Analysis
max time kernel: 140s
max time network: 156s
platform: windows10-2004_x64
resource: win10v2004-20230915-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230915-en, locale:en-us, os:windows10-2004-x64, system
submitted: 07/10/2023, 18:45
Static task: static1
Behavioral task: behavioral1
Sample: Loader.exe
Resource: win10v2004-20230915-en
General
Target: Loader.exe
Size: 133KB
MD5: fc3378c4e8cd002ba1e8a05b37f09d24
SHA1: 6b3620287c4f94d2f515c1a8577fffcc02331b0c
SHA256: 2b03faa10419218a0214b4ef415ecc41d9c78a8031deaf89d9d836b8fcd54089
SHA512: c1ac224a9aad0dde67f5ec4b4ae9f4921cb7718bf1a27755d32de6ea04f8aaf09864228c0d576492bbd1742209333b988429a3e277b1f4d19ea068b1e548fe69
SSDEEP: 1536:yxYnIibKxkGHHIy2MwxIQ+b/zvc5j6xOVHRvUF80XbpGQqmyVttdGFQeOPigE:aLRIHpx3+bb5OVHpUFNcQqmyBeT
Malware Config
Signatures

Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
  Key value queried: \REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\Control Panel\International\Geo\Nation (process: Loader.exe)

Drops startup file (2 IoCs)
  File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XWorm Auto Updater.lnk (process: Loader.exe)
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XWorm Auto Updater.lnk (process: Loader.exe)

Executes dropped EXE (2 IoCs)
  PID 2820: XWorm Auto Updater
  PID 312: XWorm Auto Updater

Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str): \REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\XWorm Auto Updater = "C:\\Users\\Admin\\AppData\\Local\\Temp\\XWorm Auto Updater" (process: Loader.exe)

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
SCSI information is often read in order to detect sandboxing environments.
  Key value queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName (process: taskmgr.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 (process: taskmgr.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A (process: taskmgr.exe)

Creates scheduled task(s) (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution.
  PID 3776: schtasks.exe

Modifies registry class (1 IoC)
  Key created: \REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000_Classes\Local Settings (process: Loader.exe)

Opens file in notepad (likely ransom note) (1 IoC)
  PID 2812: NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses (16 IoCs)
  PID 4772: powershell.exe (2 entries)
  PID 1492: powershell.exe (2 entries)
  PID 2804: powershell.exe (2 entries)
  PID 3484: powershell.exe (2 entries)
  PID 1780: Loader.exe (1 entry)
  PID 4956: taskmgr.exe (7 entries)

Suspicious use of AdjustPrivilegeToken (13 IoCs)
  Token: SeDebugPrivilege, PID 1780, Loader.exe
  Token: SeDebugPrivilege, PID 4772, powershell.exe
  Token: SeDebugPrivilege, PID 1492, powershell.exe
  Token: SeDebugPrivilege, PID 2804, powershell.exe
  Token: SeDebugPrivilege, PID 3484, powershell.exe
  Token: SeDebugPrivilege, PID 1780, Loader.exe
  Token: SeDebugPrivilege, PID 2820, XWorm Auto Updater
  Token: SeDebugPrivilege, PID 312, XWorm Auto Updater
  Token: SeDebugPrivilege, PID 4956, taskmgr.exe
  Token: SeSystemProfilePrivilege, PID 4956, taskmgr.exe
  Token: SeCreateGlobalPrivilege, PID 4956, taskmgr.exe
  Token: 33, PID 4956, taskmgr.exe
  Token: SeIncBasePriorityPrivilege, PID 4956, taskmgr.exe

Suspicious use of FindShellTrayWindow (33 IoCs)
  PID 4956: taskmgr.exe (33 identical entries)

Suspicious use of SendNotifyMessage (33 IoCs)
  PID 4956: taskmgr.exe (33 identical entries)

Suspicious use of SetWindowsHookEx (1 IoC)
  PID 1780: Loader.exe

Suspicious use of WriteProcessMemory (12 IoCs; each pair is logged twice)
  PID 1780 (Loader.exe) wrote to memory of PID 4772, procid_target 86 (2 entries)
  PID 1780 (Loader.exe) wrote to memory of PID 1492, procid_target 90 (2 entries)
  PID 1780 (Loader.exe) wrote to memory of PID 2804, procid_target 92 (2 entries)
  PID 1780 (Loader.exe) wrote to memory of PID 3484, procid_target 96 (2 entries)
  PID 1780 (Loader.exe) wrote to memory of PID 3776, procid_target 97 (2 entries)
  PID 1780 (Loader.exe) wrote to memory of PID 2812, procid_target 111 (2 entries)

Uses Task Scheduler COM API (1 TTP)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

C:\Users\Admin\AppData\Local\Temp\Loader.exe (PID 1780)
  Command line: "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
  - Checks computer location settings
  - Drops startup file
  - Adds Run key to start application
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 4772)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Loader.exe'
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 1492)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Loader.exe'
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2804)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\XWorm Auto Updater'
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 3484)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XWorm Auto Updater'
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\System32\schtasks.exe (PID 3776)
    Command line: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "XWorm Auto Updater" /tr "C:\Users\Admin\AppData\Local\Temp\XWorm Auto Updater"
    - Creates scheduled task(s)

  C:\Windows\system32\NOTEPAD.EXE (PID 2812)
    Command line: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\ygojjt.txt
    - Opens file in notepad (likely ransom note)

C:\Users\Admin\AppData\Local\Temp\XWorm Auto Updater (PID 2820)
  Command line: "C:\Users\Admin\AppData\Local\Temp\XWorm Auto Updater"
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken

C:\Users\Admin\AppData\Local\Temp\XWorm Auto Updater (PID 312)
  Command line: "C:\Users\Admin\AppData\Local\Temp\XWorm Auto Updater"
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken

C:\Windows\system32\taskmgr.exe (PID 4956)
  Command line: "C:\Windows\system32\taskmgr.exe" /4
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
Network
MITRE ATT&CK Enterprise v15

Persistence
  Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
  Scheduled Task/Job (1)

Privilege Escalation
  Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
  Scheduled Task/Job (1)
Downloads