Windows 7 deprecation: Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
max time kernel: 118s
max time network: 119s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 21/11/2024, 20:45
Static task: static1
Behavioral task behavioral1: sample d3e3e74ae005ecdf559e792e9c26c1b5e26493f85ec256bb98c544b418fa7475.exe, resource win7-20240903-en
Behavioral task behavioral2: sample d3e3e74ae005ecdf559e792e9c26c1b5e26493f85ec256bb98c544b418fa7475.exe, resource win10v2004-20241007-en
Behavioral task behavioral3: sample $PLUGINSDIR/System.dll, resource win7-20240903-en
Behavioral task behavioral4: sample $PLUGINSDIR/System.dll, resource win10v2004-20241007-en
General
Target: d3e3e74ae005ecdf559e792e9c26c1b5e26493f85ec256bb98c544b418fa7475.exe
Size: 214KB
MD5: 7fcf8cbc72fdf0ad1998b9a3c3e1c5ed
SHA1: f8646738017c782bfc3922fac667098f0e5f6e5d
SHA256: d3e3e74ae005ecdf559e792e9c26c1b5e26493f85ec256bb98c544b418fa7475
SHA512: 0c737d21b75639381f2c5f276453ad16c82b9687b215d371887d41a7385a97362c5922f40eca0b89029c5be7a87f5e24344d407612f5ca7f29e57b1049599912
SSDEEP: 3072:8Lk395hYXJvMCpUkrbzkCL5ChqqBRWgLSR+Bw0MV3uK6OfBsW9XM1IeZ9Mm+qpCg:8Qq++PqXWgLSR4eBKdZv+zLHQp
Malware Config
Extracted: xloader 2.3, pb93
Signatures
Xloader family
Xloader payload (1 IoC): yara rule "xloader" matched resource behavioral1/memory/3008-11-0x0000000000400000-0x0000000000429000-memory.dmp
Loads dropped DLL (2 IoCs): PID 2100, process d3e3e74ae005ecdf559e792e9c26c1b5e26493f85ec256bb98c544b418fa7475.exe (two hits)
Suspicious use of SetThreadContext (1 IoC): PID 2100 (the same executable) set thread context of PID 3008, procid_target 29
Enumerates physical storage devices (1 TTP): attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTP, 1 IoC): attempt to gather information about the system language of a victim in order to infer the geographical location of that host. Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by d3e3e74ae005ecdf559e792e9c26c1b5e26493f85ec256bb98c544b418fa7475.exe
Suspicious behavior: EnumeratesProcesses (1 IoC): PID 3008, d3e3e74ae005ecdf559e792e9c26c1b5e26493f85ec256bb98c544b418fa7475.exe
Suspicious behavior: MapViewOfSection (1 IoC): PID 2100, d3e3e74ae005ecdf559e792e9c26c1b5e26493f85ec256bb98c544b418fa7475.exe
Suspicious use of WriteProcessMemory (5 IoCs): PID 2100 wrote to memory of PID 3008 (d3e3e74ae005ecdf559e792e9c26c1b5e26493f85ec256bb98c544b418fa7475.exe, procid_target 29), recorded five times
Processes
1. C:\Users\Admin\AppData\Local\Temp\d3e3e74ae005ecdf559e792e9c26c1b5e26493f85ec256bb98c544b418fa7475.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\d3e3e74ae005ecdf559e792e9c26c1b5e26493f85ec256bb98c544b418fa7475.exe"
   PID: 2100
   signatures: Loads dropped DLL; Suspicious use of SetThreadContext; System Location Discovery: System Language Discovery; Suspicious behavior: MapViewOfSection; Suspicious use of WriteProcessMemory
   2. (child of PID 2100) C:\Users\Admin\AppData\Local\Temp\d3e3e74ae005ecdf559e792e9c26c1b5e26493f85ec256bb98c544b418fa7475.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\d3e3e74ae005ecdf559e792e9c26c1b5e26493f85ec256bb98c544b418fa7475.exe"
      PID: 3008
      signatures: Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 11KB
MD5: c17103ae9072a06da581dec998343fc1
SHA1: b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d
SHA256: dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f
SHA512: d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f