Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

RFI von Ae...90.exe

windows7-x64

10

RFI von Ae...90.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    145s
  • max time network
    117s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    21/11/2024, 20:32

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    RFI von Aeris Impulsmoebel _RFI-9090.exe

  • Size

    769KB

  • MD5

    ad35195080aaf247005d6ecab3f8db72

  • SHA1

    1d4368b26588323743b5de77995260b2a08d3eab

  • SHA256

    895f390d56ade378e72f343465d78ed3f3f98ab04a3fb3e2e2616184e566b6c5

  • SHA512

    4f8deae3bb1f2c3253583cfb932a545097913aab555b498afc4225a5361d76ea2a704f4fecfcde8d44c0d79129d530d06211a974008ffaba372e738ec1b2215a

  • SSDEEP

    24576:ckygsXzLhX0ab8kLDnyQCjVBW6Ymh6WPa:MFXXV0ab8kXnyQCjrRYg6W

Score
10/10
xloaderwitqdiscoveryloaderrat

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

witq

Decoy

cryptohavenpro.com

zildan.com

buyexcessinventory.com

telecluber.com

whhsdzyl.com

regionalkistel.com

ksusalinabookstore.com

firsttimergears.com

rzpsca.com

sakura-syoukai-t.com

zgvmeiti.com

99000444.com

kerisjatifurniture.com

photoparty.pro

monarchinvestiment.com

hkgjtrade.com

catholicsinglestv.com

nvtdigital.com

mariimportados.com

01mpt.xyz

Signatures

  • Xloader

    Xloader is a rebranded version of Formbook malware.

    loaderxloader
  • Xloader family
    xloader
  • Xloader payload 4 IoCs
    rat
  • Suspicious use of SetThreadContext 3 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 39 IoCs
  • Suspicious behavior: MapViewOfSection 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1184
    • C:\Users\Admin\AppData\Local\Temp\RFI von Aeris Impulsmoebel _RFI-9090.exe
      "C:\Users\Admin\AppData\Local\Temp\RFI von Aeris Impulsmoebel _RFI-9090.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2136
      • C:\Windows\SysWOW64\RmClient.exe
        "C:\Windows\SysWOW64\RmClient.exe"
        3⤵
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        PID:2736
    • C:\Windows\SysWOW64\cscript.exe
      "C:\Windows\SysWOW64\cscript.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3008
      • C:\Windows\SysWOW64\cmd.exe
        /c del "C:\Windows\SysWOW64\RmClient.exe"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2900

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/1184-16-0x0000000004AA0000-0x0000000004C34000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/1184-22-0x0000000004AA0000-0x0000000004C34000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/1184-15-0x0000000004060000-0x0000000004260000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/2136-1-0x0000000000060000-0x0000000000126000-memory.dmp

    Filesize

    792KB

    Download

  • memory/2136-2-0x0000000004240000-0x00000000042F8000-memory.dmp

    Filesize

    736KB

    Download

  • memory/2136-3-0x0000000000540000-0x000000000055A000-memory.dmp

    Filesize

    104KB

    Download

  • memory/2136-4-0x00000000744B0000-0x0000000074B9E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/2136-0-0x00000000744BE000-0x00000000744BF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2136-17-0x00000000744B0000-0x0000000074B9E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/2736-5-0x0000000000400000-0x000000000042C000-memory.dmp

    Filesize

    176KB

    Download

  • memory/2736-11-0x0000000000A10000-0x0000000000D13000-memory.dmp

    Filesize

    3.0MB

    Download

  • memory/2736-14-0x0000000000200000-0x0000000000211000-memory.dmp

    Filesize

    68KB

    Download

  • memory/2736-13-0x0000000000400000-0x000000000042C000-memory.dmp

    Filesize

    176KB

    Download

  • memory/2736-7-0x0000000000400000-0x000000000042C000-memory.dmp

    Filesize

    176KB

    Download

  • memory/2736-10-0x0000000000400000-0x000000000042C000-memory.dmp

    Filesize

    176KB

    Download

  • memory/2736-6-0x0000000000400000-0x000000000042C000-memory.dmp

    Filesize

    176KB

    Download

  • memory/2736-8-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3008-18-0x0000000000090000-0x00000000000B2000-memory.dmp

    Filesize

    136KB

    Download

  • memory/3008-20-0x0000000000090000-0x00000000000B2000-memory.dmp

    Filesize

    136KB

    Download

  • memory/3008-21-0x0000000000230000-0x0000000000259000-memory.dmp

    Filesize

    164KB

    Download