Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

1

IMG_2031.exe

windows7-x64

10

IMG_2031.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    147s
  • max time network
    142s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    20/04/2023, 16:25

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    IMG_2031.exe

  • Size

    816KB

  • MD5

    1817e46e5a422e9132a04db8fec73a0c

  • SHA1

    31c2f9de7b5b05cc322512fd9beadd7c7e525f6d

  • SHA256

    60969a9175951613f2c83eab67e31887eaed9429e5d03cf8ab135131a2b47054

  • SHA512

    b23c76bbf3ea1733cc4196d001a5034bf0b262bd683a26723076ce7ef653534461f9593bb0d70a037c0144695f12c4b371ffc26cde3bf69e1dcf2cc0f71eb712

  • SSDEEP

    12288:oWmaQfFJeDYFPQC1nOw6/iZyubeDmFiFVVfHVpNtrjb+Vf7SJo7lfELkNCCtPzMI:NTCfJnGbDwKNd8H

Score
10/10
xwormpersistencerattrojan

Malware Config

Extracted

Family

xworm

C2

severdops.ddns.net:7021

Mutex

eQLeuanC5v31k1hC

Attributes
  • install_file

    USB.exe

aes.plain

Signatures

  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Delays execution with timeout.exe 1 IoCs
    evasion
  • Suspicious behavior: EnumeratesProcesses 41 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 36 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\IMG_2031.exe
    "C:\Users\Admin\AppData\Local\Temp\IMG_2031.exe"
    1⤵
    • Checks computer location settings
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3372
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Roaming\svchost.exe"' & exit
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:212
      • C:\Windows\system32\schtasks.exe
        schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Roaming\svchost.exe"'
        3⤵
        • Creates scheduled task(s)
        PID:2220
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpADE8.tmp.bat""
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4764
      • C:\Windows\system32\timeout.exe
        timeout 3
        3⤵
        • Delays execution with timeout.exe
        PID:1308
      • C:\Users\Admin\AppData\Roaming\svchost.exe
        "C:\Users\Admin\AppData\Roaming\svchost.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:4368
        • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regsql.exe
          "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regsql.exe"
          4⤵
            PID:4108
          • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
            "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe"
            4⤵
              PID:628
            • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe
              "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe"
              4⤵
                PID:2392
              • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_wp.exe
                "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_wp.exe"
                4⤵
                  PID:5016
                • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
                  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe"
                  4⤵
                    PID:1612
                  • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe
                    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe"
                    4⤵
                      PID:5076
                    • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe
                      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe"
                      4⤵
                        PID:2800
                      • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
                        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe"
                        4⤵
                          PID:4460
                        • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe
                          "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe"
                          4⤵
                            PID:4472
                          • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe
                            "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe"
                            4⤵
                            • Suspicious use of AdjustPrivilegeToken
                            PID:3308

                    Network

                    MITRE ATT&CK Enterprise v6

                    Replay Monitor

                    Loading Replay Monitor...

                    Downloads

                    • C:\Users\Admin\AppData\Local\Temp\tmpADE8.tmp.bat
                      Filesize

                      151B

                      MD5

                      e6182bdcd2ee9d7456011e2a72c5bce2

                      SHA1

                      04e3db5d557c8604a6fb4b983a5eed0d1e10d312

                      SHA256

                      6dd0512027e650288029064459df606e039a0e0e226af3bdfcee136c1d392a1b

                      SHA512

                      f80d747b9201a3a698978dbd8547d974c1c1175cb931ff08a270ff88cb782c52a136ee45097438624d69f255632a7e6e7de78d1a2b8ee81fdeb72da9ebe2942c

                      Download Submit

                    • C:\Users\Admin\AppData\Roaming\svchost.exe
                      Filesize

                      816KB

                      MD5

                      1817e46e5a422e9132a04db8fec73a0c

                      SHA1

                      31c2f9de7b5b05cc322512fd9beadd7c7e525f6d

                      SHA256

                      60969a9175951613f2c83eab67e31887eaed9429e5d03cf8ab135131a2b47054

                      SHA512

                      b23c76bbf3ea1733cc4196d001a5034bf0b262bd683a26723076ce7ef653534461f9593bb0d70a037c0144695f12c4b371ffc26cde3bf69e1dcf2cc0f71eb712

                      Download Submit

                    • C:\Users\Admin\AppData\Roaming\svchost.exe
                      Filesize

                      816KB

                      MD5

                      1817e46e5a422e9132a04db8fec73a0c

                      SHA1

                      31c2f9de7b5b05cc322512fd9beadd7c7e525f6d

                      SHA256

                      60969a9175951613f2c83eab67e31887eaed9429e5d03cf8ab135131a2b47054

                      SHA512

                      b23c76bbf3ea1733cc4196d001a5034bf0b262bd683a26723076ce7ef653534461f9593bb0d70a037c0144695f12c4b371ffc26cde3bf69e1dcf2cc0f71eb712

                      Download Submit

                    • memory/3308-144-0x0000000000400000-0x0000000000410000-memory.dmp

                      Filesize

                      64KB

                      Download

                    • memory/3308-146-0x0000000005170000-0x000000000520C000-memory.dmp

                      Filesize

                      624KB

                      Download

                    • memory/3308-147-0x00000000053B0000-0x00000000053C0000-memory.dmp

                      Filesize

                      64KB

                      Download

                    • memory/3308-148-0x0000000005AB0000-0x0000000005B16000-memory.dmp

                      Filesize

                      408KB

                      Download

                    • memory/3308-149-0x00000000053B0000-0x00000000053C0000-memory.dmp

                      Filesize

                      64KB

                      Download

                    • memory/3308-150-0x00000000064E0000-0x0000000006572000-memory.dmp

                      Filesize

                      584KB

                      Download

                    • memory/3308-151-0x0000000006B30000-0x00000000070D4000-memory.dmp

                      Filesize

                      5.6MB

                      Download

                    • memory/3372-139-0x0000021054580000-0x00000210546CE000-memory.dmp

                      Filesize

                      1.3MB

                      Download

                    • memory/3372-134-0x0000021052C50000-0x0000021052C60000-memory.dmp

                      Filesize

                      64KB

                      Download

                    • memory/3372-133-0x00000210527D0000-0x00000210528A0000-memory.dmp

                      Filesize

                      832KB

                      Download