Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

10

XtasyExecutor.exe

windows11-21h2-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows11-21h2_x64
  • resource
    win11-20241007-en
  • resource tags

    arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    17/12/2024, 18:17

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    XtasyExecutor.exe

  • Size

    202KB

  • MD5

    20bd0480bb862bd1d073477a87aede81

  • SHA1

    3c7c72fc3c1bec023386ac6ed14ad5cb785fe4ce

  • SHA256

    548529c38438f4a9aea915448e183f24d4ddbe793a86090075775a154d59f067

  • SHA512

    6b4817a7921bb62bbaf6835a3948a1811914f652f5f6ad86fe0b52376b6347d180488c3de4f02ba8ec962c45c5b4d6ad91eba11441989bbb42dab2863dfaa766

  • SSDEEP

    6144:gLV6Bta6dtJmakIM5E/hBp4OnvF3ZO2hdi:gLV6BtpmkJBprnvF3AWi

Score
10/10
nanocorediscoveryevasionkeyloggerpersistencespywarestealertrojan

Malware Config

Signatures

  • NanoCore

    NanoCore is a remote access tool (RAT) with a variety of capabilities.

    keyloggertrojanstealerspywarenanocore
  • Nanocore family
    nanocore
  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 1 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    persistence
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Drops file in Program Files directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies Internet Explorer settings 1 TTPs 4 IoCs
    adwarespyware
  • Modifies registry class 39 IoCs
  • Modifies registry key 1 TTPs 1 IoCs
  • Suspicious behavior: AddClipboardFormatListener 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of SetWindowsHookEx 5 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\XtasyExecutor.exe
    "C:\Users\Admin\AppData\Local\Temp\XtasyExecutor.exe"
    1⤵
    • Adds Run key to start application
    • Checks whether UAC is enabled
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1028
    • C:\Windows\SysWOW64\cmd.exe
      "cmd.exe"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3872
      • C:\Windows\SysWOW64\reg.exe
        reg add hkcu\software\policies\microsoft\windows\currentversion\explorereaux
        3⤵
        • System Location Discovery: System Language Discovery
        • Modifies registry key
        PID:808
    • C:\Windows\SysWOW64\explorer.exe
      "C:\Windows\System32\explorer.exe"
      2⤵
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      PID:3600
    • C:\Windows\SysWOW64\explorer.exe
      "C:\Windows\System32\explorer.exe"
      2⤵
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      PID:568
    • C:\Windows\SysWOW64\cmd.exe
      "cmd.exe"
      2⤵
      • System Location Discovery: System Language Discovery
      PID:2224
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:1576
  • C:\Windows\explorer.exe
    C:\Windows\explorer.exe /factory,{682159d9-c321-47ca-b3f1-30e36b2ec8b9} -Embedding
    1⤵
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    PID:1176
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {9BA05972-F6A8-11CF-A442-00A0C90A8F39} -Embedding
    1⤵
      PID:2788
    • C:\Windows\System32\rundll32.exe
      C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {3eef301f-b596-4c0b-bd92-013beafce793} -Embedding
      1⤵
        PID:4360

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Roaming\8C9EE1BC-5364-4B37-AAE7-4F6A9EEFFA14\settings.bak
        Filesize

        192B

        MD5

        a78d1e7d52a6b603965039be25c6b405

        SHA1

        b68d0d852c150df3d83d93a630c47de9f8c9cf67

        SHA256

        81070efe4c3537abec99f5570c2725c3c7118a4c5160677a66b400699eef671d

        SHA512

        d9ecd3afc3e9885a397988ce7fda4475d8f3d8b7494899b1114b25471f448457fe2945fd23bc645f52d6f50ce3c2744aea08d1673fcd7c387d02ae70e628f278

        Download Submit

      • C:\Users\Admin\Desktop\GetCompare.doc
        Filesize

        669KB

        MD5

        f6608982f4bcea26def4889c97a9f282

        SHA1

        180890b4672a07241fd0712ee41c6438f4652b17

        SHA256

        33c630a6a139208bae2093f326b4df3b13118322e784ef79442c45fb220d2c18

        SHA512

        a85b3858ab602d4b2f97bc9a071f39c10c32014e91f331e8177dd5f33b75c0e5874906973cd4a9d8bd7d23af73843f81e694e7a55c28b315a3d7f84213b9f304

        Download Submit

      • C:\Users\Admin\Desktop\InstallCheckpoint.rtf
        Filesize

        452KB

        MD5

        ad113e1919027132eadf8fcf4f569318

        SHA1

        d32c9e38d671812de59c55deaa5140ffb916c4c4

        SHA256

        f20690657517ead395aae4ff356a39abff6db3d3195b615cd3cd549995bf1408

        SHA512

        9050552b9ddedcd76bbe551d6c0ffb6b4d680b544a34d16aad362760f9c0ee5ba6b17a296c1283e3b6ab9d4a99c004211c5d8430e16b437d6712807cbf8acaf0

        Download Submit

      • C:\Users\Admin\Desktop\InstallSearch.cmd
        Filesize

        256KB

        MD5

        f030030dccc59e3cae4020db43639638

        SHA1

        d68aa583fdbfca70468593c15afff6b82b6bdbbd

        SHA256

        e1d357fc8f9c5ab49774de44a8b19097dcaecf77c5615c3d970850fe6429172e

        SHA512

        ef4f0bb1678e6c7e2aaf6b172fa0146060eee817fa723eb8d63725d61df96c38b17253a279d5d888d335c5192878c61e3a6fd3f13b583f4e30fc160f61e59161

        Download Submit

      • C:\Users\Admin\Desktop\JoinImport.wma
        Filesize

        512KB

        MD5

        79a2b25dcbcb2c8a1a9358d66c3c0077

        SHA1

        43c7fc078de1f12b9054fc5050b98fc551a4f285

        SHA256

        3e21eb5186251f170cb990672cc8ebff6016aac69c56ab40da1be389f4dcc646

        SHA512

        dfb0ae7c634c2f4c0f3f85894d84c54cfa4e79be159b399197b170d4ecfea5c8f0cc55ac12fc42b5eb38d9b29762d3079b8352da0bf03c60769dfc3806302778

        Download Submit

      • C:\Users\Admin\Desktop\MergeRepair.ps1xml
        Filesize

        393KB

        MD5

        ce4c30ce464f68fbd151407c4046fd3f

        SHA1

        3a7ed11f52e8e29dbad0b9c6778d250dc5588674

        SHA256

        b8f7ab73a706ac220849b33d87463a042b3fbc7c038fb5553fd98043c02780a8

        SHA512

        9f9fcbebe0125744b84961167ea5723b597d201457b5a58ec4c223dba52158662dd9d283ecbd71c4e0ad392477ee4366b1847cf4dd3292b4cb0a2c944f8b1eb1

        Download Submit

      • C:\Users\Admin\Desktop\MountSplit.001
        Filesize

        354KB

        MD5

        db96881ad7e94da58b87478000b8f233

        SHA1

        0e27a81ba95cf7f004e1f8d42371a800c527a251

        SHA256

        b8b5468ce8300b03e1b7c7ba8824164b2f96f097a28ddcbd52d1b560122d24ce

        SHA512

        9f57e37120cf880d71bfc676d630dfc030c2103f82a47593d2640f6ead02735ea6f70cdc05ec9f0110ea7e9f81b386c7f2baaf6b82b967d5389fee7a58e7d921

        Download Submit

      • C:\Users\Admin\Desktop\PublishExport.pptx
        Filesize

        551KB

        MD5

        b994a9eb4b39dab371ce2648ce0dc039

        SHA1

        497b7a7cb653f14d222dcdd080a83d7668cfb97f

        SHA256

        c2b620e31a867c1fe34c2a76c11131406faa8ee3fbe5ff8e0c8e1748dadf8a6a

        SHA512

        a06581468a90ff588f5d637c3142d51e72af40b05dc2113179b57f1d865ba5bb9c0d96639479c40ffbabb4d3a80e24ca824bb72c2d2718c3be1bc702253b7b67

        Download Submit

      • C:\Users\Admin\Desktop\PublishSelect.wvx
        Filesize

        728KB

        MD5

        3fa25a9376a921f1d70222d555946658

        SHA1

        9eda24f2411d2ca9fe23b6df7a950c96b366109f

        SHA256

        4ef7947bd094d8bf24b0b499a34f00445d6119af004aa87922e8048dbe577660

        SHA512

        8eb6f7f5d890291715775a5598500e57c70ab89886cc766bd87d1606b7c21081188260aee14084edb0faa18bf61e52954524ca8866f67ef5690d351e0e0d425d

        Download Submit

      • C:\Users\Admin\Desktop\ResetConfirm.ocx
        Filesize

        295KB

        MD5

        8106450627e0544a053f432c41f89f34

        SHA1

        20f1528117793461129290b401b79a4a616c688f

        SHA256

        b236b8b0c689ee15cce4d639779b538177fb84630fe632332eb11a712f6ea48d

        SHA512

        6b225cc23d260f17eee44b32733ccb5d5c3b4c09809cf3635c36b6643290bdb0f9621362caa3e77412af0f09d573dc3d19e0b7c74b884ab77b1cbc6600f6472a

        Download Submit

      • C:\Users\Admin\Desktop\ResumeComplete.m1v
        Filesize

        571KB

        MD5

        ae0d8645c864d86aee3a37ef0f8267d1

        SHA1

        5fc576caca52b3b2674d11c17701360006789e43

        SHA256

        80fc66f3977be8ebd4e311a9cc9ab4a90d508fbbfc06b56928638a3eb908e70f

        SHA512

        f225640a21a7c5b0053b3a2222f87ee6ac48e12e719010ae7704024a95122dd744eca874396bcaa47fc71f48b56ce78266f6c564ab5bf83c42b6c00e7bf94587

        Download Submit

      • C:\Users\Admin\Desktop\RevokeRestore.css
        Filesize

        334KB

        MD5

        b945a643121cebe9bc8c96135bbdb6a7

        SHA1

        60fd11b60117f9f99408107458eccec93bfe88ba

        SHA256

        80b9750f77bc32758e4ee639a92766024b5c008cded5b7c4c358a685be91c59d

        SHA512

        9246cfa7e25644c2820d66d9b6834c7102e5bd767890e494043b4b09ca4a41db7959678b64b2a233aa5a36860f7d4bf008bde9e55dd8cda78cdf5010013ea56a

        Download Submit

      • C:\Users\Admin\Desktop\ShowDisable.js
        Filesize

        1004KB

        MD5

        3a02bd32846ccd5689020d53b67463b7

        SHA1

        b09417189605fc3c5a89366acd3c70309a7a7d54

        SHA256

        13bd9df585a95bc2d1e22dc0b4f815a974fb704dc820cd478e49931b4e4f9ac4

        SHA512

        ee7fdcaab894aadef8b5fd6f8642404e922037cf2fccf069dd133204d6927b58a045b8a0f08f31ac9c2f3f229995663bcdfd006467b48af66c66a27490568259

        Download Submit

      • C:\Users\Admin\Desktop\SkipPing.pcx
        Filesize

        531KB

        MD5

        206a0d461dbb03d59a620cdfad0300a9

        SHA1

        6cb6324b7241ec28008272fb33c98cef45135600

        SHA256

        4604a468718559b4132b2a606778011e5efc0c6686ae146cf7729d0cb1b1322d

        SHA512

        15d439ac54ca005b22b0d1930e25ed5bb00191a4d648e3920794f82e7cd4f1bb2428719da7212cf4f639a6ae61100b3dedf8aeedbf2d3a931e15ca748ba1572c

        Download Submit

      • C:\Users\Admin\Desktop\SubmitSelect.AAC
        Filesize

        649KB

        MD5

        614e6b3a46593e67dbdf59a540d045af

        SHA1

        c33e37211e638ba79f015f1deafbdf43ca250b8e

        SHA256

        7e805b2a7e3c3bde90691a2aa8ade4de06df666111389d34fbc9c9f1e2da7204

        SHA512

        b2b240ee52f275c5d648bf2201edaab90693aa41fee7d6147255da3a197289a78be418271848e280a2f7da2b7ae7253893e83b562b2569b4ceb814e4440dea38

        Download Submit

      • C:\Users\Admin\Desktop\UninstallUnprotect.otf
        Filesize

        374KB

        MD5

        46e13cc51a39623a2afd16254f83a152

        SHA1

        0711c8b143074c72daa51a69039be6811bdf7836

        SHA256

        f6ec2aa41e7e659dce1e144319f6f3f4ed568db717f7e78afa20f0eb437a8a3e

        SHA512

        cefb23ac1f1a4b164bba47a9d9f6e8343fc2282bdddd13a7430b1f40b2fc1b878b72d1f8235f1a2a2a5a1f2c68accd1a3ef8cb4b4ad40b15ba226aea86c2f6f3

        Download Submit

      • C:\Users\Admin\Desktop\UnlockStop.pps
        Filesize

        590KB

        MD5

        68522555a2944deb26cc5437745454a8

        SHA1

        d9febdb4e228992a4d252826ce469f0c6d2c519a

        SHA256

        a0cdf56c3622300aca57b935970ba0add97bd24c52890945dffe5a636af61811

        SHA512

        92ce05266291152f24c81a24b1dc058be2383967e384ccac4afdf98a136a87dd49a280469926cefdcf20c2c49af2f4009f50aecd2aab1695167783fc96679f60

        Download Submit

      • C:\Users\Admin\Desktop\WriteClear.ex_
        Filesize

        433KB

        MD5

        ab7090c4b9bd5f0476ce38fc69f1cf75

        SHA1

        9ef2b2f99056b64b63e790b937ba94ae9a48b37e

        SHA256

        501e41036bdbe0b6e2208128a3b7bce604ee3574cf8d1f7f919e0fc1e9986c8e

        SHA512

        af630341018e00e7abca4c345064d688e17e97d92e880cd448c3899c0ad995159024ea9e91423179e53e0dd0f01e7293a067808bc0b88ad08dafdfe527ef3dcd

        Download Submit

      • memory/1028-11-0x0000000075020000-0x00000000755D1000-memory.dmp

        Filesize

        5.7MB

        Download

      • memory/1028-9-0x0000000075020000-0x00000000755D1000-memory.dmp

        Filesize

        5.7MB

        Download

      • memory/1028-5-0x0000000075020000-0x00000000755D1000-memory.dmp

        Filesize

        5.7MB

        Download

      • memory/1028-0-0x0000000075021000-0x0000000075022000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1028-2-0x0000000075020000-0x00000000755D1000-memory.dmp

        Filesize

        5.7MB

        Download

      • memory/1028-10-0x0000000075020000-0x00000000755D1000-memory.dmp

        Filesize

        5.7MB

        Download

      • memory/1028-15-0x0000000075020000-0x00000000755D1000-memory.dmp

        Filesize

        5.7MB

        Download

      • memory/1028-12-0x0000000075020000-0x00000000755D1000-memory.dmp

        Filesize

        5.7MB

        Download

      • memory/1028-13-0x0000000075020000-0x00000000755D1000-memory.dmp

        Filesize

        5.7MB

        Download

      • memory/1028-14-0x0000000075020000-0x00000000755D1000-memory.dmp

        Filesize

        5.7MB

        Download

      • memory/1028-38-0x0000000075020000-0x00000000755D1000-memory.dmp

        Filesize

        5.7MB

        Download

      • memory/1028-205-0x0000000075020000-0x00000000755D1000-memory.dmp

        Filesize

        5.7MB

        Download

      • memory/1028-1-0x0000000075020000-0x00000000755D1000-memory.dmp

        Filesize

        5.7MB

        Download