Analysis
- max time kernel: 1556s
- max time network: 1569s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 13/12/2024, 22:18
Static task
- static1

Behavioral tasks
- behavioral1: Sample The-MALWARE-Repo-master/Trojan/ColorBug.exe; Resource win7-20240903-en
- behavioral2: Sample The-MALWARE-Repo-master/Trojan/DesktopPuzzle.exe; Resource win7-20240903-en
- behavioral3: Sample The-MALWARE-Repo-master/Trojan/DudleyTrojan.bat; Resource win7-20240903-en
- behavioral4: Sample The-MALWARE-Repo-master/Trojan/L0Lz.bat; Resource win7-20240903-en
- behavioral5: Sample The-MALWARE-Repo-master/Trojan/LoveYou.exe; Resource win7-20240903-en
- behavioral6: Sample The-MALWARE-Repo-master/Trojan/MEMZ.exe; Resource win7-20240903-en
- behavioral7: Sample The-MALWARE-Repo-master/Trojan/Mist/MistInfected_newest.exe; Resource win7-20240903-en
- behavioral8: Sample The-MALWARE-Repo-master/Trojan/Mist/MistInstaller.exe; Resource win7-20241010-en
- behavioral9: Sample The-MALWARE-Repo-master/Trojan/Mist/MistInstallerRC.exe; Resource win7-20240903-en
- behavioral10: Sample The-MALWARE-Repo-master/Trojan/PCToaster.exe; Resource win7-20240903-en
- behavioral11: Sample The-MALWARE-Repo-master/Trojan/Sevgi.a.exe; Resource win7-20240708-en
- behavioral12: Sample The-MALWARE-Repo-master/Trojan/Spark/Spark.exe; Resource win7-20240903-en
- behavioral13: Sample The-MALWARE-Repo-master/Virus/MadMan.exe; Resource win7-20241010-en
- behavioral14: Sample The-MALWARE-Repo-master/Virus/WinNuke.98.exe; Resource win7-20241010-en
- behavioral15: Sample The-MALWARE-Repo-master/Virus/Xpaj/xpaj.exe; Resource win7-20240903-en
- behavioral16: Sample The-MALWARE-Repo-master/Virus/Xpaj/xpajB.exe; Resource win7-20241023-en
- behavioral17: Sample The-MALWARE-Repo-master/Worm/Bezilom.exe; Resource win7-20240903-en
- behavioral18: Sample The-MALWARE-Repo-master/Worm/Blaster/607B60AD512C50B7D71DCCC057E85F1C.exe; Resource win7-20240903-en
- behavioral19: Sample The-MALWARE-Repo-master/Worm/Blaster/8676210e6246948201aa014db471de90.exe; Resource win7-20240903-en
- behavioral20: Sample The-MALWARE-Repo-master/Worm/Blaster/8a17f336f86e81f04d8e66fa23f9b36a.exe; Resource win7-20240903-en
- behavioral21: Sample The-MALWARE-Repo-master/Worm/Blaster/DComExploit.exe; Resource win7-20240708-en
- behavioral22: Sample The-MALWARE-Repo-master/Worm/Blaster/SANS_ Malware FAQ_ What is W32_Blaster worm_.eml; Resource win7-20240708-en
- behavioral23: Sample The-MALWARE-Repo-master/Worm/Bumerang.exe; Resource win7-20240903-en
- behavioral24: Sample The-MALWARE-Repo-master/Worm/Fagot.a.exe; Resource win7-20240729-en
- behavioral25: Sample The-MALWARE-Repo-master/Worm/Heap41A.exe; Resource win7-20240729-en
- behavioral26: Sample The-MALWARE-Repo-master/Worm/Mantas.exe; Resource win7-20241010-en
- behavioral27: Sample The-MALWARE-Repo-master/Worm/NadIote/Nadlote.exe; Resource win7-20240903-en
- behavioral28: Sample The-MALWARE-Repo-master/Worm/Netres.a.exe; Resource win7-20240903-en
- behavioral29: Sample The-MALWARE-Repo-master/Worm/Nople.exe; Resource win7-20241023-en
- behavioral30: Sample The-MALWARE-Repo-master/Worm/Vobfus/Vobus.exe; Resource win7-20241010-en
- behavioral31: Sample The-MALWARE-Repo-master/rogues/AdwereCleaner.exe; Resource win7-20240903-en
- behavioral32: Sample The-MALWARE-Repo-master/rogues/SpySheriff.exe; Resource win7-20240903-en
General
- Target: The-MALWARE-Repo-master/Virus/Xpaj/xpaj.exe
- Size: 219KB
- MD5: d5c12fcfeebbe63f74026601cd7f39b2
- SHA1: 50281de9abb1bec1b6a1f13ccd3ce3493dee8850
- SHA256: 9db7ef2d1495dba921f3084b05d95e418a16f4c5e8de93738abef2479ad5b0da
- SHA512: 132d8c08f40a578c1dc6ac029bf2a61535087ce949ff84dbec8577505c4462358a1d9ef6cd3f58078fdcae5261d7a87348a701c28ce2357f17ecc2bc9da15b4e
- SSDEEP: 6144:Gqmg/v4y/MqGs38KHF1SubUriPOKAJnP:jmgXxXGNKHC
Malware Config
Signatures
- Reads user/profile data of web browsers (3 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.

- Checks installed software on the system (1 TTPs)
  Looks up Uninstall key entries in the registry to enumerate software on the system.

- Enumerates connected drives (3 TTPs, 20 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.

  description              ioc     Process
  File opened (read-only)  \??\e:  xpaj.exe
  File opened (read-only)  \??\g:  xpaj.exe
  File opened (read-only)  \??\i:  xpaj.exe
  File opened (read-only)  \??\p:  xpaj.exe
  File opened (read-only)  \??\y:  xpaj.exe
  File opened (read-only)  \??\h:  xpaj.exe
  File opened (read-only)  \??\j:  xpaj.exe
  File opened (read-only)  \??\n:  xpaj.exe
  File opened (read-only)  \??\s:  xpaj.exe
  File opened (read-only)  \??\u:  xpaj.exe
  File opened (read-only)  \??\k:  xpaj.exe
  File opened (read-only)  \??\m:  xpaj.exe
  File opened (read-only)  \??\v:  xpaj.exe
  File opened (read-only)  \??\w:  xpaj.exe
  File opened (read-only)  \??\x:  xpaj.exe
  File opened (read-only)  \??\l:  xpaj.exe
  File opened (read-only)  \??\o:  xpaj.exe
  File opened (read-only)  \??\q:  xpaj.exe
  File opened (read-only)  \??\r:  xpaj.exe
  File opened (read-only)  \??\t:  xpaj.exe

- Writes to the Master Boot Record (MBR) (1 TTPs, 1 IoCs)
  Bootkits write to the MBR to gain persistence at a level below the operating system.

  description                   ioc                  Process
  File opened for modification  \??\PHYSICALDRIVE0  xpaj.exe

- Drops file in Program Files directory (64 IoCs)

  description                   ioc  Process
  File opened for modification  C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\de\System.Data.Services.Design.resources.dll  xpaj.exe
  File opened for modification  C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe  xpaj.exe
  File opened for modification  C:\Program Files\VideoLAN\VLC\plugins\audio_mixer\libfloat_mixer_plugin.dll  xpaj.exe
  File opened for modification  \??\c:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\System.Net.dll  xpaj.exe
  File opened for modification  \??\c:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\sqlceer35EN.dll  xpaj.exe
  File opened for modification  \??\c:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\Microsoft.stdformat.dll  xpaj.exe
  File opened for modification  C:\Program Files (x86)\Adobe\Reader 9.0\Reader\sqlite.dll  xpaj.exe
  File opened for modification  C:\Program Files (x86)\Google\Update\1.3.36.151\goopdateres_ml.dll  xpaj.exe
  File opened for modification  C:\Program Files (x86)\Microsoft Office\Office14\PPTICO.EXE  xpaj.exe
  File opened for modification  C:\Program Files (x86)\Common Files\microsoft shared\VSTA\Pipeline.v10.0\Contracts\Microsoft.VisualStudio.Tools.Office.Contract.v10.0.dll  xpaj.exe
  File opened for modification  C:\Program Files (x86)\Common Files\microsoft shared\ink\dicjp.dll  xpaj.exe
  File opened for modification  C:\Program Files\Java\jre7\bin\jdwp.dll  xpaj.exe
  File opened for modification  \??\c:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\System.Printing.dll  xpaj.exe
  File opened for modification  \??\c:\Program Files\Java\jdk1.7.0_80\jre\bin\libxml2.dll  xpaj.exe
  File opened for modification  C:\Program Files (x86)\Microsoft Office\Office14\NL7MODELS0009.dll  xpaj.exe
  File opened for modification  C:\Program Files\VideoLAN\VLC\plugins\misc\libfingerprinter_plugin.dll  xpaj.exe
  File opened for modification  \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\OneNoteSyncPCIntl.dll  xpaj.exe
  File opened for modification  \??\c:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOXMLED.EXE  xpaj.exe
  File opened for modification  \??\c:\Program Files (x86)\Google\Update\1.3.36.151\psuser_64.dll  xpaj.exe
  File opened for modification  \??\c:\Program Files (x86)\Microsoft Office\Office14\PSTPRX32.DLL  xpaj.exe
  File opened for modification  \??\c:\Program Files (x86)\Microsoft Office\Office14\MSOHTMED.EXE  xpaj.exe
  File opened for modification  \??\c:\Program Files\Microsoft Games\Multiplayer\Backgammon\bckgzm.exe  xpaj.exe
  File opened for modification  C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\clearkey.dll  xpaj.exe
  File opened for modification  \??\c:\Program Files (x86)\Microsoft Office\Office14\MSACCESS.EXE  xpaj.exe
  File opened for modification  C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\fr\WindowsBase.resources.dll  xpaj.exe
  File opened for modification  C:\Program Files (x86)\Microsoft Office\Office14\PROOF\MSSP7ES.DLL  xpaj.exe
  File opened for modification  C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\pdfshell.dll  xpaj.exe
  File opened for modification  C:\Program Files (x86)\Microsoft Office\Office14\ACCDDSF.DLL  xpaj.exe
  File opened for modification  \??\c:\Program Files\VideoLAN\VLC\plugins\video_chroma\libswscale_plugin.dll  xpaj.exe
  File opened for modification  C:\Program Files (x86)\Windows Defender\MpOAV.dll  xpaj.exe
  File opened for modification  C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\ja\System.ServiceModel.Resources.dll  xpaj.exe
  File opened for modification  C:\Program Files (x86)\Microsoft Office\Office14\ADDINS\BCSAddin.dll  xpaj.exe
  File opened for modification  C:\Program Files\VideoLAN\VLC\plugins\video_chroma\libi420_yuy2_plugin.dll  xpaj.exe
  File opened for modification  C:\Program Files\Internet Explorer\networkinspection.dll  xpaj.exe
  File opened for modification  \??\c:\Program Files (x86)\Internet Explorer\ieinstal.exe  xpaj.exe
  File opened for modification  \??\c:\Program Files\VideoLAN\VLC\plugins\video_chroma\libyuy2_i422_plugin.dll  xpaj.exe
  File opened for modification  \??\c:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\OPTINPS.DLL  xpaj.exe
  File opened for modification  \??\c:\Program Files (x86)\Microsoft Office\Office14\ogalegit.dll  xpaj.exe
  File opened for modification  \??\c:\Program Files\DVD Maker\OmdBase.dll  xpaj.exe
  File opened for modification  \??\c:\Program Files\VideoLAN\VLC\plugins\demux\libdemux_stl_plugin.dll  xpaj.exe
  File opened for modification  \??\c:\Program Files\Java\jdk1.7.0_80\bin\jhat.exe  xpaj.exe
  File opened for modification  \??\c:\Program Files (x86)\Microsoft Office\Office14\MSOCFU.DLL  xpaj.exe
  File opened for modification  \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\OUTLLIBR.DLL  xpaj.exe
  File opened for modification  C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\sqlceca35.dll  xpaj.exe
  File opened for modification  C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\es\System.Data.DataSetExtensions.Resources.dll  xpaj.exe
  File opened for modification  C:\Program Files\VideoLAN\VLC\plugins\access\libdtv_plugin.dll  xpaj.exe
  File opened for modification  \??\c:\Program Files (x86)\Microsoft Office\Office14\REVERSE.DLL  xpaj.exe
  File opened for modification  \??\c:\Program Files (x86)\Microsoft Office\Office14\ADDINS\BCSAddin.dll  xpaj.exe
  File opened for modification  \??\c:\Program Files (x86)\Microsoft Office\Office14\BCSRuntime.dll  xpaj.exe
  File opened for modification  C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\msmgdsrv.dll  xpaj.exe
  File opened for modification  C:\Program Files (x86)\Google\Update\1.3.36.151\goopdateres_iw.dll  xpaj.exe
  File opened for modification  \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\EAWFINTL.DLL  xpaj.exe
  File opened for modification  \??\c:\Program Files\Java\jre7\bin\policytool.exe  xpaj.exe
  File opened for modification  C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\es\System.Xml.Linq.Resources.dll  xpaj.exe
  File opened for modification  C:\Program Files\VideoLAN\VLC\plugins\visualization\libgoom_plugin.dll  xpaj.exe
  File opened for modification  \??\c:\Program Files (x86)\Common Files\microsoft shared\ink\pencht.dll  xpaj.exe
  File opened for modification  \??\c:\Program Files\VideoLAN\VLC\plugins\spu\libmosaic_plugin.dll  xpaj.exe
  File opened for modification  \??\c:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\PresentationFramework.dll  xpaj.exe
  File opened for modification  \??\c:\Program Files (x86)\Windows Mail\wabmig.exe  xpaj.exe
  File opened for modification  \??\c:\Program Files\VideoLAN\VLC\plugins\codec\libtheora_plugin.dll  xpaj.exe
  File opened for modification  C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\ja\System.Net.Resources.dll  xpaj.exe
  File opened for modification  C:\Program Files (x86)\Microsoft Office\Office14\MAPISHELL.DLL  xpaj.exe
  File opened for modification  C:\Program Files\VideoLAN\VLC\plugins\spu\libsubsdelay_plugin.dll  xpaj.exe
  File opened for modification  \??\c:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\PublicAssemblies\Microsoft.VisualStudio.Tools.Applications.AddInManager.dll  xpaj.exe

- Suspicious use of SetWindowsHookEx (1 IoCs)

  pid   Process
  1544  xpaj.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\The-MALWARE-Repo-master\Virus\Xpaj\xpaj.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\The-MALWARE-Repo-master\Virus\Xpaj\xpaj.exe"
  PID: 1544
  - Enumerates connected drives
  - Writes to the Master Boot Record (MBR)
  - Drops file in Program Files directory
  - Suspicious use of SetWindowsHookEx