Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
max time kernel: 1191s
max time network: 1199s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 06/04/2024, 23:47
Behavioral task: behavioral1
Sample: tjworkaround.exe
Resource: win7-20240221-en
Behavioral task: behavioral2
Sample: tjworkaround.exe
Resource: win10v2004-20240226-en
General
Target: tjworkaround.exe
Size: 38KB
MD5: 316c7a42c30ac83066309fc491247084
SHA1: 3f2bcacddee6346caa95ba736f97009e5aba0f39
SHA256: 41cea90b8e919a1217ccfdcad71be256a50755aca407f1479d63d2e1d35d4194
SHA512: d5d62da7ad000d36ddae35c8e961ac1c3a253760c5c9e1fcb9d29248f08feaddebc687a520d5961435b71c3da04d5337d541d339eb6f77453284283946af22c4
SSDEEP: 768:ypz4jeFbyWunfc5NiJQQW7FWPA9xViOMh0jf:yqCbZUxN+FR9xViOMyj
Malware Config
Extracted
Family: xworm
Version: 5.0
127.0.0.1:12397
147.185.221.19:12397
bay-currencies.gl.at.ply.gg:12397
mrHCROvGwsLfwHBw
Install_directory: %AppData%
install_file: runbroker.exe
Signatures

Detect Xworm Payload (1 IoC)
resource: behavioral1/memory/2660-0-0x0000000000920000-0x0000000000930000-memory.dmp
yara_rule: family_xworm

Drops startup file (2 IoCs)
File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\runbroker.lnk (process: tjworkaround.exe)
File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\runbroker.lnk (process: tjworkaround.exe)

Adds Run key to start application (2 TTPs, 1 IoC)
Set value (str): \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\runbroker = "C:\\Users\\Admin\\AppData\\Roaming\\runbroker.exe" (process: tjworkaround.exe)

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid 2660, process tjworkaround.exe (the same entry is repeated for all 64 IoCs)

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
pid 2660, process tjworkaround.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
Token: SeDebugPrivilege, pid 2660, process tjworkaround.exe
Token: SeDebugPrivilege, pid 2660, process tjworkaround.exe

Suspicious use of SetWindowsHookEx (1 IoC)
pid 2660, process tjworkaround.exe
Processes

C:\Users\Admin\AppData\Local\Temp\tjworkaround.exe (depth 1)
Command line: "C:\Users\Admin\AppData\Local\Temp\tjworkaround.exe"
PID: 2660
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx

C:\Windows\system32\notepad.exe (depth 1)
Command line: "C:\Windows\system32\notepad.exe"
PID: 2688
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 253B
MD5: 5f1391d02f5dc8a87eb47869f3af5dbb
SHA1: 16ce1a19206cb7f55b1e3431d0cbe7acc0446ade
SHA256: fd0241a7d8c6716a81afb063bb2c3a2022d5fa70aba045c439ce9ea2b15e826a
SHA512: 9a7c52775f2551bbf758d0516c2636f19feceba4b6c301acde24cdeda80fabf80054abb80a23dffe3a896725f4bc5e6b7fdc0f2e1f921206af189b4d48473669