Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Resubmissions
07/10/2023, 18:50
231007-xhdn1aee5y 707/10/2023, 18:45
231007-xd334agh66 707/10/2023, 18:42
231007-xcf7yaed8z 707/10/2023, 18:38
231007-xaftdsgh34 707/10/2023, 18:30
231007-w5zdjsgg59 10Analysis
-
max time kernel
140s -
max time network
156s -
platform
windows10-2004_x64 -
resource
win10v2004-20230915-en -
resource tags
-
submitted
07/10/2023, 18:45
General
-
Target
Loader.exe
-
Size
133KB
-
MD5
fc3378c4e8cd002ba1e8a05b37f09d24
-
SHA1
6b3620287c4f94d2f515c1a8577fffcc02331b0c
-
SHA256
2b03faa10419218a0214b4ef415ecc41d9c78a8031deaf89d9d836b8fcd54089
-
SHA512
c1ac224a9aad0dde67f5ec4b4ae9f4921cb7718bf1a27755d32de6ea04f8aaf09864228c0d576492bbd1742209333b988429a3e277b1f4d19ea068b1e548fe69
-
SSDEEP
1536:yxYnIibKxkGHHIy2MwxIQ+b/zvc5j6xOVHRvUF80XbpGQqmyVttdGFQeOPigE:aLRIHpx3+bb5OVHpUFNcQqmyBeT
Malware Config
Signatures
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Drops startup file 2 IoCs
-
Executes dropped EXE 2 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Modifies registry class 1 IoCs
-
Opens file in notepad (likely ransom note) 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 16 IoCs
-
Suspicious use of AdjustPrivilegeToken 13 IoCs
-
Suspicious use of FindShellTrayWindow 33 IoCs
-
Suspicious use of SendNotifyMessage 33 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 12 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\Loader.exe"C:\Users\Admin\AppData\Local\Temp\Loader.exe"1⤵
- Checks computer location settings
- Drops startup file
- Adds Run key to start application
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Loader.exe'2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Loader.exe'2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\XWorm Auto Updater'2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XWorm Auto Updater'2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "XWorm Auto Updater" /tr "C:\Users\Admin\AppData\Local\Temp\XWorm Auto Updater"2⤵
- Creates scheduled task(s)
-
-
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\ygojjt.txt2⤵
- Opens file in notepad (likely ransom note)
-
-
C:\Users\Admin\AppData\Local\Temp\XWorm Auto Updater"C:\Users\Admin\AppData\Local\Temp\XWorm Auto Updater"1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\XWorm Auto Updater"C:\Users\Admin\AppData\Local\Temp\XWorm Auto Updater"1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /41⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
654B
MD52ff39f6c7249774be85fd60a8f9a245e
SHA1684ff36b31aedc1e587c8496c02722c6698c1c4e
SHA256e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced
SHA5121d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1
-
Filesize
2KB
MD5d85ba6ff808d9e5444a4b369f5bc2730
SHA131aa9d96590fff6981b315e0b391b575e4c0804a
SHA25684739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA5128c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249
-
Filesize
944B
MD5cadef9abd087803c630df65264a6c81c
SHA1babbf3636c347c8727c35f3eef2ee643dbcc4bd2
SHA256cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438
SHA5127278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085
-
Filesize
944B
MD5ef72c47dbfaae0b9b0d09f22ad4afe20
SHA15357f66ba69b89440b99d4273b74221670129338
SHA256692ec20c7039170fb199510f0436181fd155e6b4516d4d1c9e1675adf99aaa7f
SHA5127514b6bc8dc39fa618223300be27cd535dc35b18c66b4a089e2302e72b3e0cac06d88a989fa1296feb386b3cbe2084019df6430c7f895071b76e04ce559a30b4
-
Filesize
944B
MD59bc110200117a3752313ca2acaf8a9e1
SHA1fda6b7da2e7b0175b391475ca78d1b4cf2147cd3
SHA256c88e4bbb64f7fa31429ebe82c1cf07785c44486f37576f783a26ac856e02a4eb
SHA5121f1af32aa18a8cbfcc65b0d4fb7e6ca2705f125eaa85789e981ee68b90c64522e954825abf460d4b4f97567715dfae8d9b0a25a4d54d10bc4c257c472f2e80fb
-
Filesize
133KB
MD5fc3378c4e8cd002ba1e8a05b37f09d24
SHA16b3620287c4f94d2f515c1a8577fffcc02331b0c
SHA2562b03faa10419218a0214b4ef415ecc41d9c78a8031deaf89d9d836b8fcd54089
SHA512c1ac224a9aad0dde67f5ec4b4ae9f4921cb7718bf1a27755d32de6ea04f8aaf09864228c0d576492bbd1742209333b988429a3e277b1f4d19ea068b1e548fe69
-
Filesize
133KB
MD5fc3378c4e8cd002ba1e8a05b37f09d24
SHA16b3620287c4f94d2f515c1a8577fffcc02331b0c
SHA2562b03faa10419218a0214b4ef415ecc41d9c78a8031deaf89d9d836b8fcd54089
SHA512c1ac224a9aad0dde67f5ec4b4ae9f4921cb7718bf1a27755d32de6ea04f8aaf09864228c0d576492bbd1742209333b988429a3e277b1f4d19ea068b1e548fe69
-
Filesize
133KB
MD5fc3378c4e8cd002ba1e8a05b37f09d24
SHA16b3620287c4f94d2f515c1a8577fffcc02331b0c
SHA2562b03faa10419218a0214b4ef415ecc41d9c78a8031deaf89d9d836b8fcd54089
SHA512c1ac224a9aad0dde67f5ec4b4ae9f4921cb7718bf1a27755d32de6ea04f8aaf09864228c0d576492bbd1742209333b988429a3e277b1f4d19ea068b1e548fe69
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
4.6MB
MD5f16c0917425c1eb114667b06437e0581
SHA12a171a934792b225828f0efaeb4bb1a003d54324
SHA25687ddc81d247de32dc707f0f9a0b3126be472e502054513f5bada2c49f4d06b00
SHA512d8bb96e96048845b7fa4005afab2fa192fb9f7e1c8052aff7704ce41c5b1ce5ffad675f1e9e6e2143b954533221433b8568757cbf18b6028daa241b4bdd13fad
-
Filesize
1KB
MD570afb9d81ab66261c1aa9046e4a62951
SHA18c8f7b8a7668832a93f0dab8d02a9ea6419dfaff
SHA256919cbf574ba15a5b8d726a390929311fd4e20146804d118002fae513c2c2f607
SHA51219752f51196fe6241a297e44efd7cbbb6d3a504a1da58a83256ef8994db471d3b5d6af734819c37c8098bab0cd512a29942f1cf74ae23bbae69502a5d1d0a914
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
160KB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
64KB
-
Filesize
10.8MB
-
Filesize
64KB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
64KB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
10.8MB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
136KB
-
Filesize
10.8MB
-
Filesize
64KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB