Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    118s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    21/11/2024, 20:45

General

  • Target

    d3e3e74ae005ecdf559e792e9c26c1b5e26493f85ec256bb98c544b418fa7475.exe

  • Size

    214KB

  • MD5

    7fcf8cbc72fdf0ad1998b9a3c3e1c5ed

  • SHA1

    f8646738017c782bfc3922fac667098f0e5f6e5d

  • SHA256

    d3e3e74ae005ecdf559e792e9c26c1b5e26493f85ec256bb98c544b418fa7475

  • SHA512

    0c737d21b75639381f2c5f276453ad16c82b9687b215d371887d41a7385a97362c5922f40eca0b89029c5be7a87f5e24344d407612f5ca7f29e57b1049599912

  • SSDEEP

    3072:8Lk395hYXJvMCpUkrbzkCL5ChqqBRWgLSR+Bw0MV3uK6OfBsW9XM1IeZ9Mm+qpCg:8Qq++PqXWgLSR4eBKdZv+zLHQp

Malware Config

Extracted

Family

xloader

Version

2.3

Campaign

pb93

Decoy

covidlawyersnj.com

zhgxzdh.com

mydomainaccounts.com

uniq.plus

snehapoorvam.com

anj-tradingltd.com

orderinglogin.com

1660688.com

cazconstructionservices.com

yildizwestern.com

futchampionz.com

starbritesmiles.com

viralxch.com

bandmanwiththeheadband.com

teachertechia.net

provenfitness.club

regentpublicity.net

meghaminz.com

mysuperdrink.com

redtomatoes.club

Signatures

  • Xloader

    Xloader is a rebranded version of Formbook malware.

  • Xloader family
  • Xloader payload 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of WriteProcessMemory 5 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\d3e3e74ae005ecdf559e792e9c26c1b5e26493f85ec256bb98c544b418fa7475.exe
    "C:\Users\Admin\AppData\Local\Temp\d3e3e74ae005ecdf559e792e9c26c1b5e26493f85ec256bb98c544b418fa7475.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of WriteProcessMemory
    PID:2100
    • C:\Users\Admin\AppData\Local\Temp\d3e3e74ae005ecdf559e792e9c26c1b5e26493f85ec256bb98c544b418fa7475.exe
      "C:\Users\Admin\AppData\Local\Temp\d3e3e74ae005ecdf559e792e9c26c1b5e26493f85ec256bb98c544b418fa7475.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:3008

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • \Users\Admin\AppData\Local\Temp\nsj2.tmp\System.dll

    Filesize

    11KB

    MD5

    c17103ae9072a06da581dec998343fc1

    SHA1

    b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d

    SHA256

    dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f

    SHA512

    d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

  • memory/3008-11-0x0000000000400000-0x0000000000429000-memory.dmp

    Filesize

    164KB