Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

10

App.exe

windows7-x64

7

App.exe

windows10-2004-x64

7

Freemasonry (2).exe

windows7-x64

10

Freemasonry (2).exe

windows10-2004-x64

10

Freemasonry.exe

windows7-x64

3

Freemasonry.exe

windows10-2004-x64

7

NisSrv.exe

windows7-x64

10

NisSrv.exe

windows10-2004-x64

10

Presentati...he.exe

windows7-x64

1

Presentati...he.exe

windows10-2004-x64

10

SecurityHe...2).exe

windows7-x64

10

SecurityHe...2).exe

windows10-2004-x64

10

SessionService.exe

windows7-x64

10

SessionService.exe

windows10-2004-x64

10

SgrmBroker.exe

windows7-x64

10

SgrmBroker.exe

windows10-2004-x64

10

SocketHeciServer.exe

windows7-x64

10

SocketHeciServer.exe

windows10-2004-x64

10

cmd.exe

windows7-x64

10

cmd.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    10s
  • max time network
    3s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231222-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
  • submitted
    04/02/2024, 09:05

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    cmd.exe

  • Size

    305KB

  • MD5

    17a914cf391fd8afff071aaa9dbb6d0e

  • SHA1

    bdc7aecf8298fc9742cc2d093b39a93d69b56d90

  • SHA256

    fb8ca27363234ce063f034f47bce0ff739273d6880ac93c32ac89750a9bbae3a

  • SHA512

    ccae9abe5e6116fad65699382bf5641a83bd94b7d95ed9159ea0176d2887d226f092ab97cb271d7cacec250c1aa78c0ba8eda75d6e19c6836b2bd2c648f75278

  • SSDEEP

    6144:I7qJFjwoMUnZqaXMhJ99LJJ8KsnlXfEUcP87PyXvUGRhIc/9oLCm:I7qJOBiZlXMT9BwnllcP8WXvvh

Score
10/10
xwormrattrojan

Malware Config

Extracted

Family

xworm

Version

3.1

Attributes
  • install_file

    game.exe

Signatures

  • Detect Xworm Payload 4 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm
  • Delays execution with timeout.exe 1 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\cmd.exe
    "C:\Users\Admin\AppData\Local\Temp\cmd.exe"
    1⤵
      PID:1852
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\powershell.exe'
        2⤵
          PID:1560
        • C:\Windows\system32\cmd.exe
          C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp5786.tmp.bat""
          2⤵
            PID:5116
          • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\powershell.exe
            "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\powershell.exe"
            2⤵
              PID:968
          • C:\Windows\System32\dllhost.exe
            C:\Windows\System32\dllhost.exe /Processid:{bf6d5219-dab9-4bbd-b343-8d028b6d6152}
            1⤵
              PID:668
            • C:\Windows\system32\timeout.exe
              timeout 3
              1⤵
              • Delays execution with timeout.exe
              PID:4028

            Network

            MITRE ATT&CK Matrix

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
              Filesize

              2KB

              MD5

              440cb38dbee06645cc8b74d51f6e5f71

              SHA1

              d7e61da91dc4502e9ae83281b88c1e48584edb7c

              SHA256

              8ef7a682dfd99ff5b7e9de0e1be43f0016d68695a43c33c028af2635cc15ecfe

              SHA512

              3aab19578535e6ba0f6beb5690c87d970292100704209d2dcebddcdd46c6bead27588ef5d98729bfd50606a54cc1edf608b3d15bef42c13b9982aaaf15de7fd6

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_4dncxojb.vp1.ps1
              Filesize

              60B

              MD5

              d17fe0a3f47be24a6453e9ef58c94641

              SHA1

              6ab83620379fc69f80c0242105ddffd7d98d5d9d

              SHA256

              96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

              SHA512

              5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\tmp5786.tmp.bat
              Filesize

              155B

              MD5

              2bb73cb3a4077f5b9b9685588f17443e

              SHA1

              1ce71c64dd01fce9e97c12b770327d5097e633cc

              SHA256

              c0e6ff6a2066053de70d6a07dfa00ab2aa5cf211f80b4ec8cf66afd4290ef32e

              SHA512

              2d940cc790812737624f730aee21c8ff1995570e44610416507b8fda8c7094960eff5a3f19a982f1120cc52c4e6e89b464b5bb9a345f7334f5c71541c183688b

              Download Submit

            • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\powershell.exe
              Filesize

              300KB

              MD5

              3c09d9c6df337337adaa6f3880a318c9

              SHA1

              a4a3a1222476e739e12b28e3bcc8c9dbe2d07fdb

              SHA256

              6f6d67095f0b3ee860ebeb646c7ed14413f1b7cbfccae682109790e84bb461ef

              SHA512

              c0bd827b401ee1cfb4fbc53ceb6f3c40d7d6ee2c14b74832c5367c0df06b37dfd6733b840ebe0f091e6397a35e3b60f11cbbc3db893b68b92b8053c45fd1b24d

              Download Submit

            • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\powershell.exe
              Filesize

              229KB

              MD5

              a2ecfb09c044e8eb23ee1144a56bd64b

              SHA1

              1acad030ec7ebd7cd26de8f149028bfea9d39b4b

              SHA256

              b7a64fd3cd86fdeafde7a727ec47db2a23d3416b4e023bc5d7216e38a48f1e2e

              SHA512

              037a61de7f7c392d67849f9a5005dce9bcf7a1c4f428138c1ef38df45ffd1939547f7b6ff51beb78def50076defd94439a830c98cc8ebae0e380375e4ce7aa58

              Download Submit

            • memory/616-54-0x0000020963AB0000-0x0000020963AD3000-memory.dmp

              Filesize

              140KB

              Download

            • memory/616-57-0x0000020963AE0000-0x0000020963B0A000-memory.dmp

              Filesize

              168KB

              Download

            • memory/616-63-0x00007FFBE860F000-0x00007FFBE8610000-memory.dmp

              Filesize

              4KB

              Download

            • memory/616-60-0x00007FFBE860D000-0x00007FFBE860E000-memory.dmp

              Filesize

              4KB

              Download

            • memory/668-51-0x0000000140000000-0x0000000140040000-memory.dmp

              Filesize

              256KB

              Download

            • memory/668-46-0x0000000140000000-0x0000000140040000-memory.dmp

              Filesize

              256KB

              Download

            • memory/668-48-0x0000000140000000-0x0000000140040000-memory.dmp

              Filesize

              256KB

              Download

            • memory/668-49-0x00007FFBE8570000-0x00007FFBE8765000-memory.dmp

              Filesize

              2.0MB

              Download

            • memory/668-44-0x0000000140000000-0x0000000140040000-memory.dmp

              Filesize

              256KB

              Download

            • memory/668-50-0x00007FFBE6C30000-0x00007FFBE6CEE000-memory.dmp

              Filesize

              760KB

              Download

            • memory/668-52-0x0000000140000000-0x0000000140040000-memory.dmp

              Filesize

              256KB

              Download

            • memory/672-61-0x00007FFBA85F0000-0x00007FFBA8600000-memory.dmp

              Filesize

              64KB

              Download

            • memory/672-68-0x000002A73C0D0000-0x000002A73C0FA000-memory.dmp

              Filesize

              168KB

              Download

            • memory/672-58-0x000002A73C0D0000-0x000002A73C0FA000-memory.dmp

              Filesize

              168KB

              Download

            • memory/960-72-0x000002A3F9BC0000-0x000002A3F9BEA000-memory.dmp

              Filesize

              168KB

              Download

            • memory/960-69-0x00007FFBA85F0000-0x00007FFBA8600000-memory.dmp

              Filesize

              64KB

              Download

            • memory/968-34-0x00000282732D0000-0x0000028273320000-memory.dmp

              Filesize

              320KB

              Download

            • memory/968-45-0x00000282750A0000-0x00000282750B0000-memory.dmp

              Filesize

              64KB

              Download

            • memory/968-42-0x00007FFBE6C30000-0x00007FFBE6CEE000-memory.dmp

              Filesize

              760KB

              Download

            • memory/968-47-0x0000028275090000-0x00000282750A4000-memory.dmp

              Filesize

              80KB

              Download

            • memory/968-41-0x00007FFBE8570000-0x00007FFBE8765000-memory.dmp

              Filesize

              2.0MB

              Download

            • memory/968-39-0x00007FFBCA4F0000-0x00007FFBCAFB1000-memory.dmp

              Filesize

              10.8MB

              Download

            • memory/968-38-0x0000028274F80000-0x0000028274FBE000-memory.dmp

              Filesize

              248KB

              Download

            • memory/1256-83-0x00007FFBA85F0000-0x00007FFBA8600000-memory.dmp

              Filesize

              64KB

              Download

            • memory/1256-86-0x00000298DE760000-0x00000298DE78A000-memory.dmp

              Filesize

              168KB

              Download

            • memory/1256-82-0x00000298DE760000-0x00000298DE78A000-memory.dmp

              Filesize

              168KB

              Download

            • memory/1560-14-0x000002A86C5C0000-0x000002A86C5D0000-memory.dmp

              Filesize

              64KB

              Download

            • memory/1560-4-0x00007FFBCA4F0000-0x00007FFBCAFB1000-memory.dmp

              Filesize

              10.8MB

              Download

            • memory/1560-13-0x000002A86C5C0000-0x000002A86C5D0000-memory.dmp

              Filesize

              64KB

              Download

            • memory/1560-3-0x000002A853E80000-0x000002A853EA2000-memory.dmp

              Filesize

              136KB

              Download

            • memory/1560-17-0x00007FFBCA4F0000-0x00007FFBCAFB1000-memory.dmp

              Filesize

              10.8MB

              Download

            • memory/1852-20-0x000000001B590000-0x000000001B5A0000-memory.dmp

              Filesize

              64KB

              Download

            • memory/1852-1-0x00007FFBCA4F0000-0x00007FFBCAFB1000-memory.dmp

              Filesize

              10.8MB

              Download

            • memory/1852-0-0x00000000001D0000-0x0000000000222000-memory.dmp

              Filesize

              328KB

              Download

            • memory/1852-40-0x00007FFBCA4F0000-0x00007FFBCAFB1000-memory.dmp

              Filesize

              10.8MB

              Download