Analysis
- max time kernel: 150s
- max time network: 148s
- platform: windows10-2004_x64
- resource: win10v2004-20230621-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230621-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 27/06/2023, 14:14

Static task: static1

Behavioral task: behavioral1
- Sample: ArchevodXWormexe.exe
- Resource: win7-20230621-en

Behavioral task: behavioral2
- Sample: ArchevodXWormexe.exe
- Resource: win10v2004-20230621-en
General
- Target: ArchevodXWormexe.exe
- Size: 1.1MB
- MD5: 87243804ebf481b95392b3ec64774297
- SHA1: ff945fbb4577b5b8939d6f80367c5e4b6cdef99b
- SHA256: bf9c7574e3ca23a96e317b42385aee11a982ab20649a6954d507e9c76b4044b5
- SHA512: 4eadcccd6d39679e053501f2680637d4855d2ea0d5e7fb753718b25ba4866cb05847e80db7568393db41bae29c803a9d593e92db8285fee553cf3efd91e77ce5
- SSDEEP: 24576:e8JiMsfQ2FsbQM9ULXwbZnr9UbjAyFEHn7h98ll2cXVuF0wG1oVNMzV:emTRMM9WXwlr9TyyHnE/2cXVborMx
Malware Config
Extracted
- Family: xworm
- C2: topics-junior.at.ply.gg:45283
- install_file: explorer.exe
Signatures
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  - Key value queried: \REGISTRY\USER\S-1-5-21-508929744-1894537824-211734425-1000\Control Panel\International\Geo\Nation (Process: ArchevodXWormexe.exe)
- Drops startup file (2 IoCs)
  - File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ArchevodXWormexe.lnk (Process: ArchevodXWormexe.exe)
  - File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ArchevodXWormexe.lnk (Process: ArchevodXWormexe.exe)
- Executes dropped EXE (2 IoCs)
  - PID 4920: ArchevodXWormexe.exe
  - PID 5012: ArchevodXWormexe.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  - Set value (str): \REGISTRY\USER\S-1-5-21-508929744-1894537824-211734425-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ArchevodXWormexe = "C:\\Users\\Admin\\AppData\\Roaming\\ArchevodXWormexe.exe" (Process: ArchevodXWormexe.exe)
- Looks up external IP address via web service (1 IoC)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  - Flow 8: ip-api.com
- Suspicious use of NtSetInformationThreadHideFromDebugger (17 IoCs)
  - PID 3572: ArchevodXWormexe.exe (15 hits)
  - PID 4920: ArchevodXWormexe.exe (1 hit)
  - PID 5012: ArchevodXWormexe.exe (1 hit)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  - PID 1724: schtasks.exe
- Suspicious behavior: EnumeratesProcesses (13 IoCs)
  - PID 3572: ArchevodXWormexe.exe (3 hits)
  - PID 3180: powershell.exe (2 hits)
  - PID 3976: powershell.exe (2 hits)
  - PID 3828: powershell.exe (2 hits)
  - PID 4920: ArchevodXWormexe.exe (2 hits)
  - PID 5012: ArchevodXWormexe.exe (2 hits)
- Suspicious use of AdjustPrivilegeToken (7 IoCs)
  - Token: SeDebugPrivilege, PID 3572: ArchevodXWormexe.exe (2 hits)
  - Token: SeDebugPrivilege, PID 3180: powershell.exe
  - Token: SeDebugPrivilege, PID 3976: powershell.exe
  - Token: SeDebugPrivilege, PID 3828: powershell.exe
  - Token: SeDebugPrivilege, PID 4920: ArchevodXWormexe.exe
  - Token: SeDebugPrivilege, PID 5012: ArchevodXWormexe.exe
- Suspicious use of SetWindowsHookEx (4 IoCs)
  - PID 3572: ArchevodXWormexe.exe (2 hits)
  - PID 4920: ArchevodXWormexe.exe
  - PID 5012: ArchevodXWormexe.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  - PID 3572 (ArchevodXWormexe.exe) wrote to memory of PID 3180, procid_target 82 (3 hits)
  - PID 3572 (ArchevodXWormexe.exe) wrote to memory of PID 3976, procid_target 84 (3 hits)
  - PID 3572 (ArchevodXWormexe.exe) wrote to memory of PID 3828, procid_target 86 (3 hits)
  - PID 3572 (ArchevodXWormexe.exe) wrote to memory of PID 1724, procid_target 88 (3 hits)
Processes
- C:\Users\Admin\AppData\Local\Temp\ArchevodXWormexe.exe (PID 3572)
  Command line: "C:\Users\Admin\AppData\Local\Temp\ArchevodXWormexe.exe"
  Signatures:
  - Checks computer location settings
  - Drops startup file
  - Adds Run key to start application
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  Child processes:
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 3180)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\ArchevodXWormexe.exe'
    Signatures:
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 3976)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'ArchevodXWormexe.exe'
    Signatures:
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 3828)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\ArchevodXWormexe.exe'
    Signatures:
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\schtasks.exe (PID 1724)
    Command line: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "ArchevodXWormexe" /tr "C:\Users\Admin\AppData\Roaming\ArchevodXWormexe.exe"
    Signatures:
    - Creates scheduled task(s)
- C:\Users\Admin\AppData\Roaming\ArchevodXWormexe.exe (PID 4920)
  Command line: C:\Users\Admin\AppData\Roaming\ArchevodXWormexe.exe
  Signatures:
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
- C:\Users\Admin\AppData\Roaming\ArchevodXWormexe.exe (PID 5012)
  Command line: C:\Users\Admin\AppData\Roaming\ArchevodXWormexe.exe
  Signatures:
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v6
Downloads