Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
107s -
max time network
143s -
platform
windows10-2004_x64 -
resource
win10v2004-20230915-en -
resource tags
arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system -
submitted
11/10/2023, 11:25
Static task
static1
Behavioral task
behavioral1
Sample
10265ef7d6568a1b67cd65013ecc2bb5bf98b11b8186a5f13f432da0c69613b6_JC.exe
Resource
win7-20230831-en
General
-
Target
10265ef7d6568a1b67cd65013ecc2bb5bf98b11b8186a5f13f432da0c69613b6_JC.exe
-
Size
296KB
-
MD5
5fac40a82226f46504aef22f79233ad7
-
SHA1
c4035a3190fa59840aad19156711c63199d9812e
-
SHA256
10265ef7d6568a1b67cd65013ecc2bb5bf98b11b8186a5f13f432da0c69613b6
-
SHA512
b0fa9ea2dabf45aff55c45499489f2c7a414815664532d0d4579c94f78fe9feb8e5175f49c31e3a6d35694c99911cb6b1dfcf4b49da27ee9d17fe5cba3aa958b
-
SSDEEP
3072:uCmy2JV7y4nWfFCPP/7SQDADn1qlOJqrC96hJSIqdsITzauJ4iTJOrDqK+kLQJ5S:uy1faP/DAD1zB9ySIYzauE9+k
Malware Config
Extracted
xworm
3.1
xwormfresh.duckdns.org:7002
Ytep6ubSVJFcAJf5
-
install_file
USB.exe
Signatures
-
Detect Xworm Payload 1 IoCs
resource yara_rule behavioral2/memory/2220-7-0x0000000000400000-0x000000000040E000-memory.dmp family_xworm -
Executes dropped EXE 1 IoCs
pid Process 2284 svchost.exe -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 2760 set thread context of 2220 2760 10265ef7d6568a1b67cd65013ecc2bb5bf98b11b8186a5f13f432da0c69613b6_JC.exe 92 -
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 3992 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 1 IoCs
pid Process 2220 10265ef7d6568a1b67cd65013ecc2bb5bf98b11b8186a5f13f432da0c69613b6_JC.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 2220 10265ef7d6568a1b67cd65013ecc2bb5bf98b11b8186a5f13f432da0c69613b6_JC.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 2220 10265ef7d6568a1b67cd65013ecc2bb5bf98b11b8186a5f13f432da0c69613b6_JC.exe -
Suspicious use of WriteProcessMemory 20 IoCs
description pid Process procid_target PID 2760 wrote to memory of 2220 2760 10265ef7d6568a1b67cd65013ecc2bb5bf98b11b8186a5f13f432da0c69613b6_JC.exe 92 PID 2760 wrote to memory of 2220 2760 10265ef7d6568a1b67cd65013ecc2bb5bf98b11b8186a5f13f432da0c69613b6_JC.exe 92 PID 2760 wrote to memory of 2220 2760 10265ef7d6568a1b67cd65013ecc2bb5bf98b11b8186a5f13f432da0c69613b6_JC.exe 92 PID 2760 wrote to memory of 2220 2760 10265ef7d6568a1b67cd65013ecc2bb5bf98b11b8186a5f13f432da0c69613b6_JC.exe 92 PID 2760 wrote to memory of 2220 2760 10265ef7d6568a1b67cd65013ecc2bb5bf98b11b8186a5f13f432da0c69613b6_JC.exe 92 PID 2760 wrote to memory of 2220 2760 10265ef7d6568a1b67cd65013ecc2bb5bf98b11b8186a5f13f432da0c69613b6_JC.exe 92 PID 2760 wrote to memory of 2220 2760 10265ef7d6568a1b67cd65013ecc2bb5bf98b11b8186a5f13f432da0c69613b6_JC.exe 92 PID 2760 wrote to memory of 2220 2760 10265ef7d6568a1b67cd65013ecc2bb5bf98b11b8186a5f13f432da0c69613b6_JC.exe 92 PID 2760 wrote to memory of 4444 2760 10265ef7d6568a1b67cd65013ecc2bb5bf98b11b8186a5f13f432da0c69613b6_JC.exe 93 PID 2760 wrote to memory of 4444 2760 10265ef7d6568a1b67cd65013ecc2bb5bf98b11b8186a5f13f432da0c69613b6_JC.exe 93 PID 2760 wrote to memory of 4444 2760 10265ef7d6568a1b67cd65013ecc2bb5bf98b11b8186a5f13f432da0c69613b6_JC.exe 93 PID 2760 wrote to memory of 1432 2760 10265ef7d6568a1b67cd65013ecc2bb5bf98b11b8186a5f13f432da0c69613b6_JC.exe 95 PID 2760 wrote to memory of 1432 2760 10265ef7d6568a1b67cd65013ecc2bb5bf98b11b8186a5f13f432da0c69613b6_JC.exe 95 PID 2760 wrote to memory of 1432 2760 10265ef7d6568a1b67cd65013ecc2bb5bf98b11b8186a5f13f432da0c69613b6_JC.exe 95 PID 2760 wrote to memory of 4408 2760 10265ef7d6568a1b67cd65013ecc2bb5bf98b11b8186a5f13f432da0c69613b6_JC.exe 94 PID 2760 wrote to memory of 4408 2760 10265ef7d6568a1b67cd65013ecc2bb5bf98b11b8186a5f13f432da0c69613b6_JC.exe 94 PID 2760 wrote to memory of 4408 2760 10265ef7d6568a1b67cd65013ecc2bb5bf98b11b8186a5f13f432da0c69613b6_JC.exe 94 PID 1432 wrote to memory of 3992 1432 cmd.exe 99 PID 1432 wrote to memory of 3992 1432 cmd.exe 99 PID 1432 wrote to memory of 3992 1432 cmd.exe 99
Processes
-
C:\Users\Admin\AppData\Local\Temp\10265ef7d6568a1b67cd65013ecc2bb5bf98b11b8186a5f13f432da0c69613b6_JC.exe"C:\Users\Admin\AppData\Local\Temp\10265ef7d6568a1b67cd65013ecc2bb5bf98b11b8186a5f13f432da0c69613b6_JC.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2760 -
C:\Users\Admin\AppData\Local\Temp\10265ef7d6568a1b67cd65013ecc2bb5bf98b11b8186a5f13f432da0c69613b6_JC.exe"C:\Users\Admin\AppData\Local\Temp\10265ef7d6568a1b67cd65013ecc2bb5bf98b11b8186a5f13f432da0c69613b6_JC.exe"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2220
-
-
C:\Windows\SysWOW64\cmd.exe"cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\svchost"2⤵PID:4444
-
-
C:\Windows\SysWOW64\cmd.exe"cmd" /c copy "C:\Users\Admin\AppData\Local\Temp\10265ef7d6568a1b67cd65013ecc2bb5bf98b11b8186a5f13f432da0c69613b6_JC.exe" "C:\Users\Admin\AppData\Roaming\svchost\svchost.exe"2⤵PID:4408
-
-
C:\Windows\SysWOW64\cmd.exe"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\svchost\svchost.exe'" /f2⤵
- Suspicious use of WriteProcessMemory
PID:1432 -
C:\Windows\SysWOW64\schtasks.exeschtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\svchost\svchost.exe'" /f3⤵
- Creates scheduled task(s)
PID:3992
-
-
-
C:\Users\Admin\AppData\Roaming\svchost\svchost.exeC:\Users\Admin\AppData\Roaming\svchost\svchost.exe1⤵
- Executes dropped EXE
PID:2284 -
C:\Users\Admin\AppData\Roaming\svchost\svchost.exe"C:\Users\Admin\AppData\Roaming\svchost\svchost.exe"2⤵PID:3304
-
-
C:\Windows\SysWOW64\cmd.exe"cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\svchost"2⤵PID:1652
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
296KB
MD55fac40a82226f46504aef22f79233ad7
SHA1c4035a3190fa59840aad19156711c63199d9812e
SHA25610265ef7d6568a1b67cd65013ecc2bb5bf98b11b8186a5f13f432da0c69613b6
SHA512b0fa9ea2dabf45aff55c45499489f2c7a414815664532d0d4579c94f78fe9feb8e5175f49c31e3a6d35694c99911cb6b1dfcf4b49da27ee9d17fe5cba3aa958b
-
Filesize
296KB
MD55fac40a82226f46504aef22f79233ad7
SHA1c4035a3190fa59840aad19156711c63199d9812e
SHA25610265ef7d6568a1b67cd65013ecc2bb5bf98b11b8186a5f13f432da0c69613b6
SHA512b0fa9ea2dabf45aff55c45499489f2c7a414815664532d0d4579c94f78fe9feb8e5175f49c31e3a6d35694c99911cb6b1dfcf4b49da27ee9d17fe5cba3aa958b
-
Filesize
296KB
MD55fac40a82226f46504aef22f79233ad7
SHA1c4035a3190fa59840aad19156711c63199d9812e
SHA25610265ef7d6568a1b67cd65013ecc2bb5bf98b11b8186a5f13f432da0c69613b6
SHA512b0fa9ea2dabf45aff55c45499489f2c7a414815664532d0d4579c94f78fe9feb8e5175f49c31e3a6d35694c99911cb6b1dfcf4b49da27ee9d17fe5cba3aa958b