Protection, so on a stock install it fails and the DLL is left behind in $PLUGINSDIR.
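As an added example (not part of the Triage report or its tooling), the script below takes the WriteProcessMemory and SetThreadContext records from the Signatures section and the parent links from the process tree, both embedded as constructed input copied from this page (one record per unique source/target pair; the report repeats each), and separates process hollowing (write plus thread-context reset into a freshly created child) from a thread hijack of an already-running process, then walks the chain from the rundll32.exe the task launched. The record format, PIDs and parent map are taken from this page; the three labels, the rule that a parent writing into its own child without SetThreadContext is process start-up rather than injection, and the choice to list a process's injection before the child it starts (the report gives no order between those two) are my own assumptions.

```python
"""Rebuild the injection chain from Triage-style signature records."""
import re

# Constructed input: the report's signature tables, one record per unique
# pair. Format: "PID <src> <action> <dst> <src> <src image> <procid_target>"
WRITE_PROCESS_MEMORY = """\
PID 2520 wrote to memory of 396 2520 rundll32.exe 31
PID 396 wrote to memory of 792 396 rundll32.exe 32
PID 1176 wrote to memory of 2364 1176 Explorer.EXE 33
PID 2364 wrote to memory of 2100 2364 netsh.exe 34
"""

SET_THREAD_CONTEXT = """\
PID 396 set thread context of 792 396 rundll32.exe 32
PID 792 set thread context of 1176 792 rundll32.exe 21
PID 2364 set thread context of 1176 2364 netsh.exe 21
"""

# Parent links and image names read off the report's process tree.
PARENT = {2520: 1176, 396: 2520, 792: 396, 2364: 1176, 2100: 2364}
IMAGE = {1176: "Explorer.EXE", 2520: "rundll32.exe", 396: "rundll32.exe",
         792: "rundll32.exe", 2364: "netsh.exe", 2100: "cmd.exe"}

RECORD = re.compile(
    r"PID (?P<src>\d+) (?P<action>wrote to memory of|set thread context of) "
    r"(?P<dst>\d+) \d+ \S+")


def parse(text):
    """Return the (src_pid, dst_pid) pairs in table order, without repeats."""
    pairs = []
    for line in text.splitlines():
        m = RECORD.match(line.strip())
        if m:
            pair = (int(m["src"]), int(m["dst"]))
            if pair not in pairs:
                pairs.append(pair)
    return pairs


def classify(wpm_text=WRITE_PROCESS_MEMORY, stc_text=SET_THREAD_CONTEXT,
             parent=PARENT):
    """Label every (src, dst) pair seen in either table (labels are assumed).

    hollowing     : src created dst, wrote into it and reset its thread
                    context -> child started suspended, image replaced.
    thread-hijack : src reset a thread context in a process it did not
                    create -> code injected into an already-running process.
    parent-write  : src wrote into its own child but never touched its
                    threads -> process start-up; the sandbox logs these
                    writes for benign CreateProcess calls as well.
    """
    wpm, stc = parse(wpm_text), parse(stc_text)
    verdicts = {}
    for src, dst in wpm + [p for p in stc if p not in wpm]:
        is_child = parent.get(dst) == src
        if (src, dst) in stc and is_child:
            verdicts[(src, dst)] = "hollowing"
        elif (src, dst) in stc:
            verdicts[(src, dst)] = "thread-hijack"
        else:
            verdicts[(src, dst)] = "parent-write"
    return verdicts


def injection_chain(start=2520, verdicts=None, image=IMAGE):
    """Walk the verdict graph from the task's first process, one line per step.

    A process's own actions are emitted in the order injection, then the
    children it starts; each newly reached process is expanded in turn.
    """
    verdicts = classify() if verdicts is None else verdicts
    verb = {"hollowing": "hollows", "thread-hijack": "hijacks a thread in",
            "parent-write": "starts"}
    rank = {"hollowing": 0, "thread-hijack": 1, "parent-write": 2}
    steps, seen = [], set()

    def walk(pid):
        seen.add(pid)
        outgoing = sorted((e for e in verdicts if e[0] == pid),
                          key=lambda e: (rank[verdicts[e]], e[1]))
        for src, dst in outgoing:
            steps.append(f"{image[src]}({src}) {verb[verdicts[(src, dst)]]} "
                         f"{image[dst]}({dst})")
            if dst not in seen:
                walk(dst)

    walk(start)
    return steps


if __name__ == "__main__":
    for step in injection_chain():
        print(step)
```

The walk reproduces the sequence the tree shows: the DLL host starts a 32-bit rundll32.exe, which hollows a second one; the hollowed process hijacks a thread in Explorer.EXE; Explorer starts netsh.exe; netsh.exe injects into Explorer again and starts the cmd.exe that tries to delete rundll32.exe. The only per-report inputs are the two tables and the parent map; the same classifier separates the 25 WriteProcessMemory records into three start-ups and one hollowing step, which is the distinction the raw counts hide.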