Analysis
  max time kernel: 146s
  max time network: 135s
  platform: windows7_x64
  resource: win7-20231215-en
  resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
  submitted: 08/02/2024, 01:12
Static task: static1
Behavioral task: behavioral1
  Sample: Files To Use.exe
  Resource: win7-20231215-en
General
  Target: Files To Use.exe
  Size: 493KB
  MD5: d110ec96448664160f10da4abd78152f
  SHA1: 128cdfec7390922d3c643717149f81f4af277cd1
  SHA256: 2fad8bf4e40ac2f1b7da870bb8e4c228bec5c52a875aadf347e71a9cba30d6bc
  SHA512: e99ca079cb44b89e331693c975438f88efda629d7fd898535c511078ca82e07be3faa71bcf31e0657f428556990860f0879d76e23c89f4d9be91f8655cb0734f
  SSDEEP: 12288:PBdlwHRn+WlYV+9VeD09yIzj8ftZJIF+dHO:PBkVdlYATeDOyuj8VwFUHO
Malware Config
Extracted: xworm
  Version: 3.1
  C2: fhfgthfghfg-34660.portmap.host:34660  (portmap.host is a port-forwarding service, so the operator's real endpoint sits behind the tunnel; block the hostname rather than the resolved IP)
  Install_directory: %Userprofile%
  install_file: Runtime Broker.exe
  (the embedded config names Runtime Broker.exe, but in this run the bot installed as C:\Users\Admin\XClient.exe and C:\Windows\XClient.exe; the directory matches %Userprofile%, the file name does not, so hunt on both names)
Extracted: umbral
  Discord webhook (exfiltration endpoint): https://discord.com/api/webhooks/1204944287041847307/aoa_S28cr8V4g11xswAZC9SdvRJS8ygczDK-GfItmMFXCcL2edroJI5lraSE-OISlf6d
Signatures
Detect Umbral payload (3 IoCs)
  behavioral1/files/0x00070000000163d4-36.dat  family_umbral
  behavioral1/files/0x00070000000163d4-37.dat  family_umbral
  behavioral1/memory/2568-38-0x00000000012B0000-0x00000000012F0000-memory.dmp  family_umbral
Detect Xworm Payload (4 IoCs)
  behavioral1/files/0x0007000000016131-20.dat  family_xworm
  behavioral1/memory/2808-39-0x0000000000BD0000-0x0000000000BE8000-memory.dmp  family_xworm
  behavioral1/memory/1944-109-0x0000000000380000-0x0000000000398000-memory.dmp  family_xworm
  behavioral1/memory/2428-114-0x0000000000A80000-0x0000000000A98000-memory.dmp  family_xworm
Drops startup file (2 IoCs)
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk  (XClient.exe)
  File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk  (XClient.exe)
Executes dropped EXE (6 IoCs)
  2660 idk.exe, 2808 XClient.exe, 2888 Umbral.exe, 2568 Umbral.exe, 1944 XClient.exe, 2428 XClient.exe
Loads dropped DLL (6 IoCs)
  2016 Files To Use.exe  (six loads recorded for this one process)
Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str): \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Run\XClient = "C:\Users\Admin\XClient.exe"  (XClient.exe)
  (per-user HKCU Run key, so it needs no elevation; together with the Startup .lnk and the scheduled task below this gives XClient three independent persistence paths)
Looks up external IP address via web service (1 IoC)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow 7: ip-api.com
Drops file in Windows directory (2 IoCs)
  File created: C:\Windows\XClient.exe  (idk.exe)
  File created: C:\Windows\Umbral.exe  (Umbral.exe)
  (writing into C:\Windows only succeeds from an elevated process, so the sample ran with an administrative token in this sandbox)
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  696 schtasks.exe
Suspicious behavior: EnumeratesProcesses (5 IoCs)
  2772 powershell.exe, 2724 powershell.exe, 2416 powershell.exe, 1296 powershell.exe, 2736 powershell.exe
Suspicious use of AdjustPrivilegeToken (50 IoCs)
  SeDebugPrivilege: 2724 powershell.exe, 2772 powershell.exe, 2808 XClient.exe (recorded twice), 2568 Umbral.exe, 2416 powershell.exe, 1296 powershell.exe, 2736 powershell.exe, 1944 XClient.exe, 2428 XClient.exe
  1640 wmic.exe (the following set is recorded twice): SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35
  (the long wmic.exe list is wmic enabling every privilege its token already holds at startup and is normal for that binary; the signal here is SeDebugPrivilege being enabled by XClient.exe, Umbral.exe and the PowerShell children)
Suspicious use of WriteProcessMemory (45 IoCs)
  parent PID / image       -> child PID / image      calls  target #
  2016 Files To Use.exe    -> 2660 idk.exe             4     28
  2660 idk.exe             -> 2772 powershell.exe      4     35
  2660 idk.exe             -> 2808 XClient.exe         4     33
  2016 Files To Use.exe    -> 2888 Umbral.exe          4     32
  2888 Umbral.exe          -> 2724 powershell.exe      4     31
  2888 Umbral.exe          -> 2568 Umbral.exe          4     30
  2568 Umbral.exe          -> 1640 wmic.exe            3     38
  2808 XClient.exe         -> 2416 powershell.exe      3     40
  2808 XClient.exe         -> 1296 powershell.exe      3     42
  2808 XClient.exe         -> 2736 powershell.exe      3     44
  2808 XClient.exe         -> 696 schtasks.exe         3     46
  2944 taskeng.exe         -> 1944 XClient.exe         3     48
  2944 taskeng.exe         -> 2428 XClient.exe         3     51
  (the raw records read "PID <parent> wrote to memory of <child> <parent> <parent image> <target #>" and name only the writing process; child images here are taken from the process list)
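The WriteProcessMemory records are the most reliable parent/child evidence in a report like this: the rendered process list shows C:\Windows\Umbral.exe (PID 2568) as a separate top-level entry, but the records say PID 2888 wrote into it, i.e. the RarSFX0 copy of Umbral.exe started its C:\Windows copy. The following is an added example, not tria.ge code: it parses the 45 records above in the sandbox's own wording, takes the first write from a parent to a child as the spawn, and prints the tree. The leaf image names (powershell.exe, wmic.exe, schtasks.exe, XClient.exe) are copied from the process list because the records do not carry them.

```python
"""Rebuild the parent/child process tree from the sandbox's WriteProcessMemory
records. Added example for this report, not tria.ge code; the records are the
45 listed above and the leaf image names come from the process list."""
import re
from collections import Counter

# Identical consecutive records are written once with a repeat count to keep
# this short; the parser only ever sees the flat joined text.
_RECORDS = [
    ("PID 2016 wrote to memory of 2660 2016 Files To Use.exe 28", 4),
    ("PID 2660 wrote to memory of 2772 2660 idk.exe 35", 4),
    ("PID 2660 wrote to memory of 2808 2660 idk.exe 33", 4),
    ("PID 2016 wrote to memory of 2888 2016 Files To Use.exe 32", 4),
    ("PID 2888 wrote to memory of 2724 2888 Umbral.exe 31", 4),
    ("PID 2888 wrote to memory of 2568 2888 Umbral.exe 30", 4),
    ("PID 2568 wrote to memory of 1640 2568 Umbral.exe 38", 3),
    ("PID 2808 wrote to memory of 2416 2808 XClient.exe 40", 3),
    ("PID 2808 wrote to memory of 1296 2808 XClient.exe 42", 3),
    ("PID 2808 wrote to memory of 2736 2808 XClient.exe 44", 3),
    ("PID 2808 wrote to memory of 696 2808 XClient.exe 46", 3),
    ("PID 2944 wrote to memory of 1944 2944 taskeng.exe 48", 3),
    ("PID 2944 wrote to memory of 2428 2944 taskeng.exe 51", 3),
]
WPM_TEXT = " ".join(rec for rec, n in _RECORDS for _ in range(n))

# Leaf processes never write memory, so their names are not in the records;
# these come from the process list in the report.
CHILD_IMAGES = {2772: "powershell.exe", 2724: "powershell.exe", 1640: "wmic.exe",
                2416: "powershell.exe", 1296: "powershell.exe", 2736: "powershell.exe",
                696: "schtasks.exe", 1944: "XClient.exe", 2428: "XClient.exe"}

# "PID <p> wrote to memory of <c> <p> <image> <target index>"; the image may
# contain spaces, so it is matched lazily up to the index that ends the record.
RECORD = re.compile(r"PID (\d+) wrote to memory of (\d+) \1 (.+?) (\d+)(?=\s+PID\s|\s*$)")


def parse_records(text):
    """Return (parent_pid, child_pid, parent_image, target_index) tuples."""
    return [(int(p), int(c), img, int(i)) for p, c, img, i in RECORD.findall(text)]


def build_tree(records):
    """The first write from a parent to a child is taken as the spawn; later
    writes to the same child are counted but do not re-parent it."""
    parent, children, images, writes = {}, {}, {}, Counter()
    for ppid, cpid, pimg, _ in records:
        images[ppid] = pimg
        writes[(ppid, cpid)] += 1
        if cpid not in parent:
            parent[cpid] = ppid
            children.setdefault(ppid, []).append(cpid)
    roots = [p for p in children if p not in parent]
    return parent, children, images, writes, roots


def render(tree, hints=CHILD_IMAGES):
    """Indented text tree, one process per line, with the number of writes
    the parent made into each child."""
    parent, children, images, writes, roots = tree
    names = {**hints, **images}
    lines = []

    def walk(pid, depth, n):
        tag = f"  [{n} writes]" if n else ""
        lines.append("  " * depth + f"{pid} {names.get(pid, '?')}{tag}")
        for c in children.get(pid, []):
            walk(c, depth + 1, writes[(pid, c)])

    for r in roots:
        walk(r, 0, 0)
    return "\n".join(lines)


if __name__ == "__main__":
    print(render(build_tree(parse_records(WPM_TEXT))))
```

Two roots come out: 2016 (the SFX) and 2944 (taskeng.exe, which is the Task Scheduler firing the "XClient" task, not something the sample spawned), which is the tree a responder actually wants to draw.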
Uses Task Scheduler COM API (1 TTP)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
C:\Users\Admin\AppData\Local\Temp\Files To Use.exe  (level 1, PID 2016)
  cmd: "C:\Users\Admin\AppData\Local\Temp\Files To Use.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  (the RarSFX0 extraction directory used by the children marks this as a WinRAR self-extracting archive carrying idk.exe and Umbral.exe)
  C:\Users\Admin\AppData\Local\Temp\RarSFX0\idk.exe  (level 2, PID 2660)
    cmd: "C:\Users\Admin\AppData\Local\Temp\RarSFX0\idk.exe"
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    C:\Windows\XClient.exe  (level 3, PID 2808)
      cmd: "C:\Windows\XClient.exe"
      - Drops startup file
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  (level 4, PID 2416)
        cmd: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\XClient.exe'
        (the Defender PowerShell module that provides Add-MpPreference ships with Windows 8 / Server 2012 and later, so on this Windows 7 image the call fails; on a current Windows it silently excludes the file from scanning)
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
      C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  (level 4, PID 1296)
        cmd: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
      C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  (level 4, PID 2736)
        cmd: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\XClient.exe'
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
      C:\Windows\System32\schtasks.exe  (level 4, PID 696)
        cmd: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "XClient" /tr "C:\Users\Admin\XClient.exe"
        (a task named XClient that runs the user-profile copy every minute at the highest run level; the two XClient.exe children of taskeng.exe at the bottom of this list are that task firing)
        - Creates scheduled task(s)
    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  (level 3, PID 2772)
      cmd: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHYAeABlACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHQAYwBlACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHgAaQB5ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGsAdQBrACMAPgA="
      decoded (base64 of UTF-16LE): <#vxe#>Add-MpPreference <#tce#> -ExclusionPath @($env:UserProfile,$env:SystemDrive) <#xiy#> -Force <#kuk#>
      (after removing the junk <# #> comments this is Add-MpPreference -ExclusionPath @($env:UserProfile,$env:SystemDrive) -Force: the entire user profile and the whole system drive are excluded from Defender; the image path is SysWOW64 although the command line names System32, which means the 32-bit idk.exe launched it through WOW64 file-system redirection)
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
  C:\Users\Admin\AppData\Local\Temp\RarSFX0\Umbral.exe  (level 2, PID 2888)
    cmd: "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Umbral.exe"
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
C:\Windows\Umbral.exe  (level 1, PID 2568)
  cmd: "C:\Windows\Umbral.exe"
  (rendered as a separate root by the sandbox, but the WriteProcessMemory records show PID 2888, the RarSFX0 copy, started it)
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  C:\Windows\System32\Wbem\wmic.exe  (level 2, PID 1640)
    cmd: "wmic.exe" csproduct get uuid
    (reads the SMBIOS system UUID, the usual host identifier a stealer sends home with its loot)
    - Suspicious use of AdjustPrivilegeToken
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  (level 1, PID 2724)
  cmd: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHUAaAB2ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGoAZgB0ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHUAdQBhACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG0AagB3ACMAPgA="
  decoded (base64 of UTF-16LE): <#uhv#>Add-MpPreference <#jft#> -ExclusionPath @($env:UserProfile,$env:SystemDrive) <#uua#> -Force <#mjw#>
  (same command as PID 2772 with different comment filler, so a string match on the encoded blob will miss it while a match on the decoded, comment-stripped command catches both; the WriteProcessMemory records show PID 2888 started it)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
C:\Windows\system32\taskeng.exe  (level 1, PID 2944)
  cmd: taskeng.exe {37C4288D-38D2-4AD8-91C9-0F8B46A9859E} S-1-5-21-3818056530-936619650-3554021955-1000:SFVRQGEO\Admin:Interactive:[1]
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\XClient.exe  (level 2, PID 1944)
    cmd: C:\Users\Admin\XClient.exe
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
  C:\Users\Admin\XClient.exe  (level 2, PID 2428)
    cmd: C:\Users\Admin\XClient.exe
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
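The PowerShell children above are the part of this tree worth writing detection for: two of them hide the same Add-MpPreference call behind -EncodedCommand plus random <# #> block comments, so any rule that matches on the visible command line misses them. The following is an added example, not code from the sample or from tria.ge: it takes the command lines copied from the tree (the base64 blob is the real one run by PID 2772), decodes -EncodedCommand as base64 of UTF-16LE, strips the comment filler, and tags each command line. The tag names are this block's own labels, not tria.ge signature names.

```python
"""Decode and triage the command lines from the process tree above.

Added example for this report, not code from the sample or from tria.ge.
The command lines are copied from the tree; the tag names are this block's own.
"""
import base64
import re

PS = '"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"'

CMDLINES = {  # keyed by the PID shown in the tree
    2416: PS + " -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\\Windows\\XClient.exe'",
    1296: PS + " -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'",
    696: ('"C:\\Windows\\System32\\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 '
          '/tn "XClient" /tr "C:\\Users\\Admin\\XClient.exe"'),
    2772: PS + ' -EncodedCommand "PAAjAHYAeABlACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHQAYwBlACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHgAaQB5ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGsAdQBrACMAPgA="',
    1640: '"wmic.exe" csproduct get uuid',
}

# -EncodedCommand and its abbreviations -enc / -e take base64 of UTF-16LE text.
ENC_ARG = re.compile(r'-e(?:nc(?:odedcommand)?)?\s+"?([A-Za-z0-9+/=]+)', re.I)
# PowerShell block comments; the dropper splices random ones between tokens.
BLOCK_COMMENT = re.compile(r"<#.*?#>", re.S)


def decode_encoded_command(cmdline):
    """Return the script hidden behind -EncodedCommand, or None if the
    command line does not use it."""
    m = ENC_ARG.search(cmdline)
    if m is None:
        return None
    return base64.b64decode(m.group(1)).decode("utf-16-le")


def normalize(script):
    """Drop <# ... #> comments and collapse whitespace so that string
    matching sees the command PowerShell actually executes."""
    return " ".join(BLOCK_COMMENT.sub("", script).split())


def triage(cmdline):
    """Classify one command line; returns the effective command and tags."""
    decoded = decode_encoded_command(cmdline)
    cmd = normalize(decoded if decoded is not None else cmdline)
    low = cmd.lower()
    tags = []
    if decoded is not None:
        tags.append("encoded_powershell")
        if BLOCK_COMMENT.search(decoded):
            tags.append("inline_comment_obfuscation")
    if "-executionpolicy bypass" in low:
        tags.append("executionpolicy_bypass")
    if "add-mppreference" in low and re.search(r"-exclusion(path|process|extension)", low):
        tags.append("defender_exclusion")
        if "$env:systemdrive" in low or "$env:userprofile" in low:
            tags.append("defender_exclusion_broad")  # whole drive or profile excluded
    if "schtasks" in low and "/create" in low:
        tags.append("scheduled_task")
        if re.search(r"/sc minute /mo 1\b", low):
            tags.append("scheduled_task_every_minute")
        if "/rl highest" in low:
            tags.append("scheduled_task_highest")
    if "wmic" in low and "csproduct get uuid" in low:
        tags.append("machine_uuid_discovery")
    return {"command": cmd, "tags": tags}


def triage_all(cmdlines=CMDLINES):
    """Triage every command line, keyed by PID."""
    return {pid: triage(c) for pid, c in cmdlines.items()}


if __name__ == "__main__":
    for pid, result in triage_all().items():
        print(pid, result["tags"])
        print("   ", result["command"])
```

Matching on the normalized command rather than the raw command line is the point: PID 2772 and PID 2724 carry different base64 blobs and different comment filler, but both normalize to the same Add-MpPreference -ExclusionPath @($env:UserProfile,$env:SystemDrive) -Force and get the same tags.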
Network
MITRE ATT&CK Enterprise v15
Downloads
(unnamed file)
  Filesize: 154KB
  MD5: c0dcbe72b03d07c8dc99e98a1f7027f3
  SHA1: e9f4d3490820dcc2a31211078418464f0522825c
  SHA256: d603c0ae2621a2b019f81bc6b69562715dc3762410f54833a27bb8534ab11f17
  SHA512: d3e9478f4c7cd7cd7c81cccb552c0d3219ffb496203b3d5ce155601be70671cb2f4095375fae73649db076f74dcb9459970ce087820d65c419996820743d6cfe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
  Filesize: 7KB
  MD5: 4dc63422e7e037dbf92fbc9acc29ae10
  SHA1: 0efa6479efbadc1e61cb14d56a85bee28ccaa294
  SHA256: 10b6051133ea8732b17498583c78b44440061d679f2858b0352b07e1a16f340d
  SHA512: fc5260b53dec3374035085090609ec07c18b3fbcf56ab19d94f6d161460650988d4e1c0551b6ce956dcc4e895daa28df1b0b1199948d004d71bb3afa0687f811
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
  Filesize: 7KB
  MD5: ebd0dac9a4649bcb3e1357d1db53358d
  SHA1: 80c5e5d294897a18222816eb2f04409e73e01b34
  SHA256: ccc703ba010caed2b3a1bc1db548dc48b2107ae576db26b96605330d87aa9048
  SHA512: 4f992ba5fad6f195107b3d66c56b71614df773e5805c7eede61984bd95f9cc17a500f915606d658be87e398cb06c0b30a07ba89a250d76bc0072e39ef55309fa
(unnamed file)
  Filesize: 232KB
  MD5: 2483d9350df5eedfbf7de1d5f5b5ed4f
  SHA1: 724476e281551b918aa913eef34b3cc78b3b0fba
  SHA256: d9d1f6f62443d226c14762e891663a56d20257512a56b3b139d6b8b151333902
  SHA512: decfaddad857c5b540bbce3b732eee4b2d14e05fca44bf06204d83cd59d5dc370e8186ac858ab6a2e9b6592fa0114e96f5fc939d33643bceb0e3042290cbc588
(unnamed file)
  Filesize: 139KB
  MD5: eeb1e0c9689813f31b9343718129d941
  SHA1: db8a235940c1f19428fa189426a8101b09b71acd
  SHA256: c74b72024ec217e1a9402d9cbe89cd70953822dde297222cfb5f053cd9569f97
  SHA512: cccd9a67bf7a6f4bdb26ac54bd880c778dd74f503e4f340cb10fed5497c2fa3c0dd42c5374bd70d95ca6d5969bf11c2ada2c5b9aaafb632c9725120a1baa62bd
(unnamed file)
  Filesize: 74KB
  MD5: a15a8f6157c41ab4fa9ee326f3d97f50
  SHA1: e6b3b8c5545203d417028cf0bc3d6ac52019ab03
  SHA256: 90762c84491981a3732f8a7953148ad833a13bc029b641483476089ac0b4bd7f
  SHA512: 86b190956b936be0540e725bcfe3623ed00c63ea9ef5317e571e5b85681a830c3f42e4b9251840818cd66241471c5d3a40137d9d1da969495ee873d16207e2c6
(unnamed file)
  Filesize: 239KB
  MD5: 63a373c7a48ef4b85579d498388bacca
  SHA1: c8b2f34ad29df1b4f7319ed62c718d9195cc2a1a
  SHA256: bd4ace88c87bfae2a0be0943f2d7cbc7abe9f940fb426d07e46001d9f614d6d7
  SHA512: a9be9b671a8305c0d63e2467643ce5dd0d65b34e834ea78155fdf80745e8da85c5587813176c1f559f9e180a46a595dfbf8de029e8f0ff3cad77fae95f461dcf
(unnamed file)
  Filesize: 223KB
  MD5: c1178639cb668a9498b72092a75c5618
  SHA1: 81f97024e38c076b8dbd85ddedaa3759ac97edcd
  SHA256: 90c6335e8ed13fe22db2e3a8cc8b4697fb0df87d94d5d4deb437e78306a8318b
  SHA512: 708edd2d60cd11341e80365d326ff34748bd6fda9581ae65d24bf60340a8e4eef70befc0d5333057e2583c5cc6a26cdad646598309822dc8964cf9ddb8e927c7
(unnamed file)
  Filesize: 79KB
  MD5: 824955d7d5e92b99feee38b38315e3d6
  SHA1: 2afc235f7c0efc4148ff1b374104d694559ea5f6
  SHA256: 7aa0041265c558f803a761a2a0acb80979751546520cd89586c1c069e79741eb
  SHA512: dd5ad749e5fdc63ecbf6530926f37452129b79a61e1266d0a7e10c1d4b883f461c39f282e2815f1f078fa233acc132d797469caae85f73807db196f3f9c0a94e