Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
119s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
-
submitted
05/12/2024, 01:36 UTC
General
-
Target
788523e08316e2eebb7495d875fff849ceb5a52932b24bd4fa1fd0702a885971.exe
-
Size
420KB
-
MD5
181183e03d22f28ab11be4fea8a2f4f8
-
SHA1
ce1bee4f17cf2dc38dc82d75b625ed1a0b58c72c
-
SHA256
788523e08316e2eebb7495d875fff849ceb5a52932b24bd4fa1fd0702a885971
-
SHA512
10064d5d443ac10f874f5294d34f6ce6ce5d2d352c89b344587c197a3479df24827966ee00fd6194da67caefd7e1f67a5d8a7a0f121c64abbb82e71bbfba85ee
-
SSDEEP
6144:4+9hS3kbFRQqzfz7qeEzDSZbFm2A2g2McTrDLKmc:XMkHzfz77b62McTOmc
Malware Config
Extracted
xtremerat
sam-of.myq-see.com
Desktopsam-of.publicvm.com
Signatures
-
Detect XtremeRAT payload 4 IoCs
-
XtremeRAT
The XtremeRAT was developed by xtremecoder and has been available since at least 2010, and written in Delphi.
-
Xtremerat family
-
Suspicious use of SetThreadContext 1 IoCs
-
UPX packed file 8 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious behavior: EnumeratesProcesses 12 IoCs
-
Suspicious use of SetWindowsHookEx 2 IoCs
-
Suspicious use of WriteProcessMemory 8 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\788523e08316e2eebb7495d875fff849ceb5a52932b24bd4fa1fd0702a885971.exe"C:\Users\Admin\AppData\Local\Temp\788523e08316e2eebb7495d875fff849ceb5a52932b24bd4fa1fd0702a885971.exe"1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\notepad.exe"C:\Windows\system32\notepad.exe"2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
-
Network
-
DNSsam-of.myq-see.comRemote address:8.8.8.8:53Requestsam-of.myq-see.comIN AResponsesam-of.myq-see.comIN A208.91.197.132 -
DNSsam-of.myq-see.comRemote address:8.8.8.8:53Requestsam-of.myq-see.comIN AResponsesam-of.myq-see.comIN A208.91.197.132
-
DNSsam-of.publicvm.comRemote address:8.8.8.8:53Requestsam-of.publicvm.comIN AResponsesam-of.publicvm.comIN CNAMEpublicvm.compublicvm.comIN A139.99.66.103
-
208.91.197.132:288sam-of.myq-see.com
-
139.99.66.103:288sam-of.publicvm.com -
208.91.197.132:288sam-of.myq-see.com
-
139.99.66.103:288sam-of.publicvm.com
-
208.91.197.132:288sam-of.myq-see.com
-
139.99.66.103:288sam-of.publicvm.com
-
208.91.197.132:288sam-of.myq-see.com
-
139.99.66.103:288sam-of.publicvm.com
-
208.91.197.132:288sam-of.myq-see.com
-
139.99.66.103:288sam-of.publicvm.com
-
208.91.197.132:288sam-of.myq-see.com
-
8.8.8.8:53sam-of.myq-see.comdns
DNS Request
sam-of.myq-see.com
DNS Request
sam-of.myq-see.com
DNS Response
208.91.197.132
DNS Response
208.91.197.132
-
8.8.8.8:53sam-of.publicvm.comdns
DNS Request
sam-of.publicvm.com
DNS Response
139.99.66.103
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
308KB
-
Filesize
308KB
-
Filesize
308KB
-
Filesize
308KB
-
Filesize
308KB
-
Filesize
308KB
-
Filesize
308KB
-
Filesize
4KB
-
Filesize
308KB
-
Filesize
308KB