Analysis
- max time kernel: 146s
- max time network: 123s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 07/04/2024, 00:05
Behavioral task: behavioral1
- Sample: a7903a792f681e00d5c41c11bcb041227a13f16f4f1f5fde1bdb1722c2f7085b.exe
- Resource: win7-20240221-en
Behavioral task: behavioral2
- Sample: a7903a792f681e00d5c41c11bcb041227a13f16f4f1f5fde1bdb1722c2f7085b.exe
- Resource: win10v2004-20240226-en
General
- Target: a7903a792f681e00d5c41c11bcb041227a13f16f4f1f5fde1bdb1722c2f7085b.exe
- Size: 177KB
- MD5: 0bebcc64ad6ab3aed9b2a5b783db1b7a
- SHA1: 2c4f870a2c89299b638668e868fc1ece233df2df
- SHA256: a7903a792f681e00d5c41c11bcb041227a13f16f4f1f5fde1bdb1722c2f7085b
- SHA512: 6fb4dafe91444d348afe91eb360bd18abc745268974864ca8e99f4d64f7a5ed4eced40ec2462b9347092916ed914f0bc82a7462f436c3c0bc572d5669d82f17b
- SSDEEP: 3072:ksYkcYIUQObxophkyWOVotM+lmsolAIrRuw+mqv9j1MWLQh:nVIabOLyG+lDAA
Malware Config
Extracted
- Family: xworm
- C2: uk2.localto.net:32941:443
- Install_directory: %ProgramData%
- install_file: svchost.exe
Signatures

Detect Xworm Payload (4 IoCs)
  resource | yara_rule
  behavioral1/memory/1684-0-0x0000000000B40000-0x0000000000B72000-memory.dmp | family_xworm
  behavioral1/files/0x000b000000012259-60.dat | family_xworm
  behavioral1/memory/2760-62-0x0000000000D30000-0x0000000000D62000-memory.dmp | family_xworm
  behavioral1/memory/1440-66-0x00000000012B0000-0x00000000012E2000-memory.dmp | family_xworm

Detects Windows executables referencing non-Windows User-Agents (4 IoCs)
  resource | yara_rule
  behavioral1/memory/1684-0-0x0000000000B40000-0x0000000000B72000-memory.dmp | INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
  behavioral1/files/0x000b000000012259-60.dat | INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
  behavioral1/memory/2760-62-0x0000000000D30000-0x0000000000D62000-memory.dmp | INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
  behavioral1/memory/1440-66-0x00000000012B0000-0x00000000012E2000-memory.dmp | INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA

Drops startup file (2 IoCs)
  description | ioc | Process
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk | a7903a792f681e00d5c41c11bcb041227a13f16f4f1f5fde1bdb1722c2f7085b.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk | a7903a792f681e00d5c41c11bcb041227a13f16f4f1f5fde1bdb1722c2f7085b.exe

Executes dropped EXE (2 IoCs)
  pid | Process
  2760 | svchost.exe
  1440 | svchost.exe

Adds Run key to start application (2 TTPs, 1 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\ProgramData\\svchost.exe" | a7903a792f681e00d5c41c11bcb041227a13f16f4f1f5fde1bdb1722c2f7085b.exe

Looks up external IP address via web service (1 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
  flow | ioc
  4 | ip-api.com

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Creates scheduled task(s) (1 TTPs, 1 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid | Process
  1820 | schtasks.exe

Suspicious behavior: EnumeratesProcesses (5 IoCs)
  pid | Process
  2732 | powershell.exe
  2496 | powershell.exe
  672 | powershell.exe
  1812 | powershell.exe
  1684 | a7903a792f681e00d5c41c11bcb041227a13f16f4f1f5fde1bdb1722c2f7085b.exe

Suspicious use of AdjustPrivilegeToken (8 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 1684 | a7903a792f681e00d5c41c11bcb041227a13f16f4f1f5fde1bdb1722c2f7085b.exe
  Token: SeDebugPrivilege | 2732 | powershell.exe
  Token: SeDebugPrivilege | 2496 | powershell.exe
  Token: SeDebugPrivilege | 672 | powershell.exe
  Token: SeDebugPrivilege | 1812 | powershell.exe
  Token: SeDebugPrivilege | 1684 | a7903a792f681e00d5c41c11bcb041227a13f16f4f1f5fde1bdb1722c2f7085b.exe
  Token: SeDebugPrivilege | 2760 | svchost.exe
  Token: SeDebugPrivilege | 1440 | svchost.exe

Suspicious use of SetWindowsHookEx (1 IoCs)
  pid | Process
  1684 | a7903a792f681e00d5c41c11bcb041227a13f16f4f1f5fde1bdb1722c2f7085b.exe

Suspicious use of WriteProcessMemory (21 IoCs)
  description | pid | Process | procid_target
  PID 1684 wrote to memory of 2732 | 1684 | a7903a792f681e00d5c41c11bcb041227a13f16f4f1f5fde1bdb1722c2f7085b.exe | 29
  PID 1684 wrote to memory of 2732 | 1684 | a7903a792f681e00d5c41c11bcb041227a13f16f4f1f5fde1bdb1722c2f7085b.exe | 29
  PID 1684 wrote to memory of 2732 | 1684 | a7903a792f681e00d5c41c11bcb041227a13f16f4f1f5fde1bdb1722c2f7085b.exe | 29
  PID 1684 wrote to memory of 2496 | 1684 | a7903a792f681e00d5c41c11bcb041227a13f16f4f1f5fde1bdb1722c2f7085b.exe | 31
  PID 1684 wrote to memory of 2496 | 1684 | a7903a792f681e00d5c41c11bcb041227a13f16f4f1f5fde1bdb1722c2f7085b.exe | 31
  PID 1684 wrote to memory of 2496 | 1684 | a7903a792f681e00d5c41c11bcb041227a13f16f4f1f5fde1bdb1722c2f7085b.exe | 31
  PID 1684 wrote to memory of 672 | 1684 | a7903a792f681e00d5c41c11bcb041227a13f16f4f1f5fde1bdb1722c2f7085b.exe | 33
  PID 1684 wrote to memory of 672 | 1684 | a7903a792f681e00d5c41c11bcb041227a13f16f4f1f5fde1bdb1722c2f7085b.exe | 33
  PID 1684 wrote to memory of 672 | 1684 | a7903a792f681e00d5c41c11bcb041227a13f16f4f1f5fde1bdb1722c2f7085b.exe | 33
  PID 1684 wrote to memory of 1812 | 1684 | a7903a792f681e00d5c41c11bcb041227a13f16f4f1f5fde1bdb1722c2f7085b.exe | 35
  PID 1684 wrote to memory of 1812 | 1684 | a7903a792f681e00d5c41c11bcb041227a13f16f4f1f5fde1bdb1722c2f7085b.exe | 35
  PID 1684 wrote to memory of 1812 | 1684 | a7903a792f681e00d5c41c11bcb041227a13f16f4f1f5fde1bdb1722c2f7085b.exe | 35
  PID 1684 wrote to memory of 1820 | 1684 | a7903a792f681e00d5c41c11bcb041227a13f16f4f1f5fde1bdb1722c2f7085b.exe | 37
  PID 1684 wrote to memory of 1820 | 1684 | a7903a792f681e00d5c41c11bcb041227a13f16f4f1f5fde1bdb1722c2f7085b.exe | 37
  PID 1684 wrote to memory of 1820 | 1684 | a7903a792f681e00d5c41c11bcb041227a13f16f4f1f5fde1bdb1722c2f7085b.exe | 37
  PID 2908 wrote to memory of 2760 | 2908 | taskeng.exe | 42
  PID 2908 wrote to memory of 2760 | 2908 | taskeng.exe | 42
  PID 2908 wrote to memory of 2760 | 2908 | taskeng.exe | 42
  PID 2908 wrote to memory of 1440 | 2908 | taskeng.exe | 43
  PID 2908 wrote to memory of 1440 | 2908 | taskeng.exe | 43
  PID 2908 wrote to memory of 1440 | 2908 | taskeng.exe | 43

Uses Task Scheduler COM API (1 TTPs)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

- C:\Users\Admin\AppData\Local\Temp\a7903a792f681e00d5c41c11bcb041227a13f16f4f1f5fde1bdb1722c2f7085b.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\a7903a792f681e00d5c41c11bcb041227a13f16f4f1f5fde1bdb1722c2f7085b.exe"
  PID: 1684
  - Drops startup file
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\a7903a792f681e00d5c41c11bcb041227a13f16f4f1f5fde1bdb1722c2f7085b.exe'
    PID: 2732
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'a7903a792f681e00d5c41c11bcb041227a13f16f4f1f5fde1bdb1722c2f7085b.exe'
    PID: 2496
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\svchost.exe'
    PID: 672
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
    PID: 1812
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

  - C:\Windows\System32\schtasks.exe
    Command line: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchost" /tr "C:\ProgramData\svchost.exe"
    PID: 1820
    - Creates scheduled task(s)

- C:\Windows\system32\taskeng.exe
  Command line: taskeng.exe {00A28DCE-C0F2-4046-8892-CFDD5A9D05BC} S-1-5-21-3787592910-3720486031-2929222812-1000:HSNHLVYA\Admin:Interactive:[1]
  PID: 2908
  - Suspicious use of WriteProcessMemory

  - C:\ProgramData\svchost.exe
    Command line: C:\ProgramData\svchost.exe
    PID: 2760
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken

  - C:\ProgramData\svchost.exe
    Command line: C:\ProgramData\svchost.exe
    PID: 1440
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads

- (no path recorded; hashes match the submitted sample above)
  Filesize: 177KB
  MD5: 0bebcc64ad6ab3aed9b2a5b783db1b7a
  SHA1: 2c4f870a2c89299b638668e868fc1ece233df2df
  SHA256: a7903a792f681e00d5c41c11bcb041227a13f16f4f1f5fde1bdb1722c2f7085b
  SHA512: 6fb4dafe91444d348afe91eb360bd18abc745268974864ca8e99f4d64f7a5ed4eced40ec2462b9347092916ed914f0bc82a7462f436c3c0bc572d5669d82f17b

- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
  Filesize: 7KB
  MD5: 04e3eac1396f57eb08d70f5f28252ff5
  SHA1: 4fb520b92360152d605a54da7b37406d198840f3
  SHA256: 8a91bfa2ad0dce16905b80b93fab019c96aa96d448439f99cb465d9fea6e6ded
  SHA512: 6d0cf9b1fbb01c61a11b6dda7e820529f375d6bb7c78fd8bb1f4cfdff9952f2a912588a75b2e717a54855d9e491ddbd15e54968fd56c6050348226f19dcdd791