Analysis
max time kernel: 8s
max time network: 139s
platform: windows10-2004_x64
resource: win10v2004-20231222-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231222-en, locale:en-us, os:windows10-2004-x64, system
submitted: 24/01/2024, 03:18
Static task: static1
Behavioral task: behavioral1
  Sample: a231145abbb216fb9ad0bb81c51832f5.exe
  Resource: win7-20231129-en
Behavioral task: behavioral2
  Sample: a231145abbb216fb9ad0bb81c51832f5.exe
  Resource: win10v2004-20231222-en
General
Target: a231145abbb216fb9ad0bb81c51832f5.exe
Size: 92KB
MD5: a231145abbb216fb9ad0bb81c51832f5
SHA1: c93e051e8c374bbcb153b1862e6e101abb73775c
SHA256: 305817d3405f3f1d344836b74d5e04af40da8e11d5334c6401c94a3baceb34ea
SHA512: 3c67f60a04495fc14b3bdacf6d19a509c13dddcf29227696d69336878f3059bc33eb6a2183d12fd6a88c8fe0533c0787eb9599686564c061e3d500b1d34c3fcd
SSDEEP: 1536:jynazMODiSbl57b/4tXzQP8AltrOSWht1s5qXxx3M9H+NjExnCMT3JuT+d/1SWPO:jOa9Dnv7ba85OTt25x+Z6Lh1ZP/Bjvfs
Malware Config
Extracted: xworm
Install_directory: %AppData%
install_file: svchost.exe
pastebin_url: https://pastebin.com/raw/TgduC2Px
Signatures

Detect Xworm Payload (1 IoCs)
  resource: behavioral2/memory/924-32-0x0000000000FA0000-0x0000000000FBA000-memory.dmp
  yara_rule: family_xworm

Modifies WinLogon for persistence (2 TTPs, 1 IoCs)
  description: Set value (str)
  ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\System32\\userinit.exe,C:\\ProgramData\\Microsoft\\Windows\\Templates\\ibkcqwg5.azq.exe"
  process: a231145abbb216fb9ad0bb81c51832f5.exe

Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
  description: Key value queried
  ioc: \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation
  process: a231145abbb216fb9ad0bb81c51832f5.exe

Executes dropped EXE (1 IoCs)
  pid: 924, process: ibkcqwg5.azq.exe

Legitimate hosting services abused for malware hosting/C2 (1 TTPs)

Looks up external IP address via web service (1 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
  flow: 14, ioc: ip-api.com

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Creates scheduled task(s) (1 TTPs, 2 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid: 4556, process: schtasks.exe
  pid: 5100, process: schtasks.exe

Suspicious use of AdjustPrivilegeToken (1 IoCs)
  description: Token: SeDebugPrivilege, pid: 924, process: ibkcqwg5.azq.exe

Suspicious use of WriteProcessMemory (6 IoCs)
  description: PID 1512 wrote to memory of 2884, pid: 1512, process: a231145abbb216fb9ad0bb81c51832f5.exe, procid_target: 86
  description: PID 1512 wrote to memory of 2884, pid: 1512, process: a231145abbb216fb9ad0bb81c51832f5.exe, procid_target: 86
  description: PID 2884 wrote to memory of 4556, pid: 2884, process: CMD.exe, procid_target: 88
  description: PID 2884 wrote to memory of 4556, pid: 2884, process: CMD.exe, procid_target: 88
  description: PID 1512 wrote to memory of 924, pid: 1512, process: a231145abbb216fb9ad0bb81c51832f5.exe, procid_target: 92
  description: PID 1512 wrote to memory of 924, pid: 1512, process: a231145abbb216fb9ad0bb81c51832f5.exe, procid_target: 92

Uses Task Scheduler COM API (1 TTPs)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

C:\Users\Admin\AppData\Local\Temp\a231145abbb216fb9ad0bb81c51832f5.exe (PID 1512)
  Command line: "C:\Users\Admin\AppData\Local\Temp\a231145abbb216fb9ad0bb81c51832f5.exe"
  Signatures: Modifies WinLogon for persistence; Checks computer location settings; Suspicious use of WriteProcessMemory

  C:\Windows\SYSTEM32\CMD.exe (PID 2884)
    Command line: "CMD" /C SchTaSKs /CrEAte /F /sc OnLoGoN /rl HighEst /tn "System Update" /tr "C:\ProgramData\Microsoft\Windows\Templates\ibkcqwg5.azq.exe" & exit
    Signatures: Suspicious use of WriteProcessMemory

    C:\Windows\system32\schtasks.exe (PID 4556)
      Command line: SchTaSKs /CrEAte /F /sc OnLoGoN /rl HighEst /tn "System Update" /tr "C:\ProgramData\Microsoft\Windows\Templates\ibkcqwg5.azq.exe"
      Signatures: Creates scheduled task(s)

  C:\ProgramData\Microsoft\Windows\Templates\ibkcqwg5.azq.exe (PID 924)
    Command line: "C:\ProgramData\Microsoft\Windows\Templates\ibkcqwg5.azq.exe"
    Signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken

    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 3856)
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Templates\ibkcqwg5.azq.exe'

    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 4392)
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'ibkcqwg5.azq.exe'

    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 1272)
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\svchost.exe'

    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 4916)
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'

    C:\Windows\System32\schtasks.exe (PID 5100)
      Command line: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchost" /tr "C:\Users\Admin\AppData\Roaming\svchost.exe"
      Signatures: Creates scheduled task(s)

C:\Users\Admin\AppData\Roaming\svchost.exe (PID 528)
  Command line: C:\Users\Admin\AppData\Roaming\svchost.exe

C:\Users\Admin\AppData\Roaming\svchost.exe (PID 2216)
  Command line: C:\Users\Admin\AppData\Roaming\svchost.exe
Network
MITRE ATT&CK Enterprise v15
Downloads