Analysis
- max time kernel: 143s
- max time network: 150s
- platform: windows10-2004_x64
- resource: win10v2004-20230915-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230915-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 06/10/2023, 17:52
Behavioral task: behavioral1
- Sample: bLYU.exe
- Resource: win7-20230831-en
- 6 signatures
- 150 seconds
General
- Target: bLYU.exe
- Size: 56KB
- MD5: 99ac1041885d76a382b9a79e8c6cfe81
- SHA1: 1e32ee6a17e9526d41832177ed2d765fac9b8753
- SHA256: 001e2be0b431a33fbc7d0eb1fabd07d5c1cdba26ebef12e85b2a7ba58bdd995c
- SHA512: 55158c15a94735bf2ad80d70ce255c55d5a08749ae0596229f7e27878a22add8c191d8e69c866f6d98270b3332ee8c3cde60ee7cfdc502dcd38c74fe844ce754
- SSDEEP: 768:cFhVBuPWuUzEbOszEaN9B+7Bpe3GnAZQgS1m2LRRqsEbGlYFer7wiJncDqjP619s:nbOsQzBQ3GQQZ1TffEbGyC7wkn2O7nV
Malware Config (extracted)
- Family: xworm
- Version: 3.0
- C2: 18.231.156.119:7000
- Attributes:
  - install_file: USB.exe
Signatures
- Detect Xworm Payload (1 IoCs)
  resource | yara_rule
  behavioral2/memory/1444-0-0x0000000000C50000-0x0000000000C64000-memory.dmp | family_xworm
- Drops startup file (2 IoCs)
  description | ioc | Process
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bLYU.lnk | bLYU.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bLYU.lnk | bLYU.exe
- Looks up external IP address via web service (1 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow | ioc
  35 | ip-api.com
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 1444 | bLYU.exe