Analysis
- max time kernel: 1193s
- max time network: 1188s
- platform: windows10-2004_x64
- resource: win10v2004-20240226-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 06/04/2024, 23:47
Behavioral task: behavioral1
- Sample: tjworkaround.exe
- Resource: win7-20240221-en
Behavioral task: behavioral2
- Sample: tjworkaround.exe
- Resource: win10v2004-20240226-en
General
- Target: tjworkaround.exe
- Size: 38KB
- MD5: 316c7a42c30ac83066309fc491247084
- SHA1: 3f2bcacddee6346caa95ba736f97009e5aba0f39
- SHA256: 41cea90b8e919a1217ccfdcad71be256a50755aca407f1479d63d2e1d35d4194
- SHA512: d5d62da7ad000d36ddae35c8e961ac1c3a253760c5c9e1fcb9d29248f08feaddebc687a520d5961435b71c3da04d5337d541d339eb6f77453284283946af22c4
- SSDEEP: 768:ypz4jeFbyWunfc5NiJQQW7FWPA9xViOMh0jf:yqCbZUxN+FR9xViOMyj
Malware Config
Extracted (xworm 5.0)
- 127.0.0.1:12397
- 147.185.221.19:12397
- bay-currencies.gl.at.ply.gg:12397
- mrHCROvGwsLfwHBw
- Install_directory: %AppData%
- install_file: runbroker.exe
Signatures
- Detect Xworm Payload (1 IoC)
  resource: behavioral2/memory/560-0-0x0000000000950000-0x0000000000960000-memory.dmp
  yara_rule: family_xworm
- Drops startup file (2 IoCs)
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\runbroker.lnk (process: tjworkaround.exe)
  File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\runbroker.lnk (process: tjworkaround.exe)
- Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str): \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\runbroker = "C:\\Users\\Admin\\AppData\\Roaming\\runbroker.exe" (process: tjworkaround.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid 560, tjworkaround.exe (all 64 entries come from this one process)
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  pid 560, tjworkaround.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Token: SeDebugPrivilege, pid 560, tjworkaround.exe (2 entries)
- Suspicious use of SetWindowsHookEx (1 IoC)
  pid 560, tjworkaround.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\tjworkaround.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\tjworkaround.exe"
  Tree depth: 1
  PID: 560
  - Drops startup file
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
- C:\Windows\system32\notepad.exe
  Command line: "C:\Windows\system32\notepad.exe"
  Tree depth: 1
  PID: 3808